Skip to main content
Free US Shipping on All Orders
HEVA LIVINGLifestyle Store

Privacy Policy

1. Introduction

Heva Living β€” Lifestyle Store ("we," "our," "us") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains what data we collect, why we collect it, how we use and protect it, and your rights regarding your personal information.

This policy applies to all visitors and customers of www.hevaliving.com. By using our website, you acknowledge that you have read and understood this Privacy Policy.

2. Data Controller

Heva Living β€” Lifestyle Store is the data controller responsible for your personal data. For any privacy-related enquiries, you can reach us via our contact form or at hello@hevauniqueart.com.

3. Data We Collect

We collect the following categories of personal information:

Information you provide directly

  • Purchase information: Full name, email address, shipping address
  • Contact form submissions: Name, email address, message content
  • Newsletter signup: Email address (with your explicit consent)

Information collected automatically

  • Analytics data: Page views, session duration, device type, approximate location (via Google Analytics 4, only with your consent)
  • Technical data: IP address, browser type, operating system (collected by our hosting provider for security purposes)

Information we do not collect

We never collect, store, or have access to your credit card or payment details. All payment processing is handled entirely by Stripe. Card information never touches our servers.

4. Legal Basis for Processing (GDPR)

We process your personal data based on the following legal grounds:

  • Contract performance: Processing your order, communicating about your purchase, and providing shipping updates (Article 6(1)(b) GDPR)
  • Legitimate interest: Fraud prevention, website security, and improving our services (Article 6(1)(f) GDPR)
  • Consent: Analytics cookies, marketing emails, and newsletter subscriptions (Article 6(1)(a) GDPR)
  • Legal obligation: Retaining transaction records for tax and accounting purposes (Article 6(1)(c) GDPR)

5. How We Use Your Data

  • To process and fulfil your order
  • To send order confirmation and shipping update emails
  • To respond to contact form enquiries
  • To send marketing emails (only with your explicit consent)
  • To analyse website traffic and improve our services (with consent)
  • To detect and prevent fraud
  • To comply with legal and tax obligations

We do not sell, rent, or share your personal data with third parties for marketing purposes.

6. Third-Party Services & Sub-Processors

We use trusted third-party services to operate our business. Each may process personal data as described:

  • Stripe (USA) β€” Payment processing. Stripe stores your payment method details and billing information under their own Privacy Policy. We never see or store your card number.
  • Print production and fulfilment partner (EU/USA) β€” Your name, shipping address, and order details are transmitted to our print production partner and their provider network to produce and ship your order.
  • Secure database hosting provider (USA) β€” Your name, email, shipping address, and order history are stored in our securely hosted database with encryption at rest and row-level access controls.
  • Image delivery and optimisation service (USA) β€” Used for delivering product artwork images only; no personal data is processed.
  • Transactional email delivery service (USA) β€” Your email address is used to send order confirmations and shipping updates.
  • Google Analytics 4 (USA) β€” Website analytics (consent-only). Anonymised usage data; no purchase or personal details shared.
  • Website hosting provider (USA) β€” May process IP addresses for security and performance monitoring.

7. International Data Transfers

Several of our sub-processors are based in the United States. Where personal data is transferred outside the EU/EEA, we ensure that appropriate safeguards are in place, including:

  • EU-U.S. Data Privacy Framework certification (where applicable)
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions by the European Commission

8. Cookies

We use the following types of cookies:

  • Essential cookies: Required for core website functionality (e.g., session management). These cannot be disabled.
  • Analytics cookies: Used by Google Analytics 4 to understand website usage. These are only set after you provide explicit consent via our cookie banner.

A cookie consent banner is displayed on your first visit. You may accept or decline analytics cookies at any time. You can also manage cookies through your browser settings.

9. Do Not Track Signals

Some browsers offer a "Do Not Track" (DNT) setting that sends a signal to websites you visit indicating that you do not wish to be tracked. There is currently no universally accepted standard for how websites should respond to DNT signals.

At this time, our website does not respond to DNT browser signals. However, you can manage your tracking preferences through our cookie consent banner, which allows you to opt out of analytics cookies at any time.

10. Data Retention

  • Order data (name, email, shipping address, order details): Retained for 7 years to comply with tax and accounting obligations
  • Contact form enquiries: Retained for 2 years, then deleted
  • Newsletter subscribers: Retained until you unsubscribe
  • Analytics data: Per Google Analytics retention settings (default 14 months)

After the retention period expires, data is securely deleted or anonymised.

11. Your Rights Under GDPR (EU/EEA Residents)

If you are located in the EU/EEA, you have the following rights:

  • Right of access: Request a copy of the personal data we hold about you
  • Right to rectification: Request correction of inaccurate or incomplete data
  • Right to erasure: Request deletion of your data ("right to be forgotten"), subject to legal retention requirements
  • Right to restrict processing: Request that we limit how we use your data
  • Right to data portability: Receive your data in a structured, machine-readable format
  • Right to object: Object to processing based on legitimate interest
  • Right to withdraw consent: Withdraw consent at any time, without affecting the lawfulness of processing before withdrawal

To exercise any of these rights, contact us at hello@hevauniqueart.com or via our contact form. We will respond within 30 days.

You also have the right to lodge a complaint with your local data protection supervisory authority if you believe your rights have been violated.

12. Your Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to know: You may request details about the categories and specific pieces of personal information we have collected about you
  • Right to delete: You may request that we delete your personal information, subject to certain legal exceptions
  • Right to correct: You may request correction of inaccurate personal information
  • Right to opt out of sale/sharing: We do not sell or share your personal information for cross-context behavioural advertising
  • Right to non-discrimination: We will not discriminate against you for exercising your privacy rights

To exercise these rights, contact us at hello@hevauniqueart.com. We will respond within 45 days as required by law.

13. Children's Privacy

Our website is not directed to children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete the information.

14. Data Security

We implement appropriate technical and organisational security measures to protect your personal data, including:

  • HTTPS/TLS encryption for all data in transit
  • Encryption at rest for stored data
  • Row-level security policies on our database
  • Access controls limiting data access to authorised personnel only
  • Regular security reviews of third-party integrations

While we strive to protect your data, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security but are committed to safeguarding your information to the best of our ability.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. Material changes will be posted on this page with an updated effective date. We encourage you to review this page periodically. Your continued use of the website after changes are posted constitutes acceptance of the revised policy.

16. Contact

For privacy-related questions, data requests, or complaints, please contact us:

Effective date: March 13, 2026