Privacy Policy

Curvay operates curvay.com and is the Data Controller responsible for your personal data under the General Data Protection Regulation (GDPR) and applicable EU member state data protection laws.

We only collect personal data that is necessary for the purposes described in this policy. The table below explains what we collect and the legal basis under GDPR.

We never collect sensitive personal data (such as health information, racial or ethnic origin, or political opinions) and we never sell your personal data to third parties.

We use your personal data only for the following purposes:

To process and fulfil your order

• Process payments and send order confirmations
• Arrange delivery and provide tracking information
• Handle returns, refunds, and customer service requests

To operate and improve our website

• Monitor site performance and fix technical issues
• Analyse browsing patterns to improve user experience
• Prevent fraud and ensure platform security

For marketing communications (with your consent only)

• Send email newsletters, promotions, and product updates
• You can unsubscribe at any time via the link in any email or by contacting hello@curvay.com

Under GDPR, we must have a valid legal basis for processing your personal data. We rely on the following:

• Contract performance processing is necessary to fulfil your order and deliver your purchase
• Legitimate interests to prevent fraud, maintain website security, and improve our services
• Consent for marketing emails and non-essential cookies (you can withdraw consent at any time)
• Legal obligation where we are required to retain data for tax, accounting, or legal compliance purposes

We do not sell, rent, or trade your personal data. We share your data only with trusted third-party service providers who help us operate our business, and only to the extent necessary.

Our key service providers:

• Shopify Inc. our e-commerce platform and hosting provider (data stored on secure, encrypted servers)
• Payment processors (Stripe, PayPal, etc.) to securely handle payment transactions. They are PCI-DSS compliant and do not share your card data with us.
• Shipping carriers (DHL, DPD, PostNL, Colissimo) will deliver your order. Your name and delivery address are shared.
• Email marketing platform  to send you transactional and promotional emails (if you have opted in)
• Analytics tools  anonymised browsing data to help us understand how customers use our site

All third-party providers are contractually required to handle your data securely and in compliance with GDPR. They may not use your data for their own purposes.

Some of our third-party service providers (such as Shopify) may process or store data outside of the European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Transfers to countries recognised by the EU as providing adequate data protection
• Binding corporate rules where applicable

You can request information about the specific safeguards in place by emailing hello@curvay.com.

We only retain your personal data for as long as necessary. Below are our standard retention periods:

• Order and transaction data: 7 years (required for tax and accounting compliance under EU law)
• Customer account data: for the duration of your account, plus 2 years after last activity
• Marketing email data: until you unsubscribe or withdraw consent
• Technical / analytics data: up to 26 months
• Cookie data: as specified in our Cookie Policy (see Section 10)

When your data is no longer required, it is securely deleted or anonymised.

As an EU resident, you have the following rights regarding your personal data. These rights can be exercised free of charge by contacting us at hello@curvay.com.

We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, disclosure, or destruction. These include:

• SSL/TLS encryption on all pages of curvay.com (HTTPS)
• AES-256 encryption for stored sensitive data
• PCI-DSS compliant payment processing — we never store full card details
• Access controls limiting who within our team can access personal data
• Regular review of our security practices

No method of data transmission over the internet is 100% secure. While we implement industry best practices, we cannot guarantee absolute security.

We use cookies and similar tracking technologies on curvay.com. Cookies are small text files stored on your device that help us provide a better experience.

Types of cookies we use:

• Essential cookies necessary for the website to function (e.g. shopping cart, login session). Cannot be disabled.
• Analytics cookies help us understand how visitors use our site (e.g. Google Analytics). Require your consent.
• Marketing cookies used to show relevant ads and track campaign performance. Require your consent.
• Preference cookies remember your settings and preferences (e.g. language, currency). Require your consent.

When you first visit curvay.com, you will be presented with a cookie consent banner. You can accept, reject, or customise your cookie preferences at any time by clicking the cookie settings link in the footer of our website.

We use your personal data to deliver targeted advertising and marketing communications that may be relevant to you. This includes sharing certain data with our advertising partners to show you ads on other websites and platforms.

How we use your data for advertising:

• Google Analytics: We use Google Analytics to understand how customers use our website. You can learn more about how Google uses your data at google.com/intl/en/policies/privacy. You can opt out of Google Analytics tracking at tools.google.com/dlpage/gaoptout.
• Google Ads: We share information about your website usage and purchases with Google to show you relevant ads. You can manage your Google ad preferences at google.com/settings/ads.
• Facebook / Meta Ads — We may share data with Meta to serve ads on Facebook and Instagram. You can manage your Facebook ad preferences at facebook.com/settings/?tab=ads.
• Microsoft / Bing Ads — We may use Bing Ads to show personalised ads. You can opt out at advertise.bingads.microsoft.com.

How to opt out of targeted advertising:

• Use the Digital Advertising Alliance opt-out portal: optout.aboutads.info
• Learn more about how targeted advertising works at the NAI educational website: networkadvertising.org
• Withdraw your cookie consent at any time via the cookie settings link in the footer of our website

curvay.com is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe a child under 16 has provided us with personal data, please contact us at hello@curvay.com and we will delete it promptly.

If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with your national data protection supervisory authority.

Supervisory authorities by country:

• Austria: Österreichische Datenschutzbehörde (dsb.gv.at)
• Belgium: Autorité de protection des données (dataprotectionauthority.be)
• France: Commission Nationale de l’Informatique et des Libertés / CNIL (cnil.fr)
• Germany: Bundesdatenschutzbeauftragte (bfdi.bund.de)
• Netherlands: Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl)

We would, however, appreciate the opportunity to address your concerns directly before you contact a supervisory authority. Please reach out to us first at hello@curvay.com.

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will update the “Last updated” date at the top of this page and, where appropriate, notify you by email.

We encourage you to review this policy periodically. Continued use of curvay.com after any changes constitutes your acceptance of the updated policy.

For any privacy-related questions, data requests, or concerns, please contact us.

This Privacy Policy applies to all users of curvay.com.