Privacy policy

Last updated: 10 September 2025

Tils tiny Terrors operates this shop and website, including all related information, content, features, tools, products and services, to provide you with a personalised shopping experience (the “Services”). Tils tiny Terrors is hosted on Shopify, which enables me to provide the Services. This Privacy Notice explains how I collect, use, and disclose personal data when you visit or use the website, make a purchase or other transaction using the Services, or otherwise communicate with me. If there is a conflict between my Terms and this Privacy Notice, this Privacy Notice governs the collection, processing and disclosure of your personal data.

Please read this Privacy Notice carefully. By accessing or using any of the Services, you confirm that you have read this Privacy Notice and agree to the collection, use and disclosure of your data as described herein.

What personal data do I collect or process?

When I use the term “personal data” I mean information that identifies you or can be reasonably linked to you. Personal data does not include data that has been anonymised so that it can no longer be used to identify you. Depending on how you interact with the Services, where you live and what applicable law allows or requires, I may collect or process the following categories of personal data (including inferences drawn from such data):

• Contact data such as name, postal address, billing address, shipping address, phone number and email address.

• Financial data such as credit or debit card numbers and payment details, payment confirmations and other payment information.

• Account information such as username, password, security questions, configurations and settings.

• Transaction information including items you view, add to cart, wishlist or purchase, returns, exchanges or cancellations, and your past transactions.

• Communications with me including information you provide when you contact customer support.

• Device information including device, browser or network connection information, IP address and other unique identifiers.

• Usage information including how and when you interact with or browse the Services.

Sources of personal data

I may collect personal data from the following sources:

• Directly from you. I collect data when you create an account, access or use the Services, contact me, or otherwise provide personal data.

• Automatically via the Services. I collect data from your device or when you use my products or Services or visit my website, including through cookies and similar technologies.

• From my service providers. I collect data when I engage service providers to enable certain technologies and when they collect or process personal data on my behalf.

• From partners and other third parties.

How do I use your personal data?

Depending on how you interact with me or which Services you use, I may use personal data for the following purposes:

• Provide, personalise and improve the Services. I use personal data to provide the Services, fulfil my contract with you, process payments, complete your orders, save your preferences and items of interest, send account-related notifications, create and manage your account, organise shipping, facilitate returns and exchanges, enable reviews, and create a personalised shopping experience (for example, recommending products based on your purchases). This may include using personal data to better tailor and improve the Services.

• Marketing and advertising. I may use personal data for marketing and advertising, for example to send promotional emails, SMS or postal mail, and to display online advertising for products or services based on items you have previously purchased or added to cart and other activity related to the Services.

• Security and fraud prevention. I use personal data to authenticate accounts, provide a secure payment and shopping experience, detect and investigate potentially fraudulent or unlawful activity, and to protect the security of the Services. If you register an account, you are responsible for keeping your login details secure; I recommend not sharing your username, password or other access credentials.

• Communicating with you. I use personal data to provide customer support and Services, respond to inquiries in a timely manner, and maintain my business relationship with you.

• Legal reasons. I may use personal data to comply with applicable law or respond to lawful requests from law enforcement or regulators, to investigate potential or actual legal claims or disputes, and to enforce my terms and policies.

How do I share personal data?

In certain circumstances I may share personal data for legitimate purposes as described in this Privacy Notice. Those circumstances may include:

• Service providers. I share personal data with Shopify and other third-party service providers that perform services on my behalf (for example, IT management, payment processing, data analytics, customer support, cloud storage, fulfilment and shipping).

• Business and marketing partners. I may share personal data with business and marketing partners that provide marketing services and display advertising. For example, I may use Shopify’s features and third-party services to support personalised advertising across different merchants and websites. Those partners use your data according to their privacy policies. Depending on where you live, you may have the right to instruct me not to share certain information for targeted advertising — see the “Your rights” section below.

• When you ask me to share. If you request or consent to disclosure of certain information to a third party (for example to facilitate delivery), or when you use social media widgets or login integrations.

• Affiliates and corporate transfers. I may share personal data with my affiliates or within my corporate group. I may also share personal data in connection with a business transaction (for example a merger or sale).

• Legal and safety reasons. I may disclose personal data to comply with legal obligations, respond to subpoenas or search warrants, enforce the Services’ terms and policies, or protect the safety and rights of others.

