Legal Information

Privacy Policy

How we collect, use, and protect your personal data

GDPR Compliant | Data Encrypted | No Cookie Tracking | Your Rights Protected

At Eleven Spectacles, your trust is everything. This Privacy Policy explains how we collect, use, and protect your personal data with the same care we apply to every pair of sunglasses we create.

Quick Answer: Is Eleven Spectacles GDPR compliant? Yes. We fully comply with EU data protection laws, store your data securely in the EU, never sell your information, and respect your rights to access, delete, and control your data.


Who We Are

Eleven Spectacles is a luxury eyewear brand committed to transparency and data protection. We comply with the General Data Protection Regulation (GDPR) and all applicable EU data protection laws. This policy describes how we handle your personal data and your rights under EU law.


What Personal Data Does Eleven Spectacles Collect?

We collect data that helps us serve you better. Here's what we gather:

Data You Provide Directly

  • Order information: Name, email address, shipping address, billing address
  • Payment details: Card information (processed securely by Stripe, not stored by us) - learn about our checkout process
  • Contact information: Phone number (optional)
  • Communication: Messages you send through contact forms, email, or customer support
  • Marketing preferences: Your choice to receive or not receive promotional emails

Data We Collect Automatically

  • Browsing activity: Pages visited, time spent, links clicked
  • Device information: Browser type, operating system, IP address
  • Analytics: Anonymized interaction patterns with our website (via PostHog cookieless tracking)

How We Collect Your Data

Direct Collection

You provide data when you:

  • Place an order on our website
  • Enter your email and shipping details at checkout
  • Contact us for support or inquiries
  • Opt in or out of marketing communications
  • Submit feedback or reviews
  • Contact us with questions

Indirect Collection

We receive data from trusted partners:

  • Stripe: Payment processing and fraud prevention
  • Railway: Cloud hosting infrastructure
  • PostHog: Anonymous website analytics (no cookies, no personal data)
  • Brevo: Email marketing services (only if you've opted in)

We process your personal data based on the following legal grounds (GDPR Article 6):

Purpose | Legal Basis | Duration
Processing and fulfilling orders | Contract performance (Article 6(1)(b)) | Duration of order + 5 years (tax records)
Providing customer support | Legitimate interest (Article 6(1)(f)) | Until issue resolved
Fraud prevention & payment verification | Legitimate interest & contract (Articles 6(1)(b), 6(1)(f)) | Duration of transaction + 5 years
Marketing & newsletters | Consent (Article 6(1)(a)) | Until you unsubscribe
Anonymous website analytics | Legitimate interest (Article 6(1)(f)) | Per PostHog's retention policy (no consent needed)
Legal compliance & records | Legal obligation (Article 6(1)(c)) | As required by law

How Does Eleven Spectacles Use Your Personal Data?

Order Processing & Fulfillment

  • Process payments and prevent fraud
  • Ship your order to the correct address
  • Provide order updates and tracking information
  • Handle returns and refunds - view our return policy
  • Respond to order-related questions

Customer Service

  • Answer your questions and resolve issues
  • Send important order notifications (confirmations, shipping updates, delivery status)
  • Process data access requests and complaints
  • Send newsletters about new products and collections
  • Notify you of special offers and promotions
  • Invite you to exclusive events or early access
  • You can opt out anytime - no strings attached
  • Manage your preferences in any marketing email

Anonymous Website Analytics

  • Analyze how visitors use our website in aggregated, anonymous form
  • Identify and fix technical issues
  • Improve user experience and performance
  • Test new features
  • No personal data collected; no consent required

Fraud Prevention & Security

  • Verify credit card transactions with payment processors
  • Detect fraudulent activity
  • Protect our systems from abuse
  • Comply with financial regulations
  • Maintain records for tax and accounting purposes (legally required)
  • Comply with government requests (where legally required)
  • Protect legal rights in disputes

Our Data Processing Partners

We share your data only with carefully selected partners who process it on our behalf (data processors). Each partner is contractually bound to protect your data and use it only as instructed.

