Privacy Policy

HossiShop respects your privacy. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and the rights you have under the EU General Data Protection Regulation (GDPR · Regulation 2016/679) and Italian Legislative Decree 196/2003 (Codice Privacy) as amended by D.Lgs. 101/2018.

1. Data Controller

The data controller responsible for your personal data is:

HossiShop di Hossain Mosharef
Via Milano 25F, 30172 Venezia (VE), Italia
Email: support@hossishop.com
PEC: hossishop@pec.it
Full legal identification: Informazioni Legali

For any privacy-related question, data subject request, or complaint, you may contact us directly at the email above. We aim to respond within 30 days, as required by Article 12 GDPR.

2. Data We Collect

When you visit, browse, or purchase from HossiShop, we may collect the following categories of personal data:

Information you provide directly

• Identification data: first name, last name.
• Contact data: email address, phone number (optional).
• Shipping & billing address: street, city, postal code, country.
• Order details: products purchased, order history, preferences.
• Account credentials: if you create an account, a hashed password.
• Communications: messages you send us via email, chat, or contact forms.
• Marketing preferences: newsletter opt-in status.

Information collected automatically

• Technical data: IP address, browser type, device type, operating system, language.
• Usage data: pages visited, time spent, click paths, referrer URL.
• Cookies & similar technologies: see Section 8 below.

Payment data

Payments are processed exclusively by Stripe Payments Europe Ltd. We do not store your full card number, CVC, or expiration date on our servers. Stripe is PCI-DSS Level 1 certified and acts as an independent data controller for payment processing. See Stripe's Privacy Policy.

3. How We Use Your Data

We process your personal data for the following purposes:

• Order fulfillment: processing, shipping, and delivering your purchases.
• Customer service: responding to your questions, complaints, returns, and refund requests.
• Account management: if you choose to create an account.
• Payment processing: via Stripe, including fraud prevention.
• Marketing communications: only if you have opted in (newsletter, promotional offers, abandoned-cart reminders).
• Analytics: understanding how visitors use the site to improve user experience (subject to cookie consent).
• Legal compliance: tax records, accounting, dispute resolution, fraud prevention.
• Site security: detecting and preventing unauthorized access, abuse, or fraud.

4. Legal Basis for Processing

Under Article 6 GDPR, we rely on the following legal bases:

• Contract performance (Art. 6.1.b): processing necessary to fulfill your order, deliver products, and provide customer service.
• Consent (Art. 6.1.a): for marketing emails, analytics cookies, and non-essential cookies. You may withdraw consent at any time.
• Legitimate interest (Art. 6.1.f): for fraud prevention, site security, and improving our services. Our legitimate interests are balanced against your rights and freedoms.
• Legal obligation (Art. 6.1.c): for tax records, accounting, and compliance with Italian and EU law.

5. Third-Party Processors

We share your data only with carefully selected partners who help us operate the store. Each acts as a data processor under Article 28 GDPR and is bound by data processing agreements.

We do not sell your personal data to any third party.

6. Data Retention

We keep your personal data only as long as necessary for the purposes described:

• Order & billing data: 10 years (Italian tax law · Codice Civile Art. 2220).
• Customer accounts: until you request deletion or after 3 years of inactivity.
• Marketing data: until you unsubscribe or withdraw consent.
• Support communications: 24 months after last contact.
• Analytics data: 14 months (GA4 default).
• Server logs: 12 months for security audit purposes.

After these periods, data is securely deleted or anonymized.

7. Your Rights

Under GDPR Articles 15-22, you have the following rights regarding your personal data:

• Right of access (Art. 15): request a copy of your data.
• Right to rectification (Art. 16): correct inaccurate data.
• Right to erasure (Art. 17): request deletion ("right to be forgotten"), subject to legal retention obligations.
• Right to restriction (Art. 18): limit how we process your data.
• Right to data portability (Art. 20): receive your data in a structured, machine-readable format.
• Right to object (Art. 21): object to processing based on legitimate interest or for direct marketing.
• Right to withdraw consent: at any time, without affecting prior lawful processing.
• Right to lodge a complaint: with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali · www.garanteprivacy.it).

To exercise any of these rights, email support@hossishop.com with the subject line "DSAR — [your request]". We respond within 30 days.

8. Cookies

We use cookies and similar technologies to operate the site and improve your experience. Cookies are classified as follows:

• Strictly necessary: essential for cart, checkout, login, security. No consent required.
• Functional: language and currency preferences. Consent-based.
• Analytics: Google Analytics 4 to understand site usage. Consent-based.
• Marketing: Meta, TikTok, Pinterest pixels for advertising. Consent-based.

You may manage your cookie preferences at any time via the cookie banner or by emailing support@hossishop.com. No analytics or marketing cookies are loaded before you grant explicit consent, as required by the Italian Garante (8 May 2014 Guidelines) and the ePrivacy Directive.

9. Security

We implement appropriate technical and organizational measures to protect your data:

• HTTPS encryption (TLS 1.2+) on all pages.
• Hashed passwords (bcrypt).
• Stripe-handled payment data (PCI-DSS Level 1).
• Cloudflare WAF and DDoS protection.
• Restricted internal access on a need-to-know basis.
• Regular backups and security audits.

In the event of a data breach affecting your rights and freedoms, we will notify you and the Italian Garante within 72 hours, as required by Article 33 GDPR.

10. International Transfers

Some of our processors (Stripe, Google, Meta, TikTok, Pinterest) may transfer data outside the European Economic Area. Such transfers are protected by:

• EU Standard Contractual Clauses (Decision 2021/914);
• EU-US Data Privacy Framework where applicable;
• Equivalent safeguards under Article 46 GDPR.

11. Contact & DSAR (Data Subject Access Request)

To exercise any of your rights, ask a question about this policy, or file a complaint:

Email: support@hossishop.com
Postal address: HossiShop, Via Milano 25F, 30172 Venice (VE), Italy
Subject line for data requests: "DSAR — [your request]"

You may also lodge a complaint with the supervisory authority: Italian Garante per la Protezione dei Dati Personali · Piazza Venezia 11, 00187 Roma · www.garanteprivacy.it.

For online disputes, EU customers may also use the European Commission's ODR platform: ec.europa.eu/consumers/odr.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or services offered. The "Last updated" date at the top of this page indicates when the policy was last revised. Material changes will be communicated by email (if you have an account) or via a prominent notice on the homepage.

By continuing to use HossiShop after a policy update, you acknowledge the changes. If you do not agree, please discontinue use and contact us to request data deletion.