Privacy policy

Effective date: October 25, 2025
Who we are: Boys of Joy, Okerstraße 40, 12049 Berlin, Germany.
Contact: contact@boysofjoy.com

Boys of Joy operates this online store and related services (the “Services”). We care about your privacy and want you to understand how we collect, use, and disclose personal information. If this Policy conflicts with our Terms of Service, this Policy controls for privacy matters.

By using the Services, you acknowledge this Policy.

1) Scope

This Policy applies when you visit our website, place an order, create an account, subscribe to marketing, contact us, or otherwise interact with the Services, wherever you are located. We comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, Germany’s applicable laws, and—where relevant—major U.S. state privacy laws (e.g., California).

2) Personal Information We Collect

Personal information” means information that identifies or can reasonably be linked to you. We collect the following categories (depending on your interactions and your location):

  • Identifiers & contact data: name, email, phone number, billing/shipping address.

  • Account data: username, password, preferences, settings.

  • Order & transaction data: items viewed, added to cart, wishlisted, purchased, returned/exchanged/cancelled; order IDs, payment status, delivery status.

  • Payment data: method, last 4 digits and card type (if shown to us), payment confirmations. We do not store full card numbers; payments are processed by our payment providers.

  • Communications: customer support messages, product reviews, survey responses.

  • Device/technical data: IP address, device and browser type, operating system, language, referrer URL, session IDs, approximate location (derived from IP).

  • Usage & analytics data: pages viewed, links clicked, features used, time on page, conversion events.

  • Inferences: interests or preferences derived from other information (e.g., to personalize content or offers).

3) Sources of Personal Information

  • Directly from you (account creation, checkout, forms, messages).

  • Automatically via cookies and similar technologies when you browse the site (see §8).

  • Service providers & partners (e.g., Shopify, payment processors, analytics/marketing providers, fulfillment/shipping partners).

  • Publicly available sources and, where lawful, from anti-fraud or address-verification services.

4) Purposes & Legal Bases (GDPR/UK GDPR)

We use your information for:

Purpose Examples Legal basis
Provide the Services; perform our contract process orders/payments, deliver products, manage returns, provide support, operate your account Contract (Art. 6(1)(b))
Security & fraud prevention authenticate users, detect/prevent misuse, secure our systems Legitimate interests (Art. 6(1)(f))
Improve & personalize remember preferences, recommend products, debug, develop new features Legitimate interests (Art. 6(1)(f)) / Consent where required
Marketing & advertising send emails/SMS (where permitted), run on-site and cross-site ads, measure campaigns Consent (Art. 6(1)(a)) for email/SMS & non-essential cookies; Legitimate interests (Art. 6(1)(f)) where soft opt-in applies
Legal compliance taxes, accounting, responding to lawful requests, enforcing terms Legal obligation (Art. 6(1)(c))
With your permission posting testimonials, certain data sharing Consent (Art. 6(1)(a))

You can withdraw consent at any time (see §11–§12).

5) Relationship with Shopify & Other Providers

We host our store on Shopify, which processes personal information to operate and improve the Services. Shopify may combine data across merchants to provide features like fraud prevention and personalized experiences. For details and your rights regarding data Shopify processes, see the Shopify Privacy Policy: https://www.shopify.com/legal/privacy and the Shopify Privacy Portal: https://privacy.shopify.com/

Other key providers include:

  • Payment processors (e.g., Shopify Payments/Stripe/PayPal) – often independent controllers for payment/KYC/AML.

  • Fulfillment & shipping (e.g., print-on-demand partners, DHL/DPD/UPS).

  • Marketing & communications platforms (e.g., email/SMS tools), analytics tools, ad platforms (e.g., Meta/Google), and IT/cloud providers – generally processors acting on our instructions.

We disclose only what’s necessary for each purpose and require appropriate safeguards.

6) Disclosures of Personal Information

We disclose personal information:

  • To service providers/processors (IT, hosting, payments, analytics, marketing, customer support, fulfillment, shipping).

  • To business/advertising partners to measure and deliver ads (see §8 and §12 for your choices).

  • At your direction or with your consent, e.g., social login, review widgets.

