Privacy Policy

1. About This Policy

This Privacy Policy applies to all users of fashioncitystore.com (“we”, “us”, “our”)—a pre-launch e-commerce platform (currently displaying a “Pardon our dust! We’re working on something amazing — check back soon!” notice) that will focus on curated lifestyle products (e.g., home essentials, fashion accessories, artisanal goods) post-launch. It governs the collection, use, storage, protection, and disclosure of your personal data across all interactions with our site, including browsing the pre-launch page, subscribing to launch notifications (once available), creating an account (post-launch), placing orders, leaving product reviews (post-launch), or contacting customer support.

We comply with global data protection regulations, including the EU General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and Australia’s Privacy Act, to ensure transparent and ethical data handling. “Personal data” refers to any information that can identify you directly or indirectly, such as your full name, email address, phone number, postal address, IP address, device identifiers (e.g., device ID for mobile/desktop), browsing behavior (e.g., saved “favorite” items post-launch), and preferences (e.g., product category interests like “sustainable home goods”).

This Policy does not cover third-party services linked from our site (e.g., LinkedIn/Instagram/Facebook social icons, payment gateways like PayPal, shipping carriers like UPS)—we strongly recommend reviewing these third parties’ privacy policies independently, as we have no control over their data practices.

2. Data Controller & Contact Information

The data controller responsible for managing your personal data is the operator of fashioncitystore.com. For privacy-related inquiries, requests (e.g., accessing your data, updating preferences, withdrawing consent), or complaints, contact our Privacy Team:

  • Email: support@fashioncitystore.com (Subject Line: “Privacy Inquiry/Request”)
  • Response Commitment: We acknowledge all requests within 1 business day and aim to resolve them within 30 days. For complex requests (e.g., exporting your full data record, correcting historical order data), we may extend this timeline by up to 2 months, but will provide written notice of delays and biweekly progress updates to keep you informed.

3. What Personal Data We Collect

We collect personal data only for specific, legitimate purposes and avoid unnecessary collection. Data collection is categorized by your interaction with the platform (pre-launch and post-launch):

3.1 Pre-Launch Data Collection

While the site is in pre-launch, data collection is limited to supporting launch preparation and user engagement:

  • Automatically Collected Technical Data (no user action required):
    • IP Address: To identify your general geographic region (e.g., “Toronto, Canada” or “Sydney, Australia”) for two key purposes:
      • Pre-launch planning: Prioritizing product categories and inventory based on high-traffic regions (e.g., stocking more cold-weather accessories for users in northern climates).
      • Security monitoring: Blocking access from IP ranges linked to malicious activity (e.g., repeated automated attempts to access restricted pre-launch backend systems or scrape site code).
    • Device & Browser Metadata: Browser type/version (e.g., Chrome 122, Safari 17.4), operating system (e.g., Windows 11, iOS 18), device model (e.g., Dell XPS 15, iPhone 15 Pro), and screen resolution. This ensures the post-launch site is optimized for the devices most used by our audience (e.g., adjusting button sizes and product image layouts for mobile users).
    • Visit Behavior: Date/time of your visit, duration spent on the pre-launch page, and interactions (e.g., clicks on social media icons, “Notify Me When Live” buttons once available). This helps us refine the pre-launch page’s layout (e.g., moving high-click elements to more prominent positions) and measure interest in our brand.
  • Voluntary Launch Notification Data (once the sign-up feature is enabled):
    • Email Address: The primary identifier for sending launch alerts (e.g., “fashioncitystore.com is now live!”), exclusive pre-launch offers (e.g., “20% off your first order for early subscribers”), and updates on product categories (e.g., “Sneak peek: Our sustainable home goods line”).
    • Optional First/Last Name: For personalized communication (e.g., “Hi [Name], your launch access link is ready”)—you may choose to provide only your email address if preferred.
    • Optional Product Interest: A dropdown menu (e.g., “Home Essentials”, “Fashion Accessories”, “Artisanal Foods”) to tailor launch notifications (e.g., sending updates about “sustainable fashion” to users who selected that interest).

Legal Basis for Pre-Launch Collection: Article 6(1)(f) GDPR (our legitimate interest in preparing a user-centric, regionally relevant launch) and CCPA § 1798.100 (reasonable business purposes for pre-launch planning and audience engagement).

