Privacy Policy

Privacy Policy

Last updated: 11 July 2026

CapyOnsen makes calm, honest self-care products, and we want to be just as calm and honest about your data. This policy explains what we collect, why we collect it, how long we keep it, and what say you have over it. We've tried to write it the way we'd explain it to a friend — plainly, without the legal fog — while still covering everything the law requires us to tell you.

If anything here is unclear, email us at [email protected] and we'll explain it properly.

Who we are

The data controller responsible for your personal data is:

We are based in Cyprus, which means the Cyprus Commissioner for Personal Data Protection is our lead supervisory authority under the General Data Protection Regulation (GDPR).

What we collect, and why

We only collect what we actually need to run CapyOnsen. Here's a breakdown by what you're doing on the site.

Joining the waitlist / newsletter (pre-launch site)

While CapyOnsen is in its pre-launch phase, the main thing you can do on capyonsen.com is join our waitlist so we can tell you when we launch. If you sign up, we collect:

  • Your email address
  • Your language preference (so we email you in the right language)
  • The timestamp of your signup

We do not collect or store your IP address as part of this signup. Your waitlist details are currently stored on our own server (an EU-based virtual private server), which we manage directly. This is a provisional setup while we're small. We plan to move waitlist and newsletter management to a dedicated email service provider with double opt-in confirmation (a two-step process where you confirm your email address before you're added to the list) as we grow — we'll update this policy when that happens.

Creating a store account (optional)

When our store opens, you'll be able to check out as a guest or create an account. If you create an account, we store the details needed to run it: your name, email address, and your order history, so you don't have to re-enter everything each time you shop.

Placing an order

To fulfil an order, we need:

  • Your name
  • Your shipping address
  • Your email address
  • Your phone number (optional — only if you choose to give it, usually to help the courier reach you)
  • Details of what you ordered and your order history

This is the minimum information a physical product business needs to get your order to your door and keep proper records.

Product reviews

If you leave a review, we display your name (or the name you choose to show) alongside your review text. We mark reviews as "verified buyer" when they come from someone who has actually purchased the product, which means we check your review against your order history.

Wishlist

If you save products to a wishlist, we store which products you've saved against your account so the list is there next time you visit.

Newsletter subscription (store)

Once our store is live, newsletter sign-ups there use double opt-in — you'll get a confirmation email and need to click a link before you're actually subscribed. This confirmed subscription status is stored within our WordPress/WooCommerce store.

The legal basis for each of these

Under GDPR, we need a valid legal reason to process your data for each purpose. Here's ours:

  • Waitlist / newsletter signup: your consent (Article 6(1)(a)). You can withdraw it at any time by unsubscribing.
  • Store accounts: your consent to create the account, and performance of a contract (Article 6(1)(b)) once you're using it to shop.
  • Orders and shipping data: performance of a contract (Article 6(1)(b)) — we can't ship you a product without your address, and legal obligation (Article 6(1)(c)) for the accounting and tax records we're required to keep.
  • Product reviews: your consent — you choose to submit a review, and you can ask us to remove it.
  • Wishlist: your consent, given by using the feature while logged in.
  • Newsletter (store): your consent, confirmed through double opt-in.

We do not use your data for any purpose beyond what's listed above without asking you first.

Who we share your data with

We don't sell your data, ever. We share it only with the specific partners who need it to make CapyOnsen work:

  • Selfnamed SIA (Riga, Latvia) — our manufacturing and fulfilment partner. When you place an order, we share your name, shipping address, and order contents with Selfnamed so they can produce and ship your order. This is essential to fulfilling your purchase and is covered under performance of a contract.
  • Payment providers
  • Cloudflare, Inc. (a US company) — we use Cloudflare as a content delivery network and security/proxy layer in front of our website. This means some traffic to our site passes through Cloudflare's infrastructure. See "International transfers" below for how this is safeguarded.
  • Our hosting provider

We do not share your data with advertisers, data brokers, or any other third party, and we do not build advertising profiles from it.

International data transfers

Wherever possible, we keep your data within the European Union. Our server is EU-hosted, and Selfnamed (our fulfilment partner) is based in Latvia, within the EU.

The one partner based outside the EU is Cloudflare, which is a US company. Cloudflare is certified under the EU-U.S. Data Privacy Framework (DPF), which the European Commission recognises as providing an adequate level of protection for personal data transferred from the EU to certified US companies. This means Cloudflare has committed to a set of enforceable privacy obligations that meet EU standards, even though the company itself is based outside the EU.

How long we keep your data

  • Waitlist signups: until we launch and you either convert to a customer or unsubscribe — you can unsubscribe at any time.
  • Order and invoice records: for as long as the law requires us to keep accounting and tax records. In Cyprus this is typically in the range of 6–10 years, depending on the type of record [placeholder — to be confirmed against current Cyprus tax and accounting law before launch]. We keep this data purely for legal compliance, not for marketing.
  • Store accounts: for as long as your account is active. If you ask us to delete your account, we will, subject to anything we're legally required to retain (like invoice data, as above).
  • Reviews and wishlist data: for as long as your account exists, or until you ask us to remove a specific review.

When data is no longer needed for any of the purposes above, we delete or anonymise it.

Your rights

Under GDPR, you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate or incomplete data
  • Erase your data ("right to be forgotten"), subject to any legal retention requirements we've described above
  • Restrict how we use your data in certain circumstances
  • Object to processing based on our legitimate interests or for direct marketing
  • Port your data — receive it in a structured, commonly used format, or have it transferred to another provider
  • Withdraw consent at any time, where we rely on consent, without affecting the lawfulness of processing before you withdrew it

To exercise any of these rights, email us at [email protected]. We'll respond within the timeframes required by law.

You also have the right to lodge a complaint with a supervisory authority. As we're based in Cyprus, our lead authority is:

  • The Office of the Commissioner for Personal Data Protection, Cyprus

If you live in another EU/EEA country, you can also complain to your own national data protection authority.

Automated decisions and profiling

We do not use your data for profiling, and we do not make any decisions about you using automated processing. No algorithm decides what you see, what you pay, or how we treat you — real people run CapyOnsen.

Cookies and similar technologies

Our website currently uses only the cookies necessary to make it function. We do not use analytics cookies, advertising cookies, or tracking pixels.

The essential cookies we use are:

  • WordPress session cookies — keep you logged in and the site working correctly as you browse.
  • WooCommerce cart cookies — remember what's in your shopping cart as you move between pages.
  • Language preference cookie — remembers which language you'd like to browse in.

These essential cookies don't require your consent under EU cookie rules, because the site can't function properly without them.

We also load fonts from Google Fonts, a Google service, to display our brand typography. When your browser requests these fonts, it connects to Google's servers, which may process your IP address as part of that request. We're aware this raises data protection considerations, and we're working on serving these fonts directly from our own server instead, which would remove this external connection entirely. We'll update this policy once that change ships.

If we ever introduce analytics, advertising, or tracking cookies in the future, we will update this policy and ask for your consent first, in line with EU cookie law.

Children

CapyOnsen is not directed at children, and we do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us at [email protected] and we will delete it.

Changes to this policy

We may update this policy from time to time — for example, as we add an email service provider, introduce analytics, or launch new features. When we make material changes, we'll update the "Last updated" date at the top of this page, and where the change is significant, we'll let you know directly (for example, by email to our waitlist and customers).

Contact us

Questions, requests, or just want to double-check something about your data? Email us any time at [email protected].