CIELO & CRAFT LTD (hereinafter referred to as "we") is a legally registered and operating bag brand company in the UK, specializing in the design and sale of handbags, crossbody bags, laptop bags, travel bags, and other categories. We respect and protect the personal data privacy of all users of our services (hereinafter referred to as "you"), strictly comply with the EU General Data Protection Regulation (GDPR), the UK Data Protection Act, and other applicable laws and regulations, and are committed to ensuring that your personal data is collected and processed legally, fairly, and transparently.

This Privacy Policy aims to inform you of how we collect, use, store, transfer, and protect your personal data, as well as your legally protected data rights and how to exercise them. By using our official website (cielocraftltd.com), email communication, or other related services, you acknowledge that you have fully understood and agreed to all the contents of this Privacy Policy. If you have any questions about this policy, please contact us using the contact information at the end of this document.

I. Types of Personal Data We Collect

To provide and optimize bag sales, order fulfillment, and after-sales service, we only collect personal data necessary to achieve our business objectives (following the "minimum necessary" principle). This primarily includes the following categories:

1. Identity and Contact Data: Including but not limited to your name, email address, mobile phone number, shipping address, and postal code. This data is used for order confirmation, logistics and delivery, and after-sales coordination. The email address used for communication is your pre-registered contact information and care@cielocraftltd.com.
2. Transaction and Payment Data: Including but not limited to order number, type of bag purchased (handbag, crossbody bag, laptop bag, travel bag, etc.), quantity, amount, payment method, and payment voucher information. This data is used to complete transaction settlement, order reconciliation, and after-sales returns and exchanges.
3. Usage Data: Including but not limited to your browsing history on the official website, page dwell time, product categories of interest, and search history. This data is collected through cookies and similar technologies to optimize the website experience, personalize product recommendations, and improve service quality.
4. Other voluntarily provided data: Such as inquiries, complaints, suggestions, and product usage experiences provided via email or customer service feedback, used to respond to your needs and improve services.

We will not collect personal data unrelated to our business, nor will we proactively collect sensitive personal data (such as race, religion, health status, biometric data, etc.) unless we obtain your explicit and separate consent and comply with legal and regulatory requirements.

II. Purpose of Collection and Use of Personal Data

The personal data we collect will only be used for the following legitimate purposes, and each item has a corresponding legal basis (consent, contract performance, legitimate interests, etc.):

1. Fulfilling orders and providing services: Based on your order requirements, we will complete the delivery, after-sales return and exchange, and logistics tracking services for bag products to ensure the smooth fulfillment of the contract.
2. Optimizing product and service experience: Based on your browsing and purchasing behavior, we will analyze user preferences to optimize the website's functional design, product display, and category layout, providing you with bag recommendations that better suit your needs.
3. Communication and Notification: We will send you necessary notifications via email, SMS, etc., regarding order status updates, logistics information, and after-sales processing progress. If you agree, we may also send you information on new products and promotional activities (you can withdraw your consent at any time).
4. Security and Compliance: This is used to prevent fraudulent transactions, ensure the security of our website and payment system, comply with relevant EU and UK tax and trade regulations, and retain necessary transaction records for regulatory verification.
5. Handling Complaints and Disputes: Based on the feedback you provide, we will investigate and resolve any issues that arise during the service process, protecting the legitimate rights and interests of both parties.

III. Basis for Processing Personal Data

According to GDPR requirements, our processing of your personal data must be based on one of the following legal grounds:

1. Contract Performance: To fulfill your submitted bag order, we must process your identity, contact, and transaction data; otherwise, we cannot fulfill our order obligations.
2. Your Consent: Data processing for purposes such as personalized marketing and cookie use will be conducted with your explicit consent beforehand. You may withdraw your consent at any time through the notification method in this policy, and withdrawal will not affect previous legitimate data processing actions based on your consent.
3. Legitimate Interests: Data processing is conducted to optimize service quality, prevent security risks, and protect the legitimate rights and interests of the brand (such as analyzing user behavior to improve the website experience), without compromising your privacy rights.
4. Legal and Regulatory Requirements: Transaction and user data must be retained to comply with EU and UK tax, customs, and consumer protection laws and regulations.

