Privacy Policy

Last Updated: May 2025

Applies To: This Policy applies to all digital assets owned or operated by Maertin LLC, including the primary website www.maertinhair.com and any subdomains, mobile versions, custom web applications, third-party integrations, APIs, CRM platforms, advertising tools, campaign landing pages, user portals, chatbots, and any future-developed digital service or interface that collects or processes personal data from end users, customers, vendors, affiliates, employees, contractors, or regulatory bodies.

Definitions

"Personal Information" means any information that relates to, identifies, describes, is capable of being associated with, or could reasonably be linked to a particular individual or household. "Processing" includes any operation or set of operations performed on Personal Information, whether or not by automated means. "Data Subject" refers to any individual whose personal information is processed by or on behalf of Maertin LLC. "Controller" means the entity that determines the purposes and means of processing. "Processor" means the entity that processes data on behalf of the Controller. "Sensitive Data" includes information related to racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or sex life or sexual orientation. "Profiling" means automated processing of Personal Information to evaluate certain personal aspects relating to an individual.

Binding Arbitration & Class Action Waiver

By using our Services, you agree that any and all disputes, claims, or controversies arising out of or relating to this Privacy Policy or the breach, termination, enforcement, interpretation, or validity thereof shall be determined by binding arbitration in [Insert State], in accordance with the rules of the American Arbitration Association. You further waive your right to participate in any class action, class arbitration, or representative action or proceeding.

Scope Limitations

This Policy applies solely to websites, applications, and Services controlled by Maertin LLC and does not apply to any third-party websites or platforms that we do not control, even if linked to our Services. We are not responsible for the privacy practices or content of such third parties. Users should review the privacy policies of external websites prior to providing personal information.

1. Introduction & Legal Agreement

This Privacy Policy ("Policy") is a legally binding agreement issued by Maertin LLC ("Maertin," "Mäertin," "we," "our," or "us"), a United States-based limited liability company. It governs the collection, use, storage, processing, disclosure, safeguarding, and lawful handling of personal data provided to us by customers, website visitors, clients, or others interacting with our Services. This Policy applies globally and is enforceable under United States federal law, state privacy laws, the EU General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, Canada's PIPEDA, and other applicable international laws. By using our Services, you confirm that you have read, understand, and accept this Policy in full. If you do not accept its terms, you may not access or use our Services. Continued use after notice of updates to this Policy constitutes acceptance of the revised terms. This Policy supplements our Terms of Service and does not override any rights you have under applicable laws.

2. Corporate Identity & Regulatory Contact Information

Maertin LLC is a domestic limited liability company formed under the laws of [Insert State/Country], with business registration number [Insert Registration Number]. Our registered business address is [Insert Address]. Legal inquiries or communications regarding this Policy, privacy-related complaints, or requests for access, deletion, correction, or restriction may be submitted to our Data Protection Officer (DPO) at [Insert Contact Email]. The DPO is responsible for overseeing our privacy governance program, including compliance with GDPR Article 37, CCPA/CPRA, and related U.S. and international privacy laws. All DSARs (data subject access requests) are logged, timestamped, and reviewed within the timelines required by applicable law.

3. Territorial Scope & Applicable Legal Frameworks

Mäertin complies with all applicable privacy and data protection laws based on the user's location and the origin of the data. These include, but are not limited to, the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), Utah Consumer Privacy Act (UCPA), the EU General Data Protection Regulation (GDPR), UK GDPR, the Data Protection Act 2018, Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), and any other legislation applicable in regions where we do business. In the event of jurisdictional overlap or conflict, the most protective standard is applied unless explicitly prohibited by law. Mäertin uses Standard Contractual Clauses (SCCs) where required for international data transfers.

4. Types of Information We Collect

We collect a range of Personal Information for lawful and clearly defined purposes. This includes, but is not limited to, identifiers such as your name, alias, account credentials, email address, phone number, and postal address; commercial information such as purchase history, product selections, loyalty program details, shipping preferences, and coupon usage; financial data, which may include billing address, transaction identifiers, and tokenized payment details handled by PCI-DSS certified processors; technical information including browser type, device ID, operating system version, screen resolution, session logs, and IP address; usage data including pages visited, time spent, clickstream behavior, form engagement, referral source, and heatmaps; marketing data such as UTM parameters, cookie-based engagement, ad views, and promotional participation; and any content voluntarily submitted through forms, chats, reviews, surveys, or testimonials. Sensitive personal data is only collected when strictly necessary and with the data subject's explicit consent under GDPR Article 9 or similar legal basis.