Relationship with Shopify

The Services are hosted by Shopify, and Shopify collects and processes data about your access to and use of the Services to enable and improve the Services. Data you submit through the Services will be transmitted to Shopify and to third parties that may be located in countries other than your country of residence so they can provide and improve the Services. I also use certain advanced Shopify features that may incorporate data from your interactions with my shop, other merchants and Shopify into those advanced features. In those cases Shopify is responsible for processing personal data for those purposes and for responding to your requests to exercise rights related to that processing. For more information about how Shopify uses personal data and the rights available to you, see the Shopify privacy information for consumers at https://privacy.shopify.com/en.

Third-party websites and links

The Services may include links to websites or online platforms operated by third parties. If you follow links to websites that are not affiliated with me, please review the privacy and security practices of those sites. I am not responsible for the privacy or security of third-party websites, the accuracy or completeness of their content, or their use of data. Information you post publicly or on third-party social platforms may be viewable by others and used without restriction.

Children’s data

The Services are not intended for children, and I do not knowingly collect personal data from children who have not reached the age of majority in their country. If you are a parent or guardian and believe your child has provided personal data to me, please contact me using the details below to request deletion of that data. At the time this Privacy Notice was issued, I am not aware that I sell or share personal data of persons under 16 (as those terms may be defined by applicable law).

Security and retention of your data

No security measure is perfect or impenetrable and I cannot promise “perfect security.” Information you transmit to me may be subject to risk during transmission. Please avoid sending highly sensitive information through insecure channels.

How long I retain your personal data depends on a range of factors, including whether I need the data to manage your account, provide Services, comply with legal obligations, resolve disputes, or enforce agreements and policies.

Your rights and choices

Depending on where you live, you may have some or all of the following rights regarding your personal data; these rights are not absolute and may be subject to restrictions under applicable law:

• Right of access. You may have the right to request access to the personal data I hold about you.

• Right to deletion. You may have the right to request the deletion of personal data I hold about you.

• Right to rectification. You may have the right to request correction of inaccurate personal data.

• Right to data portability. You may have the right to obtain a copy of personal data I hold about you and request that I transmit it to a third party in certain circumstances.

• Right to opt out of sale/sharing for targeted advertising. Depending on where you live, you may have the right to opt out of the “sale” or “sharing” of your personal data for targeted advertising. If you wish to exercise such rights, please follow the opt-out options described in the Services or contact me directly. If you visit my site with an enabled Global Privacy Control (GPC) signal, I will treat that as a device-level opt-out request where required by applicable law. For more about GPC, see https://globalprivacycontrol.org/. I do not recognise other “Do Not Track” signals sent by browsers or devices.

• Manage communication preferences. I may send promotional emails; you may opt out of such marketing communications using the unsubscribe mechanism included in those emails. I may still send non-marketing messages relating to your account or orders.

If you reside in the United Kingdom or the European Economic Area, you may also have rights to restrict or object to certain processing activities and the right to withdraw consent where I rely on consent. These rights may be subject to legal exceptions and conditions.

You may exercise your rights where that option is available in the Services or by contacting me using the contact details below. Exercising your rights will not result in any detriment to you. I may need to verify your identity before fulfilling certain requests. You may also appoint an authorised representative to submit requests on your behalf; in that case I will require proof that the representative is authorised.

Complaints

If you have questions or complaints about how I process your personal data, please contact me using the details below. Depending on where you live, you also have the right to lodge a complaint with your local data protection authority.

International transfers

Please note that I may transfer, store and process personal data in countries other than the country where you reside. Where I transfer personal data outside the EEA or the UK, I rely on recognised transfer mechanisms such as the European Commission’s Standard Contractual Clauses or equivalent arrangements issued by the relevant UK authority, unless the transfer is to a country that has been determined to provide an adequate level of protection.

Changes to this Privacy Notice

I may update this Privacy Notice from time to time to reflect changes in my practices or for operational, legal or regulatory reasons. I will post the revised Privacy Notice on this website, update the “Last updated” date, and provide any notices required by applicable law.

Contact

If you have questions about my privacy practices or this Privacy Notice, or if you wish to exercise any of your rights, please contact me by email at tilstinyterrors@gmail.com, or by post at:

Alte Eppelheimer Straße 47
Heidelberg, 69115
Germany

For the purposes of applicable data protection laws, I am the data controller of your personal data.