Privacy Policy
Heritag (“we”, “our”, or “us”) respects the privacy of its users and is fully committed to protecting their personal data and using it in accordance with data privacy laws. This Privacy Policy describes how we collect, use, and process any personal data that we collect from you—or you provide to us—in connection with your use of our website (www.heritag.store) or our mobile app and our print-on-demand services (collectively, “Services”). By accessing or using our Services, you signify your understanding of the terms set out in this Privacy Policy.
We do not knowingly collect, maintain, disclose, or sell personal information about users under the age of sixteen (16). If you are under the age of 16, please do not use our Services. If you are under the age of 16 and have used our Services, please contact us at the email address below so that we may delete your personal information.
If you use our Services only for your personal use, you are to be considered as the “User” and for the purpose of the General Data Protection Regulation (“GDPR”) and the UK General Data Protection Regulation (as defined by the UK Data Protection Act 2018 as amended by the Data Protection, Privacy and Electronic Communications (Amendments, etc) (EU Exit) Regulations 2019), we are the data controller.
Note that while our Services may contain links to other websites or services, we are not responsible for each respective website’s or service’s privacy practices and encourage you to be aware of this when you leave our Services and carefully read the privacy statements of each and every website and service you visit. This Privacy Policy does not apply to third-party websites and services.
1. Information we collect
1.1. Information collected about Users and how we use it
Where you are a User and it is necessary to fulfill our contract with you for the purposes of providing, maintaining, or improving our products and Services (including, to the extent permitted by applicable law, any matters in our legitimate interests with respect to the Services), we will confirm your identity, contact you, provide customer support (including via chat, in the comment section of our blog, or other platforms, where you may reach us), operate your account with us and invoice you. For the aforementioned purposes, we collect information that may contain the following personal data:
- Name;
- Shipping information;
- Email address and phone number;
- Payment and billing information (payment method details, first and last digits of your payment card);
- Information, including images and data, which may appear on government-issued identity documents;
- Order handling information.
We may request some of the personal data indicated above in furtherance of our legal obligations and legitimate interest in ensuring that users and end customers are not the target of trade, financial, and economic sanctions, and do not appear on a sanctions-related list, including lists maintained by the U.S. Department of Treasury’s Office of Foreign Assets Control (“OFAC”), the U.S. Department of State, the U.S. Department of Commerce, the European Union, or Her Majesty’s Treasury of the United Kingdom.
If you have given your consent when registering your account, when subscribing to our newsletter or blog, or shared your email address or other personal data with us to receive any other information (for example, our list of sub-processors), we will process your email address to send you the informative and/or promotional materials to which you have subscribed, for example, newsletters, advertisements of our Services and other information about our Services that you have requested. At any point in time you can unsubscribe from receiving the above-mentioned information in our email footers and through your notification settings on Heritag.
We obtain location information you provide in your profile or your IP address. We use and store information about your location to provide features and to improve and customise the Services, for example, for Heritag’s internal analytics and performance monitoring; localisation, regional requirements, and policies for the Services; for local content, search results, and recommendations; for delivery and mapping services; and (using non-precise location information) marketing.
When you call our customer support phone line, we may monitor or record the call to ensure the quality of our customer support. If you have a Heritag account, we will retain the recording for as long as you have an account. If you do not have an account, we will delete the recording within 12 months or retain it, if it will be needed to resolve disputes between you and us.
By using cookies and similar technology on our website, we may collect data such as information on your device, your preferences and information filled in while visiting our website, your interaction with the website, and other information used for analytical, marketing, and targeting activities (including unique visits, returning visits, length of the session, actions carried out on the webpage).
As it is in our legitimate interests to ensure our network security, to give you access to our Services, and to improve our Services, we also collect the following technical usage data:
- How and when you access your account;
- Information about the device and browser you use;
- IP address and device data.
1.2. Privacy Policy Addendum Regarding Data Collection for California and Virginia residents
The chart below describes the categories of Personal Information and Personal Data (as those respective terms are used in Section 7 and Section 8 of the Privacy Policy), as applicable, that we may collect, the purposes for such collection, and the types of entities with whom we may have shared such information. We do not sell personal data to third parties.
| Categories of Personal Information | Sources of Information | Use of Information | Sharing of Information |
| --- | --- | --- | --- |
| Identifiers, including your name, postal address, email address, and telephone number. These data types also include “personal information,” as the term is defined by the CCPA (California), and “personal data” as defined under the VCDPA (Virginia). | We collect this information directly from you. | We use this information to: provide, maintain, and improve our products and Services; provide customer support (including via chat, in the comment section of our blog, or other platforms, where you may reach us), operate your account with us, and invoice you. | We share this information with Service Providers and certain other individuals and entities as described in the section above entitled “Sharing Personal Data with Third Parties.” |
| Commercial information. | We collect this information directly from you. | We use this information to process your transactions and deliver our products to you. | We share this information with Service Providers and certain other individuals and entities as described in the section above entitled “Sharing Personal Data with Third Parties.” |
| Internet or other electronic network activity information, such as IP addresses and cookies. | We collect this information automatically from your computer or device. | We use this information to provide, maintain, and improve our Services and to personalize your online experience. | We share this information with Service Providers and certain other individuals and entities as described in the section above entitled “Sharing Personal Data with Third Parties.” |
| Audio Information | We collect this information directly from you. | We use this information to ensure the quality of our customer support. | Not applicable. |
| Professional and employment related information. | We collect this information directly from you. | We collect such information if you apply for a job via our careers page and use it in connection with processing your application. | Not applicable. |
| Educational information, such as the information included in your resume. | We collect this information directly from you. | We collect such information if you apply for a job via our careers page and use it in connection with processing your application. | Not applicable. |
2. Sharing personal data with third parties
In order for Heritag to provide you with our Services, we work with third parties who perform services on our behalf and with whom we share personal data to support our Services (“Service Providers”).