Stripe (Payment Processing)

What data: Name, email, payment card details, billing address
Why: Process payments securely and detect fraud
Legal basis: Contract performance & legitimate interest
GDPR compliance: Stripe is GDPR-compliant and notifies us of data breaches within 48 hours
Data retention: Per Stripe's privacy policy
Your rights: You can request data deletion from Stripe directly

Learn more: Stripe Privacy Policy / Learn about secure payment methods

Railway (Cloud Hosting)

What data: All data stored on our servers (orders, customer communications)
Why: Securely host our website and store order data
Legal basis: Legitimate interest & contract performance
GDPR compliance: Railway is EU-compliant with encryption at rest and in transit
Data retention: Per our retention schedule (see Section 8)
Security: Encryption, access controls, continuous monitoring

Learn more: Railway Security & GDPR

PostHog (Anonymous Analytics)

What data: ONLY anonymized, aggregated browsing behavior - NO personal data
How it works: PostHog uses cookieless tracking that stores data in page memory (JavaScript objects) that does not persist beyond the current session
Why: Understand how visitors use our website to improve experience
Legal basis: Legitimate interest (Article 6(1)(f)) - no consent needed because data is anonymous
Data characteristics:

  • No cookies used
  • No personal identifiers collected
  • No cross-session tracking
  • Data stored only in memory during active session
  • Cannot identify individual visitors
  • Fully anonymous and aggregated

GDPR compliance: PostHog's cookieless tracking approach means GDPR consent is not required. The data processed is not "personal data" because it cannot identify you.
Data retention: Session-based (cleared when you leave our website)
Your rights: No special rights apply because this data doesn't identify you

Learn more: PostHog Privacy & Cookieless Tracking

Brevo (Email Marketing)

What data: Email address, name, marketing preferences, email engagement data
Why: Send newsletters and marketing communications (only if you've opted in)
Legal basis: Consent
GDPR compliance: Brevo supports data access, deletion, portability, and unsubscribe rights
Data retention: Until you unsubscribe or request deletion
Your rights: Unsubscribe anytime with one click in any email; request data deletion

Learn more: Brevo GDPR Compliance


Data Transfers Outside the EU

All personal data is processed and stored within the European Union to ensure maximum protection under GDPR. We do not transfer personal data outside the EU/EEA without appropriate safeguards.

PostHog Analytics Exception: PostHog's anonymized data may be processed in the US or other locations, but because it's completely anonymized and non-identifiable, GDPR restrictions on international transfers do not apply.

Exception: If you're outside the EU and we need to process your data to fulfill your order, we may use service providers outside the EU, but only with:

  • Standard Contractual Clauses (approved by the European Commission)
  • Adequacy decisions (for countries deemed equivalent to EU protection)

How Long Does Eleven Spectacles Keep My Data?

Data Retention Schedule

Data Type | Retention Period | Reason
Order information (name, address, email) | 5 years after order completion | Tax compliance & fraud prevention
Payment transaction records | 5 years | VAT & accounting regulations (legally required)
Payment card information | Not stored by us (Stripe retains) | Payment processing security
Customer support communications | 2 years | Customer service & dispute resolution
Marketing preferences & email lists | Until you unsubscribe | Marketing consent records
Anonymous analytics data | Per session only | Performance improvement (immediately deleted)

After the retention period expires, we securely delete your data by removing all associated database entries and backups.

Your right to deletion: You can request deletion anytime (see Section 10 - Data Subject Rights), subject to legal obligations to retain records.


How Does Eleven Spectacles Secure My Personal Data?

We protect your personal data with the same precision we apply to every product.

Technical Safeguards

  • Encryption in transit: All data transmitted to/from our servers uses HTTPS/TLS encryption
  • Encryption at rest: Sensitive data encrypted on our servers
  • Access controls: Only authorized employees can access personal data
  • Secure backups: Data backed up securely with limited access

Organizational Safeguards

  • Staff training: Regular data protection training for all employees
  • Limited access: Employees access only the data necessary for their role
  • Vendor management: All partners comply with GDPR and have data processing agreements
  • Incident response: We have procedures in place for data breach notification

What We Don't Do

  • We never sell your data to third parties
  • We never use your data for purposes you didn't consent to
  • We never share your payment information with marketing partners
  • We never store your credit card details (Stripe handles this securely)
  • We never use cookies for analytics (PostHog is cookieless and anonymous)

Your Data Protection Rights (GDPR Articles 15-22)

You have comprehensive rights over your personal data. We make it easy to exercise them.

Note: These rights apply to personal data that identifies you (order info, email, communications). They do not apply to anonymized analytics data, which cannot identify you.

The Right to Access (Article 15)

You can request a copy of all personal data we hold about you.

