Privacy policy
Last updated: August 27, 2025
Corkin (“we,” “our,” or “us”) operates this website and online store (the “Services”), including all related information, content, features, tools, products, and services, in order to provide you, the customer, with a curated shopping experience. Corkin is powered by Shopify, which enables us to provide the Services to you.
This Privacy Policy describes how we collect, use, disclose, transfer and retain your personal information when you visit, use, or make a purchase from our Services, or otherwise communicate with us. Please read it carefully. By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy.
If there is a conflict between this Privacy Policy and our Terms of Service, this Privacy Policy controls with respect to the collection, processing, and disclosure of your personal information.
Personal Information We Collect
“Personal information” means information that identifies or can reasonably be linked to you. It does not include anonymous or de-identified data. We may collect:
- Contact details: name, billing/shipping address, phone number, email.
- Financial information: credit/debit card details, financial account numbers, payment confirmation, and related details.
- Account information: username, password, security questions, preferences.
- Transaction information: items viewed, placed in cart, purchased, returned, exchanged, or canceled.
- Communications: details you provide when contacting customer support.
- Device and usage information: IP address, browser, operating system, network connection, server logs, unique identifiers, and interactions with our Services.
- Marketing & analytics data: newsletter subscriptions, Plausible analytics, Facebook Pixel, and other tracking tools (where applicable and with consent).
Sources of Information
We collect information:
- Directly from you, e.g., when you create an account, place an order, or contact us.
- Automatically, via cookies, analytics, and server log files.
- From service providers, such as payment processors and shipping companies.
- From partners or third parties, including marketing or analytics partners.
How We Use Your Information & Legal Bases
We only process personal data where we have a lawful basis under the GDPR. The main purposes and legal bases are:
| Purpose | Data categories | Legal basis |
|---|---|---|
| Process and fulfill orders, payments, shipping and returns | Contact details, billing & payment data, transaction data | Performance of a contract (Art. 6(1)(b) GDPR) |
| Customer account management and authentication | Account information, credentials, usage data | Performance of a contract (Art. 6(1)(b)) and legitimate interests (Art. 6(1)(f)) for fraud prevention |
| Direct marketing (email newsletter, promotions) | Email address, marketing preferences, purchase history | Consent (Art. 6(1)(a)) for EU recipients; where consent is not required we may rely on legitimate interests (Art. 6(1)(f)) with a clear opt-out |
| Analytics and product improvement (Plausible, aggregated reports) | Usage information, device data, aggregated behavior | Legitimate interests (Art. 6(1)(f)) to improve the Services — Plausible is a privacy-first, cookie-less analytics provider; where tracking requires consent we will obtain it (see Cookies section) |
| Security, fraud prevention and legal compliance | Account data, transaction logs, IP addresses | Legal obligation (Art. 6(1)(c)) and legitimate interests (Art. 6(1)(f)) |
| Transfers to service providers (payment processors, carriers) | As required to perform the contract | Performance of a contract (Art. 6(1)(b)) |
Where we rely on legitimate interests we have carried out balancing tests and determined the processing does not override your interests, rights or freedoms. You may object to processing based on legitimate interests — see “Your rights” below.
Disclosure of Information
We may share your personal information in the following cases:
- With Shopify: as our hosting and e-commerce provider. See Shopify’s privacy and DPA pages (links below). Shopify, as a platform provider, may also process analytics or operational data using third-party analytics (e.g., Google) on their side.
- With vendors and service providers: payment processors, shipping carriers, IT support, analytics providers, marketing partners.
- With marketing/advertising partners: e.g. Facebook, Google, where you have provided consent or otherwise as allowed by law.
- With affiliates and within our corporate group.
- For legal reasons: to comply with applicable law, respond to lawful requests, enforce policies, or protect rights.
- In a business transaction: such as a merger, acquisition or bankruptcy.
We do not sell your personal information for third-party advertising without your explicit consent.