Information you have provided to us during the use of our Services, including technical usage data, is shared for business purposes in our legitimate interests with third parties who provide hosting and server co-location services as well as data and cyber security services.
Information you have provided to us during the use of our Services may be shared with third-party manufacturing services whom we engage to provide our Services to you.
Your email address and other contact details you have provided to us and your messages to our customer service are shared for business purposes in our legitimate interests with communication, email distribution, and content delivery services as well as customer support system providers.
Information regarding your purchases and payments is shared with billing and payment processing services, fraud detection and prevention services, accounting and financial advisors, so that we can provide our Services to you.
Information regarding your use of our website and other information received from cookies and similar technology is shared with web analytics, session recording, and online marketing services.
If we provide marketing to you, information on your account, purchases and preferences can be shared with marketing services.
Insofar as reasonably necessary to defend our legal rights, we may share your personal data with our legal advisors.
We will only share personal data with Service Providers that have undertaken to comply with obligations set out in applicable data protection laws.
We may share your personal data with our affiliates (companies within our corporate family), in our legitimate interests for business purposes.
In certain circumstances, we are required to share information with third parties to comply with legal requirements or requests, as well as to protect our, or a third party’s, lawful interests. We will also disclose your information to third parties in and outside your country only to the extent allowed by applicable law, including:
- to a prospective purchaser or purchaser that acquires all or substantially all of us or our business;
- to a third party in the event that we sell or buy any business or undergo a merger, in which case we may disclose your information to the prospective buyer of such business; and
- to a third party if we sell, buy, merge or partner with other companies or businesses, undergo a reorganisation, bankruptcy, or liquidation; or otherwise undertake a business transaction or sell some or all of our assets. In such transactions, your information may be among the transferred assets.
3. Retention periods
We may retain your personal data for as long as you have a Heritag account or any of the abovementioned legal bases for personal data processing still exists. For example, if you unsubscribe from our marketing, newsletter, or blog emails, we will stop the processing of the personal data for such purposes. If you have used our Services without creating a Heritag account, we will keep your personal data as long as necessary to comply with our legal obligation to retain information relating to provision of services, for example, for tax purposes.
After terminating your relationship with us by deleting your Heritag account or otherwise ceasing to use our Services, we may continue to store copies of your personal data as necessary to comply with our legal obligations, to resolve disputes between you and us, to prevent fraud and abuse, to enforce our agreements, and/or to protect our legitimate interests (to the extent that we are permitted by the applicable law to continue to store copies to protect our legitimate interests).
4. Data subject's rights
If you are located in the European Economic Area or the United Kingdom, in accordance with European Union and United Kingdom data protection regulations, you have certain rights with respect to your personal data. You have the right to request access to your personal data; in certain circumstances to correct, amend, delete, or restrict the use of your personal data by logging into your Heritag account or by reaching us using the contact information provided below. In addition, you can object to the processing of your personal data in some circumstances (in particular, where we are not required to process your data to meet a contractual or other legal requirement). These rights may be limited, for example, if fulfilling your request would reveal personal data about another person, or if you ask us to delete information which we are required by law to retain, are permitted by law to retain, or have compelling legitimate interests in retaining (to the extent that applicable law permits us to retain such information based on our legitimate interests).
Furthermore, if you believe that we have unlawfully processed your personal data, you have the right to submit a complaint to the contact information provided below, or to your respective data protection supervisory authority.
5. Information security
We seek to use reasonable organizational, technical, and administrative measures to protect the confidentiality, integrity, and availability of personal data. We encourage you to take care of the personal data in your possession that you process online and set strong passwords for your Heritag account, limit access to your computer and browser by signing out after you have finished your session, and avoid providing us with any sensitive information.
6. Privacy Policy addendum for California residents
Under the California Consumer Privacy Act (“CCPA”), California residents are afforded certain rights about the Personal Information (as such capitalized term is defined under the CCPA) we have collected about them, which we have described in more detail below.
We are both a “business” and a “service provider” under the CCPA, depending on how you interact with us. This section applies only to personal information we collect in our role as a business.
Rights under the CCPA
If you are a California resident, the processing of certain personal information about you may be subject to the CCPA. Where the CCPA applies, this section provides additional privacy disclosures and informs you of key additional rights as a California resident. We will never discriminate against you for exercising your rights, including providing a different level or quality of services or denying goods or services to you when you exercise your rights under the CCPA.