How to request: Email support@elevenspectacles.com with "Data Access Request" in the subject line.

What we'll provide:

  • All personal data we hold about you
  • How it's being processed
  • Who we share it with
  • How long we keep it

Response time: 30 calendar days
Cost: Free (we may charge a small fee only if requests are excessive or repetitive)

The Right to Rectification (Article 16)

You can request that we correct inaccurate or incomplete data.

How to request: Contact support@elevenspectacles.com with details of what needs correcting.

Examples:

  • Incorrect shipping address in your order
  • Wrong email address or name
  • Outdated contact information

Response time: 30 calendar days

The Right to Erasure (Article 17 - "Right to Be Forgotten")

You can request deletion of your personal data under certain circumstances.

We'll delete your data if:

  • It's no longer necessary for the original purpose
  • You withdraw consent (for marketing)
  • You object to processing
  • Your data has been processed unlawfully
  • Legal obligations don't require us to keep it

We must keep your data if:

  • We need it for tax or accounting purposes (5-year legal requirement for order records)
  • There's an active dispute or legal claim
  • You have recent orders that require record-keeping

How to request: Email support@elevenspectacles.com with "Deletion Request" in the subject line. We'll explain any reasons we must retain your data.

Response time: 30 calendar days

The Right to Restrict Processing (Article 18)

You can ask us to limit how we use your data while we verify its accuracy or investigate a complaint.

How to request: Contact support@elevenspectacles.com with "Restrict Processing" in the subject line.

Example: You believe your address is incorrect and want us to stop using it until we've verified the correct information.

Response time: 30 calendar days

The Right to Data Portability (Article 20)

You can request a copy of your data in a portable, machine-readable format (such as CSV or JSON) to transfer to another service.

How to request: Email support@elevenspectacles.com with "Data Portability Request" in the subject line.

What we'll provide:

  • All personal data you've provided to us
  • In a structured, commonly-used format
  • Suitable for import into another system

Response time: 30 calendar days

The Right to Object (Article 21)

You can object to us processing your data for certain purposes.

You can object to:

  • Marketing and promotional communications (anytime, with one click)
  • Processing based on legitimate interest (we'll stop unless we have a compelling reason)
  • Automated decision-making (if applicable)

How to object:

Response time: 30 calendar days

The Right to Not Be Subject to Automated Decision-Making (Article 22)

You have the right not to be subject to automated decisions that have a legal or significant effect on you.

Our position: We don't make automated decisions about credit, eligibility, or other significant matters. Stripe may use automated fraud detection on payments, but this is necessary for transaction security and is not a "decision" that significantly affects your rights.


Cookies & Tracking Technologies

We use minimal cookies to enhance your experience. Importantly, we do not use cookies for analytics.

What Are Cookies?

Small text files stored on your device that remember your preferences and activity.

Our Cookies

Cookie Type | Purpose | Duration | Consent Required
Functional cookies | Shopping cart, language preference, session management | Session/1 year | No (necessary)
Analytics cookies | NONE - We use PostHog cookieless tracking instead | N/A | No
Marketing cookies | Track conversion and remarketing (if opted in) | Per vendor | Yes

Why No Analytics Cookies?

We use PostHog's cookieless tracking, which:

  • Stores data in page memory (not persistent cookies)
  • Doesn't persist across sessions
  • Cannot identify you as an individual
  • Requires no consent

This gives us the analytics insights we need while respecting your privacy.

When you first visit our site, you'll see a cookie consent banner. You can:

  • Accept all cookies
  • Accept only necessary cookies
  • Customize which types you allow

You can change your preferences anytime by visiting our Cookie Policy or managing cookie settings.

Do Not Track

If your browser sends a "Do Not Track" signal, we respect it and minimize non-essential cookies.


Children's Data Protection

Eleven Spectacles is not intended for children under 16. We do not knowingly collect data from children under this age.

If we discover we've inadvertently collected data from a child under 16 without parental consent, we'll delete it immediately.

If you're a parent and believe your child has provided data, please contact us at support@elevenspectacles.com.


Marketing Communications

We'd love to share updates about new collections, special offers, and exclusive events, but only if you want to hear from us.

How to Receive Marketing

You can opt in to marketing emails during checkout or by contacting us at support@elevenspectacles.com. We only send newsletters to those who've explicitly requested them.