  • Within our corporate group/affiliates.

  • For legal reasons (e.g., to comply with law, enforce our terms, protect our rights or safety).

  • Business transfers (e.g., merger, acquisition, restructuring).

We do not sell your personal information for money. In some jurisdictions, using data for cross-context behavioral advertising may be considered a “sale” or “sharing”—see §12 for opt-out.

7) International Data Transfers

We are based in Germany and may transfer personal information to countries outside the EEA/UK (e.g., Canada, U.S., other locations of Shopify and our providers). Where required, we use appropriate safeguards such as the EU Standard Contractual Clauses (and UK equivalents). Copies or meaningful information about these safeguards are available upon request.

8) Cookies & Similar Technologies

We use cookies, pixels, and similar tech to:

  • Essential: site functionality, security, checkout.

  • Analytics: measure use and improve performance.

  • Advertising/personalization: show relevant content/ads on our site and others.

Where required, we obtain consent via our cookie banner. You can change preferences anytime via Cookie Settings in the footer. See our Cookie Policy ([link to Cookie Policy]) for a detailed list of cookies, purposes, lifetimes, and partners.

Global Privacy Control (GPC): If you visit with GPC enabled, we treat it as an opt-out of targeted advertising/“sale”/“sharing” for that browser/device (and to your account when recognized). Other “Do Not Track” signals aren’t recognized today.

9) Retention

We keep personal information only as long as necessary for the purposes above, including to comply with law, resolve disputes, and enforce agreements. Typical periods:

  • Orders/transactions: up to 10 years (German tax/accounting rules).

  • Account data: for the life of the account and 24 months after inactivity, then deletion/anonymization.

  • Marketing data: until you opt out/withdraw consent; we minimize on opt-out.

  • Security/fraud logs: 12–24 months.

10) Security

We use appropriate technical and organizational measures (e.g., encryption in transit, access controls, MFA for internal tools, vendor due-diligence). No method is 100% secure. Please keep your account credentials confidential.

11) Your Rights (EEA/UK)

Subject to conditions/exceptions in law, you have the right to: access/know, rectify, erase, restrict, object (including to direct marketing and related profiling), and data portability. Where processing is based on consent, you may withdraw consent at any time.

To exercise rights, contact us at contact@boysofjoy.com. We may verify your identity and will respond within 30 days (or as required by law). You will not be discriminated against for exercising rights.

You may also complain to your supervisory authority. In Berlin:
Berliner Beauftragte für Datenschutz und Informationsfreiheithttps://www.datenschutz-berlin.de/

12) U.S. State Privacy Rights (e.g., California)

If you are a resident of certain U.S. states, you may have rights to access, delete, correct, opt-out of targeted advertising, and opt-out of “sale” or “sharing.” Exercise these via:

  • “Do Not Sell or Share My Personal Information” link: [insert link]

  • Cookie Settings (for advertising cookies)

  • Or email contact@boysofjoy.com

We honor GPC as an opt-out signal. Response time: up to 45 days (extendable by law). Authorized agents may act on your behalf, subject to verification.

13) Automated Decision-Making & Profiling

We use limited profiling (e.g., purchase/browse behavior) to personalize content and offers. We do not make decisions that produce legal or similarly significant effects without human involvement. You may object to profiling for marketing at any time (see §11–§12) or adjust Cookie Settings.

14) Children

The Services are not directed to children. We do not knowingly collect or “sell/share” personal information of children under 16 (and under 13 in the U.S.). If you believe a child provided personal information, contact us and we will delete it.

15) Third-Party Links & Social Features

Our Services may link to third-party sites or include social widgets. Their privacy practices apply to their services. Review their policies before sharing information.

16) Changes to This Policy

We may update this Policy from time to time. We will post the revised version with an updated “Effective date” and provide additional notice where required.

17) Contact Us

Questions or requests about this Policy or your personal information:

Contact: https://www.boysofjoy.com/pages/contact
Email: contact@boysofjoy.com
Address: Boys of Joy, Okerstraße 40, 12049 Berlin, Germany
Data Controller: Boys of Joy (Berlin, Germany)