Privacy policy
Last updated: December 30, 2025
Rottalab operates this online store and website (collectively, the “Services”) to provide you with a curated shopping experience. We use the Shopify platform to power our store and Zendrop as our dropshipping fulfillment partner, which enables us to provide the Services to you. This Privacy Policy explains how we collect, use, and disclose your personal information when you visit or use our Services or make a purchase, as well as your rights under applicable data protection laws. We process personal data in compliance with the EU General Data Protection Regulation (GDPR) and Malta’s Data Protection Act (Cap. 586), along with other relevant privacy laws. In the event of any conflict between our Terms of Service and this Privacy Policy regarding personal information, this Privacy Policy will control. By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy and agree to the collection and processing of your information as described herein.
Personal Information We Collect
Definition: In this policy, “personal information” (also referred to as personal data) means any information that identifies, relates to, or can reasonably be linked to you or another individual. This does not include anonymous data or information that has been de-identified such that it cannot be linked back to you.
Categories of Data: We may collect and process the following categories of personal information (depending on how you interact with us, your location, and as permitted by law):
- Contact Details: Name, billing address, shipping address, email address, telephone number, and other contact information.
- Financial and Transaction Information: Payment details (e.g. credit or debit card number or other payment information), financial account numbers, payment confirmations, and details of your purchases, returns, exchanges, or cancellations. We do not store full payment card information on our servers; payments are processed securely by our payment providers.
- Account Credentials and Preferences: If you create an account, we collect your login username and password, security question answers, and any preferences or settings in your account profile.
- Shopping and Transaction History: Details about the items you view on our site, items you add to your cart or wishlist, and your purchase history (including products ordered and dates). This includes records of past orders, returns, or exchanges.
- Communications with You: Any information you choose to provide in communications with us. For example, if you contact customer support or send us an inquiry, we will collect the information you include in those communications (such as the content of your email or chat and your contact details for reply).
- Device and Usage Information: Technical information about the device and browser you use to access the Services, such as your IP address, device identifiers, browser type, language preference, and operating system. We also collect information about how you interact with our Services, such as the pages or screens you view, the features you use, the links you click, and the dates/times of your visits. This usage data may be collected through cookies and similar tracking technologies as described below.
Cookies and Tracking Technologies: Our Services use cookies and similar technologies to automatically collect certain device and usage information when you visit our site. Cookies are small text files stored on your browser that help websites remember your preferences and activity. We (and authorized third parties acting on our behalf) use these technologies to enable site functionality, remember your preferences, analyze traffic, and provide you with a personalized experience, including tailored content or advertisements. Where required by law (such as in the EU), we will obtain your consent for non-essential cookies (e.g. analytics or advertising cookies). You can manage or disable cookies through your browser settings; however, please note that disabling cookies may affect the functionality of the Services.
Sources of Personal Information
We collect personal information from several sources:
- Directly from You: Most of the data we collect comes directly from you. You provide personal information when you use our Services – for example, when you register an account, place an order, fill out forms, enter information at checkout, subscribe to newsletters, or communicate with us via email or chat.
- Automatically from Your Device: As you navigate and interact with our Services, we automatically collect technical and usage data through cookies, log files, and other tracking technologies on your browser or device (as described above). This helps us understand how you use the Services and personalize your experience.
- Service Providers: We receive personal information from service providers we engage to operate our store and fulfill orders. For instance, our website is hosted on Shopify, which collects data about your interactions with our site on our behalf, and our fulfillment partner Zendrop obtains the necessary order details to ship products to you (e.g. your name and shipping address). Payment processors may also provide us with limited information (such as confirmation that a payment was completed).
- Business Partners and Other Third Parties: In some cases, we may receive information about you from third parties. For example, if you use a social media login to sign into our site or if you participate in a promotion that involves a partner, that third party might share certain information with us. We may also collect or infer information from advertising and analytics partners about your engagement with our ads or other merchants’ websites (see Marketing and Advertising below). We only obtain such information where those third parties have the legal right to share it with us.
