Privacy Policy
Last Updated: May 8, 2026
Tales of a Lost Species (“TOLS”, “we”, “us” or “our”) operates the websites tols [dot] store and talesofalostspecies [dot] com (together referred to as the “Site”). We are a sole proprietorship based in the Netherlands. This Privacy Policy describes how we collect, use, and share your personal data when you visit or make a purchase from the Site, in accordance with the EU General Data Protection Regulation (GDPR) and Dutch privacy regulations.
1. Scope and Responsibility
This Privacy Policy applies to all visitors and customers based in the European Economic Area (EEA). We are the data controller for your personal data as collected through the Site.
We have not appointed a Data Protection Officer (DPO). For privacy-related inquiries, you may contact us.
2. Collecting Personal Information
We collect and process the following categories of personal data:
a. Device Information
Examples: Browser type, IP address, time zone, cookies, browsing history, search terms, interactions with the Site.
Purpose: To ensure the Site functions properly, analyze usage trends, and improve performance.
Source: Collected automatically using cookies, log files, tags, and pixels.
Disclosure: Shared with Shopify, Google Analytics, and other analytics partners.
b. Order Information
Examples: Name, billing and shipping address, email address, phone number, payment details.
Purpose: To fulfill your orders, process payments, arrange shipping, and (with consent) send updates or marketing.
Source: Provided directly by you during checkout.
Disclosure:
- Shopify – our e-commerce platform
- Payment providers: Shopify Payments (processing cards including Visa, Mastercard, American Express, Maestro, and UnionPay, as well as Apple Pay, Google Pay, and Shop Pay); Klarna (buy-now-pay-later, where selected); Bancontact (Belgium); BLIK (Poland). All payment processing is handled by these providers — TOLS does not store or have access to your full card details.
c. Customer Support Information
Examples: Order details, email conversations, inquiries.
Purpose: To provide assistance, resolve issues, and improve service quality.
Source: Provided by you via email or contact form.
d. Information from Third Parties
We may receive information from third-party services such as advertising platforms and analytics providers when you interact with our Site or marketing materials.
3. Legal Bases for Processing
We rely on the following legal bases under the GDPR to process your data:
| Purpose | Legal Basis |
| --- | --- |
| Order fulfillment & shipping | Contractual necessity |
| Payment processing & fraud prevention | Contractual necessity & Legitimate interest |
| Customer support | Contractual necessity |
| Site analytics & improvement | Consent (required under Dutch Telecommunicatiewet Art. 11.7a for analytics cookies placed on the user’s device; legitimate interest is not a valid basis for non-essential cookie placement under Dutch law) |
| Marketing communications | Consent |
| Tax and legal compliance | Legal obligation |
You may withdraw consent at any time for marketing communications or non-essential cookies, including analytics cookies. For services processed on the basis of legitimate interest (such as fraud prevention), we have conducted a balancing test to ensure your fundamental rights and freedoms are not overridden. You may contact us at any time to object to such processing.
4. Retention Periods
- Order data: Retained for 7 years to comply with Dutch tax regulations.
- Customer support correspondence: Retained for up to 2 years.
- Marketing data: Retained until you withdraw consent.
- Device/Analytics logs: Retained for 14 months (the maximum retention period as configured in Google Analytics 4), after which data is deleted or anonymized.
After the applicable retention period, data is either deleted or irreversibly anonymized.
5. Sharing Personal Information
We only share your personal data with trusted third-party processors to operate our business efficiently. All processors are subject to Data Processing Agreements to ensure GDPR compliance.
Third-party recipients include:
- Shopify (e-commerce platform)
- Payment processors: Shopify Payments (cards, Apple Pay, Google Pay, Shop Pay), Klarna, Bancontact, BLIK
- Advertising platforms (Meta, TikTok, Google Ads)
- Analytics tools (e.g., Google Analytics)
We may also disclose your personal information:
- To comply with legal obligations (e.g., tax inspections or court orders)
- To protect our legal rights and prevent fraud
Third-Party Links
Our Site may contain links to third-party websites or services. We are not responsible for their privacy practices or content. Please review their policies before providing any data.
