Privacy Policy

The Alchemist's Sanctuary™
Copenhagen, Denmark
Effective Date: 1 October 2025

Introduction

At The Alchemist's Sanctuary™, we regard the privacy and protection of your personal data as a fundamental right. This Privacy Policy elucidates the principles governing our collection, processing, storage, disclosure, and safeguarding of personal data pertaining to users who access our website or engage in transactions thereon, accessible at https://www.thealchemistsanctuary.com (the "Website").

The Alchemist's Sanctuary™ is a registered sole proprietorship under CVR/VAT: DK40801448, operating from Copenhagen, Denmark within the EU VAT zone. This fulfills statutory disclosure requirements.

The Alchemist's Sanctuary™ is an established creative brand name and identity in continuous use since 2016 across digital, social, and publishing platforms. The name, logo, and related creative assets constitute protected intellectual property under Danish and international copyright and unfair competition law. The domain thealchemistsanctuary.com is officially registered and forms part of the business's intellectual property portfolio, along with verified social media accounts (Facebook, Instagram, Pinterest, TikTok, LinkedIn, YouTube). These collectively represent the official brand presence. The Alchemist's Sanctuary™ covers current and future creative activities, including fine art prints, publishing, digital media, homeware, fashion, and other derivative works produced under the same trade identity.

Our artworks are restored and curated from historical archive sources released under Creative Commons CC0 or equivalent rights-free designations. All AI tools are used solely to assist with restoration, research, and communication. Final artworks remain human-directed and original. No customer data or artwork is ever used for AI training, resale, or data-sharing purposes.

Checkout in EUR; prices shown in your local currency. EU prices include VAT; outside the EU, local taxes or import duties may apply on delivery (payable by the recipient).

As the data controller, we are dedicated to processing personal data in a manner that is transparent, accountable, and consonant with prevailing data protection legislation, including but not limited to the General Data Protection Regulation (EU) 2016/679 ("GDPR") and, where applicable, the California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.) ("CCPA").

By accessing the Website, registering an account, or consummating a purchase, you acknowledge and consent to the practices delineated herein. Should you dissent from these provisions, we respectfully advise refraining from utilizing our services. For full details about how we use and protect your data, see our Privacy Policy.

Article 1: Identity and Contact Details of the Data Controller

The Alchemist's Sanctuary™ operates as the data controller responsible for determining the purposes and means of processing personal data in connection with the Website and associated services.

Controller Details

  • Legal Entity Name: The Alchemist's Sanctuary™
  • Business Form: Sole Proprietorship (Enkeltmandsvirksomhed)
  • CVR/VAT: DK40801448
  • Governing Jurisdiction: Kingdom of Denmark (European Union VAT territory)
  • Registered Address: Copenhagen, Denmark

Contact Information

We do not maintain a dedicated Data Protection Officer ("DPO"), as our processing activities fall below the thresholds necessitating such appointment under Article 37 of the GDPR. Nonetheless, all data protection inquiries shall be directed to the aforementioned contact particulars.

Article 2: Categories of Personal Data Collected and Processed

In the course of your interaction with the Website—encompassing browsing, account creation, order placement, and customer support engagements—we collect and process specific categories of personal data. Such processing is circumscribed to what is strictly necessary ("data minimisation principle" per Article 5(1)(c) GDPR) and occurs solely with lawful justification.

2.1 Personal Data Provided by You

This encompasses data voluntarily furnished by you during registration, checkout, or communications:

  • Identifiers such as full name, email address, billing address, and shipping address.
  • Financial particulars, including payment card details (processed exclusively via Shopify's secure gateway; no storage of sensitive payment data on our servers). Checkout is processed in EUR; local currencies may display for reference; FX rates and minor rounding are handled by Shopify or the customer's payment provider.
  • Transactional records, including order history, support inquiries, email subscription preferences, and wishlist items.

2.2 Personal Data Collected Automatically

Upon visitation to the Website, our e‑commerce platform (Shopify) automatically collects technical and usage data to facilitate functionality and analytics. This includes the use of Shopify's internal tools for aggregated site performance and behavioral insights. Network identifiers (such as IP address, browser type/version, and device information) are processed securely and pseudonymized wherever possible.

  • Network identifiers, including Internet Protocol ("IP") address, browser type/version, device identifiers, and operating system.
  • Behavioral metrics, such as referring uniform resource locators ("URLs"), viewed pages, session duration, and referral sources.
  • Aggregated, non-identifiable analytics derived from Shopify's internal tools, employed solely for operational enhancements.

We expressly eschew third-party analytics instruments such as Google Analytics or Hotjar. No embedded trackers from external services (e.g., YouTube embeds or autoplay mechanisms) are deployed that could incidentally harvest visitor data.