5. Legal Basis for Processing Personal Data

We process personal data under one or more lawful bases defined under GDPR Article 6 and equivalent U.S. and international frameworks. These bases include: consent (freely given, specific, informed, and revocable); contractual necessity (where processing is required to fulfill an agreement with you); compliance with legal obligations (such as tax compliance, fraud prevention, and legal claims); legitimate interests (for internal analytics, customer experience improvement, and service development, provided such interests are not overridden by your fundamental rights); and, in rare cases, vital interests (to protect life or health). We maintain a documented record of all lawful bases for each processing activity in our RoPA (Records of Processing Activities) in compliance with GDPR Article 30.

6. Methods of Data Collection

We collect Personal Information through both direct and indirect means. Direct collection occurs when you interact with our website or Services, such as completing registration forms, placing an order, engaging with support, subscribing to emails, or submitting reviews. Indirect collection occurs through cookies, web beacons, tracking pixels, browser fingerprinting, session replays (e.g., Hotjar), IP tracking, and log files. We also receive data from third parties such as advertising networks, affiliate partners, and integrated service providers. All collection mechanisms are reviewed by our compliance team to ensure necessity, proportionality, and data minimization.

7. Cookies, Trackers & Consent Management

Our Services use cookies and other tracking technologies categorized as strictly necessary (for login sessions and order functionality), performance (for load speed and crash reporting), functional (for saving preferences and user settings), and marketing (for advertising attribution, audience targeting, and retargeting). We use a Cookie Consent Management Platform (CMP) that allows users to customize consent preferences and opt out of non-essential tracking. Consent preferences are logged and refreshed every 12 months or upon significant policy change. We honor browser-based Global Privacy Control (GPC) and Do Not Track (DNT) signals where recognized.

8. Engagement with Third-Party Data Processors

We work with carefully vetted third-party processors to provide essential business services. These include Shopify (eCommerce platform), AWS (hosting infrastructure), Stripe and PayPal (payment processing), Klaviyo (email/SMS automation), Meta and TikTok (marketing and analytics), Google Analytics 4 (event tracking), and Gorgias (customer support platform). All third parties are contractually bound by Data Processing Agreements (DPAs) that require encryption, restricted access, data protection audits, and incident response obligations. Subprocessors are cataloged and monitored, and data transfers are performed using Standard Contractual Clauses or other lawful transfer mechanisms.

9. Permitted Uses of Data

We use personal data only for legitimate and authorized purposes. These include processing orders, responding to inquiries, delivering email communications, fulfilling legal and regulatory obligations, preventing fraud and abuse, conducting analytics and performance testing, and honoring opt-in marketing preferences. We do not sell personal information for monetary value, do not engage in political profiling, facial recognition, or GPS tracking, and do not perform automated decision-making that produces legal effects without meaningful human involvement. Any profiling conducted is transparent, opt-in, and reviewed manually before being acted upon.

10. Data Retention, Disposal, and Archiving

We retain data based on legal, contractual, and operational requirements. Transactional records are stored for at least seven years for compliance with U.S. tax and financial regulations. Support interactions and communications are retained for two years for quality assurance. Accounts inactive for 12 months are flagged and deleted or anonymized after 24 months unless needed for legal hold. Marketing opt-outs are retained indefinitely in suppression lists to prevent recontact. Backups are encrypted using AES-256 encryption and rotated on a 180-day schedule. All deletion activities follow NIST 800-88 Rev. 1 standards and are documented in tamper-resistant audit logs. Data retention schedules are reviewed annually.