Cookies & Tracking Technologies
We use cookies and similar technologies on the Services.
Our analytics approach
- We do not use Google Analytics on Corkin’s storefront. Instead, we use Plausible Analytics, a privacy-focused, cookie-less analytics provider. Plausible does not use cookies and does not collect personal data that identifies individual users by default; it provides aggregated, non-identifying traffic and performance metrics to help us improve the site. Because Plausible is cookie-less and privacy-focused, it generally does not require consent to operate; nevertheless we provide transparent information and a way to opt out via Cookie settings.
- Important: Shopify as a platform may collect analytics or use Google for platform-level performance and operational analytics; these platform-level processing activities are governed by Shopify’s privacy policies (see links below).
Cookie categories we use (site-level):
- Strictly necessary cookies: required for the website to function (no consent required).
- Preferences / functional cookies: remember user settings (consent required for EU users if these are not strictly necessary).
- Statistics / analytics cookies: where used by third parties in a way that sets cookies and processes personal information, consent will be required — Plausible itself is cookie-less and therefore does not fall under that requirement.
- Marketing / advertising cookies: used to deliver personalized ads and profiling (consent required).
Consent and cookie banner
We do not place non-essential cookies (analytics, advertising, profiling) prior to obtaining your explicit consent. Our cookie banner provides granular controls so you may accept or reject individual cookie categories. Consent is recorded and logged (timestamp, categories accepted). You can withdraw or change consent at any time via the “Cookie settings” link in the site footer.
Cookie details
| Category | Example cookie(s) / provider | Purpose | Typical expiry | Consent required |
|---|---|---|---|---|
| Strictly necessary | session cookies, cart, storefront session (Shopify) — Provider: Shopify | Keep you logged in during a session, maintain cart contents, enable checkout and secure site functions. | Session or short-lived | No |
| Preferences / Functional | language, currency, theme choices — Provider: Shopify / theme | Remember UI preferences such as language or currency so the site behaves as you expect. | 30 days — 1 year | No (functional) |
| Analytics (privacy-first) | Plausible — cookie-less by default (Plausible.io) | Aggregated, non-identifying site metrics (pageviews, referrers, events). Plausible does not set tracking cookies by default and does not collect personal identifiers. | Raw metrics retention depends on provider settings (e.g., 24 months) | Not required for Plausible (cookie-less), but we offer a user opt-out toggle for transparency |
| Marketing / Advertising | _fbp, _fbc (examples) — Provider: Meta / Facebook | Conversion tracking, ad targeting and audience building (creates profiles used for personalised ads). | ~90 days (varies by provider) | Yes — explicit consent required for EU visitors |
| Platform cookies (note) | Shopify platform cookies and operational analytics | Shopify (the platform) may process platform-level operational data and may use analytics tools (e.g., Google) for platform diagnostics — governed by Shopify’s privacy policies. | Varies | Governed by Shopify; not controlled by Corkin cookie banner |
Third-Party Services & Tools, Profiling & Automated Decision-making
Third-party tools we may use
- Plausible Analytics — our chosen site analytics provider (privacy-first, cookie-less). Plausible provides aggregated site metrics (pageviews, referrers, events) and does not collect or store personal data that identifies individual visitors by default.
- Facebook Pixel / advertising partners — we may use Facebook Pixel for advertising and conversion tracking where you have given consent; this is separate from Plausible and does involve profiling unless you opt out.
- Shopify platform analytics — note that Shopify, as the underlying platform, may use other analytics services for operational purposes (see Shopify privacy links).
Profiling & targeted advertising
When you give consent, we may use data collected through advertising tools (e.g., Facebook Pixel) to create profiles and deliver targeted advertising. Profiling and targeted advertising for EU users is based on consent. You may withdraw consent to profiling/targeted advertising at any time via Cookie settings or directly via the providers:
- Facebook ad settings: https://www.facebook.com/ads/preferences
- Google ad settings: https://adssettings.google.com/
Automated decision-making
We do not currently carry out decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects concerning you (Art. 22 GDPR). If we implement such processing in the future we will notify affected individuals, provide meaningful information about the logic involved and the envisaged consequences, and put in place appropriate safeguards including the right to human review.