Right to Know Request
Under the CCPA, California residents have a right to request information about our collection, use, and disclosure of your personal information over the prior twelve (12) months, and ask that we provide you free of charge with the following information:
- the categories of personal information about you that we collected;
- the categories of sources from which the personal information was collected;
- the purpose for collecting personal information about you;
- the categories of third parties to whom we disclosed personal information about you and the categories of personal information that was disclosed (if applicable) and the purpose for disclosing the personal information about you; and
- the specific pieces of personal information we collected about you.
Right to Delete Request
Under the CCPA, you also have a right to request that we delete personal information, subject to certain exceptions.
Right to Opt-Out of the Sale of Personal Information
You may request that we not sell your Personal Information. Please note, however, that CCPA defines “sale” very broadly, and includes “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a California consumer’s Personal Information by the business to another business or third party for monetary or other valuable consideration.” We use services that help deliver interest-based ads to you and may transfer Personal Information to business partners for their use. Making Personal Information (such as online identifiers or browsing activity) available to these companies is considered a “sale” under the CCPA.
How to Exercise Your Rights
If you are a California resident to whom the CCPA applies, you may contact us to exercise your rights.
Once we receive your request, we will review it, determine whether we can verify your identity, and process the request accordingly. We may need to collect information from you to verify your identity, such as your email address, government issued ID or date of birth. You may make a verifiable consumer request to access your personal information twice per twelve (12) month period. We aim to fulfill all verified requests within 45 days pursuant to the CCPA. If necessary, extensions for an additional 45 days will be accompanied by an explanation for the delay.
You may designate, in writing or through a power of attorney document, an authorized agent to make requests on your behalf to exercise your rights. Before accepting such a request from an agent, we will require that the agent provide proof that you have authorized them to act on your behalf, and we may need you to verify your identity directly with us.
8. Privacy Policy addendum for Virginia residents
Under the Virginia Consumer Data Protection Act (“VCDPA”), Virginia residents are afforded certain rights regarding the data we have collected about them. This notice describes how we collect, use, and share your Personal Data in our capacity as a “Controller” under the VCDPA, and the rights that you have with respect to your Personal Data, including sensitive personal data. For purposes of this section, “Personal Data” and “sensitive data” have the meanings given in the VCDPA and do not include information excluded from the VCDPA’s scope. In general, personal data is information reasonably linkable to an identifiable person.
The chart found at Section 1.3 of the Privacy Policy describes the categories of Personal Data that we collect about you. However, the type of Personal Data collected will depend upon how you interact with our Sites and the information you voluntarily provide us. Accordingly, we may not collect all of the information listed in the chart from you. In addition, we may collect and/or use additional types of information after providing notice to you and obtaining your consent to the extent such notice and consent is required by the VCDPA.
Your rights under VCDPA
Right to Access Information/Correct Inaccurate Personal Data. You have the right to request access to Personal Data collected about you and information regarding the purposes for which we collect it, and the third parties and service providers with whom we share it. Additionally, you have the right to correct inaccurate or incomplete Personal Data. You may submit such a request as described below.
Right to Deletion of Personal Data. You have the right to request in certain circumstances that we delete any Personal Data that we have collected directly from you. You may submit such a request as described below. We may have a reason under the law why we do not have to comply with your request, or why we may comply in a more limited way than you anticipated. If we do, we will explain that to you in our response.
Right to Opt-Out of Sale of Personal Data to Third Parties. You have the right to opt out of any sale of your Personal Data by Heritag to third parties. We do not sell Personal Data to third parties for their own direct marketing purposes.
Right to Portability. You have the right to request a copy of the Personal Data that you previously provided to us as a Controller in a portable format. Our collection, use, disclosure, and sale of Personal Data are described in our Privacy Policy.
Right to Opt-Out of Targeted Advertising. You have the right to opt-out of Targeted Advertising based on your Personal Data obtained from your activities over time and across websites or applications.
Right to Opt-Out of Profiling. You have the right to opt-out of having your Personal Data processed for the purpose of profiling in the furtherance of decisions that produce legal or similarly significant effects concerning you.
Right to Appeal. If we decline to take action on any request that you submit in connection with the rights described in the above sections, you may ask that we reconsider our response by sending an email. You must ask us to reconsider our decision within 45 days after we send you our decision.
How to Exercise Your Rights
If you are a Virginia resident to whom the VCDPA applies, you may contact us to exercise your rights.
Once we receive your request, we will review it, determine whether we can verify your identity, and process the request accordingly. We may need to collect information from you to verify your identity, such as your email address, government-issued ID, or date of birth. We aim to fulfill all verified requests within 45 days pursuant to the VCDPA. If necessary, extensions for an additional 45 days will be accompanied by an explanation for the delay. You may designate, in writing or through a power of attorney, an authorized agent to make requests on your behalf to exercise your rights. Before accepting such a request from an agent, we will require that the agent provide proof that you have authorized them to act on your behalf, and we may need you to verify your identity directly with us.
9. Privacy Policy changes
Any changes we make to this Privacy Policy in the future will be posted on this page. Therefore, we encourage you to check this page frequently.