3.2 Post-Launch Data Collection

Once the platform launches, we collect additional data to support core e-commerce functions and user experience:

  • Account Registration Data:
    • Full Legal Name: To verify your identity for order fulfillment, comply with anti-fraud regulations (e.g., matching your name to payment method details), and ensure accurate delivery (e.g., matching the name on the shipping label to the recipient).
    • Email Address: For account activation (via a verification link to confirm ownership), password resets (sent to your registered email), transactional communications (e.g., order confirmations, shipping updates), and marketing communications (if you opt in).
    • Encrypted Password: Stored using bcrypt hashing (with a work factor of 12) — a secure industry standard that ensures we never access or store your raw password, even internally.
    • Optional Phone Number: For SMS security alerts (e.g., “A new device logged into your account from London”) and delivery updates (e.g., “Your package will arrive today between 3–5 PM”)—you can opt out of non-essential SMS communications (e.g., promotional texts) anytime via your account’s “Communication Preferences” tab.
    • Saved Addresses: Shipping and billing addresses (stored with your consent) to streamline future purchases (e.g., auto-filling addresses for repeat orders). You can add, edit, or delete addresses at any time.
  • Purchase Transaction Data:
    • Order Details: Product name, SKU, quantity, price, color, size (if applicable), and customizations (e.g., “engraved jewelry box with ‘Family’”). This ensures accurate fulfillment and simplifies returns/exchanges (e.g., verifying the correct product was shipped).
    • Payment Identifiers: Last 4 digits of a credit card, PayPal account ID, or Apple Pay/Google Pay token. Full payment details are processed by PCI DSS (Payment Card Industry Data Security Standard)-compliant third-party providers (e.g., Stripe, Adyen)—we never store full credit card numbers, CVV codes, or expiration dates.
    • Billing Address: To verify payment method legitimacy (e.g., matching the address on your credit card statement to reduce fraud) and comply with tax regulations (e.g., calculating sales tax for U.S. orders or GST for Canadian orders).
  • User-Generated Content (UGC) Data (post-launch, if you submit reviews/photos):
    • Account Username/Name: To attribute UGC to you (e.g., “Review by [Name]”) and build trust with other users.
    • UGC Content: Text (product reviews, comments), photos, or videos you submit (e.g., a photo of you using our fashion accessory). We may moderate this content (per our Terms of Service) to ensure compliance with guidelines (e.g., removing hate speech or irrelevant content) before publishing.
    • Optional Location Tag: If you choose to tag your location (e.g., “Reviewed from Paris”), we collect this to enhance community engagement (e.g., featuring local UGC in regional promotions).

Legal Basis for Post-Launch Collection: Article 6(1)(b) GDPR (necessary to fulfill our contractual obligation to deliver your order) and CCPA § 1798.100 (contractual compliance for purchases and account management).

4. How We Use Your Personal Data

We use your personal data exclusively for the purposes it was collected—no unstated use without your explicit consent. Key use cases include:

4.1 Pre-Launch Preparation & Communication

  • Launch Alerts: Send email notifications to users who subscribed to launch updates, including launch timelines, early access windows (e.g., “Early access for subscribers starts tomorrow at 10 AM”), and pre-launch product teasers (e.g., “Sneak peek: Our new line of eco-friendly home candles”).
  • Brand Engagement: Share occasional updates about our brand’s mission (e.g., “We partner with 15 female artisans to create our products”)—you can unsubscribe from non-essential brand updates via the “Unsubscribe” link in emails.

4.2 Post-Launch Order Fulfillment & Account Management

  • Payment Processing: Share your billing address and payment identifiers (last 4 digits of a card) with PCI DSS-compliant payment providers to process transactions securely, verify funds availability, and prevent fraud (e.g., flagging stolen credit cards).
  • Shipping Coordination: Share your name, delivery address, and order number with trusted shipping carriers (e.g., UPS, FedEx, Canada Post) to ensure timely delivery. If you provided a phone number, we may share it with the carrier to send delivery notifications (e.g., “Your package is out for delivery”).
  • Account Security: Use device metadata (e.g., device model, IP address) to detect unauthorized account activity (e.g., a login from a country you’ve never visited) and send security alerts to your registered email/phone. We may also lock your account temporarily if suspicious activity is detected, requiring you to verify your identity (e.g., via a verification code) to regain access.

4.3 Personalization & Platform Improvement (Post-Launch)

  • Product Recommendations: Use your purchase history and product interests (e.g., “sustainable home goods”) to suggest relevant items (e.g., “You bought our eco-friendly tote bag—try our matching reusable water bottle”).
  • Site Optimization: Analyze anonymized browsing data (e.g., which product pages have high bounce rates, how users navigate the checkout process) to improve the platform’s design (e.g., adding more product photos to low-engagement pages, simplifying checkout steps to reduce abandonment).
  • UGC Moderation & Use: Review submitted UGC to ensure compliance with our content guidelines (e.g., no false claims about products, no offensive language) before publishing. With your consent, we may feature your UGC in marketing materials (e.g., a review in a promotional email) to build trust with other users.

