Privacy Policy

Version: 2025-01-24 | Last updated: January 24, 2025

1. Introduction

Cherry Suede ("we", "us", "our") is a Canadian company committed to protecting your privacy. This Privacy Policy explains how we collect, use, and protect your personal data in accordance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA). As we serve members in the UK and European Union, we also comply with the UK General Data Protection Regulation (UK GDPR) and the EU GDPR.

2. Data Controller

Cherry Suede, based in Ontario, Canada, is the data controller for your personal data. You can contact us at band@cherrysuede.com.

3. What Data We Collect

3.1 Data You Provide

• Account Information: Email address, name (optional), phone number (optional)
• Shipping Addresses: Postal addresses for physical deliveries
• Payment Information: Processed securely by Paddle; we do not store card details
• Event Preferences: Cities and events you're interested in

3.2 Data We Collect Automatically

• Usage Data: How you interact with our service
• Technical Data: IP address, browser type, device information
• Consent Records: When and how you provided consent

4. How We Use Your Data

We use your data for:

5. Data Sharing

We share your data with:

• Paddle: For payment processing (acting as Merchant of Record)
• Resend: For sending emails
• Supabase: For data storage and authentication
• Vercel: For hosting our website
• Shipping carriers: For delivery of physical products

We never sell your personal data. All our service providers are GDPR-compliant and process data only as instructed by us.

6. Your Rights

Under PIPEDA and GDPR (for UK/EU members), you have the following rights:

• Right to Access: Request a copy of your personal data
• Right to Rectification: Correct inaccurate data
• Right to Erasure: Request deletion of your data
• Right to Restrict Processing: Limit how we use your data
• Right to Data Portability: Receive your data in a portable format
• Right to Object: Object to certain processing
• Right to Withdraw Consent: Withdraw consent at any time

You can exercise these rights through your privacy settings or by contacting us.

7. Data Retention

We retain your data for:

• Active members: As long as your account is active
• Order records: 7 years for legal/tax compliance
• Marketing preferences: Until you withdraw consent
• Deleted accounts: Anonymized immediately, legal records retained as required

8. Data Security

We implement appropriate technical and organizational measures to protect your data, including encryption in transit and at rest, regular security assessments, and strict access controls.

9. International Transfers

Our primary data processing occurs in Canada. Some of our service providers may process data outside Canada and the UK/EEA. When this occurs, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses or adequacy decisions. Canada has been recognized by the European Commission as providing adequate protection for personal data.

10. Cookies

We use essential cookies for authentication and security. We do not use tracking or advertising cookies.

11. Children's Privacy

Our service is not intended for children under 18. We do not knowingly collect data from children.

12. Changes to This Policy

We may update this policy from time to time. We will notify you of significant changes and may require you to acknowledge the updated policy.

13. Complaints

If you have concerns about how we handle your data, please contact us first at band@cherrysuede.com.

For Canadian members: You may file a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca.

For UK members: You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

For EU members: You may contact your local data protection authority.

14. Contact

For privacy-related questions, contact us at: band@cherrysuede.com