Data Privacy
DATA PRIVACY POLICY
Executive Summary (Compliance & Use)
This Data Privacy Policy is designed for publication on an e-commerce website operated by a data controller established in Ireland. It aims to comply with the information and transparency obligations under the General Data Protection Regulation (GDPR), in particular Article 13 GDPR, the Irish Data Protection Act 2018, and the expectations of the Irish Data Protection Commission (DPC) regarding clarity, accessibility, and transparency.
This Policy must be read together with our Cookie Policy and our Consent Management Platform (CMP), particularly regarding advertising and measurement tools (Meta, Google, Pinterest) and the use of non-essential cookies.
IDENTITY OF THE DATA CONTROLLER
KDML Retail Limited (Irish company no. 725523)
Registered Office: 24A Baggot Street Upper, Dublin D04 N528, Ireland
VAT No.: IE4040092UH
Customer Service Phone: +33 7 59 68 76 57
Website: KOSSDESIGN.FR (the “Site”)
KDML Retail Limited (“KDML”, “we”, “us”, “our”) acts as the data controller of the personal data processed via the Site and our associated activities (Art. 13 GDPR).
PERSONAL DATA CONTACT – DPO
Privacy / Personal Data Contact:
Email: support@kossdesign.com
Postal Address (Registered Office):
KDML Retail Limited – Privacy / Personal Data
The Lighthouse, George Street Lower, Dún Laoghaire, Dublin, A96R2N2, Ireland
Correspondence Address (if applicable):
KDML Retail Limited – Privacy / Personal Data
24A Baggot Street Upper, Dublin D04 N528, Ireland
Data Protection Officer (DPO):
We have not appointed a Data Protection Officer. Please use the privacy contact above.
SCOPE
This Policy applies to processing carried out:
• via the Site (browsing, account creation, cart, order, payment, delivery, returns);
• via our customer communication channels (email, telephone, social media, chat);
• via our marketing (email/SMS) and advertising activities (Meta Pixel + Conversions API, Google Analytics/Ads + Consent Mode, Pinterest Tag);
• via our service providers: e-commerce/hosting platform (Shopify), payment providers (Shopify Payments, Mollie, PayPal), BNPL providers (Klarna, Alma), delivery providers (La Poste/Colissimo, Chronopost), analytics providers, email/SMS tools (Shopify Email, Klaviyo), web push notifications (PushHowl), and customer support tools, in accordance with Article 28 GDPR.
PERSONAL DATA COLLECTED (CATEGORIES)
Depending on your interaction with the Site, we may process:
A. Identity and Contact Data
First name, last name, email address, telephone number, billing and delivery address.
B. Account Data
Login identifiers (excluding plaintext passwords), login history, preferences.
C. Order and Fulfilment Data
Cart contents, products purchased, pricing/discounts, order history, delivery preferences, customer service correspondence, returns/claims.
D. Payment Data
Information necessary to process payment (transaction status, transaction ID, token).
Payment card details are generally processed directly by our payment providers (Shopify Payments, Mollie). We do not store full card details.
Payments via PayPal are processed under PayPal’s own terms and privacy policy.
E. BNPL / Instalment Payment Data (if offered)
Information required to set up instalment payments via Klarna and/or Alma, which may include automated eligibility assessments carried out by the provider.
F. Technical Data, Cookies and Trackers
IP address, logs, device/browser type, browsing events, cookie/pixel/SDK identifiers.
A detailed list of cookies, purposes and retention periods is available in our Cookie Policy and via our CMP.
G. Marketing Data
Consent records, preferences, sending history, opens/clicks, advertising audiences.
H. User-Generated Content (if enabled)
Reviews/comments, shared content, “verified purchase” indicators, anti-fraud or fake review signals.
Principle: We apply the principle of data minimisation and only collect data that is necessary.
PURPOSES AND LEGAL BASES (Art. 6 GDPR)
We process your personal data for the following purposes and legal bases under Article 6 GDPR. Where processing is based on legitimate interests, we balance our interests against your fundamental rights and freedoms.
Purpose → Legal Basis → Data Mapping
|
Purpose |
Legal Basis (Art. 6 GDPR) |
Categories of Data (Examples) |
|---|---|---|
|
Account creation and management |
Contract (Art. 6(1)(b)) |
Identity, account data |
|
Order processing, delivery, returns, refunds |
Contract (Art. 6(1)(b)) |
Identity, order data, delivery data |
|
Invoicing, accounting, legal obligations |
Legal obligation (Art. 6(1)(c)) |
Invoices, payment data, identity |
|
Fraud prevention and security |
Legitimate interest (Art. 6(1)(f)) and/or legal obligation |
Logs, IP address, fraud indicators |
|
Customer support and dispute management |
Contract (Art. 6(1)(b)) and/or legitimate interest |
Support communications |
|
Customer reviews and fake review prevention |
Legitimate interest and/or consent where required |
Reviews, proof of purchase |
|
Email marketing |
Consent (Art. 6(1)(a)) or existing customer relationship under ePrivacy rules |
Email address, preferences |
|
SMS marketing |
Consent (Art. 6(1)(a)) + ePrivacy rules |
Phone number, consent records |
|
Targeted advertising and measurement |
Consent (Art. 6(1)(a)) via CMP |
Cookies, advertising IDs, events |
|
Essential cookies (cart, security) |
Technical necessity (ePrivacy) |
Technical cookies |
|
BNPL / instalment payments |
Contract (Art. 6(1)(b)) |
Identity, transaction data |
RECIPIENTS / PROCESSORS / PLATFORMS (Art. 28 GDPR)
We may share data with:
• authorised internal staff;
• service providers acting as processors under Article 28 GDPR;
• independent controllers (e.g., certain advertising platforms and payment/BNPL providers) under their own privacy policies.