How We Use Your Personal Information
We use your personal information for the following purposes, in accordance with applicable law, including the GDPR principles of lawfulness, fairness, and transparency:
- To Provide and Improve Our Services: We process your information to perform our contract with you and deliver the Services you expect. This includes using your information to facilitate and fulfill your orders (e.g. processing payments, shipping your products via Zendrop, and handling returns or exchanges), to provide you with the features and functionality of our website, and to remember your preferences such as language, currency, and items saved in your cart. We also use the data to maintain and improve our Services – for example, diagnosing technical issues, analyzing site usage to enhance user experience, and developing new features or products that better meet your needs.
- Personalized Shopping Experience: Your information helps us personalize your experience on the store. We may use your browsing and purchase history to recommend products or services you might be interested in. For instance, we might display related items based on what you viewed or suggest products similar to your past purchases. This personalization is intended to make it easier for you to discover products that fit your preferences.
- Marketing and Advertising: We may use your contact information and shopping history to send you promotional communications about our latest products, special offers, or other updates we think you’ll find valuable. These may be sent via email or, where you have agreed, via text/SMS. We also use your data to show you relevant advertisements for our products or Services on our website or on third-party sites (such as advertising networks or social media platforms). For example, if you have viewed or purchased certain items, we might work with advertising partners to display ads for those or similar items when you visit other websites. In some cases, this may involve sharing limited information (like cookies or hashed email addresses) with those ad partners to enable such tailored advertising. Legal Note: Where required by law, we will obtain your consent before sending marketing emails or using your data for personalized ads. You always have the right to opt out of our marketing communications (see Managing Your Communication Preferences below).
- Security and Fraud Prevention: We are committed to keeping our Services safe and secure. We use personal information to authenticate your account and identify you when you log in, as well as to monitor for and detect fraudulent transactions or other malicious activities. For example, we may use certain technical information (like IP addresses or device identifiers) and purchase history to flag suspicious activity (such as potential credit card fraud or account takeover attempts). If we detect fraud or security risks, we may use your data to investigate or take appropriate action. We also process data as needed to protect the rights, property, or safety of our business, our users, or others (such as during an investigation of misuse of our site).
- Customer Service and Communications: If you contact us for support or with a question, we will use your contact information and any details you provide to respond to you and resolve any issues. This includes using your data to send you service-related messages such as order confirmations, shipping notifications, receipts, updates on any service interruptions, or responses to your inquiries. We may also send you administrative emails as needed, for example if we update our terms or privacy policy or need to notify you of important information about your account or transactions (these are not marketing messages, but essential service communications).
- Legal and Compliance Purposes: In certain cases, we need to process personal information to comply with our legal obligations or in response to lawful requests by public authorities. For example, we may retain and use certain transaction data for tax and accounting purposes, or disclose information if required by a court order, subpoena or other legal process. We also use and retain data as necessary to meet record-keeping requirements under consumer protection laws and to enforce our Terms of Service or other agreements. Additionally, if we are involved in a dispute or legal claim, we will use relevant personal information as needed to establish, exercise, or defend our legal rights.
Legal Bases for Processing (EEA/UK Users)
If you are located in the European Economic Area (EEA) or the United Kingdom, our processing of your personal information is justified by one or more “lawful bases” under the GDPR/UK GDPR:
- Performance of a Contract: Much of our data processing is done so that we can provide you with the Services you requested. When you make a purchase or sign up for an account, we need to process your personal data to fulfill our contract with you – for example, to process your payment, deliver your order, or provide customer support. We could not provide the Services without this use of your data.
- Your Consent: In some cases, we rely on your consent to process your personal information. For instance, if you subscribe to our newsletter or agree to receive marketing communications, we process your email address for that purpose based on your consent. Likewise, certain cookies or tracking for personalized advertising are used only with your consent (where required by law). You have the right to withdraw your consent at any time (see Your Rights and Choices below), and we will stop the related processing going forward.
- Legal Obligation: We process personal data when necessary for us to comply with a legal obligation. This includes retaining records as required by tax laws, responding to lawful requests from government or law enforcement, or handling data subject rights requests under privacy laws. If the law requires us to process or keep your information, we will do so to meet those obligations.
