Between Customer (Data Subject) & TreasuredTale (United States) — Data Controller
This Data Processing Addendum ("DPA") supplements and forms part of TreasuredTale's Privacy Policy and Terms & Conditions. It applies when TreasuredTale (United States) ("TreasuredTale", "we", "us", "our") processes personal information on behalf of customers, website visitors, or other individuals ("you", "your", "data subject") in connection with the purchase of TreasuredTale products or use of our Services.
This DPA ensures compliance with:
- GDPR (EU/EEA);
- UK GDPR;
- CCPA/CPRA (California);
- Other global privacy laws.
This DPA does not create a subcontractor or vendor relationship — rather, it clarifies how TreasuredTale processes personal data as part of providing its online store and fulfilling orders.
1. Parties to This Agreement
TreasuredTale (United States) — Data Controller
TreasuredTale determines the purposes and means of processing your personal information.
Customer / User / Data Subject — Individual whose data is processed
You provide personal information when purchasing items, creating an account, submitting personalization, or interacting with the website.
Because TreasuredTale is not processing personal information on behalf of another business entity (you are an individual consumer), TreasuredTale is legally the Data Controller, not a processor.
1.1 No Processorship or Subcontractor Relationship
For clarity, nothing in this DPA creates a processor–controller or sub-processor relationship between TreasuredTale and the customer. TreasuredTale processes personal information solely for the purpose of providing goods and services directly to the customer as an independent business. Customers do not have the right to issue data processing instructions, require custom processing terms, or request bespoke contractual arrangements applicable to processor relationships.
2. Purpose of Data Processing
Treatedale processes personal data strictly for:
- Fulfilling and delivering your orders;
- Personalizing items according to details you provide;
- Customer support and communication;
- Fraud prevention and security;
- Payment processing (via secure third-party processors);
- Operating and improving our website;
- Compliance with legal obligations;
- Advertising and marketing (where permitted by law and with your consent where required).
Under GDPR, the legal bases may include:
- Contractual necessity (order fulfillment);
- Legitimate interests (fraud prevention, store analytics);
- Consent (marketing cookies, email marketing, where required);
- Legal obligation.
Under CCPA/CPRA, we process personal information as a Service Provider / Business, depending on the context.
3. Types of Data Collected
TreasuredTale may collect the following categories of personal information:
- Identifiers:
Name, email, billing/shipping address, phone number. - Commercial Information:
Orders, order history, personalization inputs. - Internet/Activity Data:
IP address, device data, pages viewed, interactions. - Payment Information:
Processed securely through Shopify or third-party processors; we do not store full card details. -
User-Generated Content:
Reviews, photos, comments.
We do not process sensitive personal information to infer characteristics.
4. Personalization Data
If you submit names, dates, personal messages, or custom instructions for personalized products:
- You confirm the information is accurate and owned by you.
- We process it only to create your personalized item.
- TreasuredTale does not modify, correct, or review personalization content — items are produced exactly as entered by the customer.
4.1 Sensitive Personal Information Submitted Voluntarily
TreasuredTale does not request or require any sensitive personal information (such as health details, religious beliefs, biometric identifiers, or information about minors). If a customer voluntarily includes such details within personalization fields, TreasuredTale processes this information strictly for the purpose of fulfilling the order under the lawful basis of contractual necessity (GDPR Art. 6(1)(b)).
Customers are solely responsible for ensuring that personalization content does not include unlawful, offensive, or sensitive data. TreasuredTale accepts no liability for the processing of sensitive personal information voluntarily provided by the customer during customization.
5. Data Retention
We retain personal information only as long as necessary to:
- Fulfill your order;
- Provide support;
- Meet legal and tax obligations;
- Resolve disputes;
- Maintain business records.
Retention periods differ by category and jurisdiction.
6. Subprocessors & International Transfers
To operate our online store, TreasuredTale uses trusted subprocessors such as:
- Shopify (store platform);
- Payment processors (Stripe, PayPal, Shopify Payments, etc.);
- Fulfillment & production partners (U.S. production facilities);
- Email marketing and customer service tools;
- Analytics and security providers;
6.1 Cross-border transfers
Your data may be stored or processed in:
- the United States;
- Canada;
- the EU/EEA;
- or other locations where our partners operate.
For EU/EEA/UK residents, transfers are supported by:
- Standard Contractual Clauses (SCCs);
- Equivalent UK or EU-approved transfer mechanisms.
7. Rights of Data Subjects
Depending on your location, you may have rights to:
- Access personal information;
- Correct inaccurate information;
- Request deletion ("right to be forgotten");
- Restrict processing;
- Object to certain processing;
- Data portability;
- Withdraw consent;
- Opt-out of sale/sharing (CCPA/CPRA).
You may exercise rights via:
support@treasuredtalestore.com.
We verify identity before fulfilling requests.
8. Security Measures
TreasuredTale implements appropriate:
- Technical safeguards (encryption, HTTPS, secure infrastructure);
- Organizational measures (access controls, training, incident response).
Although no system is 100% secure, we follow industry best practices to protect your data.
9. No Selling of Personal Information
TreasuredTale does not:
- Sell personal data;
- Share personal data for cross-site behavioral advertising when you opt out;
- Process sensitive data to infer characteristics.
Where applicable, you may opt out at any time via our Do Not Sell or Share My Personal Information page.
10. Children's Privacy
We do not knowingly collect or process personal information from children under applicable age-of-consent laws.
If you believe a child has submitted data, contact us immediately.
11. Incident Notification
If a data breach affecting your personal information occurs, TreasuredTale will notify you in accordance with applicable laws and regulations.
12. Responsibilities of the Customer
You agree to:
- Provide accurate personalization details;
- Ensure information submitted is lawful and correct;
- Not upload unlawful, offensive, or infringing content.
13. Automated Decision-Making & Profiling
TreasuredTale does not use automated decision-making that produces legal or significant effects on individuals.
Any personalization, recommendations, or marketing segmentation is limited to standard e-commerce functions such as:
- showing relevant products based on browsing history,
- basic analytics,
- non-intrusive advertising audiences, where permitted by law.
You will not be subject to decisions based solely on automated processing that would significantly affect your rights.
14. Updates to This DPA
We may update this DPA to reflect:
- Legal changes;
- Service updates;
- Policy improvements.
We will update the "Last updated" date and provide additional notice where required.
15. Contact Information
For questions about this DPA or your privacy rights, contact:
support@treasuredtalestore.com.
TreasuredTale (United States)
Last Updated: August 15, 2025
Version 3.0
