Company Name: COSMONOVA TRADE CO., LTD
Company Registration Number: 16714390
Official Website: cosmonv.com
Contact Email: [email protected]
1. Scope of Policy
This Privacy Policy describes the collection, use, storage, transfer, and protection of personal data by COSMONOVA TRADE CO., LTD (hereinafter referred to as "we") in connection with our apparel business with users in the EU. This Policy applies to all interactions with us, whether through our official website (cosmonv.com), email communications, order transactions, or other forms of cooperation, as long as you are an EU resident or your personal data is processed within the EU. We strictly adhere to the General Data Protection Regulation (GDPR) and other relevant EU data protection regulations to safeguard your personal data rights and security.
2. Collection and Processing of Personal Data
(I) Types of Personal Data Collected
Depending on the needs of our apparel business, we may collect the following personal data:
Identity and Contact Data: including but not limited to name, gender, age, email address (other than the contact address you provide at [email protected]), phone number, mailing address, etc., for order confirmation, logistics delivery, and business communications.
Transaction and Order Data: including purchased apparel categories, sizes, quantities, payment information (only necessary transaction receipts are retained; full payment card information is not stored), order status, etc., for transaction fulfillment and after-sales service.
Interaction and Preference Data: including apparel products you browse through the website, styles you inquire about, and opinions you submit for market research participation, etc., for optimizing product recommendations and service experience.
Compliance Data: such as business license information and contact authorization certificates for corporate clients, for meeting legal obligations and business compliance requirements.
(II) Lawful Basis for Data Collection
Pursuant to Article 6 of the GDPR, our data processing is based on the following lawful grounds:
Your explicit consent: If you consent to us analyzing your browsing and preferences for personalized recommendations, you may withdraw this consent at any time.
Necessary for contract performance: For example, collecting your shipping address and contact information to fulfill the shipping and delivery of clothing orders.
Complying with legal obligations: For example, retaining transaction records to meet EU and related country filing requirements for commercial transactions.
Protecting legitimate interests: For example, data verification to prevent order fraud and ensure website information security, provided that such processing does not infringe upon your fundamental rights and freedoms.
3. Core Principles of Data Processing
We strictly adhere to the seven data processing principles set out in the GDPR to ensure that our data processing activities are lawful and compliant:
Principles of fairness and transparency: All data processing activities are conducted in a non-discriminatory manner, and this policy clearly informs you of the purposes, methods, and rights of your data processing, without any misleading statements.
Purpose Limitation: Personal data collected will only be used for the specific purposes stated in this Policy (e.g., order processing and customer service). If new purposes (e.g., marketing) are needed, we will evaluate and obtain your consent in advance.
Data Minimization: We only collect necessary data directly related to our business purposes. For example, we do not need to collect your physical address when purchasing e-books or clothing.
Accuracy: We regularly review your personal data. If you find any errors in your shipping address, contact information, or other information, you may request corrections at any time.
Storage Limitation: Personal data will only be retained for as long as necessary to achieve the purposes for which it is processed. Transaction data will be retained for no more than three years from the date of the transaction. After that, it will be anonymized or securely deleted.
Integrity and Confidentiality: We implement technical and organizational measures, such as encrypted storage and access control, to prevent unauthorized access, disclosure, destruction, or alteration of personal data.
Accountability and Compliance: We maintain a system for recording data processing activities to readily demonstrate compliance with this Policy and the GDPR, and to be subject to compliance audits by regulatory authorities.
4. Data Subject Rights
In accordance with the GDPR and related regulations, you, as a data subject, have the following rights, and we will facilitate your exercise of these rights:
Right of Access: You have the right to request confirmation from us regarding whether we are processing your personal data, and to obtain information such as the purpose, type, and recipients of such data.
Right to Correction: If your personal data is inaccurate or incomplete, you have the right to request that we promptly correct or supplement it.
Right to Erasure (Right to Be Forgotten): You have the right to request that we delete your personal data if it is no longer necessary, you have withdrawn your consent, or our processing violates applicable law, unless we are required to retain it by law or regulation.
Right to Restriction of Processing: You have the right to request that we restrict data processing activities if you object to the accuracy of the data, or if the processing is unlawful but you object to its deletion.
Right to Data Portability: You have the right to request that we provide your personal data in a structured, commonly used, and machine-readable format, or to have it transmitted directly to another data controller (for example, if you change your clothing supplier).
Right to Object: If we process your personal data based on legitimate interests, you have the right to object based on your particular situation. We will cease processing unless we have overriding legitimate grounds.
If you wish to exercise the above rights, please contact us at [email protected]. We will respond within one month. In complex cases, this period may be extended to two months (we will notify you in advance).
5. Data Sharing and Cross-Border Transfer
(I) Scope of Data Sharing
We only share personal data with third parties in the following circumstances:
Service Providers: For example, we share your delivery information with logistics providers to complete delivery, and we share necessary transaction data with payment institutions to process payments. These third parties must sign a data processing agreement and abide by confidentiality obligations.
Regulatory Authorities: We will provide necessary data to EU and member state data protection authorities, tax authorities, and other agencies when required by law or when conducting legitimate regulatory investigations.
We will never sell or rent your personal data to unrelated third parties.
(II) Cross-Border Data Transfer Rules
If your personal data is transferred outside the EU for business purposes, we will implement the following safeguards:
Transfers will only be made to countries or regions recognized by the EU as providing "adequate protection";
Sign an agreement with the recipient that includes data protection clauses and clearly defines security responsibilities;
Use encryption and other technical means to ensure the security of data during transfer.
6. Data Security and Breach Response
(I) Security Protection Measures
We have established a comprehensive data security management system, including but not limited to:
Website data transmission uses SSL encryption technology to prevent data interception during transmission;
Strict access permissions are set for servers and databases, limiting access to sensitive data to authorized personnel only;
Regular employee data protection training is provided to clarify compliance requirements for data processing;
ISO 27001 Information Security Management System certification is achieved to ensure that security measures meet international standards.
(II) Data Breach Notification
If a high-risk personal data breach occurs, we will notify both the EU data protection authorities and the affected individuals within 72 hours of discovery, detailing the scope of the breach, potential impact, and remedial measures implemented.
7. Third-Party Services
Our official website (cosmonv.com) may contain links to third-party services (such as social media plugins). We do not control the privacy policies of such third parties. We recommend that you carefully review their privacy policies before using them. We are not responsible for their data processing practices.
8. Policy Updates and Contact Us
(I) Policy Updates
This Privacy Policy will be updated based on revisions to EU data protection regulations and business development needs. The updated policy will be prominently posted on our official website and notified to registered users via email. Updates will take effect from the date of posting.
(II) Contact Us
If you have any questions or complaints regarding this Privacy Policy, or wish to exercise your data subject rights, please contact us through the following methods:
Email: [email protected]
Official Website: cosmonv.com (Inquiries may be submitted through the "Contact Us" section)
EU users may also lodge complaints directly with the data protection authority of their member state.