- Legitimate Interests: We also process data as needed for our legitimate business interests, so long as those interests are not overridden by your fundamental rights and freedoms. For example, it is in our legitimate interest to improve and personalize our Services, to prevent fraud, to secure our website, and to market our products to adult customers. We always consider the potential impact on your rights when relying on this basis, and will not process personal information for activities where our interests are outweighed by the potential risks to your privacy. You have the right to object to processing based on our legitimate interests in certain cases (see Your Rights and Choices below).
Note: Where we rely on legitimate interests to process your data for direct marketing, you have the absolute right to object at any time, and if you do so we will cease processing your data for marketing purposes.
How We Disclose Personal Information
We do not sell your personal information to third parties. However, we do share your information in certain circumstances, as needed to run our business and as permitted by law, as described below. Whenever we disclose data, we take steps to ensure the recipients will handle the data appropriately and securely. The types of third parties with whom we may share personal information include:
- Service Providers (Processors): We share personal information with our trusted service providers who perform services on our behalf and under our instructions. This includes, for example:
  - Shopify: Our store is hosted on Shopify Inc., which means Shopify processes your personal data (such as information about your device and interactions with our site) to enable our online storefront and payment infrastructure. Shopify also stores our customer account data and order information in their systems. They act as our data processor for hosting and transaction services, and in some cases as a separate controller (see “Shopify Platform and Data Sharing” below for details).
  - Order Fulfillment (Zendrop): We use Zendrop as a dropshipping fulfillment partner to source products and ship orders to you. When you place an order, the necessary details are automatically transferred to Zendrop so that your order can be fulfilled. This will include your name, shipping address, purchased items, and any relevant notes needed for delivery. Zendrop and its suppliers will use this information solely to procure the product and ship it to you, and for related purposes like addressing any shipping issues. They are contractually obligated to protect your data and not use it for other purposes. Zendrop may in turn share your address with logistics partners (e.g., postal or courier services) as needed to deliver the package.
  - Payment Processors: We rely on external payment gateways (such as Shopify Payments, Stripe, PayPal, or other providers) to process your payment information securely. When you enter your credit or debit card details at checkout, that information is transmitted directly to the payment processor and not stored by us (aside from possibly a token or the last 4 digits for reference). The payment processor will provide us with confirmation of payment and certain details (like card type or failure reason if a transaction is declined) so we can handle your order. These providers are responsible for complying with financial data security standards (PCI DSS) and applicable regulations.
  - IT and Infrastructure Providers: We may share information with cloud storage providers, website analytics services, email service providers, customer support platform providers, and similar vendors that enable our Service functionality. For example, we might use an email service to send order confirmations or a cloud service to store backups securely. These providers only access your data to the extent needed to perform their functions on our behalf and are not allowed to use it for their own marketing.
- Business and Marketing Partners: In some cases, we share limited personal information with third-party partners for marketing, advertising, and analytics purposes. For example, we may allow advertising networks to set cookies or pixels on our site to collect usage information for targeted advertising (with your consent where required). We may also work with partners (like social media platforms or Google/Facebook Ads) to serve ads to you based on your past interactions with our site. This may involve sharing a hashed version of your email or other identifier with the platform to try to “match” you and deliver the ad. Additionally, because we use Shopify to host our store, Shopify may separately facilitate personalized advertising services that involve your data and data from other merchants’ customers (as part of Shopify’s network features). For instance, Shopify might use information about your purchases on our store and others to help us (and other merchants) show you relevant products. Your Choices: Depending on where you reside, you may have the right to opt out of certain sharing of your data for targeted advertising. For example, users in some U.S. states have the right to direct businesses not to “share” personal data for cross-context behavioral advertising, and under the GDPR you have the right to object to profiling for direct marketing. We will honor any valid opt-out or objection request. You can exercise this by contacting us or using any opt-out tools we provide (such as a “Do Not Sell/Share My Info” link or cookie consent manager, as applicable).
- Affiliates and Corporate Group: If Rottalab has affiliates or is part of a corporate family, we may share personal information within that group (for example, if we establish a Maltese parent company or related entities) for purposes consistent with this Policy. Any such affiliate receiving your information will be bound to protect it to at least the same standard as we do.