2.3 Cookies and Similar Tracking Technologies

The Website employs cookies—small data files stored on your device—and analogous technologies (e.g., pixels, local storage) to optimize user experience and compliance. These are categorized as follows:

  • Essential/Strictly Necessary Cookies: Imperative for core functionalities, including cart persistence, secure checkout, and locale/language settings (exempt from consent under Article 6(1)(f) GDPR).
  • Analytics Cookies: Furnished by Shopify for performance monitoring (processed on legitimate interests basis).
  • Marketing/Targeting Cookies: Deployed by integrated platforms such as Meta (Facebook Pixel) or Klaviyo for retargeting and personalization, subject to explicit prior consent pursuant to ePrivacy Directive 2002/58/EC and GDPR Article 6(1)(a).

2.4 Consent Management Mechanisms

A conspicuous cookie consent banner, integrated via Shopify's native tools, is prominently displayed for users in the European Economic Area ("EEA") and equivalent jurisdictions. This enables granular management of preferences, with options to accept, reject, or revoke non-essential cookies. Users may further configure via browser settings. For exhaustive particulars, consult our Cookie Policy. Our website uses Shopify's built-in cookie management system. You can manage your cookie preferences through the banner or your browser settings.

Article 3: Legal Bases for Processing Personal Data

Pursuant to Article 6 of the GDPR, all processing activities are predicated upon one or more lawful bases, meticulously documented in our internal records of processing activities ("ROPA"). We process personal data only to the extent requisite for specified, explicit, and legitimate purposes, eschewing incompatible further processing (Article 5(1)(b) GDPR).

3.1 Contractual Necessity (Article 6(1)(b) GDPR)

Processing is indispensable for the performance of a contract to which you are a party, or in anticipation of entering such a contract—e.g., order fulfillment, account management, and customer support.

3.2 Consent (Article 6(1)(a) GDPR)

Where explicit, informed consent is obtained (freely given, specific, and revocable at any juncture), we process for ancillary purposes such as email marketing or optional personalization features.

3.3 Legal Obligation (Article 6(1)(c) GDPR)

Compliance with statutory mandates, including Danish tax ordinances (e.g., under the Danish Bookkeeping Act) and EU VAT directives, necessitates retention and disclosure of certain fiscal data.

3.4 Legitimate Interests (Article 6(1)(f) GDPR)

Processing pursues our legitimate interests (or those of a third party), provided such interests are not overridden by your fundamental rights and freedoms. Examples include: fraud detection, website optimization, and aggregated analytics. A legitimate interests assessment ("LIA") has been conducted internally to balance these pursuits. You may object to such processing under Article 21 GDPR (see Article 7 below).

No automated decision-making, including profiling, is undertaken that produces legal effects or similarly significant impacts (Article 22 GDPR).

Article 4: Purposes of Personal Data Processing

Personal data is processed exclusively for the following delimited purposes, aligned with our core operations as a print-on-demand art retailer:

4.1 Order Processing and Fulfillment

To execute purchases, coordinate production via trusted global print partners, and orchestrate delivery logistics.

4.2 Customer Service and Communication

To furnish support via email, contact forms, or Shopify Inbox, encompassing order confirmations, shipping notifications, and query resolutions.

4.3 Marketing and Promotional Activities

To disseminate transactional emails (e.g., receipts) and consented marketing communications (e.g., newsletters, abandoned cart reminders) through GDPR-compliant platforms like Klaviyo or MailerLite.

4.4 Analytics and Business Improvement

To scrutinize Website efficacy, user engagement, and trends, employing pseudonymized data to refine services without identifying individuals.

4.5 Statutory Compliance

To discharge fiscal, anti-money laundering, and regulatory duties under Danish and EU law.

Article 5: Recipients and Disclosure of Personal Data

The Alchemist's Sanctuary™ does not engage in the sale, rental, or barter of personal data. Disclosure is confined to indispensable third parties, acting as processors under data processing agreements ("DPAs") incorporating GDPR-mandated safeguards (Article 28).

5.1 Service Providers and Processors

  • Shopify, Inc. – E‑commerce hosting, payments, and analytics.
  • GoDaddy Operating Company, LLC – Domain registration, DNS management, and security.
  • Trusted Global Print, Fulfilment, and Logistics Partners – On‑demand production and delivery.
  • Klaviyo, Inc. – Email automation and transactional marketing.
  • Meta Platforms, Inc. – Facebook, Instagram, WhatsApp, Threads pixels, and analytics.
  • Pinterest, Inc. – Advertising analytics.
  • TikTok Technology Limited – Pixel integration and ad analytics.
  • LinkedIn Ireland Unlimited Company – Insight Tag and analytics.
  • Google LLC – YouTube embeds.
  • Carrier Partners (PostNord, DHL, or equivalents) – Shipment handling and tracking.

All data resides within Shopify's fortified ecosystem; no exports to extraneous repositories occur.

5.2 International Disclosures

See Article 10 for transfers outside the EEA.

