Shop Privacy Notice
Scope and Application
This Privacy Notice explains the collection, processing, retention, and protection of personal data in connection with the Kaharagia Official Shop at shop.kaharagia.org.
It applies to data submitted in the course of browsing, ordering, paying for, and receiving goods through the Shop. It does not apply to payment-card data submitted directly to Stripe, the Shop's payment processor, which is handled under Stripe's own data-protection arrangements.
This Notice forms an integral part of, and shall be read in conjunction with, the Shop Terms of Sale.
Data Controller and Responsible Authority
The data controller for personal data processed through the Shop is the Principality of Kaharagia, acting through its competent sovereign institutions. Day-to-day oversight is exercised by the Office of Digital Government & Cybersecurity, Secretariat of State.
For payment-card data submitted to Stripe, Stripe is the relevant data controller under its own privacy policy. The Shop receives only payment tokens, the last four digits of the card, and transaction identifiers, never the full card number, expiry, or CVC.
Categories of Personal Data Processed
Browsing and Catalogue
- IP address and approximate technical metadata of the device making the request
- Pages and products viewed, timestamps, and basket contents
- Cookies and storage strictly necessary to operate the catalogue and checkout (including session and cart cookies)
Account Data (where the Customer creates an account)
- Email address and password (stored only in securely hashed form)
- Order history associated with the account
Order Data
- Customer name and contact details (email, telephone)
- Billing address
- Shipping address(es) and recipient name
- Order contents, value, currency, and timestamps
Payment Metadata (received from Stripe)
- Payment method type (e.g. card brand)
- Last four digits of the payment card
- Stripe payment-intent and charge identifiers
- Refund and chargeback records
Fulfilment Data
- Carrier, tracking number, and delivery status
- Customs declaration data where required for international shipments
Customer Support
- Correspondence between the Customer and the Shop's support function
- Notes recorded by support staff in connection with an Order
Legal Basis for Processing
Performance of a Contract: processing necessary to take, accept, fulfil, and support the Customer's Order.
Compliance with Legal Obligations: record-keeping, tax, customs, and consumer-protection obligations under Kaharagian law and applicable rules.
Legitimate Interests: fraud prevention, order security, and the operational integrity of the Shop.
Consent: for any processing not falling under the above bases (including any future marketing communications, which would require explicit opt-in).
Purpose Limitation
Personal data is used exclusively for:
- Operating the catalogue and checkout
- Accepting, processing, and fulfilling Orders
- Communicating with the Customer about their Order
- Processing payments, refunds, and chargebacks via Stripe
- Complying with tax, customs, and consumer-protection obligations
- Investigating fraud or abuse
- Responding to customer-support enquiries
- Maintaining records as required by Kaharagian law
The Shop does not use Customer data for behavioural profiling, retargeting, or marketing without explicit consent.
Data Sharing and Disclosure
Personal data may be shared or disclosed to:
Stripe: payment data necessary to process transactions, refunds, and chargebacks.
Carriers (e.g. national post, courier services): name, shipping address, contact telephone, and parcel reference, as required to deliver the Order.
Customs Authorities: declaration data and Order contents as required by law for international shipments.
Intra-Governmental Sharing: between competent Kaharagian institutions where necessary for compliance with legal requirements.
Legal and Regulatory Requirements: where required by Kaharagian law, judicial order, or lawful law enforcement request.
The Shop does not sell, rent, or trade Customer data, and does not disclose Customer data to third parties for their independent commercial use.
International Hosting and Data Transfers
The Shop is currently hosted on technical infrastructure located in the Federal Republic of Germany, with the associated domain registered through a registrar also based in the Federal Republic of Germany. Hosting and registrar arrangements may change over time as operational requirements evolve.
Stripe is a payment processor with operations in multiple jurisdictions including the European Union, the United Kingdom, the United States, and elsewhere. Data necessary to process payments is transmitted to Stripe in accordance with its own data-protection arrangements.
Carriers receive shipping data necessary to deliver to the destination address, which may be in any jurisdiction.
These technical and operational arrangements do not alter the governing law applicable to personal data processed by the State, which remains subject exclusively to Kaharagian data protection law and sovereign jurisdiction.
Data Retention
- Browsing and basket data is retained only as long as necessary for operational purposes; abandoned baskets are cleared on a routine schedule.
- Order records are retained for the period required by Kaharagian commercial, tax, and customs law, typically extending several years beyond the date of the transaction.
- Account data is retained for the lifetime of the account; on account closure, it is deleted or anonymised, save where retention is required for an outstanding Order or by law.
- Payment metadata is retained for the period required for refund, chargeback, and audit purposes.
- Customer-support correspondence is retained for a reasonable period after the matter is closed.
Security Measures
The State implements reasonable technical and organisational measures to protect personal data processed through the Shop:
- Encryption in transit using current TLS standards, with disk-level encryption of underlying storage
- Account passwords stored only in securely hashed form
- Payment-card data never received or stored by the State (handled by Stripe)
- Role-based access controls limiting backend access to authorised personnel
- Logging and audit of administrative access
- Network segmentation between the public storefront, the administrative interfaces, and the database
Notwithstanding these measures, no system can be guaranteed to be absolutely secure.
Rights of Data Subjects
Subject to applicable legal provisions, Customers may:
- Request confirmation of whether personal data concerning them is being processed
- Access personal data held concerning them
- Request correction of inaccurate personal data
- Request deletion of personal data, subject to retention required for completed Orders or by law
- Withdraw consent for any processing based on consent
For payment-card data, requests should be directed to Stripe under its own privacy policy.
Children and Minors
The Shop is not directed at children under the age of thirteen (13). We do not knowingly accept Orders from individuals under this age. Customers under the age of majority in their jurisdiction should obtain the consent of a parent or guardian before placing an Order.
Contact and Enquiries
For Order-related enquiries, please use the support channel published on the Shop.
For data-protection enquiries:
Office of Digital Government & Cybersecurity, Secretariat of State
digital@state.kaharagia.org
For matters of Kaharagian data protection law: justice@state.kaharagia.org. For correspondence from foreign data protection authorities: legal@state.kaharagia.org.
Amendment and Revision
This Privacy Notice may be amended at any time without prior notice. Continued use of the Shop following publication constitutes acceptance.
Governing Law
This Privacy Notice is governed exclusively by the laws of the Principality of Kaharagia.