Privacy Policy
Contents
- Data controller
- Scope and legal bases
- Data we collect
- Purposes
- Processors and recipients
- International transfers
- Retention
- Your rights (GDPR + CCPA)
- Security
- Minors
- Cookies
- Analytics and advertising
- Changes
- Contact and complaints
1. Data controller
The data controller for personal information processed in connection with Nail Pop (the “Service”) is:
NOVIANTIS INC, a Florida Profit Corporation P25000046433
8400 NW 36th Street, Suite 450, Doral, FL 33166, USA
Privacy contact: hello@popnail.co
General contact: hello@popnail.co
We have not appointed a Data Protection Officer; processing does not fall within the mandatory designation cases of GDPR Article 37. Single point of contact for any privacy matter: hello@popnail.co.
2. Scope and legal bases
This policy applies to all personal data collected through popnail.co, its subdomains, and related support channels. Legal bases under GDPR Article 6:
- Performance of contract (Art. 6.1.b): order processing, fulfillment, customer support.
- Legal obligation (Art. 6.1.c): invoice retention, anti-fraud, tax records, lawful requests.
- Legitimate interest (Art. 6.1.f): security, abuse prevention, service improvement.
- Consent (Art. 6.1.a): optional marketing emails, SMS notifications.
For U.S. customers, processing is governed by applicable state privacy laws including the California Consumer Privacy Act (CCPA) as amended by the CPRA.
3. Data we collect
3.1 Order data
- Email address (required)
- Shipping address (full name, street, city, state, ZIP, country)
- Phone number (optional, used only for delivery coordination if provided)
- Billing address (collected by Stripe, may differ from shipping)
- Order contents, quantities, prices, promotion codes applied
3.2 Payment data
- Stripe customer reference ID
- Card last 4 digits, brand, expiry month/year (returned by Stripe for display)
- Transaction history (amounts, dates, status, refunds)
Full card numbers are never sent to or stored by Nail Pop or Noviantis. All payments are processed by Stripe in a PCI-DSS Level 1 environment.
3.3 Technical data
- IP address (anonymized after 30 days in logs)
- Browser user-agent
- Request timestamps
- Essential session cookies (cart, checkout state)
3.4 Marketing data (consent-based)
- Email opt-in for product drops and exclusive deals (if checked at checkout)
- SMS opt-in for shipping notifications and deals (if checked at checkout)
4. Purposes
- Process and fulfill your orders (charge payment, ship product, send confirmation).
- Provide customer support and respond to inquiries.
- Send order-related transactional emails (confirmation, shipping, delivery).
- Send marketing communications if you opted in (you can opt out at any time via the unsubscribe link).
- Prevent payment fraud, chargeback abuse, and Terms violations.
- Comply with legal obligations (accounting, tax, judicial requests).
- Improve the Service through aggregated, anonymized analytics.
We never sell your personal data. We do not perform automated decision-making producing legal effects on you.
5. Processors and recipients
We rely on the following sub-processors, each bound by appropriate data processing agreements:
- Vercel Inc. (USA) — storefront hosting and CDN.
- Railway Corp (USA) — backend application and database hosting.
- Stripe Payments Inc. (USA) — payment processing.
- Resend Inc. (USA) — transactional and marketing email delivery.
- Cloudflare Inc. (USA) — DNS, DDoS protection, edge CDN.
- A U.S.-based third-party logistics (3PL) provider — order fulfillment and shipping. Identity disclosed upon request at hello@popnail.co.
6. International transfers
Several sub-processors are located in the United States. For data subjects in the European Economic Area, the United Kingdom, or Switzerland, transfers outside your region are secured by:
- EU-U.S. Data Privacy Framework (DPF): Vercel, Stripe, Resend, and Cloudflare are DPF-certified, providing an adequate protection level recognized by the European Commission’s adequacy decision of 10 July 2023.
- Standard Contractual Clauses (SCC) 2021/914: for non-DPF processors, we have signed Modules 2 and 3 SCCs with supplementary technical measures (encryption in transit, minimization, fast deletion).
Copies of the SCCs and corresponding transfer impact assessments are available on request at hello@popnail.co.
7. Retention
- Order data: 10 years (legal accounting and tax obligations).
- Customer support correspondence: 3 years after last interaction.
- Marketing consent records: until consent withdrawal + 3 years.
- Technical logs: 90 days.
- Encrypted backups: 30-day rolling window.
8. Your rights (GDPR + CCPA)
Under GDPR and the CCPA, you have the following rights:
- Access: obtain a copy of your data.
- Rectification: correct inaccurate data.
- Erasure: delete your data (subject to mandatory legal retention).
- Restriction of processing.
- Portability: export your data in a structured format.
- Objection to processing based on legitimate interest.
- Withdraw consent at any time for consent-based processing.
- CCPA — Right to know, delete, and opt out of sale: we do not sell any data.
Send any request to hello@popnail.co. We respond within 30 days, extendable by 60 days for complex requests. Identity verification may be required.
9. Security
- TLS 1.3 encryption in transit.
- AES-256 encryption at rest for database and object storage.
- Strict per-customer data isolation.
- Internal least-privilege access policy.
- Automated dependency audits.
- Responsible disclosure: hello@popnail.co.
In case of a data breach posing a risk to your rights and freedoms, we will notify the competent authority within 72 hours and inform you without undue delay as required by GDPR Article 34.
10. Minors
The Service is restricted to persons aged 18 and over. We do not knowingly collect data from minors. Parents or guardians who believe a minor has provided us data may write to hello@popnail.co for immediate deletion.
11. Cookies
Nail Pop uses only strictly necessary cookies (cart session, checkout state, payment processing). No advertising or third-party analytics cookies are set without your consent. When we add advertising or analytics tools (see Section 12), we will deploy a consent management interface to record and respect your preferences.
12. Analytics and advertising
As of the last-updated date above, no analytics or advertising tools are active on popnail.co. When we deploy such tools (e.g., Meta Pixel, TikTok Pixel, Google Analytics), we will update this section and present a consent banner where required by applicable law.
13. Changes
Customers with an active marketing opt-in will be notified by email of material changes to this policy at least 14 days before they take effect. The last-updated date appears at the top of this page.
14. Contact and complaints
Questions: hello@popnail.co.
You have the right to lodge a complaint with the CNIL (3 Place de Fontenoy, 75007 Paris, France — cnil.fr), your national supervisory authority in the EEA, or, for U.S. residents, the relevant State Attorney General.