- Business Transfers: If we undergo a business transaction such as a merger, acquisition by another company, reorganization, or sale of all or part of our assets, your personal information may be disclosed to the prospective or actual acquiring entity (and its representatives) as part of the due diligence process or transfer of assets. In such cases, we will ensure that appropriate confidentiality safeguards are in place and that your data remains protected. If a transfer occurs, the successor entity will be entitled to continue using your information, but only in line with this Privacy Policy or as otherwise permitted by law.
- Legal Compliance and Protection: We may disclose personal information to courts, law enforcement, government authorities, or other third parties when we believe in good faith that such disclosure is necessary to comply with a legal obligation. This includes situations such as responding to subpoenas, warrants, or other legal process, or to meet national security or law enforcement requirements. We may also disclose your information if we believe it is necessary to investigate or enforce our Terms of Service or other agreements, or to protect the rights, property, or safety of our company, our customers, or others. For example, we might share information with fraud prevention agencies or consult with our legal advisors in handling a breach of contract or a violation of law.
We endeavor to limit the personal information we share to what is directly relevant and necessary for each specified purpose. Whenever personal data is transferred to a third-party recipient, we take steps to ensure they maintain adequate privacy and security standards. Please note that third parties who process your data on our behalf (our processors) are contractually bound to use it only for the agreed-upon services and to safeguard it in accordance with applicable law.
Shopify Platform and Data Sharing
As noted above, our store is built on the Shopify platform. Shopify acts as both a service provider to us and, in certain cases, an independent data controller with respect to some of your personal data processed through our site. Here is what that means for you:
- Hosting and Basic Processing: Shopify provides the e-commerce infrastructure that allows us to run this store. When you visit our website or make a purchase, your information is automatically transmitted to Shopify’s systems. Shopify needs this information to host the website, enable checkout and payments, and perform other core functions for us. In this capacity, Shopify is processing your data on our behalf (as a “processor”) to help us fulfill our contract with you. Examples include storing your account data, processing your order information, routing your payment details to the payment gateway, and storing records of your transactions. Shopify also implements security measures and monitors the platform for fraud or security issues.
- Shopify “Network Intelligence” and Enhanced Services: We utilize certain Shopify features that leverage data insights across the network of Shopify merchants. Specifically, Shopify may combine data about how you interact with our store and other Shopify-powered stores, as well as with Shopify’s own services, to provide enhanced functionalities to merchants and customers. For example, Shopify might use a history of fraudulent orders across multiple stores to better detect fraud on ours, or it might use your browsing/purchase patterns to power personalized product recommendations or advertising audiences. In these cases, Shopify is not just acting on our instructions but determining certain purposes of processing – meaning Shopify is responsible for that data use as a controller under data protection law. Shopify’s use of your data for these “Enhanced Services” is covered by Shopify’s own privacy policy (often referred to as the Shopify Consumer Privacy Policy). Importantly, if you have any questions or wish to exercise data rights (like access, deletion, objection, etc.) specifically regarding the data that Shopify processes for its own purposes (for example, data used to personalize ads across different stores), you should direct those requests to Shopify, since Shopify controls that data.
- Your Choices with Shopify-Processed Data: Depending on your location, you may have rights to limit Shopify’s use of your data for these cross-merchant services. For instance, in the EEA/UK, Shopify may seek your consent (usually via our cookie banner or similar) to use your data for personalized advertising features. If you opt out of such cookies or tracking, Shopify will honor that choice and exclude your data from those advertising features. Likewise, in certain U.S. states, Shopify’s use of data for targeted advertising could be considered a “sale” or “share,” and you have the right to opt out (Shopify provides tools to facilitate compliance with those state laws). We have enabled Shopify’s privacy features (like its Customer Privacy API) to respect global privacy signals and opt-out preferences where applicable.
- Learn More: For transparency, we provide a link to Shopify’s Consumer Privacy Policy and Shopify’s Privacy Portal on our site. You can review Shopify’s Privacy Policy to understand how they collect and use personal data in general. If you wish to exercise any data rights with respect to information in Shopify’s control (for example, opting out of Shopify’s cross-store data use, or accessing data Shopify holds about you), you can use Shopify’s Privacy Portal (accessible at privacy.shopify.com or via the link on our website) to submit your request directly to Shopify. Shopify is responsible for responding to those requests regarding the Enhanced Services data. Of course, for any data that we as Rottalab control, you can always contact us to exercise your rights, as detailed in the next section. We and Shopify cooperate as needed to ensure your privacy rights are respected.
