Privacy Policy

Last Updated: June 24, 2025

Tales of a Lost Species (“TOLS”, “we”, “us” or “our”) operates the websites tols [dot] store and talesofalostspecies [dot] com (together referred to as the “Site”). We are a sole proprietorship based in the Netherlands. This Privacy Policy describes how we collect, use, and share your personal data when you visit or make a purchase from the Site, in accordance with the EU General Data Protection Regulation (GDPR) and Dutch privacy regulations.

1. Scope and Responsibility

This Privacy Policy applies to all visitors and customers based in the European Economic Area (EEA). We are the data controller for your personal data as collected through the Site.

We have not appointed a Data Protection Officer (DPO). For privacy-related inquiries, you may contact us.

2. Collecting Personal Information

We collect and process the following categories of personal data:

a. Device Information

Examples: Browser type, IP address, time zone, cookies, browsing history, search terms, interactions with the Site.
Purpose: To ensure the Site functions properly, analyze usage trends, and improve performance.
Source: Collected automatically using cookies, log files, tags, and pixels.
Disclosure: Shared with Shopify, Google Analytics, and other analytics partners.

b. Order Information

Examples: Name, billing and shipping address, email address, phone number, payment details.
Purpose: To fulfill your orders, process payments, arrange shipping, and (with consent) send updates or marketing.
Source: Provided directly by you during checkout.
Disclosure:

  • Shopify – our e-commerce platform
  • TPOP – EU-based print-on-demand partner
  • Printify – additional print-on-demand supplier
  • Payment providers (e.g., PayPal, credit card processor)

c. Customer Support Information

Examples: Order details, email conversations, inquiries.
Purpose: To provide assistance, resolve issues, and improve service quality.
Source: Provided by you via email or contact form.

d. Information from Third Parties

We may receive information from third-party services such as advertising platforms and analytics providers when you interact with our Site or marketing materials.

3. Legal Bases for Processing

We rely on the following legal bases under the GDPR to process your data:

Purpose

Legal Basis

Order fulfillment & shipping

Contractual necessity

Payment processing & fraud prevention

Contractual necessity & Legitimate interest

Customer support

Contractual necessity

Site analytics & improvement

Legitimate interest (with documented balancing test)

Marketing communications

Consent

Tax and legal compliance

Legal obligation

You may withdraw consent at any time for marketing communications or non-essential cookies. For services processed on the basis of legitimate interest (such as analytics and fraud prevention), we have conducted a balancing test to ensure your fundamental rights and freedoms are not overridden. You may contact us at any time to object to such processing.

4. Retention Periods

  • Order data: Retained for 7 years to comply with Dutch tax regulations.
  • Customer support correspondence: Retained for up to 2 years.
  • Marketing data: Retained until you withdraw consent.
  • Device/Analytics logs: Retained for up to 14 months before deletion or anonymization.

After the applicable retention period, data is either deleted or irreversibly anonymized.

5. Sharing Personal Information

We only share your personal data with trusted third-party processors to operate our business efficiently. All processors are subject to Data Processing Agreements to ensure GDPR compliance.

Third-party recipients include:

  • Shopify (e-commerce platform)
  • TPOP and Printify (POD production and fulfillment)
  • Payment processors (e.g., PayPal, credit card providers)
  • Advertising platforms (Meta, TikTok, Google Ads)
  • Analytics tools (e.g., Google Analytics)

We may also disclose your personal information:

  • To comply with legal obligations (e.g., tax inspections or court orders)
  • To protect our legal rights and prevent fraud

Third-Party Links

Our Site may contain links to third-party websites or services. We are not responsible for their privacy practices or content. Please review their policies before providing any data.

International Transfers

Some of our partners operate outside the EEA. When personal data is transferred internationally (e.g., to Shopify or advertising platforms), we rely on safeguards such as the European Commission’s Standard Contractual Clauses or data adequacy decisions to ensure a lawful and secure transfer.

6. Behavioural Advertising

We use tracking technologies (e.g., cookies and pixels) to deliver relevant advertising and analyze campaign performance:

Advertising cookies are only activated if you have provided consent through our cookie banner.

7. Cookies & Tracking

We use a GDPR-compliant cookie consent banner that enables you to:

  • Accept or reject non-essential cookies
  • Continue using the Site even if cookies are declined
  • Change or withdraw cookie consent at any time through the banner or your browser settings

Types of cookies used:

  • Essential cookies: Required for checkout, cart functionality, and login.
  • Analytics cookies: Help us understand visitor behavior.
  • Marketing cookies: Deliver relevant ads via platforms such as Meta and Google.

8. Automated Decision-Making

We use Shopify’s automated fraud detection tools to identify potentially fraudulent orders. These systems may flag certain transactions for manual review.

We do not engage in automated decision-making that produces legal or similarly significant effects under Article 22 of the GDPR. If your order is impacted by such a decision, you may request a manual review.

9. Your GDPR Rights

As a resident of the EEA, you have the following rights:

  • Right to access the personal data we hold about you
  • Right to correct inaccurate or incomplete information
  • Right to request erasure (“right to be forgotten”)
  • Right to restrict or object to processing
  • Right to data portability
  • Right to withdraw consent at any time
  • Right to lodge a complaint with a supervisory authority

To exercise any of these rights, please contact us.

You may also contact the Dutch Data Protection Authority:

https://autoriteitpersoonsgegevens.nl

We may require identity verification before processing your request. If you appoint someone to act on your behalf, we may also request proof of authorization.

10. Children’s Privacy

Our Site is not intended for children under the age of 16. We do not knowingly collect data from minors. If we become aware that we have done so, we will delete such data promptly. If you are under 16, please obtain parental consent before using our Site or providing any personal data.

11. Data Breach Notification

In the event of a data breach that may impact your rights and freedoms, we will notify the Dutch Data Protection Authority within 72 hours of becoming aware of the breach, and if the risk is considered high, we will also notify you directly without undue delay.

12. Security

We maintain technical and organizational safeguards—such as encryption, firewall protection, and access controls—to protect your data. However, no method of online transmission is completely secure. We encourage you not to send sensitive information via unencrypted channels.

13. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our services or legal obligations. We encourage you to check this page regularly for the latest version. The “Last Updated” date at the top reflects the current version.

14. Contact Us

Tales of a Lost Species (TOLS)

Legal form: Sole Proprietorship

KVK: 67346693

Contact us here.