Last updated: June, 2025
Your privacy is important to us. This policy explains what personal data we collect, how we use it, and your rights under the General Data Protection Regulation (GDPR).
# Privacy Policy
**By A Needle's Head** *Last updated: May 2026*
This Privacy Policy describes how **By A Needle's Head** ("we", "us", or "our") collects, uses, and shares your personal information when you visit or make a purchase from our website (the "Site"). Our Site is built on Next.js and Payload CMS, hosted on Vercel.
***
## Section 1: Information We Collect
When you purchase something from our store, as part of the buying and selling process, we collect the personal information you give us such as your name, delivery address, and email address.
When you browse our store, we may also automatically receive your device's internet protocol (IP) address in order to provide us with information that helps us learn about your browser and operating system. This information is used only to improve the performance and functionality of our Site.
We store order data, customer records, and product information in our database (MongoDB, hosted via Vercel).
**Email communications:** We use Resend to send you transactional emails such as order confirmations, shipping updates, and delivery notifications. With your explicit permission, we may also send you marketing emails about new products and offers. You can withdraw this consent at any time (see Section 3).
***
## Section 2: Legal Basis for Processing (GDPR)
We process your personal data on the following legal bases under the General Data Protection Regulation (EU) 2016/679 and Greek Law 4624/2019:
| Purpose | Legal Basis |
|---|---|
| Processing and fulfilling your order | Contract performance (Article 6(1)(b) GDPR) |
| Sending transactional emails (order confirmation, shipping) | Contract performance (Article 6(1)(b) GDPR) |
| Fraud prevention and security | Legitimate interests (Article 6(1)(f) GDPR) |
| Analytics and site performance | Consent (Article 6(1)(a) GDPR) |
| Email marketing | Consent (Article 6(1)(a) GDPR) |
| Legal obligations (tax records, etc.) | Legal obligation (Article 6(1)(c) GDPR) |
***
## Section 3: Consent
**How do you get my consent?**
When you provide us with personal information to complete a transaction, place an order, arrange for a delivery, or return a purchase, we rely on contract performance as our legal basis. We use your data only for that specific purpose.
If we ask for your personal information for a secondary reason, such as marketing emails, we will ask you directly for your express consent before we proceed.
Before any analytics cookies are placed on your device, we will ask for your consent through our cookie banner. Analytics tools (Google Analytics 4) will only activate after you have clicked "Accept."
**How do I withdraw my consent?**
If, after you have opted in, you change your mind, you may withdraw your consent at any time by:
- Emailing us at: info@byaneedleshead.gr
- Writing to us at: By A Needle's Head, Patras, Greece
You can also manage or withdraw cookie consent at any time by clicking the **"Cookie Settings"** link in our website footer.
***
## Section 4: Disclosure
We may disclose your personal information if we are required by law to do so, or if you violate our Terms of Service. We will never sell your personal data to third parties.
***
## Section 5: Hosting & Infrastructure
Our website is built with **Next.js** and **Payload CMS**, deployed on **Vercel, Inc.** (101 2nd Street, Suite 700, San Francisco, CA 94105, USA). Vercel acts as a data processor on our behalf. Site files and media assets are stored using **Vercel Blob**.
Our database is hosted via **MongoDB** on Vercel's infrastructure. Customer data, order records, and product information are stored in this database on secure servers protected by firewalls.
Note: Vercel infrastructure is primarily located in the United States. Data transfers from the EU to the US are conducted under Standard Contractual Clauses (SCCs) as required by GDPR.
For more information, see [Vercel's Privacy Policy](https://vercel.com/legal/privacy-policy).
***
## Section 6: Third-Party Services
The third-party providers we use will only collect, use, and disclose your information to the extent necessary to perform the services they provide to us.
**Our third-party service providers include:**
| Provider | Purpose | Data Stored / Transferred | Privacy Policy |
|---|---|---|---|
| **Vercel, Inc.** | Website hosting, Blob storage, infrastructure | Site data, uploaded files, logs | vercel.com/legal/privacy-policy |
| **MongoDB** | Database (orders, customers, products) | Personal data, order records | mongodb.com/legal/privacy-policy |
| **Google LLC** | Analytics (Google Analytics 4) | Anonymised usage data | policies.google.com/privacy |
| **Resend, Inc.** | Transactional & marketing email delivery | Email address, name, email content | resend.com/legal/privacy-policy |
| **Viva Payments S.A.** | Payment processing (Viva Smart Checkout) | Payment card data, billing info | viva.com/en-gr/privacy-notice |
**Viva Smart Checkout:** When you proceed to payment, you are redirected to Viva Payments S.A., a licensed Payment Institution regulated by the Bank of Greece (Licence No. 1). Viva Payments handles all card data directly and is fully PCI DSS and SCA/3DS compliant. We do not store or access your card details at any point. See [Viva's Privacy Notice](https://www.viva.com/en-gr/privacy-notice) for full details.
**Resend:** We use Resend to deliver transactional emails (order confirmations, shipping updates). Resend stores data in the United States under Standard Contractual Clauses. See [Resend's Privacy Policy](https://resend.com/legal/privacy-policy) and their [GDPR page](https://resend.com/security/gdpr).
