
Privacy Policy

Website: herbaniacosmetics.com
Effective Date: March 15, 2026
Last Updated: March 15, 2026

1. Data Controller

This website is operated by:

Herbania Cosmetics
Apartado de correos 147
35610 Castillo Caleta de Fuste
Canarias, Spain

Contact Email: info@herbaniacosmetics.com
Contact Phone: +34664242004

We are the data controller responsible for your personal data under the General Data Protection Regulation (GDPR). We do not have a designated Data Protection Officer.

2. Scope of This Policy

This Privacy Policy applies to all personal data collected through herbaniacosmetics.com and explains how we collect, use, share, and protect your information. This policy applies only to our online activities and does not cover information collected offline or through other channels.

By using our website, you acknowledge that you have read and understood this Privacy Policy.

3. Personal Data We Collect

We collect the following categories of personal data:

3.1 Information You Provide Directly

  1. Contact Forms: Name, email address, phone number, message content

  2. Account Registration: Name, company name, address, email address, telephone number

  3. Order Information: Billing and shipping addresses, payment details, order history

  4. Customer Service: Communications with our support team, including attachments you send

3.2 Information Collected Automatically

  1. Technical Data: IP address, browser type and version, Internet Service Provider (ISP), device information

  2. Usage Data: Pages visited, date and time stamps, referring/exit pages, clickstream data

  3. Cookies and Tracking: See Section 8 for detailed cookie information

3.3 Children's Privacy

We do not knowingly collect personal data from children under 13 years of age. If you believe your child has provided us with personal information, please contact us immediately and we will delete such information from our records.

4. How We Collect Your Data

We collect personal data through:

  1. Direct interactions when you fill out forms, create an account, place orders, or contact us

  2. Automated technologies including cookies, log files, and similar tracking technologies

  3. Third parties including payment processors and shipping partners when you make purchases

5. Purposes and Legal Bases for Processing

We process your personal data for the following purposes with corresponding legal bases under GDPR:

| Purpose | Legal Basis | Data Used |
| --- | --- | --- |
| Process and fulfill orders | Contract necessity (Art. 6(1)(b) GDPR) | Contact info, shipping address, payment data |
| Manage customer accounts | Contract necessity | Account details, order history |
| Customer service and support | Contract necessity / Legitimate interests | Contact info, communication records |
| Improve website functionality and user experience | Legitimate interests (Art. 6(1)(f) GDPR) | Usage data, technical data |
| Analyze website usage and trends | Legitimate interests | Analytics data, log files |
| Send marketing communications | Consent (Art. 6(1)(a) GDPR) | Email address, preferences |
| Prevent fraud and ensure security | Legitimate interests / Legal obligation | IP addresses, transaction data |
| Comply with legal obligations (tax, accounting) | Legal obligation (Art. 6(1)(c) GDPR) | Order data, invoices |

Table 1: Processing purposes and legal bases

Marketing Communications: We will only send you marketing emails if you have explicitly opted in to receive them. You can withdraw your consent at any time by clicking the unsubscribe link in any marketing email or by contacting us directly.

6. Data Sharing and Third-Party Processors

We share your personal data only with trusted third-party processors who assist us in operating our website and fulfilling orders. All processors are bound by data processing agreements under Article 28 GDPR.

6.1 Primary Data Processor - Fulfillment Partner

Herbania Kosmetik Deutschland / Alissa Lerch & Michael Lerch GbR
Eschenweg 5
61381 Friedrichsdorf, Germany

Purpose: Order fulfillment, shipping, and delivery within EU mainland (VAT zone)

Data Shared: Name, shipping address, email address, phone number, order details

Legal Basis: Data Processing Agreement dated January 6, 2022, in accordance with Art. 28 GDPR

Sub-Processors Used by Fulfillment Partner:

  1. DHL Group: Shipping and package tracking services

    1. Data retention: Tracking data up to 90 days after delivery; proof of delivery approximately 3 months

    2. Storage: Electronic (DHL IT systems) and physical (package labels)

  2. Zoho Inventory: Internal order management and invoice recordkeeping

    1. Data retention: Active use while account is active; tax-relevant invoices retained for 10 years (German legal requirement)

    2. Storage: Cloud-based systems within EU or with appropriate safeguards

6.2 Other Service Providers

  1. Wix.com: Website hosting and infrastructure

  2. Payment Processors: Secure payment processing (payment card data is processed directly by payment providers; we do not store full card details)

6.3 No Data Sales

We do not sell, rent, or trade your personal data to third parties for marketing purposes.

6.4 International Data Transfers

All primary data processing occurs within the European Union. Where sub-processors transfer data outside the EU/EEA, they use appropriate safeguards such as:

  1. Standard Contractual Clauses approved by the European Commission

  2. EU-US Data Privacy Framework certification (where applicable)

  3. Adequacy decisions by the European Commission

You may request information about specific safeguards by contacting us.

7. Data Retention Periods

We retain your personal data only for as long as necessary to fulfill the purposes described in this policy or as required by law:

| Data Category | Retention Period |
| --- | --- |
| Contact form submissions | 6 years (Spanish legal/tax requirements) |
| Account information | While account is active, then 6 years after closure |
| Order and invoice data | 10 years (tax and accounting legal obligations) |
| Shipping data (via processor) | 90 days to 3 months (tracking and delivery proof) |
| Marketing consent and communications | Until consent is withdrawn, then deleted within 30 days |
| Website log files | 12 months |
| Cookie data | As specified in cookie banner (typically 13 months for analytics) |

Table 2: Data retention schedule

After retention periods expire, we securely delete or anonymize your personal data.

