This Privacy Policy (the “Policy”) explains how Essence Valley (the “Company”, “we”, “us”, “our”) collects, uses, stores, shares, and otherwise processes personal data when you access or use EssenceValley.com (the “Website”).
The Policy is designed for an international e-commerce environment, including sales within the European Union (“EU”) and outside the EU, and is intended to reflect high standards under the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) as well as applicable local laws.
I. Definitions
- “Personal Data” means any information relating to an identified or identifiable natural person.
- “Data Subject” means the individual whose Personal Data is processed.
- “Processing” means any operation performed on Personal Data (collection, storage, analysis, disclosure, etc.).
- “Third Party” means any entity other than the Data Subject, the Company, or persons acting under the Company’s authority.
- “Platforms” means third-party advertising and analytics providers such as Google, Meta, and similar services.
- “Website” means EssenceValley.com.
II. Data Controller & Contact
The data controller for the purposes of the GDPR is Essence Valley (the “Company”).
If you have questions or requests regarding this Policy or your Personal Data, you can contact us at:
Email: info@essencevalley.com
III. Core Processing Principles
We process Personal Data in accordance with the principles of:
- lawfulness, fairness, and transparency;
- purpose limitation;
- data minimization;
- accuracy;
- storage limitation;
- integrity and confidentiality (security); and
- accountability.
IV. Legal Bases for Processing
We process Personal Data only where we have a lawful basis under the GDPR, including:
- Contract (GDPR Art. 6(1)(b)) – to create and perform a purchase contract, process payments, deliver orders, and provide support.
- Legal obligation (GDPR Art. 6(1)(c)) – to comply with accounting, tax, and other mandatory legal requirements.
- Legitimate interests (GDPR Art. 6(1)(f)) – to operate, secure, and improve our business, prevent fraud, and measure performance (including marketing to existing customers where permitted).
- Consent (GDPR Art. 6(1)(a)) – for marketing cookies, remarketing, audience building, and similar tracking where required by law.
Where we rely on legitimate interests, we apply a balancing test (Legitimate Interest Assessment, “LIA”) to ensure that our interests do not override your fundamental rights and freedoms.
V. Categories of Personal Data We Process
1) Data you provide (WooCommerce / Orders)
- first and last name;
- email address;
- phone number;
- billing and shipping address;
- order details and purchase history;
- communications with customer support;
- IP address (as part of security and transaction integrity checks).
2) Data you provide (Contact Form 7)
- name;
- email address;
- phone number (if provided);
- message content;
- technical metadata (e.g., IP address and timestamps, where available).
3) Data collected automatically (Website usage / technical)
- IP address;
- device information and identifiers;
- browser type and operating system;
- timestamps, pages viewed, session duration;
- clickstream/navigation paths and interaction events;
- shopping cart events and checkout behavior (where applicable).
4) Advertising, analytics & conversion data (Google / Meta / similar)
When you accept marketing/analytics cookies (or where otherwise permitted by law), we may collect and/or receive:
- ad interaction data (impressions, clicks, view-through interactions);
- conversion events (e.g., product view, add to cart, purchase);
- audience segmentation attributes and campaign performance signals;
- remarketing identifiers (cookies, pixels, device IDs);
- approximate location (derived from IP);
- measurement data used to optimize ads and build audiences (including lookalike audiences).
VI. Profiling & Automated Analysis
We may use automated analysis (including “profiling”) to understand preferences, measure website performance, segment audiences, personalize marketing, and optimize campaigns.
Such profiling is used for marketing effectiveness and user experience improvement and is not intended to produce legal effects or similarly significant effects on you within the meaning of GDPR Article 22.
VII. Cookies & Tracking Technologies
We use cookies and similar technologies (including pixels and tags) for:
- Strictly necessary functions (WordPress and WooCommerce core functionality, security, cart, checkout);
- Functional preferences (where applicable);
- Analytics to measure website performance;
- Marketing to provide remarketing, conversion tracking, and personalized advertising.
You can manage cookies via your browser settings and (where implemented) our cookie consent banner. Withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal.
VIII. Joint Controllership & Third-Party Platforms
Where we deploy Meta Pixel, Google tags, or similar technologies, we may be considered a joint controller with those Platforms for the initial collection and transmission of certain data (to the extent described by applicable court and regulatory practice).