Article 6: Periods for Retention of Personal Data

Retention adheres to the storage limitation principle (Article 5(1)(e) GDPR), confining data to durations commensurate with purposes:

6.1 Transactional Data

Order records, including personal and fiscal details, are retained for a minimum of five (5) years post-transaction to satisfy Danish accounting statutes (Bogføringsloven) and EU VAT retention mandates.

6.2 Marketing Data

Consent-based profiles are maintained until revocation or for three (3) years following last interaction, whichever precedes.

6.3 Technical Logs

Automatically collected data is depersonalized or erased within thirty (30) days, barring fraud investigations.

Upon cessation of purpose or lawful request, data is securely erased, pseudonymized, or anonymized.

Article 7: Data Subject Rights

As a data subject, you are vested with an array of rights under the GDPR (Articles 12–23) and, for California residents, the CCPA. These rights are exercisable gratuitously, subject to identity verification.

7.1 Rights under the GDPR

  • Right of Access (Article 15): Obtain confirmation of processing and access to your personal data, including purposes, categories, recipients, and retention periods.
  • Right to Rectification (Article 16): Correct inaccurate or incomplete data without undue delay.
  • Right to Erasure ("Right to be Forgotten") (Article 17): Request deletion where data is no longer necessary, consent is withdrawn, or processing is unlawful.
  • Right to Restriction of Processing (Article 18): Suspend processing pending verification, in cases of inaccuracy or objection.
  • Right to Object (Article 21): Oppose processing based on legitimate interests, direct marketing, or profiling.
  • Right to Data Portability (Article 20): Receive data in a structured, machine-readable format for transfer to another controller.
  • Right to Withdraw Consent (Article 7(3)): Revoke at any time, with prospective effect.

You may also lodge complaints with the Danish Data Protection Agency (Datatilsynet) at datatilsynet.dk.

7.2 Rights under the CCPA (California Residents Only)

  • Right to Know: Disclose categories and specific pieces of personal information collected over the preceding twelve (12) months.
  • Right to Delete: Direct erasure of personal information, subject to exemptions (e.g., transactional fulfillment).
  • Right to Opt-Out of Sale: We do not "sell" personal information as defined under CCPA § 1798.140; nonetheless, opt-out mechanisms are honored.
  • Right to Non-Discrimination: No adverse action for exercising rights.

7.3 Exercising Rights

Submit requests to support@thealchemistsanctuary.com. We shall respond within thirty (30) days, per Article 12(3) GDPR.

Article 8: Privacy of Minors

The Website and services are neither directed at nor designed for minors under sixteen (16) years of age in the EEA/Denmark or thirteen (13) years in the United States, in accordance with COPPA (15 U.S.C. §§ 6501–6506) and GDPR Article 8, or the minimum age required in your jurisdiction. We do not knowingly solicit or collect personal data from such individuals.

Should a parent or guardian ascertain that a minor has inadvertently disclosed data, please notify support@thealchemistsanctuary.com forthwith; we shall expeditiously purge such data and confirm deletion upon request.

Article 9: Security of Processing

We implement appropriate technical and organizational measures to ensure a level of security commensurate with risks (Article 32 GDPR), including:

9.1 Encryption Protocols

  • Transport Layer Security ("TLS") 1.3 for data in transit.
  • Advanced Encryption Standard ("AES")-256 for at-rest data.

9.2 Access Controls

  • PCI-DSS compliance via Shopify for payment handling.
  • Role-based access and regular audits.

Data is hosted on Shopify's ISO 27001-certified infrastructure. Notwithstanding these safeguards, absolute security cannot be guaranteed; we exhort vigilance over your credentials. Report suspected breaches to support@thealchemistsanctuary.com immediately.

Article 10: Transfers of Personal Data to Third Countries

Personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including by our third-party service providers (e.g., Shopify), some of whom are located in jurisdictions such as the United States or Canada.

Where such transfers occur, we ensure that appropriate safeguards are in place, including the use of Standard Contractual Clauses (SCCs) approved by the European Commission, to provide an adequate level of protection in accordance with Article 46 of the GDPR.

Article 11: Amendments to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal obligations, or business operations.

When we make changes, we will revise the "Effective Date" at the top of this page. If the changes are significant, we will notify you by email (if you have an account or subscription with us) or by placing a prominent notice on our website.

We encourage you to review this page periodically to stay informed about how we protect your information.

Article 12: Contact and Complaints

For inquiries, rights exercises, or grievances concerning data processing:

We aim to acknowledge all inquiries within 24–48 business hours and provide a full response within one (1) month, extendable under Article 12(3) GDPR.

For supervisory recourse: Datatilsynet, Carl Jacobsens Vej 35, 2500 Valby, Denmark (datatilsynet.dk).

© The Alchemist's Sanctuary™ 2025. All rights reserved.