In summary, Shopify is an essential part of our e-commerce operations, and we work closely with them to protect your data. We want you to be aware that by using our Shopify-powered store, your data will be handled both by us and by Shopify. We include this information to stay transparent in line with GDPR’s transparency requirements and Shopify’s own policies.
Third-Party Links and Websites
Our Services may contain links to websites or services that are not operated by us, but by third parties. For example, our site might feature links to our social media pages, to Shopify’s policies, or to third-party content. If you click on a third-party link, you will be directed to that third party’s site, which is outside of our control. We are not responsible for the privacy practices or content of third-party sites. Once you leave our website or are redirected to a third-party service, their own privacy policy and terms will apply. We recommend that you review the privacy policy of any website or service you visit before providing any personal information. This Privacy Policy applies only to data collected through our own Services. We do not endorse or make any representations about third-party websites; providing a link is for your convenience, and you access such sites at your own risk.
Please note that if you post information in public areas – for instance, leaving a product review or commenting on our social media – those comments may be visible to other users or the general public. Think carefully before you share personal data in any public forum. We are not responsible for how other users or the platform itself may use information you make public in such forums.
Children’s Data
Our Services are not intended for use by children, and we do not knowingly collect personal information from individuals who are under the age of majority in their jurisdiction (typically under 18 years old) without appropriate consent. If you are a minor, you should not use or make purchases on this site without involvement of a parent or guardian. We do not target our products or Services toward children. In fact, when you create an account or make a purchase, you represent that you are of legal age to form a binding contract with us (generally 18 in most countries, including Malta).
If we learn that we have inadvertently collected personal data from someone under the applicable age without proper consent, we will take steps to delete that data as soon as possible. Parents or guardians who discover that their child has provided us with personal information without consent can contact us at our email address below and request deletion of the data.
No “Selling” of Minors’ Data: We also confirm that, as of the effective date of this Policy, we do not have actual knowledge of any “sale” or “sharing” of personal information of users under 16 years of age. (The terms “sell” and “share” here are used as defined in certain privacy laws, such as the California Consumer Privacy Act/CPRA, which impose special rules for data of minors under 16.) We do not knowingly engage in such activities. If you are under 16, we will not use your personal data for targeted advertising or other uses that would be considered a sale/sharing under applicable law, without obtaining any required opt-in consent. Again, our Services are not intended for minors at all, so under normal operation we should not collect data from anyone in this age group.
Data Security
We take reasonable and appropriate measures to secure your personal information and protect it from unauthorized access, alteration, disclosure, or destruction. Our security measures include technical, administrative, and physical safeguards designed to protect personal data. For example, we use encryption protocols for data in transit where necessary, maintain up-to-date firewall and intrusion detection systems, and restrict access to personal data only to employees and service providers who need it for the purposes described above. Shopify, as our hosting provider, is certified to high industry security standards and implements measures like encryption of payment information and continuous monitoring for vulnerabilities. Zendrop and our other processors are also required to follow stringent security practices.
However, please note that no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security of information, and you use our Services at your own risk. For instance, email communications may not be secure, so avoid sending us sensitive information (like credit card numbers) via email. We recommend that you keep your account login credentials confidential and use a unique, strong password to help prevent unauthorized access to your account. If you suspect any unauthorized access or security breach relating to your personal data or our Services, please contact us immediately so we can investigate.
Data Retention
We retain your personal information only for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. In practice, this means:
- For active customer accounts, we will keep your account information until you deactivate your account or request deletion, since we need it to provide you with ongoing service.
- For orders and transactions, we retain records of your purchase history, communications, and transactional data as required for our legitimate business operations (such as bookkeeping) or legal compliance. For example, we keep invoice and payment records to comply with tax laws and financial regulations, typically for at least the minimum period required by those laws (often 5-7 years, depending on jurisdiction).
- If you contacted customer support, we may retain our correspondence for a period to ensure we have a history of your issue in case of follow-up, and to train or improve our support processes.
