Privacy policy

PRIVACY POLICY OF THE ONLINE SERVICE OPERATED BY HEIKI HEIKI SASU

§ 1 GENERAL PROVISIONS

  • We respect and protect the privacy and security of users of our website ("Users"). This Privacy Policy ("Privacy Policy") concerns the data provided to us via the website: https://heikiheiki.com ("Service"). In this Privacy Policy we describe what information we collect in connection with the provision of electronic services ("Services" or "Service"), as well as for what purpose and in what way it is used.

  • When collecting and processing personal data, the following principles are applied: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality.

  • The controller of personal data collected via the Service is HEIKI HEIKI SASU, 37, Rue D'Amsterdam 75008 Paris, SIREN 940207921, hereinafter referred to as the "Controller" and being at the same time the Service Provider of the Service.

  • The term "data processing" used in this Privacy Policy refers to information voluntarily provided by Users as well as information collected automatically (through "cookies"), and covers all operations performed on personal data, in particular: collection, recording, storage, elaboration, modification, disclosure and deletion, carried out in connection with the provision of the Service and Services. The primary purpose of data processing is to optimize the functionality of the Service and Services so that Users can use them in the simplest and most efficient way.

  • The term "personal data" means any information that identifies or allows the identification of a natural person, such as name, surname, e-mail address, phone number, IP address, or other online identifiers collected via cookies or similar technologies.

§ 2 DATA PROCESSING

  • In connection with the use of the Service, the Controller collects Users' personal data to the extent necessary to provide the Services offered within the Service, and also collects information about Users' activity in the Service. Personal data in the Service are processed by the Controller in accordance with applicable law, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation – "GDPR").

  • The Controller processes the following categories of personal data:

    • for registration of your account in the Service: name and surname, e-mail address.

    • for use and management of your account in the Service: name and surname, phone number, e-mail address, gender, address details (street, building number, apartment number, postal code, city, country), VAT ID (for invoicing purposes).

    • for receiving information (newsletter) about promotional activities, special offers, discount codes: e-mail address, phone number, date of birth.

    • for execution of sales agreements concluded in the Service: name and surname, e-mail address, phone number, address details, VAT ID (if invoicing), purchase information.

    • for execution of agreements without registration: name and surname, e-mail address, phone number, address details, VAT ID (if invoicing).

    • for notification of product availability: e-mail address.

    • for settlement of returned products: name, surname, bank account number.

    • for contacting us: name, surname, order number, contact details (address, e-mail address, phone number).

  • Data are processed for the following purposes:

    • conclusion and performance of a sales agreement, including product presentation, transaction handling, payment settlement, product shipment, complaints, withdrawals, returns, and provision of electronic services, including newsletters and direct communication. The legal basis: necessity of processing for the performance of a contract (Art. 6(1)(b) GDPR).

    • analytical and statistical purposes – legal basis: legitimate interest of the Controller (Art. 6(1)(f) GDPR).

    • ensuring the security of IT systems, software development, and troubleshooting – legal basis: legitimate interest (Art. 6(1)(f) GDPR).

    • establishment, exercise or defense of legal claims – legal basis: legitimate interest (Art. 6(1)(f) GDPR).

    • marketing communication – legal basis: legitimate interest (Art. 6(1)(f) GDPR) in connection with User’s consent.

    • compliance with obligations under accounting, tax, and other applicable laws – legal basis: Art. 6(1)(c) GDPR.

  • Use of the Service and providing personal data are voluntary. However, failure to provide data necessary for the conclusion and performance of a contract may result in the inability to conclude or perform such a contract.

  • The Controller also processes personal data of Users visiting its social media profiles (Facebook, Instagram, YouTube, TikTok). Such data are processed for the purpose of providing information about the Controller’s activity (Art. 6(1)(b) GDPR) and promoting its products and services (Art. 6(1)(f) GDPR).

§ 3 COOKIES IN THE SERVICE

  • The Service uses cookies and similar technologies. Cookies are small text files sent by a server and stored on the User's device (computer, tablet, phone, etc.).

  • The Controller may process data contained in cookies for the following purposes:

    • displaying content and improving service quality,

    • analytical and statistical purposes.

  • By default, browser settings allow cookies to be installed on the User’s device. The User can withdraw consent at any time by changing browser settings.

§ 4 DATA RETENTION

  • Personal data are stored no longer than necessary for the purposes for which they were collected. However, laws may require longer retention.

  • Data are retained for:

    • the duration of the agreement (including account maintenance),

    • until withdrawal of consent (for newsletter),

    • 2 years from the last User contact (for inquiries),

    • 5 years from the end of the tax year (for transactional data),

    • until expiry of limitation periods for claims.

  • After these periods, data are deleted or anonymized.

§ 5 DATA RECIPIENTS

  • The Controller does not disclose personal data to unauthorized parties. Data may be disclosed to subcontractors providing IT, hosting, accounting, advisory, courier, and payment services.

  • Data may also be shared with:

    • HEIKI HEIKI SASU, 37 Rue D'Amsterdam, 75008 Paris, France, SIREN 940207921.

  • With the User’s consent, data may also be shared with other entities for their own marketing purposes.

§ 6 TECHNOLOGIES USED

  • The Controller collects system logs (device details, IP address, date/time, traffic data).

  • Analytical and marketing tools include:

    • Google Analytics cookies – analysis of website usage.

    • Google AdWords – sponsored links and campaign measurement.

    • Facebook Pixel – tracking ad performance.

    • Social media plugins (Facebook, Instagram).

§ 6 TRANSFER OF DATA OUTSIDE THE EEA

  • As a rule, personal data are processed within the European Economic Area (EEA). Data may be transferred outside the EEA only with adequate safeguards and in compliance with law.

  • Data are not transferred to international organizations.

§ 7 USER RIGHTS

  • Users have the right to access, rectify, erase, restrict processing, and transfer their personal data.

  • Users may delete their account or request data transfer to another entity.

  • Users may object to processing, withdraw consent to newsletters, and lodge complaints with supervisory authorities.

  • Data deletion may be limited where retention is required by law or necessary to protect the Controller’s legitimate interests.

§ 8 FINAL PROVISIONS

  • Contact with the Controller is possible using the details indicated in § 1 of this Privacy Policy.

  • The Privacy Policy is reviewed and updated as necessary.

  • The current version of this Privacy Policy is effective from 28 August 2025.