Data Privacy

 

DATA PRIVACY POLICY

Executive Summary (Compliance & Use)

 

This Data Privacy Policy is designed for publication on an e-commerce website operated by a data controller established in Ireland. It aims to comply with the information and transparency obligations under the General Data Protection Regulation (GDPR), in particular Article 13 GDPR, the Irish Data Protection Act 2018, and the expectations of the Irish Data Protection Commission (DPC) regarding clarity, accessibility, and transparency.


This Policy must be read together with our Cookie Policy and our Consent Management Platform (CMP), particularly regarding advertising and measurement tools (Meta, Google, Pinterest) and the use of non-essential cookies.

IDENTITY OF THE DATA CONTROLLER

 

KDML Retail Limited (Irish company no. 725523)

Registered Office: 24A Baggot Street Upper, Dublin D04 N528, Ireland

VAT No.: IE4040092UH

Customer Service Phone: +33 7 59 68 76 57

Website: KOSSDESIGN.FR (the “Site”)


KDML Retail Limited (“KDML”, “we”, “us”, “our”) acts as the data controller of the personal data processed via the Site and our associated activities (Art. 13 GDPR).

 

PERSONAL DATA CONTACT – DPO

 

Privacy / Personal Data Contact:

Email: support@kossdesign.com


Postal Address (Registered Office):

KDML Retail Limited – Privacy / Personal Data

The Lighthouse, George Street Lower, Dún Laoghaire, Dublin, A96R2N2, Ireland


Correspondence Address (if applicable):

KDML Retail Limited – Privacy / Personal Data

24A Baggot Street Upper, Dublin D04 N528, Ireland


Data Protection Officer (DPO):

We have not appointed a Data Protection Officer. Please use the privacy contact above.

 

SCOPE

 


This Policy applies to processing carried out:


• via the Site (browsing, account creation, cart, order, payment, delivery, returns);

• via our customer communication channels (email, telephone, social media, chat);

• via our marketing (email/SMS) and advertising activities (Meta Pixel + Conversions API, Google Analytics/Ads + Consent Mode, Pinterest Tag);

• via our service providers: e-commerce/hosting platform (Shopify), payment providers (Shopify Payments, Mollie, PayPal), BNPL providers (Klarna, Alma), delivery providers (La Poste/Colissimo, Chronopost), analytics providers, email/SMS tools (Shopify Email, Klaviyo), web push notifications (PushHowl), and customer support tools, in accordance with Article 28 GDPR.

 

PERSONAL DATA COLLECTED (CATEGORIES)

 


Depending on your interaction with the Site, we may process:


 

A. Identity and Contact Data

 


First name, last name, email address, telephone number, billing and delivery address.


 

B. Account Data

 


Login identifiers (excluding plaintext passwords), login history, preferences.


 

C. Order and Fulfilment Data

 


Cart contents, products purchased, pricing/discounts, order history, delivery preferences, customer service correspondence, returns/claims.


 

D. Payment Data

 


Information necessary to process payment (transaction status, transaction ID, token).

Payment card details are generally processed directly by our payment providers (Shopify Payments, Mollie). We do not store full card details.

Payments via PayPal are processed under PayPal’s own terms and privacy policy.


 

E. BNPL / Instalment Payment Data (if offered)

 


Information required to set up instalment payments via Klarna and/or Alma, which may include automated eligibility assessments carried out by the provider.


 

F. Technical Data, Cookies and Trackers

 


IP address, logs, device/browser type, browsing events, cookie/pixel/SDK identifiers.

A detailed list of cookies, purposes and retention periods is available in our Cookie Policy and via our CMP.


 

G. Marketing Data

 


Consent records, preferences, sending history, opens/clicks, advertising audiences.


 

H. User-Generated Content (if enabled)

 


Reviews/comments, shared content, “verified purchase” indicators, anti-fraud or fake review signals.


Principle: We apply the principle of data minimisation and only collect data that is necessary.


PURPOSES AND LEGAL BASES (Art. 6 GDPR)

 


We process your personal data for the following purposes and legal bases under Article 6 GDPR. Where processing is based on legitimate interests, we balance our interests against your fundamental rights and freedoms.


 

Purpose → Legal Basis → Data Mapping

 

 

Purpose

Legal Basis (Art. 6 GDPR)

Categories of Data (Examples)

Account creation and management

Contract (Art. 6(1)(b))

Identity, account data

Order processing, delivery, returns, refunds

Contract (Art. 6(1)(b))

Identity, order data, delivery data

Invoicing, accounting, legal obligations

Legal obligation (Art. 6(1)(c))

Invoices, payment data, identity

Fraud prevention and security

Legitimate interest (Art. 6(1)(f)) and/or legal obligation

Logs, IP address, fraud indicators

Customer support and dispute management

Contract (Art. 6(1)(b)) and/or legitimate interest

Support communications

Customer reviews and fake review prevention

Legitimate interest and/or consent where required

Reviews, proof of purchase

Email marketing

Consent (Art. 6(1)(a)) or existing customer relationship under ePrivacy rules

Email address, preferences

SMS marketing

Consent (Art. 6(1)(a)) + ePrivacy rules

Phone number, consent records

Targeted advertising and measurement

Consent (Art. 6(1)(a)) via CMP

Cookies, advertising IDs, events

Essential cookies (cart, security)

Technical necessity (ePrivacy)

Technical cookies

BNPL / instalment payments

Contract (Art. 6(1)(b))

Identity, transaction data

 

RECIPIENTS / PROCESSORS / PLATFORMS (Art. 28 GDPR)

 

We may share data with:


• authorised internal staff;

• service providers acting as processors under Article 28 GDPR;

• independent controllers (e.g., certain advertising platforms and payment/BNPL providers) under their own privacy policies.