- We routinely clean up or anonymize data that we no longer need. For instance, if you subscribed to marketing emails and then unsubscribed, we may move your email to a suppression list to ensure we do not contact you again, rather than deleting it outright.
- In some cases, we may retain data longer than usual if needed for litigation or legal enforcement – for example, if we are handling a dispute with you or if retention is necessary to meet a legal hold or fulfill a statutory requirement. In all cases, retention will be in line with applicable laws.
When we have no ongoing legitimate need or legal obligation to retain your personal information, we will either securely delete it or anonymize it (so that it can no longer be associated with you). If deletion is not immediately feasible (for example, because the data is stored in backup archives), we will ensure the data is isolated and protected from further use until deletion is possible.
Your Rights and Choices
Depending on your jurisdiction, you may have certain rights regarding your personal information. We respect your rights and have processes in place to help you exercise them. Please note that these rights are not absolute – they can vary by region and may be subject to certain legal exceptions. We will not unlawfully discriminate against you for exercising any of your privacy rights.
Data Subject Rights (EU/EEA, UK, and Similar Jurisdictions): If you are in the European Union, EEA, UK, or other jurisdictions with similar data protection laws, you generally have the following rights under the GDPR and local law:
- Right of Access (Right to Know): You have the right to request confirmation of whether we are processing your personal information. If we are, you can request access to the data and additional information about how we use it (idpc.org.mt). This means you can ask us for a copy of the personal data we hold about you, as well as details such as the purposes of processing, the categories of data, the types of recipients we share it with, and how long we plan to keep it. We will provide this information except in limited circumstances where we are permitted to refuse (for example, if providing a copy would adversely affect the rights of others).
- Right to Rectification (Correction): If any of the personal information we hold about you is inaccurate or incomplete, you have the right to request that we correct or update it (idpc.org.mt). For instance, you can ask us to update your contact details if they change, or to fix any errors in your data. Where reasonable, we will also inform any third parties with whom we have shared the incorrect data so that they can rectify it.
- Right to Erasure (Deletion): You have the right to request that we delete your personal data (also known as the “right to be forgotten”) in certain circumstances (idpc.org.mt). This is not an absolute right, but we will honor a deletion request if: (a) the data is no longer necessary for the purposes for which we collected it; (b) you initially gave consent for the processing and now withdraw it, and no other legal basis exists; (c) you have objected to processing (see “Right to Object” below) and we have no overriding legitimate grounds to continue; (d) we processed your data unlawfully; or (e) the data must be erased to comply with a legal obligation. If we have made your data public (for example, by posting a testimonial you provided) and you validly request erasure, we will take reasonable steps to inform other controllers processing the data so that they also erase links to, or copies of, it. Exceptions: We may deny a deletion request in some cases, for example if retaining the data is necessary for exercising the right of freedom of expression, for compliance with a legal obligation, for the establishment, exercise, or defense of legal claims, or under another exemption allowed by law (idpc.org.mt). We will inform you if any such exception applies.
- Right to Restrict Processing: You have the right to request that we limit the processing of your personal information in certain scenarios. This means we would continue to hold the data but temporarily stop using it for any purpose other than storage. You can request restriction if: (a) you contest the accuracy of the data (for a period that enables us to verify it); (b) the processing is unlawful but you oppose erasure and prefer restriction instead; (c) we no longer need the data but you need it for the establishment, exercise, or defense of legal claims; or (d) you have objected to processing (see below) and verification of whether our legitimate grounds override yours is pending. If processing has been restricted, we will notify you before lifting the restriction.
- Right to Data Portability: You have the right, in certain cases, to receive your personal data from us in a structured, commonly used, and machine-readable format, and to have that data transmitted to another controller (for example, another service provider) where technically feasible (idpc.org.mt). This right applies when the processing is carried out by automated means and is based on your consent or on a contract with you. We will provide the data in a commonly used format (most likely a CSV or JSON file) that should allow you to transfer it easily.
