GDPR Compliance Statement
This statement explains how Algaplay processes personal data of customers and visitors located in the European Union, the European Economic Area, and the United Kingdom, in accordance with Regulation (EU) 2016/679 (the "General Data Protection Regulation" or "GDPR") and applicable national implementing laws.
1. Data Controller
The data controller responsible for the processing of personal data carried out through algaplay.com is:
- Algaplay [TBD: full legal entity name, e.g. "Algaplay S.r.l." or equivalent]
- Registered office: [TBD: full registered address]
- Company / VAT registration: [TBD]
- Contact for privacy matters: privacy@algaplay.com
- Data Protection Officer (DPO): [TBD: name and contact, if formally appointed under Art. 37 GDPR]
Where applicable, our EU representative under Article 27 GDPR is: [TBD — required only if the controller is established outside the EU/EEA].
2. Categories of Personal Data We Process
Depending on how you interact with our store, we process the following categories of personal data:
- Account data: name, email address, password (hashed), date of birth where required for age-verified products, language and country preferences.
- Order and transaction data: billing and shipping address, telephone number, items purchased, order history, returns, invoices.
- Payment data: processed by certified third-party payment providers (e.g. Shopify Payments, PayPal, Stripe). Algaplay does not store full card numbers; we only retain transaction identifiers and the last four digits where provided by the processor.
- Communication data: the content of emails, contact-form submissions, customer-service tickets, and chat conversations.
- Marketing data: newsletter subscription status, marketing preferences, opens, clicks, and engagement events (where consent is given).
- Technical and usage data: IP address, device and browser identifiers, operating system, referring URL, pages viewed, session duration, cookies and similar identifiers (see our Cookie Policy).
3. Purposes of Processing and Legal Bases
We process personal data only on one or more of the legal bases listed in Article 6 GDPR:
- Performance of a contract — Art. 6(1)(b): creating and managing your account, processing orders, payments, deliveries, returns, refunds, and providing customer support.
- Compliance with a legal obligation — Art. 6(1)(c): tax, accounting, invoicing, anti-fraud, and consumer-protection obligations under EU and national law.
- Legitimate interest — Art. 6(1)(f): securing the website against fraud and abuse, preventing chargebacks, conducting aggregated analytics, improving the product catalogue, and defending legal claims. A balancing test is documented for each such processing activity and is available on request.
- Consent — Art. 6(1)(a): sending marketing communications, profiling for personalised offers, and setting non-essential cookies. Consent is freely given, specific, informed, unambiguous, and may be withdrawn at any time without affecting the lawfulness of processing carried out before withdrawal (Art. 7(3) GDPR).
Where products are restricted by age (e.g. items requiring an 18+ confirmation), we may process date-of-birth or age-confirmation data on the basis of legal obligation and/or legitimate interest.
4. Recipients and Sub-Processors
We share personal data only with carefully selected recipients acting as data processors under a written agreement compliant with Article 28 GDPR:
- E-commerce platform: Shopify Inc. (hosting, order management).
- Payment service providers: [TBD: confirmed list — e.g. Shopify Payments, PayPal, Stripe].
- Shipping carriers and logistics partners: [TBD: confirmed list].
- Email and marketing platforms: [TBD: confirmed list — e.g. Klaviyo, Mailchimp].
- Analytics providers: [TBD: confirmed list — e.g. Google Analytics, where consent is obtained].
- Customer-service tooling: [TBD].
We do not sell personal data. We may disclose personal data to public authorities where required by law, court order, or to defend our legal rights.
5. International Data Transfers
Some of our processors are established outside the EU/EEA (in particular in the United States and Canada). When personal data is transferred outside the EU/EEA, we rely on one of the safeguards listed in Chapter V of the GDPR:
- An adequacy decision of the European Commission under Article 45 (e.g. for Canada, covering commercial organisations subject to PIPEDA; for the United Kingdom; or under the EU–U.S. Data Privacy Framework, where the recipient is certified).
- Standard Contractual Clauses adopted by the European Commission under Article 46(2)(c) (Decision (EU) 2021/914), supplemented by a Transfer Impact Assessment where required.
- Binding Corporate Rules or other appropriate safeguards under Article 46.
A copy of the safeguards in place for any specific transfer is available on request at privacy@algaplay.com.
6. Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected, and in any case in accordance with the following indicative criteria:
- Account data: for the lifetime of the account, plus up to 24 months of inactivity, after which the account is anonymised or deleted.
- Order, invoice, and accounting data: 10 years from the end of the financial year, where required by tax and accounting law in the controller's jurisdiction.
- Customer-service correspondence: up to 24 months from the last interaction.
- Marketing data: until consent is withdrawn or until 24 months of inactivity have elapsed, whichever occurs first.
- Cookies and similar identifiers: as set out in the Cookie Policy (typically 6–13 months for analytics, session-only for technical cookies).
- Logs and security data: typically 6–12 months, longer where necessary to investigate a confirmed incident.
After the applicable retention period, personal data is deleted or irreversibly anonymised.
7. Your Rights Under the GDPR
Subject to the conditions and limitations set out in Articles 15–22 of the GDPR, you have the right to:
- Access your personal data and obtain a copy (Art. 15).
- Rectify inaccurate or incomplete personal data (Art. 16).
- Obtain erasure ("right to be forgotten") of your personal data where one of the grounds in Art. 17 applies.
- Restrict processing in the cases listed in Art. 18.
- Data portability: receive your data in a structured, commonly used, machine-readable format and have it transmitted to another controller, where processing is based on consent or contract and is carried out by automated means (Art. 20).
- Object to processing based on legitimate interest, including profiling, and object at any time and free of charge to processing for direct-marketing purposes (Art. 21).
- Not be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects on you, except in the cases permitted by Art. 22.
- Withdraw consent at any time, where processing is based on consent (Art. 7(3)).
- Lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement (Art. 77).
8. How to Exercise Your Rights
You may exercise any of the rights above by writing to privacy@algaplay.com, including sufficient information for us to verify your identity. We will respond without undue delay and in any event within one month of receipt of the request, extendable by two further months for complex or numerous requests, in which case we will inform you of the extension and its reasons (Art. 12(3) GDPR).
You may also lodge a complaint with the supervisory authority of the EU/EEA Member State where you live, where you work, or where the alleged infringement of the GDPR took place. A list of EU supervisory authorities is available at edpb.europa.eu.
9. Security of Processing
We implement appropriate technical and organisational measures (Art. 32 GDPR) to ensure a level of security appropriate to the risk, including encryption in transit (TLS), access controls, segregation of environments, logging, and periodic review of our processors.
10. Children
Our store is not directed to children under the age of 16 (or the lower age set by the applicable Member State under Art. 8 GDPR, which may be 13, 14, or 15). We do not knowingly collect personal data from children below that age without verifiable parental consent. If you believe a child has provided personal data, please contact us so that we can delete it.
11. Changes to This Statement
We may update this statement to reflect changes in our processing activities or legal obligations. The "Last updated" date indicates the most recent revision. Material changes will be communicated by reasonable means before they take effect.
12. Contact
For any question regarding this statement or our data-protection practices, please contact privacy@algaplay.com.
Last updated: 28 April 2026.