GDPR

Privacy Policy (GDPR)

Last updated: August 10, 2025

Thank you for visiting Cozy Nest Crochet (the “Site”) at cozynestcrochet.com. This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you use our Site, purchase our products, or contact us. It is written to meet the requirements of the EU/EEA General Data Protection Regulation (GDPR) and the UK GDPR.

By using the Site, you agree to the practices described here.


1) Who we are (Data Controller)

Cozy Nest Crochet is the data controller for personal data processed via this Site, customer support, and marketing communications.

  • Email: contact@CozyNestCrochet.com

  • Website: cozynestcrochet.com

EU/UK representative: If we are required to appoint an Article 27 representative, we will update this section with their details.

Data Protection Officer (DPO): Not required for our size and processing activities. We will update this policy if that changes.


2) What we sell

We sell digital crochet patterns (PDF/ZIP downloads) and related digital content.


3) Personal data we collect

We collect and process the following categories of personal data:

  • Identity & Contact Data – name, email address, country/region, billing information.

  • Account Data – login credentials (hashed), order history, saved items, preferences.

  • Transaction Data – purchase details, price, currency, tax, and fulfillment status.

  • Content Data – messages you send us (support requests, reviews).

  • Usage & Device Data – IP address, device identifiers, browser type, pages viewed, clickstream, approximate location, referring URLs.

  • Marketing & Communications Data – opt‑in/opt‑out choices, email engagement.

We do not intentionally collect special category data (e.g., health, religion) or data about children.


4) How we collect data

  • Directly from you – when you purchase, create an account, contact support, or subscribe to emails.

  • Automatically – via cookies and similar technologies when you browse the Site (see Cookies below).

  • From third parties – e.g., our payment provider (Merchant of Record), analytics, email delivery, and hosting partners.


5) Why we use your data (purposes & legal bases)

We process personal data only when we have a lawful basis:

  • Provide the Site and deliver purchases – to process orders, deliver digital downloads, send order emails, and provide support.
    Legal bases: Contract (Art. 6(1)(b)); Legitimate interests (service quality); Legal obligation (tax/records).

  • Account creation & management – to enable login, track orders, and maintain preferences.
    Legal bases: Contract; Legitimate interests.

  • Payments, taxes & fraud prevention – handled with our payment provider (see Section 8).
    Legal bases: Contract; Legal obligation; Legitimate interests (prevent misuse).

  • Customer support – to respond to messages and fix issues.
    Legal bases: Contract; Legitimate interests.

  • Marketing & newsletters – only with your consent (you may unsubscribe at any time).
    Legal bases: Consent (Art. 6(1)(a)); Legitimate interests for service updates where applicable.

  • Analytics & performance – to understand site usage and improve the Site.
    Legal bases: Consent (where required for cookies); Legitimate interests (security, debugging).

  • Security & abuse detection – to protect accounts and our services.
    Legal bases: Legitimate interests; Legal obligation.


6) Cookies & similar technologies

We use cookies and similar technologies to operate the Site, remember preferences, analyze traffic, and (if enabled) measure campaign performance. Where required, we will ask for your consent via a cookie banner. You can change your preferences at any time using the banner or your browser settings.

Cookie types we may use:

  • Strictly necessary (login, security, checkout).

  • Functional (remember preferences).

  • Analytics (e.g., page performance, aggregated stats).

  • Advertising/Measurement (e.g., Meta Pixel or server‑side events) — only if you consent where required.

You can block or delete cookies in your browser, but some features may not work properly.


7) Optional analytics & ads

  • Meta Pixel / Conversions API (optional): If enabled, we may process hashed contact data, fbp/fbc identifiers, IP address, user agent, and event details (e.g., view content, add to cart, purchase) to measure performance and improve our ads. Processing is based on consent where required, otherwise legitimate interests for basic measurement. You can withdraw consent via the cookie banner at any time.

  • Other tools (optional): If we add tools like Google Analytics or Hotjar‑style UX tools, we will update this policy and request consent where required.


8) Payments & Merchant of Record

We use a third‑party Merchant of Record (MoR) to process payments, handle sales taxes/VAT, and issue invoices/receipts. When you complete a purchase:

  • The MoR acts as an independent controller for transaction, billing, and tax data; we receive only the data we need to fulfill your order (e.g., product purchased, buyer email, status).

  • Your card/bank details are handled by the MoR and its payment partners; we do not receive or store full card numbers.

Current provider: Paddle (subject to change). If we change providers (e.g., Lemon Squeezy), we will update this section.


9) Sharing your data

We share personal data with trusted service providers who help us run the Site and deliver purchases, such as:

  • Payment & tax: Merchant of Record (e.g., Paddle) and its banking/payment partners.

  • Hosting & infrastructure: web hosting/CDN, backup, security.

  • Email & communications: transactional email delivery, newsletter platform.

  • Analytics & measurement: only if enabled by you via consent.

We require our processors to safeguard your data and only process it according to our instructions. We may also disclose data to comply with law, enforce our terms, or protect rights, property, and safety.


10) International data transfers

Our service providers may be located outside your country (including outside the EEA/UK). Where we transfer personal data internationally, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) or UK IDTA/Addendum, and additional measures where necessary.


11) Data retention

  • Orders & invoices: retained for the period required by tax laws (typically 6–10 years, depending on jurisdiction).

  • Accounts: retained while your account is active; if you close it, we delete or anonymize within a reasonable time unless we must keep data for legal reasons.

  • Marketing: retained until you unsubscribe or your consent is withdrawn; we may keep minimal suppression data to honor your opt‑out.

  • Logs & security data: typically retained for up to 12 months unless needed longer to investigate issues.


12) Your rights (EEA/UK)

Subject to conditions and exceptions under applicable law, you have the right to:

  • Access your personal data and receive a copy

  • Rectify inaccurate or incomplete data

  • Erase your data (“right to be forgotten”)

  • Restrict processing in certain cases

  • Portability – receive data in a structured, commonly used, machine‑readable format

  • Object to processing based on legitimate interests or to direct marketing

  • Withdraw consent at any time where processing is based on consent

You also have the right to lodge a complaint with your local supervisory authority (EEA/UK). We encourage you to contact us first so we can resolve your concerns.


13) How to exercise your rights

Email contact@CozyNestCrochet.com with the subject line “GDPR Request” and tell us:

  • what right you want to exercise, and

  • the email address used on our Site / order number (so we can find your data).

We will respond within one month (or explain any lawful extension).


14) Security

We use reasonable administrative, technical, and physical safeguards designed to protect personal data against loss, misuse, and unauthorized access. No system is 100% secure; please use strong passwords and keep your account details confidential.


15) Third‑party links

Our Site may link to third‑party sites or services we do not control. Their privacy practices are governed by their own policies.


16) Changes to this policy

We may update this Privacy Policy from time to time. The “Last updated” date shows the latest version. If changes are material, we will take appropriate steps to notify you (e.g., banner, email, or account notice).