- Right to Object: You have the right to object at any time, on grounds relating to your particular situation, to our processing of your personal information where that processing is based on our legitimate interests (or those of a third party) (idpc.org.mt). If you lodge an objection, we will stop processing the personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or unless we need to continue processing for the establishment, exercise, or defense of legal claims. Direct Marketing: Importantly, if your data is being processed for direct marketing purposes, you have an absolute right to object at any time, and if you exercise it we will stop using your data for marketing immediately (idpc.org.mt). This includes profiling to the extent that it is related to direct marketing. (For example, if we were building customer profiles to target certain offers, you could object to that as well.)
- Right to Withdraw Consent: If we are processing any of your personal information based on your consent, you have the right to withdraw that consent at any time. You can do this by contacting us at the email address below or by using any specific opt-out mechanism provided (for example, an “unsubscribe” link in an email). Once you withdraw consent, we will stop the processing that was based on it. Please note that withdrawing consent does not affect the lawfulness of any processing we carried out before your withdrawal. Also, if you withdraw consent for marketing emails, we may still need to contact you for transactional or service-related purposes; we will only stop the promotional communications.
- Rights Related to Automated Decision-Making: We do not typically use automated decision-making that produces legal or similarly significant effects on you (that is, decisions taken by an algorithm without human involvement). If we ever do, you will have the right not to be subject to a decision based solely on automated processing (including profiling) that significantly affects you, except where permitted by law (idpc.org.mt), and the right to request human intervention or to contest the decision. (This is mostly relevant to matters such as credit approvals, which our store does not perform.)
These rights may be subject to certain conditions and exceptions under applicable law. For example, we might refuse a request for access if disclosing the information would adversely affect the rights or freedoms of others, or decline a request to delete data that we are legally required to keep. If we deny any request, we will explain the reasons to you, to the extent permitted.
Managing Communication Preferences (Opt-Out): Regardless of where you live, you can always choose not to receive promotional emails from us. If you prefer not to get marketing emails, you can opt out at any time by clicking the “unsubscribe” link in any marketing email we send. You can also contact us at our support email to request removal from our marketing list. Please note that even if you opt out of marketing messages, we may still send you essential transactional or account communications (such as order confirmations, shipping notices, password reset emails, or customer service responses), as these are not promotional but rather necessary for providing our Services.
If we send SMS/text message communications (for example, for order updates or promotions) and you have consented to those, you can opt out by following the instructions provided (often replying “STOP” to a text).
California and Similar Privacy Rights: While our business is based in Malta/EU, we strive to respect privacy rights globally. If you are a resident of certain U.S. states (such as California), you may have additional rights, including the right to opt out of the “sale” or “sharing” of your personal information and the right to limit the use of sensitive personal information. As noted, we do not sell personal data for money. If we engage in any data sharing that is considered a “sale” or “sharing” under U.S. state laws (such as the use of third-party advertising cookies), we will provide you with the ability to opt out through a mechanism such as a “Do Not Sell or Share My Personal Information” link or via our cookie consent banner (help.shopify.com). California residents also have the right to request certain information about our data practices (a privacy policy like this one is meant to provide that information, including the categories of personal information collected, the sources, the purposes, and the categories of third parties to which it is disclosed), as well as the rights to know, delete, or correct personal information, similar to the rights described above. If you are a California resident and wish to exercise any privacy rights under the CCPA/CPRA, you can contact us as described below. We will verify your identity and respond as required by law. You may also designate an authorized agent to make requests on your behalf, in which case we will take steps to verify the agent’s authority and your identity.
Exercising Your Rights: To exercise any of the applicable rights mentioned above, please contact us using the contact details provided in the Contact section below. Provide sufficient information for us to verify your identity (we may ask for additional information to confirm that you are the account owner or the person who made a purchase) and clearly describe your request. We will respond to your request as soon as we can, and no later than the timeframe required by law (within one month for most requests under the GDPR (idpc.org.mt), which can be extended by a further two months where necessary, in which case we will inform you of the extension and the reason for it). For requests that are manifestly unfounded or excessive (for example, repetitive requests), we may charge a reasonable fee or refuse to act on the request, as permitted by law. If we cannot fulfill a request, we will explain the reason, provided it is lawful to do so.
We will not retaliate or deny you services for exercising your rights in good faith. If you have any questions about your rights or how to exercise them, you can always reach out to us for clarification.