Summary of Main Service Providers
|
unction |
Provider |
Categories of Data |
|---|---|---|
|
E-commerce platform & hosting |
Shopify |
Technical data, account data, orders, logs |
|
Payments |
Shopify Payments; Mollie; PayPal |
Identity, order data, transaction status, transaction ID/token |
|
BNPL / Instalment payments |
Klarna; Alma |
Identity, order data, eligibility/score (as applicable), transaction data |
|
Delivery |
La Poste/Colissimo; Chronopost |
Identity, delivery address, parcel information |
|
Email marketing |
Shopify Email; Klaviyo |
Email address, preferences, send/open/click logs |
|
SMS marketing |
Klaviyo (if activated) |
Phone number, consent records, sending logs |
|
Web push notifications |
PushHowl |
Technical data, subscription identifiers |
|
Analytics & tracking |
Google (Analytics/Ads) + Consent Mode |
Cookies/IDs, browsing events, technical data |
|
Advertising & measurement |
Meta (Pixel + Conversions API); Pinterest (Tag) |
Advertising identifiers, conversion events, cookies/trackers |
|
Customer support |
Gorgias (or email if not used) |
Customer service communications, ticket history |
Where required, processors are bound by agreements compliant with Article 28 GDPR and subject to security and confidentiality obligations.
INTERNATIONAL TRANSFERS OUTSIDE THE EEA – SAFEGUARDS (SCC 2021 / EU–US DPF)
Some providers may process data outside the European Economic Area (EEA).
Where transfers occur outside the EEA, we implement appropriate safeguards, such as:
• Standard Contractual Clauses (SCC 2021)
• Adequacy Decisions (e.g., EU–US Data Privacy Framework), where applicable
• Supplementary safeguards where necessary (encryption, minimisation, access controls)
You may request information regarding safeguards by contacting support@kossdesign.com
RETENTION PERIODS – ACCOUNTING RULE (6 YEARS)
We retain personal data only for as long as necessary for the purposes described, unless a legal obligation requires longer retention.
|
Data Category |
Retention Period |
|---|---|
|
Orders / invoices / accounting |
Minimum 6 years from end of relevant financial year (Companies Act 2014, section 285) |
|
Customer account |
While active; then 3 years after last activity |
|
Customer support / disputes |
Duration of processing + 5 years after closure |
|
Marketing data |
Until withdrawal of consent; proof retained 3 years from last active contact |
|
Cookies |
As specified in the Cookie Policy and CMP |
YOUR RIGHTS (GDPR)
You have the following rights:
• Right of access
• Right to rectification
• Right to erasure
• Right to restriction
• Right to object
• Right to data portability
• Right to withdraw consent (without retroactive effect)
• Right to lodge a complaint with a supervisory authority
To exercise your rights: contact support@kossdesign.com.
We may request proportionate identity verification.
Response time: generally within one month.
Supervisory Authority (Ireland):
Data Protection Commission (DPC)
http://dataprotection.ie/e
AUTOMATED DECISION-MAKING / PROFILING (Art. 22 GDPR)
We may use:
• Fraud prevention/security tools that may lead to manual verification or transaction blocking;
• BNPL eligibility decisions managed by Klarna and/or Alma.
Where Article 22 GDPR applies, you may request human intervention, express your viewpoint, and contest the decision.
EMAIL / SMS MARKETING
You may unsubscribe at any time:
• Email: via the unsubscribe link or by contacting support@kossdesign.com
• SMS: by replying STOP or contacting support@kossdesign.com
Consent is not a condition of purchase.
COOKIES AND ADVERTISING TECHNOLOGIES
Our CMP allows you to:
• Accept or refuse non-essential cookies
• Modify your preferences at any time
• Consult the detailed cookie list in our Cookie Policy
User consent is required for non-essential cookies under ePrivacy Regulation 5(3) and DPC guidance.
Advertising integrations (subject to consent where required):
• Meta Pixel + Conversions API
• Google Analytics / Google Ads with Consent Mode
• Pinterest Tag
SECURITY – DATA BREACHES (Art. 33/34 GDPR)
We implement appropriate technical and organisational measures including access control, logging, backups, vendor management, and staff awareness.
In the event of a personal data breach, we will notify the competent authority and affected individuals where required.
CHILDREN
The Site is not intended for children. We do not knowingly collect data from minors without required authorisation.
UPDATES
We may update this Policy to reflect legal, technical or operational developments. The version published on the Site is the current version.
Last updated: 21 February 2026