Privacy Policy

When you place an order or interact with our site we may collect: - Order data: your name, email address, shipping address, phone number (optional), order details, and customization choices. - Payment data: handled entirely by Stripe. We never see your card number, CVV, or full payment credentials. - Technical data: IP address (anonymized before storage), browser type and version, device, language and timezone preferences. - Marketing identifiers: click identifiers (gclid, fbclid, ttclid) and platform browser cookies (_fbp, _ttp, _ga) when you arrive from an ad or have given marketing consent. These help measure which campaigns drove your visit. - Account data (if you create one): email and a hashed password managed by our authentication provider. - Communications: messages you send us via the contact form or email.

We rely on the following legal bases under the GDPR (and equivalent provisions in other jurisdictions): - Performance of a contract (Art. 6(1)(b)): processing your order, payment, and shipment. - Legal obligation (Art. 6(1)(c)): keeping invoices and tax records for the period required by law (typically 7 years in the EU). - Consent (Art. 6(1)(a)): analytics, advertising, and remarketing cookies, server-side conversions, and marketing emails. You can withdraw consent at any time via the Manage Cookies link in our footer. - Legitimate interest (Art. 6(1)(f)): fraud prevention, securing the site, and improving the customer experience, balanced against your privacy.

We use four categories of cookies and similar technologies. You choose what to allow when you first visit, and you can change your choice anytime via Manage Cookies in the footer. - Strictly necessary: required for the cart, checkout, language and currency preferences, and security. These cannot be turned off. - Analytics: helps us understand how visitors use the site, in aggregate. Powered by Google Analytics 4. Loaded only with your consent. - Advertising: helps us measure Google Ads campaign performance and run reminder ads to people who visited our site. Includes Google Ads conversion tracking. Loaded only with your consent. - Social and remarketing: lets us run personalized product ads on Facebook, Instagram, and TikTok and exclude existing customers from acquisition campaigns. Includes the Meta Pixel and TikTok Pixel and their server-side counterparts (Meta Conversions API and TikTok Events API). Loaded only with your consent. We use Google Consent Mode v2: with consent denied, no advertising cookies are written and platforms receive only consent signals, never your personal data.

We share personal data only with vendors that help us run the business. Each is bound by a data processing agreement and their own privacy policy. - Stripe, Inc. (United States): payment processing. https://stripe.com/privacy - Cloudflare, Inc. (United States): content delivery and DDoS protection. https://www.cloudflare.com/privacypolicy/ - Resend (United States): transactional email delivery. https://resend.com/legal/privacy-policy - Google LLC (United States): Google Analytics 4 and Google Ads, with your consent. https://policies.google.com/privacy - Meta Platforms, Inc. (United States): Meta Pixel and Conversions API for Facebook and Instagram ads, with your consent. https://www.facebook.com/privacy/policy/ - TikTok (Singapore and United States): TikTok Pixel and Events API, with your consent. https://www.tiktok.com/legal/page/row/privacy-policy/en - Hosting infrastructure: our application servers are hosted in the European Union (or comparable jurisdiction with adequate safeguards). We do not sell your personal data.

Some of the providers listed above are based in the United States. When your data leaves the European Economic Area (EEA), the United Kingdom, or Switzerland, we rely on: - Adequacy decisions: Stripe, Google, and Meta are certified under the EU-US Data Privacy Framework (DPF) and its UK and Swiss extensions, which the European Commission has recognized as providing an adequate level of protection. - Standard Contractual Clauses: where the DPF does not apply, transfers are governed by the European Commission's Standard Contractual Clauses (SCCs) plus, where appropriate, supplementary technical and organizational measures. You can ask us for a copy of the safeguards in place for any specific transfer.

We keep your data only as long as needed: - Order and tax records: 7 years (legal requirement). - Account data: until you ask us to delete it. - Analytics data: 14 months in Google Analytics 4 (the platform default). - Advertising cookies: up to 13 months from your last visit, then automatically expire. - Server logs: 30 days for security and debugging.

Depending on your location, you may have the right to access, correct, or delete your personal data, restrict or object to processing, port your data to another service, and not be subject to solely automated decisions. To exercise any of these rights, email us at contact@sanghamoon.com and we will respond within 30 days. You can also withdraw your consent to analytics or advertising tracking at any time via the Manage Cookies link in our footer; withdrawing consent does not affect processing that already took place. EEA residents can lodge a complaint with their local data protection authority. California residents have specific CCPA rights including 'Do Not Sell or Share My Personal Information': email us with that subject line to opt out of cross-platform advertising signals.

Our website is not directed at children under the age of 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.

We may update this Privacy Policy from time to time. When we do, we will revise the 'Last Updated' date at the top of this page. Continued use of our website after changes constitutes acceptance of the revised policy.