Privacy policy

Last updated: 29 May 2026

1. Who we are

This Privacy Policy describes how Bunny Honey Club SRL, a Romanian limited liability company registered at the Romanian National Trade Register Office (Oficiul Național al Registrului Comerțului), operating the online store Warm Shelf at warmshelf.com, collects, uses, and protects your personal data.

For the purposes of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK GDPR, and applicable consumer privacy laws in the United States (including the California Consumer Privacy Act, "CCPA"), Bunny Honey Club SRL is the data controller for personal data collected through Warm Shelf.

Legal entity: Bunny Honey Club SRL
Registered office: Strada Petricani 4, 023842 Bucharest, Romania
Privacy contact: support@warmshelf.com
Phone: +49 163 7830812 (Germany / International Support)

2. What personal data we collect

We collect personal data in the following categories:

2.1 Information you provide directly

Account and order information: name, email address, postal address, telephone number, billing address, shipping address
Payment information: handled directly by our payment processors (Shopify Payments, PayPal). We do not store full payment card numbers on our servers
Customer support communications: the content of emails or messages you send us
Marketing preferences: if you subscribe to our email newsletter

2.2 Information collected automatically

Device and connection information: IP address, browser type, operating system, referring URL, language preference
Usage information: pages visited, time spent, products viewed, items added to cart, search queries on our site
Cookies and similar technologies: see Section 8 below

2.3 Information from third parties

Analytics providers: aggregated visitor statistics from Google Analytics 4
Advertising platforms: attribution data from Google Ads (conversion tracking)
Customer reviews: if you submit a review via our reviews provider, the review platform collects your name and review content

3. Why we collect personal data (legal bases under GDPR)

Purpose	Legal basis
Processing and shipping your orders	Performance of a contract (Art. 6(1)(b) GDPR)
Customer support and warranty claims	Performance of a contract / legitimate interest (Art. 6(1)(b), (f) GDPR)
Tax, accounting, and legal compliance	Legal obligation (Art. 6(1)(c) GDPR)
Fraud prevention and account security	Legitimate interest (Art. 6(1)(f) GDPR)
Marketing emails to subscribers	Consent (Art. 6(1)(a) GDPR) — withdrawable any time
Analytics and website improvement	Consent for non-essential cookies (Art. 6(1)(a) GDPR)
Personalized advertising	Consent (Art. 6(1)(a) GDPR)

4. Who we share personal data with

We share personal data only with trusted processors who help us operate Warm Shelf. We do not sell personal data.

Shopify Inc. — hosts our online store and processes order data
Shopify Payments / Stripe / PayPal — processes payments
Fulfilment partners — receive shipping address and order details to dispatch your order
Shipping carriers (e.g. DHL, UPS, USPS, Royal Mail, Deutsche Post, local last-mile partners) — receive shipping address and delivery information
Email service provider (Shopify Email) — to send order confirmations and marketing emails (only with your consent)
Google LLC — for analytics (Google Analytics 4) and advertising (Google Ads), where consent has been given
Customer reviews provider — to display reviews on our site
Professional advisors — accountants, lawyers, auditors, where required by law
Regulatory authorities — where required by law (tax, consumer protection, court orders)

5. International data transfers

Some of our processors are based outside the European Economic Area (EEA), including in the United States. Where personal data is transferred outside the EEA, we rely on:

European Commission adequacy decisions where applicable
Standard Contractual Clauses (SCCs) approved by the European Commission
Other valid transfer mechanisms under GDPR Art. 46

6. How long we keep personal data

Order data: 10 years (Romanian fiscal retention requirement)
Marketing data: until you withdraw consent or for 3 years after your last interaction
Customer support correspondence: 3 years after closing the matter
Cookies and analytics: see Section 8 below

7. Your rights

Under GDPR (for EU/EEA/UK customers) and applicable laws in your jurisdiction (including CCPA for California residents), you have the following rights:

Right of access — request a copy of the personal data we hold about you
Right to rectification — correct inaccurate or incomplete data
Right to erasure ("right to be forgotten") — request deletion of your data, subject to legal retention obligations
Right to restriction of processing
Right to data portability — receive your data in a structured, machine-readable format
Right to object — to processing based on legitimate interest or for direct marketing
Right to withdraw consent — at any time, where processing is based on consent
Right to lodge a complaint with your local data protection authority. The Romanian supervisory authority is the National Supervisory Authority for Personal Data Processing (ANSPDCP): www.dataprotection.ro

For California residents: you have the right to know what personal information we collect, the right to delete personal information, the right to opt out of the sale or sharing of personal information (we do not sell personal information), and the right to non-discrimination for exercising your CCPA rights.

To exercise any of these rights, email support@warmshelf.com. We respond within 30 days (or up to 60 days for complex requests under GDPR Art. 12(3)).

8. Cookies and similar technologies

We use cookies and similar technologies for:

Strictly necessary cookies — required for the cart, checkout, login, and security. Cannot be disabled.
Functional cookies — remember your preferences (language, currency)
Analytics cookies — Google Analytics 4, only with your consent
Marketing cookies — Google Ads conversion tracking, only with your consent

You can manage your cookie preferences via the cookie banner on first visit and via our cookie settings link at any time. You can also disable cookies in your browser, although this may affect site functionality.

9. Children

Warm Shelf is not directed to children under 16. We do not knowingly collect personal data from children under 16. If you believe we have collected data from a minor, please contact us at support@warmshelf.com and we will delete it.

10. Security

We use industry-standard security measures to protect personal data, including HTTPS encryption, access controls, secured hosting through Shopify (PCI-DSS Level 1 compliant), and processor agreements with all our service providers. No method of transmission over the Internet is 100% secure, but we work to protect your data against unauthorized access, alteration, disclosure, or destruction.

11. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be announced via the homepage or by email. The "Last updated" date at the top of this page reflects the most recent revision.