Privacy Policy
Last updated: October 2025
1. Introduction
Tourbillon Watch Co. ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our services.
By using our website, you consent to the practices described in this Privacy Policy. If you do not agree with this policy, please do not use our services.
2. Information We Collect
2.1 Personal Information
We may collect personal information that you voluntarily provide to us, including:
- Name and contact information (email address, phone number)
- Billing and shipping addresses
- Payment information (processed securely through Stripe)
- Account credentials and preferences
- Birth date and demographic information (optional)
2.2 OAuth Authentication Information
When you use third-party authentication services to create or access your account, we collect:
- Google OAuth: Email address, full name, profile picture, and Google user ID
- Microsoft OAuth: Email address, full name, profile picture, and Microsoft user ID
We only request the minimum information necessary to create and manage your account. You can revoke our access to your social media accounts at any time through your account settings on the respective platforms.
2.3 Order and Transaction Information
When you make a purchase, we collect:
- Order details (products, quantities, prices)
- Shipping address and delivery preferences
- Stripe payment session ID and transaction status
- Order history and tracking information
2.4 User Preferences and Activity
We store information about your interactions with our website:
- Favorite watches and wishlist items
- Shopping cart contents
- Product views and browsing history
- Newsletter subscription preferences
2.5 Contact Form Information
When you submit a message through our contact form, we collect:
- Your name and email address
- Phone number (optional)
- Message content
- Submission timestamp
2.6 Automatically Collected Information
We automatically collect certain information when you visit our website:
- IP address and device information
- Browser type and version
- Pages visited and time spent on our site
- Referring website information
- Cookies and similar tracking technologies
3. How We Use Your Information
We use the information we collect for various purposes, including:
- Order Processing: Processing and fulfilling your orders, handling payments through Stripe
- Account Management: Creating and maintaining your user account, including profile, favorites, and order history
- Customer Support: Responding to your inquiries submitted through our contact form
- Communication: Sending order confirmations, shipping updates, and important account notifications
- Marketing: Sending newsletter emails about new products, exclusive offers, and promotions (with your consent)
- Internal Notifications: Sending customer inquiries to our support team via Telegram for timely response
- Service Improvement: Analyzing usage patterns to improve our website, products, and services
- Security: Preventing fraud and unauthorized access, and ensuring the security of our platform
- Legal Compliance: Complying with legal obligations and responding to legal requests
4. Information Sharing and Disclosure
We do not sell, trade, or rent your personal information to third parties for marketing purposes. We may share your information only in the following circumstances:
4.1 Service Providers
We work with trusted third-party service providers who assist us in operating our website and conducting our business:
- Supabase: Secure database backend for storing user profiles, orders, favorites, contact messages, and newsletter subscriptions. Data is encrypted at rest and in transit. Location: US-based servers with global CDN.
- Stripe: Payment processing for all transactions in CAD (Canadian Dollars). We do not store credit card information on our servers. All payment data is handled by Stripe in compliance with PCI DSS standards.
- Google: OAuth authentication service. We only receive basic profile information (email, name, profile picture) necessary for account creation.
- Microsoft: OAuth authentication service for Microsoft account sign-in. We only collect essential profile information.
- Telegram: Internal notification system for customer service. When you submit a contact form, your message is securely transmitted to our support team via Telegram Bot API.
- Shipping Companies: Your shipping address and order details are shared with delivery partners for order fulfillment.
All service providers are contractually obligated to keep your information confidential and use it only for the services they provide to us.
4.2 Legal Requirements
We may disclose your information if required by law or in response to:
- Valid legal requests from law enforcement or government authorities
- Court orders or legal processes
- Protection of our legal rights and the safety of our users
- Investigation of fraud or security issues
4.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction. We will notify you via email and/or prominent notice on our website of any change in ownership or use of your personal information.
4.4 With Your Consent
We may share your information with third parties when you explicitly consent to such sharing.
5. Data Security
We implement comprehensive security measures to protect your personal information:
5.1 Technical Security
- Encryption: All data is encrypted in transit using HTTPS/TLS and at rest in our Supabase database
- Row Level Security (RLS): Database policies ensure users can only access their own data
- Secure Authentication: Passwords are hashed using industry-standard algorithms; OAuth tokens are securely managed
- Payment Security: All payment data is processed through Stripe's PCI DSS Level 1 compliant infrastructure
- Access Controls: Strict access controls limit who can view and modify user data
5.2 Operational Security
- Regular security assessments and vulnerability scanning
- Automated monitoring for suspicious activities
- Secure backup and disaster recovery procedures
- Employee training on data protection best practices
Important Note: While we implement robust security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we continuously work to protect your information using industry best practices.
6. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to enhance your experience on our website:
6.1 Types of Cookies We Use
- Essential Cookies: Required for authentication, shopping cart functionality, and basic website operation
- Functional Cookies: Remember your preferences, favorite watches, and user settings
- Analytics Cookies: Help us understand how visitors use our website to improve user experience
- Authentication Cookies: Manage your login session and keep you signed in
6.2 Local Storage
We use browser local storage to save:
- Shopping cart contents (persists across browser sessions)
- User authentication tokens (for session management)
- User preferences and settings
6.3 Your Cookie Choices
You can control cookies through your browser settings. Most browsers allow you to:
- View and delete cookies
- Block third-party cookies
- Block all cookies (this may affect website functionality)
- Clear cookies when you close your browser
Please note that disabling essential cookies may prevent you from using certain features like shopping cart, user accounts, and checkout.