4.4 Legal & Regulatory Compliance

  • Tax Reporting: Retain order and payment data for 7 years to comply with global tax laws (e.g., U.S. IRS requirements, EU VAT regulations, Canadian CRA guidelines).
  • Fraud Investigations: Use transaction data (e.g., billing/shipping address matching) and IP address to investigate suspicious orders (e.g., multiple high-value orders from the same IP with different billing addresses) and report fraud to law enforcement if necessary.
  • Dispute Resolution: Use your order history and communication records to resolve customer inquiries (e.g., “You claimed your order was missing—here’s proof of delivery via signature”) and defend against false claims.

5. How We Share Your Personal Data

We never sell your personal data to third parties for marketing purposes. We only share data with trusted partners who assist us in delivering services, and these partners are bound by strict contractual obligations to protect your data and use it only as instructed:

5.1 Pre-Launch/Post-Launch Technical Partners

  • Hosting & Security Providers: Share anonymized technical data (e.g., IP region, device type) with AWS (Amazon Web Services) for hosting and Cloudflare for security. These partners use the data to maintain site uptime (e.g., scaling server capacity during high-traffic periods), block DDoS attacks, and optimize page load speed.
  • Analytics Providers: Share aggregated, anonymized data with Google Analytics 4 to measure pre-launch engagement (e.g., sign-up conversion rate for launch notifications) and post-launch user behavior (e.g., how many users add products to cart but don’t checkout). Anonymized data cannot be linked to individual users (e.g., IP addresses are truncated to “192.168.1.XXX”).

5.2 Payment & Shipping Partners

  • Payment Processors: Share your billing address and payment identifiers (last 4 digits of a card) with Stripe/Adyen to process transactions. These providers retain data only for the transaction lifecycle (typically 30 days) and do not use it for marketing. They are required to comply with PCI DSS standards to protect your financial data.
  • Shipping Carriers: Share your name, delivery address, and order number with UPS/FedEx/Canada Post to deliver your order. Carriers are prohibited from using your data for any purpose other than delivery (e.g., adding you to their marketing lists) and must delete your data within 60 days of delivery confirmation.

5.3 Marketing Partners (With Explicit Consent)

  • Email Service Providers: Share your email address (if you opt in to marketing) with Mailchimp to send personalized promotions (e.g., “Your saved items are now 15% off”) and new product announcements. Mailchimp is contractually required to honor opt-out requests within 7 days and encrypt your email address to prevent unauthorized access.
  • Social Media Advertising Partners: Share hashed email addresses (never raw data) with Meta (Facebook/Instagram) and Google Ads to run targeted launch campaigns (e.g., reaching users who subscribed to launch alerts but haven’t made a purchase). This data is used only to match users to their social media profiles and cannot be reversed to identify individuals.

5.4 Legal Authorities

  • Disclose your personal data if required by law (e.g., court orders, subpoenas, tax audits) or to protect our legitimate interests (e.g., defending against false claims of product defects, investigating fraud). We share only the minimum amount of data necessary to fulfill the request and will notify you of the disclosure unless prohibited by law (e.g., sealed court orders or ongoing criminal investigations).

6. Data Security & Retention

6.1 Data Security Measures

We use industry-leading technical and organizational measures to protect your personal data from unauthorized access, disclosure, alteration, or destruction:

  • End-to-End Encryption: All data transmitted between your device and our server (e.g., launch notification sign-ups, account registration, payment details) is encrypted using TLS 1.3—verified by a Comodo SSL certificate (visible via the padlock icon in your browser).
  • Secure Storage: Sensitive data (encrypted passwords, order records, payment identifiers) is stored on servers with:
    • Physical security: 24/7 guarded data centers with biometric entry (fingerprint/retina scans), video surveillance, and fire suppression systems.
    • Digital security: Multi-factor authentication (MFA) for all staff accessing user data, role-based access controls (e.g., only customer support teams can view order details; only finance teams can view payment identifiers), and automated breach detection (alerts for unusual data access patterns, such as a staff member accessing multiple user accounts in a short period).
  • Regular Audits: Annual third-party security audits (by firms like Deloitte) to test for vulnerabilities (e.g., SQL injection, cross-site scripting) and ensure compliance with global standards (GDPR, PCI DSS, CCPA).
  • Breach Response Plan: If a data breach occurs (e.g., unauthorized access to launch notification email lists or post-launch order data), we will:
    1. Isolate the affected system within 1 hour of detection to prevent further access.
    2. Notify affected users and regulatory authorities within 72 hours (as required by GDPR/CCPA) via email and a prominent banner on the pre-launch/post-launch site.
    3. Provide free credit monitoring (for users whose payment identifiers or personal data was exposed) and a dedicated support line to address questions.

