Privacy Policy

Effective date: 31 May 2026.

This Privacy Policy explains how GUKKIMUKK™ ("Gukkimukk", "we", "us") collects, uses, and protects personal data when you visit gukkimukk.com or use any of our services. It applies whether you are in the European Economic Area (EEA), the United Kingdom, the United States, or anywhere else.

For visitors in the EEA / UK, Gukkimukk is the controller of your personal data within the meaning of the General Data Protection Regulation (GDPR) and the UK GDPR. For visitors in California and other US states with privacy legislation, Gukkimukk is the business that determines the purposes and means of processing.

Who we are

Gukkimukk is operated by [GUKKIMUKK_ENTITY], registered at [REGISTERED_ADDRESS]. Company registration number: [REG_NUMBER]. VAT number (where applicable): [VAT_NUMBER].

For privacy questions, data access requests, or to exercise any of the rights described below, contact us at info@gukkimukk.com.

Data we collect

We collect only what we need to run the site and fulfil your orders.

Account data. When you create an account we store the email address you sign up with, your chosen handle and display name, and (optionally) your avatar image and marketing preference. If you sign in with Discord we also receive your Discord user ID.

Order data. When you place an order we store your order number, the items purchased, totals, currency, shipping address, the email address you provided at checkout, and identifiers from our payment processor (Stripe payment intent ID; PayPal order ID where applicable). Card details never reach our servers — they are handled directly by Stripe on its own infrastructure.

Wallet data. If you choose to link a Solana wallet for community access or token-gated drops, we store the public wallet address you sign with. No transaction is broadcast, no gas is spent, and we never have custody of your assets or private keys.

Newsletter data. If you subscribe to our newsletter we store your email address, the date you confirmed your subscription, and your subscription status. Subscription requires a double opt-in (confirmation link sent to your inbox).

Technical data. Our hosting and analytics providers receive technical metadata such as IP address, browser user agent, the page requested, and timestamps. See our Cookie Policy for the full list of cookies and storage items used.

What we do not collect. We do not knowingly collect special-category data (health, biometric, religious, political), payment card numbers, government-issued IDs, or precise geolocation. We do not use Google Analytics, Meta Pixel, TikTok pixel, or other third-party advertising trackers.

How we use your data, and our legal basis

For visitors in the EEA / UK, the GDPR requires us to identify a lawful basis for each processing purpose.

  • To create and manage your account — performance of the contract between you and us (Art 6(1)(b)).
  • To process orders, payments, and shipping — performance of the contract (Art 6(1)(b)).
  • To send transactional emails (order confirmation, shipping notification, password reset, newsletter confirmation) — performance of the contract or our legitimate interest in completing the transaction (Art 6(1)(b) / (f)).
  • To send the newsletter or other marketing communications — your consent (Art 6(1)(a)), which you can withdraw at any time.
  • To measure aggregate, anonymous usage of the site via cookieless analytics — your consent where required (Art 6(1)(a)).
  • To prevent fraud and abuse, and to defend legal claims — our legitimate interests (Art 6(1)(f)).
  • To comply with tax, accounting, and other legal obligations — legal obligation (Art 6(1)(c)).

Who we share data with

We share your data only with the service providers we need to run the site. Each is bound by a written data-processing agreement and processes data on our instructions.

  • Supabase — database, authentication, and file storage. Data is stored in the European Union (Stockholm, Sweden; region eu-north-1).
  • Stripe — payment processing. When you pay you interact directly with Stripe's hosted checkout. Stripe receives your card details, billing address, and order metadata.
  • Printify — print-on-demand fulfilment partner. Receives your shipping address and the items you ordered so they can manufacture and dispatch them.
  • Resend — transactional email delivery (order confirmations, shipping notifications, newsletter confirmation). Receives your email address and the contents of the email.
  • Hostinger — web hosting infrastructure. Processes web requests and may temporarily log IP addresses for security and operations.
  • Discord — only if you choose to sign in with Discord. Discord receives standard OAuth metadata.
  • Plausible Analytics — privacy-friendly, cookieless web analytics. Plausible does not set cookies and does not store personal data; only aggregate, anonymous metrics are processed.