**Links to other sites:** When you click links on our store, they may direct you away from our site. We are not responsible for the privacy practices of other sites. Once you leave our site, you are no longer governed by this Privacy Policy.
***
## Section 7: Analytics
**Vercel Web Analytics**
We use Vercel Web Analytics to understand how visitors use our site. Vercel Analytics is **cookieless** — it does not place any cookies on your device, does not track you across websites, and does not store any personally identifiable information. Data is aggregated and anonymised. No cookie consent is required for Vercel Analytics.
**Google Analytics 4 (GA4)**
We use Google Analytics 4, provided by Google LLC, to collect aggregated data about how visitors use our site, including pages visited, session duration, and e-commerce events such as product views and purchases. GA4 places cookies on your device (see Section 8). GA4 data may be transferred to Google servers in the United States under Standard Contractual Clauses.
**GA4 is only activated after you give your explicit cookie consent.** If you decline cookies, GA4 will not load.
***
## Section 8: Cookies
Cookies are small text files placed on your device. We use cookies to enable essential shop functionality and — with your consent — to understand how visitors use our store.
**Essential Cookies — no consent required**
These cookies are strictly necessary for our store to function and cannot be switched off.
| Cookie | Duration | Purpose |
|---|---|---|
| `__session` | Session | Maintains your login session and authentication state |
| `payload-token` | Session / persistent | Authentication token set by Payload CMS |
**Analytics Cookies — consent required**
These cookies are only placed on your device if you click "Accept" on our cookie banner. You may withdraw consent at any time via Cookie Settings in our footer.
| Cookie | Duration | Purpose |
|---|---|---|
| `_ga` | 2 years | Google Analytics 4 — distinguishes individual users |
| `_ga_[container-id]` | 2 years | Google Analytics 4 — persists session state |
**Third-Party Cookies (Payment)**
When you are redirected to Viva Smart Checkout to complete a payment, Viva Payments may set their own cookies. These are governed by [Viva's Privacy Notice](https://www.viva.com/en-gr/privacy-notice) and are outside our control.
**Managing Cookies**
You can manage your preferences at any time by clicking **"Cookie Settings"** in our website footer. You can also set your browser to refuse all cookies; note that disabling essential cookies may affect the functionality of our store.
***
## Section 9: Data Retention
| Data | Retention Period |
|---|---|
| Order and transaction records | 10 years (Greek tax law) |
| Customer account and contact information | Duration of relationship + 3 years |
| Analytics data (GA4) | 14 months (GA4 default setting) |
| Transactional email logs (Resend) | 30–90 days (per Resend's policy) |
| Marketing consent records | Until consent is withdrawn + 3 years |
| Media files (Vercel Blob) | Duration of active store listing |
***
## Section 10: Security
To protect your personal information, we take reasonable precautions and follow industry best practices to ensure it is not inappropriately lost, misused, accessed, disclosed, altered, or destroyed.
Payment card data is handled exclusively by **Viva Payments S.A.**, which is fully PCI DSS compliant. We never receive, store, or process card numbers on our own servers.
Although no method of transmission over the Internet is 100% secure, we implement generally accepted industry-standard security measures across all systems.
***
## Section 11: Your Rights
As a resident of the European Union / European Economic Area, you have the following rights under GDPR:
- **Access** — Request a copy of the personal data we hold about you
- **Rectification** — Request correction of inaccurate or incomplete data
- **Erasure** — Request deletion of your data, subject to legal obligations (e.g. tax records)
- **Restriction** — Request that we limit how we use your data
- **Portability** — Request your data in a structured, machine-readable format
- **Object** — Object to processing based on legitimate interests or for direct marketing
- **Withdraw consent** — Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing
To exercise any of these rights, contact us at **info@byaneedleshead.gr**. We will respond within 30 days.
You also have the right to lodge a complaint with the **Hellenic Data Protection Authority (HDPA)**:

- Website: www.dpa.gr
- Tel: +30 210 6475600
***
## Section 12: Age of Consent
By using this site, you confirm that you are at least 18 years of age, or that you have obtained parental or guardian consent if required in your country.
***
## Section 13: Changes to This Policy
We reserve the right to modify this Privacy Policy at any time. Changes take effect immediately upon posting on the website. If we make material changes, we will notify you by updating the "Last updated" date at the top of this page. If our store is acquired or merged with another company, your information may be transferred to the new owners so that we may continue to provide products and services to you.
***
## Contact & Data Controller
**By A Needle's Head** is the data controller for the purposes of this Privacy Policy.
**Email:** info@byaneedleshead.gr
**Address:** By A Needle's Head, Patras, Achaia, Greece
*For complaints, you may also contact the Hellenic Data Protection Authority (HDPA) at www.dpa.gr.*
***
*This Privacy Policy is prepared in accordance with GDPR (EU) 2016/679, Greek Law 4624/2019, and the guidelines of the Hellenic Data Protection Authority (HDPA).*