IV. Sharing and Transfer of Personal Data

We promise to strictly control the scope of personal data sharing. Your data will only be shared with the following third parties to achieve business purposes and in compliance with laws and regulations. The confidentiality obligations and data protection responsibilities of these third parties will be stipulated in contracts:

1. Logistics Service Providers: To complete the delivery of bags, necessary information such as your name, delivery address, and contact information will be shared with our logistics partners solely for logistics fulfillment.
2. Payment Service Providers: To complete transaction settlements, we share transaction amounts and payment-related information with compliant payment institutions (such as those supporting PayPal), solely for payment processing and security verification.
3. Compliance and Service Partners: We may share data with law firms, auditing firms, etc., to fulfill legal and regulatory obligations, handle disputes, or share non-identified usage data with IT service providers to optimize our website technology.

If your personal data needs to be transferred to countries or regions outside the European Economic Area (EEA) (e.g., transfers between the UK and non-EEA countries), we will implement GDPR-compliant safeguards (such as standard contractual terms and sufficient verification of the data recipient's qualifications) to ensure secure and compliant data transmission.

V. Storage and Protection of Personal Data

1. Storage Period: We will only store your personal data for the shortest period necessary to achieve the data processing objectives. After this period, it will be deleted or anonymized in accordance with the law. Transaction data will be retained for the necessary period in accordance with EU and UK tax regulations, while marketing data will be deleted immediately upon your withdrawal of consent.
2. Protection Measures: We employ technical and management measures such as encrypted storage, access control, security auditing, and firewalls to protect your personal data from unauthorized access, disclosure, alteration, or damage. Only authorized personnel may access personal data, and they must adhere to strict confidentiality obligations.
3. Data Breach Notification: In the event of a personal data breach that may significantly impact your rights, we will notify the EU data protection regulator and you, the affected party, within 72 hours and take necessary remedial measures to mitigate the risk.

VI. Your Data Rights (Based on GDPR)

As a data subject, you have the following rights under the law, and we will provide you with convenient means to exercise these rights:

1. Right of Access: You have the right to request us to confirm whether your personal data is being processed and to obtain a copy of the data and related processing information.
2. Right of Correction: If your personal data contains errors or is incomplete, you have the right to request us to correct it promptly.
3. Right of Erasure (Right to Be Forgotten): You have the right to request us to delete your personal data in cases where the data processing purpose has been achieved, you have withdrawn your consent, or the data processing is illegal.
4. Right to Restrict Processing: You have the right to request that we suspend the processing of your personal data (e.g., if you dispute the accuracy of the data, or if the data processing is illegal but you do not request deletion).
5. Right to Data Portability: You have the right to request that we provide your personal data in a structured, universal, and machine-readable format to facilitate your transfer to other data controllers.
6. Right to Object: You have the right to object to data processing activities such as data analysis and personalized marketing based on legitimate or public interests, and we will cease such processing (unless there are significant legitimate reasons).
7. Right to Withdraw Consent: If data processing is based on your consent, you may withdraw your consent at any time without giving a reason. Withdrawal will not affect the legitimate processing based on consent prior to withdrawal.

To exercise the above rights, you can submit an application through the contact information at the end of this document. We will verify and provide feedback on the processing results within one month (this may be extended to two months in complex cases, in which case you will be notified in advance).

VII. Use of Cookies

Our official website uses cookies and similar tracking technologies to record your browsing preferences, optimize page loading speed, and ensure the secure operation of the website. Cookies are categorized into essential cookies and non-essential cookies:

1. Essential Cookies: Used to ensure basic website functions (such as order submission and page navigation). They can be used without your consent and cannot be disabled.
2. Non-essential Cookies: Used for analyzing user behavior, personalized recommendations, and advertising optimization. We will explicitly inform you and obtain your consent when you visit the website. You can disable them at any time through your browser settings.

Disabling non-essential cookies may affect the personalized experience of the website, but will not affect the use of basic services.

VIII. Third-Party Links and Services

Our website may contain links to third-party websites (such as payment platforms, logistics tracking platforms, etc.). These third parties have independent privacy policies, and we are not responsible for their data processing practices. We recommend that you carefully read their privacy policies before visiting third-party websites.

IX. Policy Updates and Dispute Resolution

1. This Privacy Policy will be updated and revised in a timely manner according to EU and UK laws and regulations and business adjustments. Revised policies will be prominently displayed on the website and will take effect from the date of publication.
2. If you have any objections to our data processing practices, you may first try to resolve the issue with us through the contact information at the end of this document. If the negotiation fails, you have the right to file a complaint with the EU data protection regulatory body (such as the Irish Data Protection Commission) or the UK Information Commissioner's Office (ICO), or pursue your rights through legal channels.

X. Contact Information

For inquiries regarding this Privacy Policy, exercising your data rights, or filing complaints related to data processing, please contact us through the following methods:

CIELO & CRAFT LTD always prioritizes your data privacy and security. Thank you for your trust and support.