8. Cookies and Tracking Technologies

Our website uses cookies and similar technologies to enhance your browsing experience and analyze website usage.

8.1 What Are Cookies?

Cookies are small text files stored on your device when you visit websites. They help websites remember your preferences and improve functionality.

8.2 Types of Cookies We Use

  1. Essential Cookies: Required for website functionality (e.g., shopping cart, login sessions). These do not require consent as they are necessary for the service you requested.

  2. Analytics Cookies: Help us understand how visitors use our website (e.g., pages visited, time spent). These require your consent.

  3. Marketing Cookies: Track your browsing to show relevant advertisements. These require your consent.

8.3 Managing Your Cookie Preferences

You can manage your cookie preferences through:

  1. Our cookie consent banner that appears when you first visit the site

  2. Your browser settings (see your browser's help section for instructions)

  3. Third-party opt-out tools for advertising cookies

Blocking essential cookies may affect website functionality. For more details, please see our Cookie Policy.

9. Your Rights Under GDPR

As a data subject in the European Union, you have the following rights:

9.1 Right of Access (Art. 15 GDPR)

You have the right to request copies of your personal data. We may charge a reasonable administrative fee for additional copies beyond the first request.

9.2 Right to Rectification (Art. 16 GDPR)

You have the right to request correction of inaccurate personal data or completion of incomplete information.

9.3 Right to Erasure / "Right to be Forgotten" (Art. 17 GDPR)

You have the right to request deletion of your personal data under certain conditions, such as:

  1. The data is no longer necessary for the purposes it was collected

  2. You withdraw consent and no other legal basis exists

  3. You object to processing and no overriding legitimate grounds exist

  4. The data was unlawfully processed

Note: We may be required to retain certain data to comply with legal obligations (e.g., tax records).

9.4 Right to Restriction of Processing (Art. 18 GDPR)

You have the right to request restriction of processing under certain conditions, such as when you contest the accuracy of data or object to processing.

9.5 Right to Object to Processing (Art. 21 GDPR)

You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we have compelling legitimate grounds.

9.6 Right to Data Portability (Art. 20 GDPR)

You have the right to request that we transfer your data to another organization or provide it to you in a structured, commonly used, machine-readable format.

9.7 Right to Withdraw Consent

Where processing is based on consent (e.g., marketing emails), you have the right to withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

9.8 How to Exercise Your Rights

To exercise any of these rights, please contact us:

  1. Email: info@herbaniacosmetics.com with subject line "GDPR Data Rights Request"

  2. Mail: Herbania Cosmetics, Apartado de correos 147, 35610 Castillo Caleta de Fuste, Canarias, Spain

We will respond to your request within one month. If your request is complex, we may extend this period by two additional months and will notify you.

9.9 Right to Lodge a Complaint

If you believe we have not handled your personal data properly, you have the right to lodge a complaint with your local supervisory authority.

Spanish Data Protection Authority (AEPD):
Website: www.aepd.es
Address: C/ Jorge Juan, 6, 28001 Madrid, Spain

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, destruction, or alteration:

  1. SSL/TLS encryption for data transmission

  2. Access controls limiting data access to authorized personnel only

  3. Secure server infrastructure with regular security updates

  4. Regular security audits and vulnerability assessments

  5. Encryption of sensitive data at rest

  6. Secure backup procedures

  7. Staff training on data protection and security

While we strive to protect your personal data, no internet transmission is completely secure. We cannot guarantee absolute security but will notify you and relevant authorities of any data breach within 72 hours if required by law.

11. Third-Party Websites and Links

Our website may contain links to third-party websites, advertisers, or services not operated by us. This Privacy Policy does not apply to those third-party sites. We are not responsible for the privacy practices of third parties.

We recommend reviewing the privacy policies of any third-party websites you visit. If you click on third-party advertisements or links, they may collect your information directly.

12. Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or business operations. Significant changes will be communicated through:

  1. A prominent notice on our website

  2. Email notification to registered users (for material changes)

  3. Updated "Last Updated" date at the top of this policy

We encourage you to review this Privacy Policy periodically. Your continued use of our website after changes constitutes acceptance of the updated policy.

13. Legal Compliance

13.1 GDPR Compliance (EU)

This Privacy Policy complies with the General Data Protection Regulation (EU) 2016/679.

13.2 CCPA Rights (California Residents)

Under the California Consumer Privacy Act (CCPA), California residents have the right to:

  1. Request disclosure of categories and specific pieces of personal data collected

  2. Request deletion of personal data

  3. Request that we do not sell personal data (note: we do not sell personal data)

To exercise these rights, contact us using the information in Section 9.8. We will respond within 45 days.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Herbania Cosmetics
Apartado de correos 147
35610 Castillo Caleta de Fuste
Canarias, Spain

Email: info@herbaniacosmetics.com
Phone: +34664242004

For GDPR-related requests: Please use subject line "GDPR Request" or "Data Rights Request"

For DPA inquiries: Our Data Processing Agreement with fulfillment partners is available upon request.

 

Acknowledgment: By using herbaniacosmetics.com, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.