Data security, retention & deletion (Shopify-aligned)
We use administrative, technical, and physical measures designed to protect personal data from unauthorized access, disclosure, alteration, or destruction. However, no security measures are 100% secure — we cannot guarantee absolute security.
How Shopify handles retention & erasure (what happens automatically)
Some aspects of data retention and erasure are managed by Shopify as the underlying platform:
- Customer-initiated erasure: Customers can start an erasure request using Shopify’s privacy controls (the “Erase my data” tool). Shopify may take up to 30 days to process such erasure requests.
- Merchant-initiated erasure: As a Shopify merchant we can request the erasure of a customer’s personal data from our store and from apps and channels installed through our Shopify admin. When Shopify erases a customer’s personal data it removes identifying fields (for example, name and address), while certain transaction metadata (for accounting or record-keeping) such as what was sold and the date/time of the sale may remain visible in the admin in anonymized or non-identifying form. You remain responsible for contacting any third parties you shared the data with.
- Active payments & subscriptions: Shopify will not automatically erase personal data that is tied to active pre-authorized payments, subscriptions or recent orders where doing so would prevent proper processing (for example, chargebacks or subscription billing). Merchants should review and handle such cases carefully before initiating erasure.
- Store deactivation: If a merchant deactivates a Shopify store, Shopify retains the store’s information for a period; merchants may request erasure of customer personal data within that period.
Our retention practices (how Corkin operates on top of Shopify)
We align our retention practices with Shopify’s platform behaviour and legal requirements:
- Accounting & tax records: We retain order and transaction records (invoicing data required by Dutch law) for 7 years to comply with tax and accounting obligations. These records may include non-identifying transaction metadata even after identifying fields are erased or anonymized by Shopify.
- Customer account data: Active customer account details are retained while the account is active. If you request erasure, we will use Shopify’s erasure tools and our internal process to remove identifying information unless retention is required by law or necessary to settle outstanding transactions.
- Support correspondence: Customer support communications are retained for 2 years after the last contact unless a valid erasure request requires deletion sooner and it is technically possible without violating legal obligations.
- Marketing consents: Consent records and marketing preferences are kept until you withdraw consent; we log consent (who, when, what categories) to demonstrate compliance.
- Analytics data: We use Plausible for site analytics (cookie-less, privacy-first). Raw Plausible metrics are retained according to Plausible’s settings; aggregated/anonymized metrics may be kept indefinitely for product improvement.
Erasure requests & timelines (customer-facing)
If you request erasure of your personal data from Corkin:
- Contact us at hello@corkin.nl with your request and sufficient information to identify the data (order number, email, etc.).
- We will verify your identity and then submit the erasure request via our Shopify admin and to any relevant processors/apps.
- Shopify and connected processors may take up to 30 days to complete erasure and may delay erasure where legal or contract obligations apply (for example active subscriptions, recent transactions, or legal retention requirements). If we cannot erase certain data due to legal obligations (e.g., tax records), we will inform you which data must be retained and why.
Practical notes for customers & merchants
- Some information (order date, what was sold) may remain visible in anonymized form for record keeping even after identifying fields are removed — this is normal and necessary for accounting and legal compliance.
- If you need immediate erasure but have active subscriptions or pre-authorized payments, please contact us so we can pause or handle billing appropriately before completing erasure.
- If you request erasure after we have deactivated the store, Shopify may still retain store-level data for a period; you may request earlier erasure, and we will help submit that request to Shopify.
Your Rights
Depending on your location, you may have the following rights under applicable data protection laws:
- Right of access — request a copy of the personal data we hold about you (Art. 15 GDPR).