 

Summary of Main Service Providers

 

unction

Provider

Categories of Data

E-commerce platform & hosting

Shopify

Technical data, account data, orders, logs

Payments

Shopify Payments; Mollie; PayPal

Identity, order data, transaction status, transaction ID/token

BNPL / Instalment payments

Klarna; Alma

Identity, order data, eligibility/score (as applicable), transaction data

Delivery

La Poste/Colissimo; Chronopost

Identity, delivery address, parcel information

Email marketing

Shopify Email; Klaviyo

Email address, preferences, send/open/click logs

SMS marketing

Klaviyo (if activated)

Phone number, consent records, sending logs

Web push notifications

PushHowl

Technical data, subscription identifiers

Analytics & tracking

Google (Analytics/Ads) + Consent Mode

Cookies/IDs, browsing events, technical data

Advertising & measurement

Meta (Pixel + Conversions API); Pinterest (Tag)

Advertising identifiers, conversion events, cookies/trackers

Customer support

Gorgias (or email if not used)

Customer service communications, ticket history

Where required, processors are bound by agreements compliant with Article 28 GDPR and subject to security and confidentiality obligations.

 

INTERNATIONAL TRANSFERS OUTSIDE THE EEA – SAFEGUARDS (SCC 2021 / EU–US DPF)

 


Some providers may process data outside the European Economic Area (EEA).


Where transfers occur outside the EEA, we implement appropriate safeguards, such as:


• Standard Contractual Clauses (SCC 2021)

• Adequacy Decisions (e.g., EU–US Data Privacy Framework), where applicable

• Supplementary safeguards where necessary (encryption, minimisation, access controls)


You may request information regarding safeguards by contacting support@kossdesign.com

RETENTION PERIODS – ACCOUNTING RULE (6 YEARS)

 

 

We retain personal data only for as long as necessary for the purposes described, unless a legal obligation requires longer retention.

Data Category

Retention Period

Orders / invoices / accounting

Minimum 6 years from end of relevant financial year (Companies Act 2014, section 285)

Customer account

While active; then 3 years after last activity

Customer support / disputes

Duration of processing + 5 years after closure

Marketing data

Until withdrawal of consent; proof retained 3 years from last active contact

Cookies

As specified in the Cookie Policy and CMP


 

 

YOUR RIGHTS (GDPR)

 


You have the following rights:


• Right of access

• Right to rectification

• Right to erasure

• Right to restriction

• Right to object

• Right to data portability

• Right to withdraw consent (without retroactive effect)

• Right to lodge a complaint with a supervisory authority


To exercise your rights: contact support@kossdesign.com.

We may request proportionate identity verification.

Response time: generally within one month.


Supervisory Authority (Ireland):

Data Protection Commission (DPC)

http://dataprotection.ie/e

 


 

 

AUTOMATED DECISION-MAKING / PROFILING (Art. 22 GDPR)

 


We may use:


• Fraud prevention/security tools that may lead to manual verification or transaction blocking;

• BNPL eligibility decisions managed by Klarna and/or Alma.


Where Article 22 GDPR applies, you may request human intervention, express your viewpoint, and contest the decision.

 


 

 

EMAIL / SMS MARKETING

 


You may unsubscribe at any time:


• Email: via the unsubscribe link or by contacting support@kossdesign.com

• SMS: by replying STOP or contacting support@kossdesign.com


Consent is not a condition of purchase.

 


 

 

COOKIES AND ADVERTISING TECHNOLOGIES

 


Our CMP allows you to:


• Accept or refuse non-essential cookies

• Modify your preferences at any time

• Consult the detailed cookie list in our Cookie Policy


User consent is required for non-essential cookies under ePrivacy Regulation 5(3) and DPC guidance.


Advertising integrations (subject to consent where required):


• Meta Pixel + Conversions API

• Google Analytics / Google Ads with Consent Mode

• Pinterest Tag

 


 

 

SECURITY – DATA BREACHES (Art. 33/34 GDPR)

 


We implement appropriate technical and organisational measures including access control, logging, backups, vendor management, and staff awareness.


In the event of a personal data breach, we will notify the competent authority and affected individuals where required.

 


 

 

CHILDREN

 


The Site is not intended for children. We do not knowingly collect data from minors without required authorisation.

 


 

 

UPDATES

 


We may update this Policy to reflect legal, technical or operational developments. The version published on the Site is the current version.


Last updated: 21 February 2026

Submit Withdrawal Request

Please fill out the following form to submit your withdrawal request.