11. Data Subject Rights

Maertin LLC upholds and enforces all legally recognized rights of data subjects under relevant privacy legislation, including but not limited to the GDPR (Articles 12–23), CPRA, PIPEDA, LGPD, PDPA (Singapore), and POPIA (South Africa). These rights include access, rectification, erasure, restriction, data portability (provided in machine-readable CSV or JSON format), objection, and rights relating to automated decision-making. Requests are logged and retained for 24 months for compliance auditing. Users may submit DSARs via our dedicated privacy request form or by emailing [Insert Privacy Email]. We provide full documentation of all request histories, and our privacy operations maintain alignment with ISO/IEC 27701 standards for privacy information management. Data subjects also have the right to lodge complaints with supervisory authorities such as the UK ICO, EU DPA, or state Attorneys General. Mäertin does not discriminate against individuals for exercising any of their privacy rights under applicable laws. Where necessary, Mäertin offers DSAR assistance for individuals with language barriers or accessibility needs, including screen-reader compatibility and alternative submission formats.

12. Identity Verification Procedures

Mäertin uses layered verification methods to authenticate DSARs. Standard requests require verification of three unique data points, such as a registered email address, a recent transaction ID, or a device fingerprint. For sensitive rights (e.g., erasure or portability), government-issued photo ID with redacted sensitive fields and a signed declaration are required. Risk-based scoring is applied to requests, incorporating IP geolocation, device telemetry, and behavioral analytics. Agent-based requests must be accompanied by power of attorney, a notarized document, or equivalent authority. Records of verification steps are securely logged in encrypted storage and retained for a minimum of 24 months. We implement DSAR rate-limiting and anomaly detection to prevent spam or abuse. All identity verification documentation is securely destroyed within 30 days of request closure unless required for regulatory audit.

13. Response Timeframes and Appeals

Acknowledgement of requests occurs within 10 business days. Mäertin provides full responses within 30–45 calendar days and documents each DSAR in our Rights Request Register. Where permitted by law, an extension notice is issued citing the applicable basis (e.g., GDPR Article 12(3)). Denied requests include specific statutory justification, and appeal mechanisms are provided, including regulator contacts and appeal links for Virginia (§59.1-577), Colorado (§6-1-1306), and similar jurisdictions. Mäertin prioritizes requests concerning urgent data risks such as fraud, identity theft, or account compromise. We maintain an internal DSAR audit trail which includes submission timestamps, resolution outcomes, access logs, and appeal history, retained for a minimum of 3 years. All DSAR decisions are reviewed internally for consistency, fairness, and non-discrimination. Periodic audits are conducted on denied requests to prevent systemic denial patterns or discriminatory impacts.

14. Children's Privacy

Mäertin does not knowingly collect or retain personal information from children under the age of 13 (U.S.), 16 (EU/UK), or under the minimum age of digital consent in other applicable jurisdictions. Content is restricted using age-gating and consent interstitials. If inadvertently collected, data is deleted within 10 days of detection, and Mäertin logs the incident in its Children's Data Risk Register. For users aged 13–15, Mäertin obtains opt-in consent for data sharing under CPRA §1798.120(d) and restricts targeted advertising. Our COPPA-compliant safeguards include internal age-verification logic and dynamic parental verification processes. GDPR Recital 38 principles are embedded in our child data handling SOPs. Child consent records are minimized and retained only as long as necessary. Where legally required, Mäertin geofences access to certain content and services based on the user's jurisdiction and age.

15. Profiling and Automated Decision-Making

Mäertin does not perform automated decision-making with legal or similarly significant consequences. Where personalization is used (e.g., product recommendations), this is conducted using non-sensitive data and excludes profiling based on protected categories. Mäertin has conducted Data Protection Impact Assessments (DPIAs) on all personalization models to ensure compliance with GDPR Article 35. Opt-out options are available for all personalization segments, and model logic—including feature variables and output categories—can be disclosed upon written request. Mäertin certifies that profiling does not create discriminatory outcomes or disparate impact under any jurisdiction. We do not use third-party AI scoring APIs or automated credit/risk modeling tools. We do not use profiling for price discrimination, service eligibility, or employment-related determinations.

16. Marketing Communications and Opt-Outs

All marketing communications from Mäertin require prior opt-in consent. Opt-outs are processed immediately, and suppression tokens are synchronized across all outbound platforms, including Klaviyo, Mailchimp, Meta Custom Audiences, and Google Customer Match. Consent timestamps and consent receipts are stored for 5 years per GDPR Article 7(1) and CPRA audit obligations. Mäertin supports integration with centralized opt-out hubs such as NAI, DMAchoice, and AdChoices. Users can manage communication preferences via our self-service privacy dashboard, which includes access to prior consent history. Cross-device syncing is supported for logged-in users. Mäertin does not override email marketing opt-outs, even after order placement or transactional contact. Inferred consent is never assumed based on browsing behavior or site interaction alone. Transactional messages such as order confirmations are excluded from marketing opt-outs and are limited strictly to fulfillment-related content.

