Privacy policy

Last updated: 1 April 2026

1. Data Controller

The data controller responsible for your personal data is:

MOODSTORIES OÜ
Tallinn, Estonia
Registry code: 102740861
Email: order@moodstories.com

If you have any questions about how we process your personal data or wish to exercise your rights, please contact us at the email address above.

2. Categories of Personal Data We Collect

We collect and process the following categories of personal data:

  • Identity data: first name, last name.
  • Contact data: email address, phone number, billing and shipping address.
  • Transaction data: order details, payment information (processed by our payment provider; we do not store full card details), purchase history.
  • Account data: username, password (hashed), account preferences.
  • Technical data: IP address, browser type and version, device information, operating system, time zone, language preference.
  • Usage data: pages viewed, products browsed, time on site, click activity, referring URLs.
  • Communication data: emails, messages, and support queries you send to us.
  • Marketing data: newsletter subscription preferences, marketing consent records.

3. Purposes and Legal Bases for Processing

We process your personal data for the following purposes, based on the legal bases set out in Article 6(1) of the GDPR:

Purpose | Legal Basis (Art. 6(1) GDPR)
Processing and fulfilling your orders | (b) Performance of a contract
Managing your customer account | (b) Performance of a contract
Processing payments | (b) Performance of a contract
Sending order confirmations and shipping updates | (b) Performance of a contract
Responding to customer support queries | (b) Performance of a contract / (f) Legitimate interest
Sending marketing emails and newsletters | (a) Consent
Personalised advertising (e.g. Facebook, Google) | (a) Consent
Website analytics and performance improvement | (a) Consent (for non-essential cookies) / (f) Legitimate interest (for aggregated analytics)
Fraud prevention and security | (f) Legitimate interest
Compliance with tax, accounting, and legal obligations | (c) Legal obligation

4. Data Retention

We retain your personal data only for as long as is necessary for the purposes set out in this policy:

  • Order and transaction data: 7 years from the date of transaction (to comply with Estonian tax and accounting law).
  • Customer account data: for the duration of your account, plus 12 months after a deletion request to handle any outstanding claims.
  • Marketing consent records: until consent is withdrawn, plus 3 years for proof of consent.
  • Customer support communications: 3 years from the date of last interaction.
  • Website analytics data: 26 months (Google Analytics default), then automatically anonymised or deleted.
  • Cookie data: see cookie durations in Section 7 below.

When data is no longer required, it is securely deleted or anonymised.

5. Your Rights as a Data Subject

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15) — request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16) — request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17) — request deletion of your personal data (“right to be forgotten”).
  • Right to restriction of processing (Art. 18) — request that we limit how we use your data.
  • Right to data portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21) — object to processing based on legitimate interests or direct marketing.
  • Right to withdraw consent (Art. 7(3)) — where we rely on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint — you have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), www.aki.ee. You may also complain to the supervisory authority in your EU Member State of residence.

To exercise any of these rights, email us at order@moodstories.com. We will respond within 30 days.

6. Third-Party Processors and Data Sharing

We share your personal data with the following categories of third-party processors, all of whom process data on our behalf and under our instructions:

  • Shopify Inc. — e-commerce platform hosting, order processing, payment processing. Shopify’s privacy policy: shopify.com/legal/privacy.
  • Google LLC (Google Analytics, Google Ads) — website analytics and advertising. Google’s privacy policy: policies.google.com/privacy.
  • Meta Platforms Inc. (Facebook Pixel, Instagram) — advertising, audience measurement, remarketing. Meta’s privacy policy: facebook.com/privacy/policy.
  • Shipping carriers — name and address for delivery purposes only.
  • Payment processors — payment data necessary for transaction processing (e.g. Shopify Payments, PayPal).
  • Email service providers — email address for transactional and, where consented, marketing communications.

We do not sell your personal data to any third party.

7. Cookies

Our website uses cookies and similar technologies. We categorise them as follows:

Essential Cookies

These cookies are strictly necessary for the website to function and cannot be switched off. They include:

  • Shopify session cookies (_shopify_s, _shopify_y, cart) — enable shopping cart, checkout, and account authentication. Duration: session to 1 year.
  • Cookie consent cookie — stores your cookie preferences. Duration: 1 year.

Analytics Cookies

These cookies help us understand how visitors interact with our site. They are set only with your consent.

  • Google Analytics (_ga, _ga_*, _gid) — measure traffic and usage patterns. Duration: up to 26 months.

Marketing Cookies

These cookies are used to deliver relevant advertisements and measure campaign effectiveness. They are set only with your consent.

  • Meta/Facebook Pixel (_fbp, _fbc) — remarketing and conversion tracking. Duration: up to 90 days.
  • Google Ads (_gcl_au, _gcl_aw) — conversion tracking and remarketing. Duration: up to 90 days.

You can manage your cookie preferences at any time through the cookie consent banner on our website or through your browser settings.

8. International Data Transfers

Some of our third-party processors (including Shopify, Google, and Meta) may transfer your personal data to countries outside the European Economic Area (EEA), including the United States and Canada.

Where such transfers occur, they are protected by:

  • Adequacy decisions by the European Commission (e.g. the EU-U.S. Data Privacy Framework, Canada).
  • Standard Contractual Clauses (SCCs) approved by the European Commission, where no adequacy decision exists.
  • Additional technical and organisational safeguards as appropriate.

You may request a copy of the relevant safeguards by contacting us.

9. Children’s Data

Our website and services are not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe that we have inadvertently collected data from a child under 16, please contact us immediately at order@moodstories.com and we will take steps to delete such data promptly.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include SSL/TLS encryption for data in transit, access controls, and regular security reviews. Our store is hosted on Shopify, which maintains PCI-DSS compliance for payment processing.

11. Changes to This Privacy Policy

We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. The updated version will be posted on this page with a revised “Last updated” date. We encourage you to review this page periodically. Where changes are significant, we will notify you by email or a prominent notice on our website.

12. Contact

For any questions, concerns, or requests related to this privacy policy or the processing of your personal data, please contact:

MOODSTORIES OÜ
Tallinn, Estonia
Email: order@moodstories.com