International Transfers
Some of our partners operate outside the EEA. When personal data is transferred internationally (e.g., to Shopify or advertising platforms), we rely on safeguards such as the European Commission’s Standard Contractual Clauses (SCCs) or data adequacy decisions to ensure a lawful and secure transfer. Specifically, for TikTok: data may be transferred to TikTok’s entities outside the EEA (including the United States). We rely on the Standard Contractual Clauses adopted by the European Commission as the transfer mechanism for these transfers. Given ongoing regulatory scrutiny of TikTok data flows by the Dutch Autoriteit Persoonsgegevens and the EDPB, we periodically review this arrangement to ensure continued compliance with GDPR Chapter V.
6. Behavioural Advertising
We use tracking technologies (e.g., cookies and pixels) to deliver relevant advertising and analyze campaign performance:
- Meta (Facebook/Instagram) – Opt out
- TikTok – Opt out
- Google Analytics – Opt out
- General opt-out for EEA users – YourOnlineChoices.eu
Advertising cookies are only activated if you have provided consent through our cookie banner.
7. Cookies & Tracking
We use a GDPR-compliant cookie consent banner that enables you to:
- Accept or reject non-essential cookies
- Continue using the Site even if cookies are declined
- Change or withdraw cookie consent at any time through the banner or your browser settings
Types of cookies used:
- Essential cookies: Required for checkout, cart functionality, and login.
- Analytics cookies: Help us understand visitor behavior.
- Marketing cookies: Deliver relevant ads via platforms such as Meta and Google.
Important note on Google Analytics 4 (GA4): GA4 always requires explicit consent before it may be activated. It does not qualify for the limited-analytics exemption under Article 11.7a(3) of the Dutch Telecommunicatiewet, because Google processes analytics data for its own purposes in addition to ours. GA4 is therefore treated as a non-essential analytics cookie and will only load after you have actively accepted analytics cookies through our consent banner. No GA4 cookies or tracking scripts are activated prior to your consent.
8. Automated Decision-Making
We use Shopify’s automated fraud detection tools to identify potentially fraudulent orders. These systems may flag certain transactions for manual review.
We do not engage in automated decision-making that produces legal or similarly significant effects under Article 22 of the GDPR. If your order is impacted by such a decision, you may request a manual review.
9. Your GDPR Rights
As a resident of the EEA, you have the following rights:
- Right to access the personal data we hold about you
- Right to correct inaccurate or incomplete information
- Right to request erasure (“right to be forgotten”)
- Right to restrict or object to processing
- Right to data portability
- Right to withdraw consent at any time
- Right to lodge a complaint with a supervisory authority
To exercise any of these rights, please contact us. We will respond to your request without undue delay and in any event within one month of receipt, as required by Article 12(3) of the GDPR. Where requests are complex or numerous, we may extend this period by a further two months, in which case we will inform you of the extension and the reasons within the initial one-month period.
You may also contact the Dutch Data Protection Authority:
https://autoriteitpersoonsgegevens.nl
We may require identity verification before processing your request. If you appoint someone to act on your behalf, we may also request proof of authorization.
10. Children’s Privacy
Our Site is not intended for children under the age of 16. As a Netherlands-based controller, we apply the age threshold of 16 years across all markets we serve, in accordance with Article 16 of the Dutch UAVG (Uitvoeringswet AVG), which sets 16 as the age at which a minor may consent to information society services without parental authorisation. We do not knowingly collect data from minors. If we become aware that we have done so, we will delete such data promptly. As required by Article 8 of the GDPR, we take reasonable technical and organisational measures to verify that users providing personal data are at least 16 years old. If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact us so we can take appropriate action.
11. Data Breach Notification
In the event of a data breach that may impact your rights and freedoms, we will notify the Dutch Data Protection Authority within 72 hours of becoming aware of the breach, and if the risk is considered high, we will also notify you directly without undue delay.
12. Security
We maintain technical and organizational safeguards—such as encryption, firewall protection, and access controls—to protect your data. However, no method of online transmission is completely secure. We encourage you not to send sensitive information via unencrypted channels.
13. Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our services or legal obligations. We encourage you to check this page regularly for the latest version. The “Last Updated” date at the top reflects the current version.
14. Contact Us
Tales of a Lost Species (TOLS)
Legal form: Sole Proprietorship
KVK: 67346693