Lodging Complaints: If you believe we have infringed your data protection rights or processed your personal information unlawfully, you have the right to lodge a complaint with a supervisory authority. For individuals in Malta, this is the Office of the Information and Data Protection Commissioner (IDPC); you can find the IDPC’s contact details on its official website (edpb.europa.eu). Residents of other EEA countries can contact their local Data Protection Authority; a list of national EU data protection authorities is available from the European Data Protection Board (edpb.europa.eu). We would, however, appreciate the chance to address your concerns before you approach a regulator, so please consider reaching out to us first and we will do our best to resolve any issue. In any event, your right to contact a Data Protection Authority is unaffected.
International Data Transfers
Because our business is based in Malta (an EU member state) and we use service providers in various countries, your personal information may be transferred to and stored in countries outside of your own. If you are located in the EEA, UK, or Switzerland, this means your personal data might be transferred to jurisdictions that are not deemed to have the same level of data protection as your home country. For example, Shopify and Zendrop may store or process data on servers in the United States or other countries.
When we transfer personal data out of the EEA/UK, we take steps to ensure that an adequate level of protection is applied to your information, as required by the GDPR. These safeguards include:
- Adequacy Decisions: In some cases, data may be transferred to a country that the European Commission (or the UK government, as applicable) has determined offers an “adequate” level of data protection comparable to EU law. In such cases, transfers are permitted under Article 45 GDPR without additional measures. (For example, as of the date above, the EU has adopted adequacy decisions for countries such as Canada (for commercial organisations), Switzerland, Japan, and others. The UK has adequacy for the EU/EEA, and vice versa.)
- Standard Contractual Clauses: For transfers to countries without an adequacy finding (such as the United States), we rely on the European Commission’s Standard Contractual Clauses (SCCs) or equivalent legal instruments (commission.europa.eu). The SCCs are standardized contractual commitments that impose data protection obligations on the foreign recipient so that your data remains protected to EU standards. We have executed SCCs (or the UK’s International Data Transfer Addendum, as relevant) with service providers such as Shopify and Zendrop to cover cross-border data flows. These contracts bind the recipients to protect your personal data, provide legal remedies for data subjects, and give you enforceable rights in relation to your data (commission.europa.eu).
- Other Safeguards: In addition to SCCs, we may implement supplementary measures as needed (for instance, encryption in transit and at rest, data minimization, and policies for handling any government requests for access to data). We continually monitor legal developments around international data transfers and will adjust our practices if needed.
- Derogations: In rare cases, we may rely on specific exceptions under Article 49 GDPR to transfer data, such as when a transfer is necessary to perform a contract with you (for example, if you order a product to be delivered from outside the EU, transferring your address to the foreign supplier is necessary to fulfill the contract) or when you explicitly consent to the transfer after being informed of the possible risks.
You can contact us if you have questions about our international data transfer practices or want to obtain a copy of the relevant transfer safeguards (for example, a copy of the SCCs we use, although some terms may need to be redacted for confidentiality). Whichever jurisdiction your data resides in, we will ensure it is handled in accordance with this Privacy Policy and as required by applicable law.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make changes, we will post the updated policy on this website and update the “Last updated” date at the top. If the changes are significant, we will provide a more prominent notice (such as a banner on our site or an email notification) as required by law. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of the Services after any updates take effect will constitute acceptance of the revised Privacy Policy, to the extent permitted by law. If you do not agree with any updates or modifications, you should stop using the Services and you may contact us to exercise your rights (such as deleting your account or data).
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please do not hesitate to contact us. We are here to help and will do our best to address your inquiry promptly.
Contact Email: info@rottalab.com
(Note: As of now, Rottalab is a small business and may not have a dedicated DPO or office address. Please use email for the quickest response.)
For the purposes of EU data protection law, Rottalab is the “data controller” of your personal information collected through the Services (idpc.org.mt). This means we determine the purposes and means of processing that data (aside from certain processing carried out by Shopify, as noted).
We thank you for reading our Privacy Policy. Your trust is very important to us, and we are committed to safeguarding your personal data. If you have any further questions or need clarifications, feel free to get in touch.