Privacy policy

Effective Date: November 2025

At Flick & Puff, we value your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, and safeguard your information in accordance with the General Data Protection Regulation (GDPR) and Spanish Organic Law 3/2018 (LOPDGDD).

1. Data Controller & Contact Information

Data Controller: Flick & Puff

Email: team@flickandpuff.com

Flick & Puff is responsible for determining the purposes and means of processing your personal data. We do not currently appoint a Data Protection Officer (DPO), as this is not required under Article 37 GDPR; however, all privacy-related inquiries can be directed to the contact details above.

Certain processing activities are carried out by our trusted Data Processors. All processors act strictly under our instructions and in full compliance with GDPR.

2. Personal Data We Collect

We collect and process the following categories of personal data strictly for the purposes of providing our services and fulfilling orders:

  • Identity and contact details: name, email address, shipping address, and phone number. These details are also shared with trusted carriers and logistics partners for the purpose of delivering your order;
  • Order and payment data: billing details and transaction identifiers. Payment information is securely processed by our authorized payment providers. Flick & Puff does not store full card details;
  • Usage and analytics data: IP address, browser type, and browsing activity collected via cookies for website functionality, performance, and analytics purposes. Where possible, this data is anonymized or aggregated;
  • Marketing and advertising data: information collected through cookies or tracking pixels used to measure campaign effectiveness and deliver personalized ads, but only after you give explicit consent via the cookie banner;
  • Marketing preferences: data about your subscription to newsletters or promotional updates, collected only if you have explicitly opted in.

All personal data is processed lawfully, fairly, and transparently in accordance with GDPR and LOPDGDD.

3. Purpose & Legal Basis for Processing

Your personal data is processed for the following purposes and legal bases:

| Purpose | Legal Basis |
| --- | --- |
| To process and deliver your orders, including sharing necessary information with carriers and logistics partners | Performance of a contract (Art. 6(1)(b) GDPR) |
| To communicate with you about your orders or inquiries | Performance of a contract and/or legitimate interest (Art. 6(1)(b) & 6(1)(f) GDPR) |
| To send you marketing communications (only if you opt in) | Explicit consent (Art. 6(1)(a) GDPR) |
| To run and measure advertising campaigns on social media platforms | Explicit consent (Art. 6(1)(a) GDPR) |
| To comply with tax, accounting, and legal obligations | Legal obligation (Art. 6(1)(c) GDPR) |
| To improve our website, products, and services through analytics | Legitimate interest (Art. 6(1)(f) GDPR), with data anonymized or aggregated wherever possible |

4. Sharing & Disclosure of Data

We only share your personal data when necessary for the purposes stated above. We work with trusted partners who process data on our behalf, ensuring your data remains protected:

  • Shopify – our e-commerce platform and data host. Some data may be stored outside the European Union;
  • Printful – for print-on-demand order fulfillment, with GDPR-compliant processing;
  • Payment processors – to securely handle payments; payment card data is processed only by the provider and is never stored by us;
  • Google Analytics – for website traffic analysis. Data is anonymized or aggregated to prevent identification of individuals;
  • Social media and advertising platforms – we may use marketing cookies, tracking pixels, and other tracking technologies from third-party advertising networks (e.g., Meta, TikTok, Pinterest, YouTube, and others) to measure campaign effectiveness and deliver personalized ads. These cookies are only activated after you give explicit consent through our cookie banner;
  • Carriers and logistics partners – your name, shipping address, email, and phone number are shared strictly for the purpose of delivering your order and related delivery inquiries. These partners process personal data in compliance with GDPR and do not use it for marketing purposes. Where data is transferred outside the European Union, appropriate safeguards such as Standard Contractual Clauses are applied.

Important: All partners act strictly as Data Processors under our instructions, except where a partner acts as an independent Data Controller (such as some social media and advertising networks). In such cases, their data processing practices are governed by their respective privacy policies available on their official websites.

We do not share marketing data without your prior explicit consent.

5. International Data Transfers

Some of our service providers may process your data outside the European Union. In such cases, transfers are protected by:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, or
  • Adequacy decisions where applicable.

These mechanisms ensure your personal data receives a level of protection equivalent to that required by GDPR.

6. Cookies & Similar Technologies

Our website uses cookies to ensure proper functionality, enhance your browsing experience, and analyze website traffic:

  • Essential cookies are necessary for site operation (e.g., to remember items in your cart);
  • Analytics cookies (e.g., Google Analytics) are used only after you give your explicit consent through the cookie banner;
  • Marketing cookies (e.g., social media advertising and tracking pixels) are only activated after you give your explicit consent and are used to deliver personalized ads and measure campaign effectiveness.

Consent Logging: Non-essential cookies and scripts are blocked until you provide explicit consent via our cookie banner. We log your consent and retain it for 5 years to demonstrate compliance with GDPR.

You can change or withdraw your consent at any time in the cookie settings on our website. For full details, please review our Cookie Policy.

7. Your Data Protection Rights

Under GDPR and Spanish data protection law, you have the right to:

  • Access your personal data (Art. 15 GDPR);
  • Rectify inaccurate or incomplete data (Art. 16 GDPR);
  • Erase your data ("right to be forgotten") (Art. 17 GDPR);
  • Restrict processing of your data (Art. 18 GDPR);
  • Object to certain processing activities, including marketing (Art. 21 GDPR);
  • Port your data to another service provider (Art. 20 GDPR).

You can exercise these rights by contacting us at team@flickandpuff.com. We will respond to all legitimate requests within 1 month of receipt, in accordance with applicable data protection laws. If your request is particularly complex or if we have received multiple requests, this period may be extended by up to 2 additional months. In such cases, we will notify you of the extension and explain the reasons for the delay.

8. Data Security

We take appropriate technical and organizational measures to ensure your personal data is protected from loss, misuse, unauthorized access, or disclosure.

This includes:

  • Encrypted connections (SSL/TLS) for all transactions;
  • Secure servers hosted in the European Union.

We regularly review our security measures and update them as necessary to mitigate risks.

9. Data Retention

We retain your personal data only for as long as necessary for the purposes stated in this policy or as required by law:

  • Order and billing data: retained for 7 years (for tax and accounting);
  • Account data: retained while your account remains active;
  • Marketing data: retained until you withdraw consent;
  • Consent logs: retained for 5 years to demonstrate GDPR compliance;
  • Data shared with carriers and logistics partners for order delivery: retained only as long as necessary for the delivery process and related inquiries, after which it is securely deleted or anonymized.

Aggregated or anonymized analytics data may be retained indefinitely for reporting, research, and business improvement purposes, as it cannot be linked to identified individuals.

After these periods, data will be securely deleted or anonymized.

10. Updates to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. Significant changes will be announced via our website or email notice. The latest version will always be available on this page, with the date of the last update shown above.

11. Contact Us

For any questions or to exercise your rights under data protection law, please contact:

Data Controller: Flick & Puff

Email: team@flickandpuff.com

Last updated: November 2025