7. Third-Party Services
Our website integrates with the following third-party services. Each service has its own privacy policy that governs how it handles your data:
We carefully select third-party services that maintain high standards of data protection and privacy. However, we are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.
8. Your Rights and Choices
We respect your privacy rights. Depending on your location, you may have the following rights:
8.1 Account Management Rights
- Access: View and download your personal information through your account dashboard
- Correction: Update your profile information, shipping addresses, and preferences
- Deletion: Request deletion of your account and personal information
- Data Portability: Request a copy of your data in a machine-readable format
8.2 Communication Preferences
- Newsletter Unsubscribe: Click the unsubscribe link in any marketing email or manage preferences in your account
- Transactional Emails: You cannot opt out of essential emails (order confirmations, shipping updates, account security notifications)
- Marketing Opt-out: Unsubscribe from promotional communications while maintaining your account
8.3 OAuth and Social Login
- Revoke Access: You can revoke our access to your Google or Microsoft account through their respective account settings
- Disconnect Account: Contact us to disconnect your social media login from your account
8.4 How to Exercise Your Rights
To exercise any of these rights, you can:
- Log in to your account dashboard and manage your information
- Contact us at tourbillonme@outlook.com with "Privacy Request" in the subject line
- Unsubscribe from newsletters using the link in any email
We will respond to your request within 30 days. For security purposes, we may need to verify your identity before processing your request.
9. Data Retention
We retain your personal information based on the following criteria:
9.1 Retention Periods
- Account Information: Retained while your account is active and for 1 year after account deletion (for legal compliance)
- Order History: Retained for 7 years for tax and accounting purposes
- Payment Records: Transaction IDs and order amounts retained for 7 years; no credit card data stored
- Contact Messages: Retained for 3 years for customer service records
- Newsletter Subscriptions: Retained until you unsubscribe
- Favorites and Wishlist: Retained while your account is active
- Analytics Data: Aggregated and anonymized after 2 years
9.2 Deletion Process
When data is no longer needed:
- Personal information is securely deleted from our databases
- Backups are purged according to our retention schedule
- Some data may be retained in anonymized form for analytics
10. International Data Transfers
Your information may be transferred to and processed in countries other than your own:
10.1 Data Locations
- Supabase Servers: United States (with global CDN)
- Stripe: Processes data in multiple regions according to your location
- Cloud Infrastructure: Uses servers in US and EU regions
10.2 Safeguards
We ensure appropriate safeguards are in place:
- Encryption of data in transit and at rest
- Contractual protections with service providers
- Compliance with applicable data protection regulations
- Standard Contractual Clauses (SCCs) where required
11. Children's Privacy
Our services are not intended for children under 13 years of age (or under 16 in the European Union). We do not knowingly collect personal information from children below these age thresholds.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at tourbillonme@outlook.com. We will take prompt steps to delete such information from our records.
12. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to Know: Request disclosure of personal information we collect, use, and share
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out: We do not sell personal information
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights
To exercise these rights, contact us at tourbillonme@outlook.com with "CCPA Request" in the subject line.
13. European Privacy Rights (GDPR)
If you are located in the European Economic Area (EEA), UK, or Switzerland, you have additional rights under GDPR:
- Legal Basis: We process your data based on consent, contract performance, legal obligations, and legitimate interests
- Right to Object: Object to processing based on legitimate interests
- Right to Restrict: Request restriction of processing in certain circumstances
- Right to Lodge Complaint: File a complaint with your local data protection authority
For GDPR-related requests, contact us at tourbillonme@outlook.com with "GDPR Request" in the subject line.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
14.1 How We Notify You
- We will update the "Last updated" date at the top of this page
- For material changes, we will send an email notification to your registered email address
- We may display a prominent notice on our website
- We will provide at least 30 days' notice before material changes take effect
14.2 Your Continued Use
By continuing to use our services after changes become effective, you acknowledge and agree to the updated Privacy Policy. If you do not agree with any changes, please discontinue use of our services and contact us to delete your account.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
15. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, we're here to help:
15.1 General Inquiries
Tourbillon Watch Co.
Email: tourbillonme@outlook.com
Customer Service: Available 24/7
15.2 Privacy-Specific Requests
For privacy-related matters, please include one of the following in your subject line:
- "Privacy Request" - General privacy inquiries
- "Data Access Request" - To access your personal information
- "Data Deletion Request" - To delete your account/data
- "CCPA Request" - California privacy rights
- "GDPR Request" - European privacy rights
15.3 Response Time
We aim to respond to all privacy-related inquiries within 30 days. For complex requests, we may need additional time and will keep you informed of our progress.
15.4 Contact Form
You can also reach us through the contact form on our Info & Support page. Your message will be sent securely to our customer service team.