We do not sell your personal information, and we do not share it with advertising networks, data brokers, or third parties for their own marketing purposes.

International data transfers

Most of your data is stored within the European Union. Some of our service providers (notably Stripe, Resend, and Printify) process data outside the EEA, including in the United States. These transfers are protected by the European Commission's Standard Contractual Clauses, supplementary technical safeguards where required, and the EU-US Data Privacy Framework where applicable.

How long we keep your data

  • Account data — for as long as your account is active. You can delete your account at any time from your account settings.
  • Order data — retained for the period required by tax and accounting laws (typically up to 10 years). When you delete your account, the personally identifying parts of your order records (shipping address, guest email, notes, billing address) are anonymised; the remaining order line items and totals are kept solely to satisfy our legal obligations.
  • Newsletter data — retained until you unsubscribe. Unsubscribe records are kept long enough to enforce your opt-out preference.
  • Server and security logs — retained for a short period (typically up to 30 days) to detect and investigate abuse.
  • Backup copies — may persist in encrypted backup snapshots for a short additional period before being overwritten.

Your rights — EEA, UK, and Switzerland

If you are located in the EEA, the UK, or Switzerland, you have the following rights under the GDPR / UK GDPR:

  • Right of access — request a copy of the personal data we hold about you.
  • Right to rectification — correct inaccurate data.
  • Right to erasure — request deletion of your data, subject to legal retention obligations.
  • Right to restrict processing — limit how we use your data in certain circumstances.
  • Right to data portability — receive your data in a structured, machine-readable format.
  • Right to object — including the right to object to direct marketing at any time.
  • Right to withdraw consent — where processing is based on consent.
  • Right to lodge a complaint with your national supervisory authority. You can find your authority at edpb.europa.eu.

You can exercise the rights of access, portability, and erasure directly from your account settings, or by emailing info@gukkimukk.com. We aim to respond within one month.

Your rights — California (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

  • Right to know what categories of personal information we have collected, the purposes, and the categories of third parties with whom we share it.
  • Right to delete your personal information, subject to legal exceptions.
  • Right to correct inaccurate personal information.
  • Right to opt out of sale or sharing — although we do not sell personal information and do not share it for cross-context behavioural advertising, you may still record an opt-out using the link in our footer or by sending a Global Privacy Control signal from your browser.
  • Right to limit use of sensitive personal information — we do not process sensitive personal information for purposes that would trigger this right.
  • Right to non-discrimination — we will not deny you services, charge different prices, or provide a different level of quality for exercising any of your rights.

To exercise these rights, email info@gukkimukk.com from the address on your account, or use the data export and deletion tools in your account settings. You may designate an authorised agent in writing.

California's "Shine the Light" law (Civil Code §1798.83) gives California residents the right to request, once per year, certain information about disclosures of personal information to third parties for direct marketing purposes. We do not share personal information with third parties for their own direct marketing.

Your rights — other US states

Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, and Delaware have rights similar to those described above under their respective state privacy laws, including the right to access, correct, delete, and opt out of certain types of processing. To exercise these rights, contact us using the same channels.

Cookies and tracking

We use only essential and functional cookies plus a privacy-friendly, cookieless analytics service (Plausible). We do not run advertising or behavioural-tracking pixels. See our Cookie Policy for the full list and instructions on managing your preferences. We honour Global Privacy Control browser signals where required by US state law.

Children

Gukkimukk is not directed at children. We do not knowingly collect personal information from anyone under the age of 16 (EEA) or under 13 (United States and other jurisdictions). If you believe a child has provided us with personal information, contact info@gukkimukk.com and we will delete it.

Security

We use industry-standard technical and organisational measures to protect your data: all traffic is encrypted in transit using TLS; data at rest is encrypted by our infrastructure providers (Supabase, Stripe); access to production systems is restricted and authenticated. No system is perfectly secure; if you believe your account has been compromised, contact us immediately.

Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the effective date at the top. Material changes will be communicated by email to account holders and/or by prominent notice on the site.

Contact us

Email: info@gukkimukk.com
Postal address: [REGISTERED_ADDRESS]