- Right to rectification — correct inaccurate or incomplete personal data (Art. 16).
- Right to erasure — request deletion of personal data in certain circumstances (Art. 17).
- Right to restriction of processing — request a temporary halt to processing in certain circumstances (Art. 18).
- Right to object — object at any time to processing based on legitimate interests and to processing for direct marketing purposes (Art. 21). If you object to direct marketing, we will stop sending marketing messages.
- Right to portability — receive your data in a structured, commonly used, machine-readable format and transmit it to another controller where applicable (Art. 20).
- Right to withdraw consent — where processing is based on consent you may withdraw it at any time; withdrawal does not affect processing before withdrawal.
- Right in relation to automated decision-making and profiling — you may have the right not to be subject to decisions based solely on automated processing that have legal or similarly significant effects (Art. 22).
How to exercise your rights
To exercise any of these rights, contact our privacy contact at hello@corkin.nl or by post (address below). We will verify your identity before responding. We will respond without undue delay and in any event within one month of receipt of your request. If a request is complex or multiple requests are made, we may extend the response period by a further two months; we will inform you of any extension and the reasons. If we refuse your request we will explain why and inform you of your right to lodge a complaint and to seek a judicial remedy.
If you are not satisfied with our response, you may lodge a complaint with your local supervisory authority — in the Netherlands: Autoriteit Persoonsgegevens (https://autoriteitpersoonsgegevens.nl/).
Objecting to profiling or direct marketing
To object to profiling or direct marketing, use the unsubscribe link in marketing emails or contact hello@corkin.nl with your order/account number and details of the processing you want to object to.
Children’s Data
Our Services are not intended for children under the age of majority in your jurisdiction. We do not knowingly collect personal data from children under 18. If you believe a child has provided us with personal information, please contact hello@corkin.nl and we will take steps to delete such information.
International Transfers & Safeguards
Some service providers we use (including Shopify) may process or store data outside the European Economic Area (EEA) — for example in Canada and the United States. Where personal data is transferred outside the EEA/UK to countries that do not have an adequacy decision, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (SCCs), binding corporate rules or other lawful transfer mechanisms, and we require processors to implement technical and organizational measures to protect your data.
For details on Shopify’s processing and transfer mechanisms see:
- Shopify Privacy: https://privacy.shopify.com/en
- Shopify Data Processing Addendum (DPA): https://www.shopify.com/legal/dpa
You may request a copy of the relevant safeguards (for example, SCCs) or further information about data transfers by contacting hello@corkin.nl.
Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices or for operational, legal, or regulatory reasons. Updates will be posted on this page with the “Last updated” date revised. Where required by law we will provide you with notice of any material changes.
Contact
For questions, concerns, or to exercise your privacy rights under this Privacy Policy, please contact us:
Corkin, eenmanszaak
Owner / Data Controller: Simone (Simo) Tommaso
📍 Schouwtjeslaan 53, 2012 KM Haarlem, Netherlands
📧 hello@corkin.nl
📞 +31 (0) 683500003
KvK (Chamber of Commerce) number: 85785857
VAT number: NL004146742B48
Privacy contact / Data Protection Officer
We have not appointed a Data Protection Officer under the GDPR. For all privacy matters, data subject requests, or to raise concerns please contact our privacy contact at hello@corkin.nl.
If you remain unsatisfied with our response, you may lodge a complaint with the Autoriteit Persoonsgegevens (the Dutch Data Protection Authority).
Additional information & links
- Plausible Analytics: https://plausible.io/
- Shopify Privacy: https://privacy.shopify.com/en
- Shopify Data Processing Addendum (DPA): https://www.shopify.com/legal/dpa
- EU Online Dispute Resolution (ODR) platform: https://consumer-redress.ec.europa.eu
- Autoriteit Persoonsgegevens: https://autoriteitpersoonsgegevens.nl/