You can change your preference anytime.

How to Unsubscribe

Easiest way: Click "Unsubscribe" at the bottom of any marketing email
Or email: support@elevenspectacles.com with "Unsubscribe" in the subject line

You'll be removed from our marketing list within 24 hours. You'll still receive transactional emails (order confirmations, shipping updates, etc.).


Our website may contain links to other websites. We are not responsible for their privacy practices. We encourage you to review their privacy policies before providing any data.


International Users

If you're located outside the EU, this Privacy Policy still applies. However:

  • EU residents have specific rights under GDPR (described above)
  • Your data may be stored in the EU as described in Section 7
  • Your local laws may provide additional protections

Data Breaches & Incident Notification

In the unlikely event of a data breach affecting your personal data:

  1. We will assess the risk and potential impact
  2. We will notify you without undue delay (required by GDPR)
  3. We will inform your national data protection authority within 72 hours
  4. We will provide information about what happened and what we're doing

Our partners commit to the same timeline:

  • Stripe: Notifies us within 48 hours
  • Railway: Notifies us within 72 hours
  • Brevo: Notifies us within 72 hours

PostHog Note: A PostHog breach would not affect you because PostHog only processes anonymous data that cannot identify you.


Complaints & Supervision

Your Right to Complain

If you believe we've violated your data protection rights, you have the right to lodge a complaint with your national data protection authority (supervisory authority).

Find your authority:

Common supervisory authorities:

  • Austria: Austrian Data Protection Authority
  • Belgium: Belgian Data Protection Authority
  • France: CNIL (Commission Nationale de l'Informatique et des Libertés)
  • Germany: BfDI (German Federal Data Protection Officer)
  • Italy: Garante per la Protezione dei Dati Personali
  • Spain: AEPD (Agencia Española de Protección de Datos)
  • Netherlands: AP (Autoriteit Persoonsgegevens)

You can file a complaint anytime. We encourage you to contact us first at support@elevenspectacles.com - we'd like the opportunity to resolve issues directly.


Changes to This Privacy Policy

We review this policy regularly as regulations and our practices evolve.

We'll notify you of significant changes:

  • Email notification (if you've consented to marketing)
  • Banner on our website
  • Updated "Last Updated" date at the top of this policy

Your continued use of our website after changes are posted means you accept the updated policy.


Contact Us

Questions about this Privacy Policy or how we handle your data?

Email: support@elevenspectacles.com
Subject: "Privacy Policy Question"

Or mail us: Eleven Spectacles
Your Business Address
City, Country, Postal Code

We'll respond within 30 days.



Summary: Your Key Rights at a Glance

Right | What It Means | How to Request
Access | Get a copy of your data | Email support@elevenspectacles.com
Rectification | Correct inaccurate data | Email support@elevenspectacles.com
Erasure | Request deletion | Email support@elevenspectacles.com
Restrict | Limit how we use your data | Email support@elevenspectacles.com
Portability | Export your data | Email support@elevenspectacles.com
Object | Opt out of processing | Email support@elevenspectacles.com
Complain | File with authorities | Email support@elevenspectacles.com

This appendix explains why we process specific data:

Order Processing (Article 6(1)(b) - Contract Performance)

We need your name, email, shipping and billing address to process your order and fulfill our contract with you.

Payment & Fraud Prevention (Article 6(1)(b) & 6(1)(f) - Contract & Legitimate Interest)

We use Stripe to process payments securely and verify transactions to prevent fraud. This protects both you and us.

Marketing (Article 6(1)(a) - Consent)

We only send marketing emails to those who've opted in at checkout. You can unsubscribe anytime with one click.

Anonymous Website Analytics (Article 6(1)(f) - Legitimate Interest)

PostHog's cookieless analytics help us improve your experience. Because the data is completely anonymized and cannot identify you, no consent is required. We rely on legitimate interest: improving our website benefits both you and us.

Customer Support (Article 6(1)(f) - Legitimate Interest)

We process your communications and support requests to serve you better and resolve issues fairly.

Accounting & Tax Compliance (Article 6(1)(c) - Legal Obligation)

EU law requires us to keep records of transactions for 5 years for tax and accounting purposes. We're legally required to retain this data.


Version: 1.0
Effective Date: January 7, 2026
Last Updated: January 7, 2026
Compliance: GDPR (EU 2016/679), GDPR Articles 13-14 disclosures