Privacy policy

Privacy Policy

Last updated: April 2026

1. Data controller

The data controller for personal data collected through my-pacha.com is:

Emporia SASU
4 rue de la République, 69001 Lyon, France
Telephone: +33 1 84 80 28 60
Email: support@my-pacha.com

We process personal data of UK consumers in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Personal data we process

  • Identity and contact data: name, postal address, email, telephone
  • Order data: products purchased, payment details (processed by our payment providers), order history
  • Usage data: pages visited, clicks, time spent, referral source
  • Technical data: IP address, browser, device, cookies (see Section 6)

3. Lawful bases for processing (Article 6 UK GDPR)

  • Article 6(1)(a) — Consent: for non-essential cookies, marketing emails (you may withdraw consent at any time)
  • Article 6(1)(b) — Contract performance: to process orders, deliver goods, manage your account
  • Article 6(1)(c) — Legal obligation: tax records, accounting (typically retained for 6 years)
  • Article 6(1)(f) — Legitimate interests: website security, fraud prevention, service improvement (balanced against your rights)

4. Recipients and third-party processors

We share personal data only as necessary with the following processors, each subject to appropriate data protection agreements:

  • Shopify Inc. (hosting, order processing) — Canada
  • Google LLC (Google Analytics, Google Ads, reCAPTCHA) — USA, with UK adequacy or SCCs in place
  • Meta Platforms Ireland (Facebook/Instagram pixel) — Ireland/USA
  • Microsoft Clarity (behaviour analytics) — USA
  • Trustpilot A/S (customer reviews) — Denmark
  • Cloudflare Inc. (security, CDN) — USA
  • Converge (server-side tracking) — USA
  • CookieYes (cookie consent management) — India/EU
  • Payment providers (Stripe, PayPal) for transaction processing

For international transfers outside the UK/EEA, we rely on UK adequacy decisions, the UK Addendum to EU Standard Contractual Clauses, or your explicit consent.

5. Data retention

We retain personal data only for as long as necessary for the purposes for which it was collected, or for legal obligations (in particular HMRC and accounting records, generally 6 years). Beyond that, data is deleted or anonymised.

6. Cookies

Our website uses cookies. Detailed information about each cookie's purpose and duration is available via the cookie banner. You can manage your preferences at any time via the "Manage cookies" link in the footer.

Non-essential cookies are only stored with your prior consent under the Privacy and Electronic Communications Regulations (PECR).

7. Your rights under UK GDPR

You have the following rights:

  • Right of access (Article 15) — to a copy of your personal data
  • Right to rectification (Article 16) — to correct inaccurate data
  • Right to erasure (Article 17) — also called "right to be forgotten"
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21) — including to direct marketing
  • Right to withdraw consent (Article 7(3)) — with effect for the future
  • Right to lodge a complaint with the supervisory authority (Article 77)

To exercise your rights, contact us at support@my-pacha.com. We will respond within one month (extendable by two months for complex requests).

8. Right to complain to the ICO

You have the right to lodge a complaint with the UK supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Tel: 0303 123 1113
ico.org.uk

You also retain the right to lodge a complaint with the French CNIL (as our establishment is in France):

Commission Nationale de l'Informatique et des Libertés (CNIL)
3 Place de Fontenoy, 75007 Paris, France
www.cnil.fr

9. Data security

We use SSL/TLS encryption with the highest cipher level supported by your browser to protect data transmitted between your device and our servers.

10. Children

Our website is not directed at persons under 13 years of age (the age of consent for processing under UK GDPR). We do not knowingly collect personal data from children under 13. If we become aware that we have collected such data without proper authorisation from a parent or guardian, we will delete it promptly.

11. No automated decision-making

We do not make any decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you.

12. Changes to this Privacy Policy

This Privacy Policy is current as of April 2026. As our website and services evolve, or in response to changes in law, we may need to update this Policy. The current version is always available on this page.

Last updated: April 2026