1. Who we are

This Privacy Policy describes how KRIEGER GLOBAL SLU ("Eternas Beauty", "we", "us", "our") processes personal information collected through the Eternas Beauty website (eternas.beauty and any associated subdomains) and related services.

For the purposes of the European General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Brazilian Lei Geral de Proteção de Dados (LGPD), and other applicable privacy frameworks, KRIEGER GLOBAL SLU is the entity that determines the purposes and means of processing your personal data.

2. What information we collect

We only collect data we genuinely need. Categories of personal information we may process include:

What we do not collect

• We do not collect biometric data.
• We do not collect health, medical, religious or political data.
• We do not store full credit card details — they are handled exclusively by our PCI-DSS compliant payment processors (Shopify Payments, Stripe, PayPal).
• We do not knowingly collect data from minors under 18 (see section 12).

3. How we collect your information

We collect personal data through three channels:

1. Directly from you: when you place an order, create an account, subscribe to our newsletter, submit a contact form, leave a product review, request a return, or contact customer support.
2. Automatically: when you browse our website, through cookies, server logs and similar technologies.
3. From third parties: from payment processors, shipping carriers, fraud-prevention services, advertising platforms (with consent), and trustworthy review platforms.

4. Why we use your information

Every category of data above has a clear purpose. We do not "collect for the sake of it".

5. Legal basis for processing

Under GDPR and equivalent regulations, every purpose above must rely on a valid legal basis. Here are ours:

• Contract performance: processing necessary to fulfill our purchase contract with you (order, shipping, returns, warranty).
• Legal obligation: compliance with tax, accounting, consumer protection and product safety regulations.
• Legitimate interest: fraud prevention, site security, basic analytics, improving our products and services. We only invoke this basis when our interest is balanced against your rights.
• Consent: marketing emails, non-essential cookies, advertising tracking. You can withdraw consent at any time.

6. Who we share your data with

We share your personal data only with carefully selected service providers ("processors") who help us deliver our service. We never sell your data.

All processors operate under data processing agreements (DPAs) that bind them to use your data only for the contracted purpose, apply appropriate security measures, and assist us in honoring your rights.

7. International data transfers

Some of our service providers are based outside the European Economic Area, including the United States and Canada. When we transfer personal data internationally, we ensure adequate safeguards through:

• EU Standard Contractual Clauses (SCCs) approved by the European Commission;
• Adequacy decisions where applicable (e.g. UK, Canada, Switzerland);
• EU-US Data Privacy Framework certification, where the receiving party is certified.

You can request a copy of the safeguards in place by emailing us.

8. How long we keep your information

At the end of the relevant period, data is either anonymized (so it can no longer identify you) or securely deleted.

9. How we protect your data

We apply industry-standard technical and organizational safeguards:

• Encryption in transit: all communication with our website uses TLS 1.2+ (HTTPS).
• Encryption at rest: sensitive data is encrypted on our processor's infrastructure (AES-256).
• Access control: staff access to personal data is role-based and audit-logged.
• PCI-DSS compliance: payment data flows directly to PCI-DSS Level 1 processors; we never see your full card number.
• Regular audits: our platform partners (Shopify, Stripe, etc.) undergo independent security audits.
• Incident response: in the unlikely event of a data breach, we will notify affected users and the competent authority within 72 hours, as required by GDPR.

10. Your rights

You have substantial control over your personal data. Specifically, you have the right to:

How to exercise your rights

Email support@eternas.beauty.com with the subject "Privacy rights request" and tell us which right you wish to exercise. We will respond within 30 days as required by GDPR (extendable by two further months for complex requests, with notice).

For California residents (CCPA), Brazilian residents (LGPD), Canadian residents (PIPEDA, Quebec Law 25), Japanese residents (APPI), South African residents (POPIA), Singapore/Australian/New Zealand residents (PDPA/APA/NZPA), please also see our dedicated regional pages linked in the footer of our website.

11. Cookies & tracking technologies

We use cookies and similar technologies to make our website work, understand how it's used, and (with your consent) personalize your experience.

On your first visit, our consent banner lets you accept all cookies, reject non-essential cookies, or customize per category. You can change your preferences at any time via the "Cookie settings" link in our website footer, or by deleting cookies in your browser settings.

12. Children's privacy

Our website and products are not directed at children under 18. We do not knowingly collect personal data from anyone under 18. If you become aware that a minor has provided us with personal data without parental consent, please contact us and we will delete the information promptly.

13. Changes to this policy

We review this Privacy Policy at least once a year and whenever we materially change our data practices. The "Last updated" date at the bottom of this page reflects the latest revision. For substantive changes, we will give clear advance notice by email or a banner on the website. Continued use of our services after changes take effect constitutes acceptance.

14. Contact & complaints