17. Do Not Track (DNT) and Global Privacy Control (GPC)

Mäertin honors Global Privacy Control (GPC) browser headers in jurisdictions that recognize them as enforceable opt-outs, including California, Colorado, and Connecticut. GPC signals are logged and override cookie preferences immediately. While DNT signals lack a global legal standard, Mäertin's privacy engineering team continues to track regulatory developments from W3C, EFF, and state AG offices. Our cookie consent platform auto-blocks marketing tags on detection of valid GPC signals. GPC preferences are stored using non-personally identifiable flags tied to browser fingerprinting or authenticated sessions, retained for 12 months unless cleared by user settings. GPC signals are revalidated upon each session refresh.

18. Sale, Sharing, and Targeted Advertising Disclosures

Mäertin does not sell personal data for monetary gain. Targeted advertising practices using hashed identifiers (e.g., email, phone) for lookalike audiences may qualify as "sharing" under CPRA. We identify Meta, Google Ads, and TikTok as potential recipients and designate them as limited-service providers under CPRA-compliant contracts. Our public "Do Not Sell or Share" link activates real-time opt-out suppression across DSPs. We conduct quarterly audits of all advertising SDKs and track opt-out propagation using hashed user suppression keys. Our advertising vendor contracts prohibit re-use or resale of data unless expressly authorized. Contractual minimum security requirements are reviewed annually. A summary of CPRA "sharing" metrics is available in our annual compliance report upon request. When GPC is enabled, behavioral cookies used for advertising are fully disabled and ad targeting is halted until the preference expires or is revoked. If Mäertin uses identity resolution platforms (e.g., LiveRamp), all opt-outs are contractually extended to those platforms via shared suppression.

19. Data Security and Breach Response

Mäertin adheres to ISO/IEC 27001, ISO/IEC 27701, CIS Controls v8, and NIST SP 800-53 and 800-61 for its information and privacy security programs. Physical access is limited to authorized personnel, monitored via CCTV, and tracked via badge access logs. Network architecture includes segmented VLANs, least-privilege IAM policies, and automated WAF protections. All customer and compliance data is encrypted in transit using TLS 1.3 and at rest using AES-256. Monthly vulnerability scans, daily endpoint telemetry reviews, and yearly third-party penetration tests are conducted. Our Incident Response Plan (IRP) aligns with NIST CSF categories (Identify, Protect, Detect, Respond, Recover) and includes protocols for forensic preservation, breach containment, and regulator notification. Mäertin employs data loss prevention (DLP) tools and AI-driven anomaly alerts. Government subpoenas are only honored with valid legal process, and users will be notified when legally permissible. A breach response team is maintained and led by a designated incident response officer. All breach events and internal investigation records are reviewed by the privacy governance team. Security awareness training is mandatory for all employees annually and conducted quarterly for IT and security roles.

20. Cross-Border Transfers and International Protections

Mäertin's cross-border transfers are governed by EU Standard Contractual Clauses (SCCs), the UK IDTA, and equivalent legal safeguards. All international transfers are supported by Transfer Impact Assessments (TIAs), assessing foreign surveillance laws, redress mechanisms, and access limitations. Encryption using TLS 1.3 with Perfect Forward Secrecy is enforced during all data transfers. Contracts with international subprocessors include binding obligations preventing unauthorized disclosure to foreign governments unless required by law. Mäertin maintains a centralized Data Transfer Registry audited annually and available upon lawful request by supervisory authorities. Staff handling international data flows receive annual compliance training on cross-border transfer requirements. Mäertin respects local data localization laws in countries that require domestic storage, including those in India, China, and Russia, where applicable. Our Article 30 record includes a register of all third countries receiving personal data, their legal basis, and risk classification. Any new international subprocessor must undergo a formal cross-border risk evaluation and executive legal approval before being onboarded.