After transmission, the relevant Platform typically acts as an independent controller for its own purposes under its own privacy policies.
IX. Sharing & Disclosure of Personal Data
We may share Personal Data with trusted recipients where necessary, including:
- payment service providers (for payment processing);
- shipping/logistics partners (for delivery);
- IT and hosting providers (for website operations and security);
- accounting and professional advisors (where required);
- advertising and analytics Platforms (Google, Meta, and similar) when permitted by law and/or with your consent.
We do not sell or rent your Personal Data. We may disclose data where required by law, in response to lawful requests by public authorities, or to protect our rights and security.
X. International Transfers (EU/EEA to Third Countries)
Because we sell products within and outside the EU/EEA and use global service providers, your Personal Data may be processed in countries outside the EU/EEA.
Where such transfers occur, we use appropriate safeguards, such as the European Commission’s Standard Contractual Clauses (SCCs), reliance on adequacy decisions where applicable, and additional technical and organizational measures (e.g., encryption, access limitation) when necessary.
XI. Retention (How Long We Keep Data)
- Order and accounting data: retained for up to 10 years (or longer if required by applicable law).
- Customer service communications: retained as needed to address requests and potential disputes (subject to limitation periods).
- Marketing data: retained until you withdraw consent or object (as applicable), or until data is no longer necessary for the purpose.
- Security logs: retained as long as reasonably necessary for security and fraud prevention.
When retention periods expire, we delete, anonymize, or securely restrict access to data in accordance with our retention procedures.
XII. Security
We use technical and organizational security measures appropriate to the risk, including encryption in transit (SSL/TLS), access controls, least-privilege administration, regular updates, and security monitoring.
However, no method of transmission or storage can be guaranteed to be 100% secure.
XIII. Your Rights
Subject to applicable law, you may have the right to:
- access your Personal Data;
- rectify inaccurate data;
- request erasure (“right to be forgotten”);
- restrict processing;
- object to processing (including based on legitimate interests and direct marketing);
- request data portability;
- withdraw consent at any time (where processing is based on consent);
- lodge a complaint with a supervisory authority (in the EU, typically in your country of residence).
We may request additional information to verify your identity before responding to a request. Where permitted by law, we may refuse requests that are manifestly unfounded or excessive.
XIV. Enhanced Limitation of Liability
To the maximum extent permitted by applicable law:
- We are not responsible for the independent privacy practices, internal algorithms, or security measures of Third-Party Platforms (including Google and Meta) after data is transmitted to them.
- We do not control Third-Party Platforms’ decisions regarding audience creation, ad delivery, or downstream processing of data under their own purposes.
- We are not liable for indirect, incidental, consequential, exemplary, or punitive damages, including loss of profits, goodwill, reputation, or business interruption, arising out of or relating to data processing, except where such limitation is prohibited by mandatory law.
- Our aggregate liability for any data-related claim is limited to the amount you paid to us for products during the preceding 12 months, except where mandatory consumer protection laws provide otherwise.
- We are not liable for events beyond our reasonable control (force majeure), including cyberattacks, network outages, infrastructure failures, or actions of public authorities.
Nothing in this Policy excludes or limits liability where such exclusion or limitation is not permitted by applicable law.
XV. Dispute Resolution & Jurisdiction
This Policy is governed by the laws of the Republic of Lithuania and directly applicable EU law (including the GDPR).
If you are an EU/EEA resident, you may also have rights under the laws of your country of residence and may contact your local supervisory authority.
Before initiating court proceedings, the parties agree to attempt to resolve disputes amicably. If no resolution is reached within 30 calendar days of a written notice, disputes shall be submitted to the competent courts of the Republic of Lithuania, unless mandatory law provides otherwise.
If you are located outside the EU/EEA, you agree that disputes related to this Policy will be handled in Lithuania, except where non-waivable local laws require a different forum.
XVI. Severability
If any provision of this Policy is held invalid or unenforceable, the remaining provisions will remain in full force and effect.
XVII. Changes to This Policy
We may update this Policy from time to time. The updated version becomes effective when posted on the Website.
We encourage you to review this page periodically for changes.