6.2 Data Retention Periods

We retain your personal data only as long as necessary to fulfill the purposes it was collected, plus any time required by law:

  • Pre-Launch Data:
    • Technical browsing data (IP address, device metadata): Anonymized or deleted within 2 months of your last visit.
    • Launch notification data (email/name/interest): Retained until 60 days post-launch (or longer if you opt in to post-launch marketing communications).
  • Post-Launch Data:
    • Account data (name, email, saved addresses): Retained while your account is active—deleted 45 days after you close your account (to allow for post-closure refund requests or dispute resolution).
    • Order data (order details, payment identifiers): Retained for 7 years (tax compliance)—anonymized after 7 years (all personal identifiers, such as your name or email, are removed).
    • UGC data (reviews, photos): Retained as long as the content is published on our site—deleted within 7 days of your request to remove the content.
    • Marketing data (email/phone for promotions): Retained only while you opt in—deleted within 7 days of unsubscribing (we may retain a hashed version of your email to avoid re-adding you to marketing lists).

7. Your Privacy Rights

Under global data protection laws, you have the following rights regarding your personal data. To exercise these rights, email support@fashioncitystore.com with proof of identity (e.g., a copy of your launch notification sign-up confirmation, a redacted government-issued ID, or a response to a security question like “What was the email address you used to subscribe?”):

  • Right to Access: Request a free copy of all personal data we hold about you (e.g., your launch sign-up date, post-launch order history, saved preferences) in a machine-readable format (CSV, JSON, or PDF).
  • Right to Rectification: Correct inaccurate or incomplete data (e.g., updating an outdated shipping address, fixing a misspelled name) within 7 business days of your request.
  • Right to Erasure (“Right to Be Forgotten”): Request deletion of your personal data if it is no longer necessary for the purpose it was collected (e.g., you no longer want launch updates) or if you withdraw consent. We will confirm deletion within 14 business days and notify third parties (e.g., marketing providers) to delete your data as well.
  • Right to Restrict Processing: Limit how we use your data (e.g., pausing marketing communications while you’re on vacation) until a dispute (e.g., a contested order) is resolved.
  • Right to Data Portability: Transfer your account and order data to another e-commerce platform (if technically feasible) within 14 business days of your request (e.g., exporting your purchase history to import into another retailer’s system).
  • Right to Object: Opt out of non-essential data processing (e.g., personalized product recommendations, marketing communications) at any time—we will stop processing within 3 business days of your request.
  • Right to Withdraw Consent: Withdraw consent for any processing based on your consent (e.g., SMS delivery updates, UGC publication) — this does not affect the legality of processing before consent was withdrawn.
  • Right to Lodge a Complaint: File a complaint with a data protection authority in your region if you believe we have violated your privacy rights:
    • EU/UK: Local data protection authority (e.g., ICO in the UK, CNIL in France).
    • California: California Attorney General’s Office or California Privacy Protection Agency (CPPA).
    • Canada: Office of the Privacy Commissioner of Canada (OPC).

8. Changes to This Policy

We may update this Privacy Policy to reflect:

  • Changes in legal requirements (e.g., new state privacy laws like the Colorado Privacy Act, updates to GDPR).
  • Post-launch platform features (e.g., adding a loyalty program that collects points data, launching a “wishlist” function).
  • Updates to our data processing practices (e.g., switching to a new payment provider, discontinuing a marketing tool that uses personal data).

When we make changes:

  • We post the revised Policy on fashioncitystore.com with a new “Last Updated” date prominently displayed at the top.
  • We notify account holders and pre-launch subscribers of material changes (e.g., new data collection categories, changes to how we share data) via email at least 7 days before the changes take effect. The email will include a summary of key updates and a link to the full revised Policy.
  • For non-material changes (e.g., updating contact information, clarifying existing provisions), we post the revised Policy on the site without additional notification.

Your continued use of fashioncitystore.com after the revised Policy is posted constitutes acceptance of the changes. If you do not agree to the revised Policy, you must stop using the site and close your account (post-launch) by emailing support@fashioncitystore.com.

9. Children’s Privacy

We do not intentionally collect personal data from children under the age of 13 (or the age of majority in your region, if higher—e.g., 16 in the EU). Our platform is not directed at children, and parents or legal guardians must ensure minors do not provide personal data on our site (e.g., subscribing to launch notifications, creating an account post-launch).

If we become aware that we have collected personal data from a child without parental consent (e.g., a parent notifies us that their 10-year-old subscribed to launch alerts), we will:

  • Delete the child’s personal data within 7 business days (e.g., removing the email from our launch notification list).
  • Notify the parent or guardian (if contact information is available) to explain the steps taken and confirm deletion.

If you believe your child has provided personal data on our site, please contact us at support@fashioncitystore.com with:

  • The child’s name.
  • The date the data was provided (e.g., “My child subscribed to launch alerts on 10/1/25”).
  • Any relevant details (e.g., the email address used to subscribe).