
Privacy Policy

How we collect, use, and protect your personal data — in plain English.

Last updated: 29 March 2026 · Effective: 29 March 2026

Who we are: Scentpath operates at scentpath.co.uk. We are the data controller responsible for your personal data.

Contact us: untitled-1773240731478-nhlr@polsia.app

1. What Data We Collect

We collect personal data only where it is necessary to provide our service. Here is what we collect and why:

Account & Identity Data

  • Name and email address — collected when you create an account or take the scent quiz. Used to manage your subscription and send you communications.

Scent Preference Data

  • Quiz responses — fragrance families, intensity preferences, mood associations, and note tolerances you provide during the scent quiz. Used to power our AI matching algorithm.
  • Monthly ratings — your feedback on candles received. Used to refine your future matches. This is core to our service.

Payment Data

  • Billing information — payment is handled entirely by Stripe, our payment processor. We do not store your card number, CVV, or full payment details. We receive a Stripe customer ID and subscription status.
  • Billing address — collected to fulfil your orders and comply with VAT obligations.

Delivery Data

  • Delivery address — required to ship your monthly box. Stored securely and used only for fulfilment.

Usage & Analytics Data

  • Analytics data — we use privacy-respecting analytics to understand how visitors use our site (pages visited, referral source, session duration). This data is aggregated and not used to identify individuals.
  • Cookies — see our Cookie section below.

2. How We Use Your Data

We process your personal data for the following purposes and legal bases:

Service Delivery (Contract)

  • Matching you with candles using our AI algorithm
  • Processing your monthly subscription and payments
  • Shipping your box to your delivery address
  • Managing your account and subscription settings

Communications (Contract / Legitimate Interest)

  • Sending order confirmations and shipping notifications
  • Delivering your monthly curation summary and match explanations
  • Responding to support enquiries

Marketing Emails (Consent)

  • If you opt in, we may send you news, new collections, and exclusive offers. You can unsubscribe at any time using the link in any email.

Service Improvement (Legitimate Interest)

  • Improving our AI matching models using aggregated, anonymised rating data
  • Analysing usage patterns to improve the website and user experience

3. Third Parties We Share Data With

We share data only where necessary to operate our service. We do not sell your personal data.

Stripe (Payment Processing)

Stripe processes all payments on our behalf. When you pay, you are subject to Stripe's Privacy Policy. Stripe is UK GDPR compliant and certified to PCI DSS Level 1.

Email Service Provider

We use a third-party email platform to send transactional and marketing emails. Your email address is shared with this provider solely for this purpose. They are contractually prohibited from using your data for any other purpose.

Delivery Partners

Your name and delivery address are shared with our logistics partners to fulfil your orders. This is limited to what is strictly necessary for delivery.

Legal Requirements

We may disclose your data if required to do so by law, court order, or to protect our legal rights.

4. Cookies

We use the following types of cookies:

Essential Cookies

Required for the site to function. These include session management and authentication tokens. You cannot opt out of these while using our service.

Analytics Cookies

We use privacy-respecting analytics tools to understand how visitors interact with our site. These cookies track aggregate behaviour (page views, session duration, referral source) and do not track you across other websites.

You can manage cookie preferences through your browser settings. Note that disabling certain cookies may affect site functionality.

5. Data Retention

We retain your personal data for as long as your account is active or as needed to provide our services. Specifically:

  • Account data — retained while your account is active, plus up to 2 years after closure for legal and fraud prevention purposes.
  • Transaction records — retained for 7 years to comply with UK tax and accounting obligations.
  • Marketing preferences — retained until you withdraw consent.
  • Quiz and preference data — retained while your account is active. Deleted within 30 days of account closure on request.

6. Your Rights Under UK GDPR

As a UK resident, you have the following rights regarding your personal data:

  • Right of access — you can request a copy of the personal data we hold about you.
  • Right to rectification — you can ask us to correct inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten") — you can ask us to delete your personal data. We will comply unless we have a legal obligation to retain it.
  • Right to data portability — you can request your data in a machine-readable format.
  • Right to restrict processing — you can ask us to pause processing your data in certain circumstances.
  • Right to object — you can object to processing based on legitimate interests or for direct marketing.
  • Right to withdraw consent — where we rely on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at untitled-1773240731478-nhlr@polsia.app. We will respond within 30 days.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

7. Data Security

We take data security seriously. Our measures include:

  • All data transmitted using HTTPS / TLS encryption
  • Payment data processed entirely by Stripe — we never handle raw card data
  • Database access restricted to authorised systems only
  • Regular security reviews of our infrastructure

No system is 100% secure. If we become aware of a data breach that affects your rights and freedoms, we will notify you and the ICO as required by law.

8. International Data Transfers

We primarily process your data within the UK and European Economic Area. Where data is transferred outside these regions (for example, to Stripe's infrastructure), we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the UK ICO.

9. Children's Privacy

Our service is not directed at children under the age of 13. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately and we will delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a notice on our website before the changes take effect. The date at the top of this page reflects the most recent revision.

11. Contact Us

Data Controller: Scentpath

Email: untitled-1773240731478-nhlr@polsia.app

Website: scentpath.co.uk

For privacy enquiries, data requests, or to exercise your rights, please email us with the subject line "Privacy Request".

© 2026 Scentpath. All rights reserved.