
PRIVACY POLICY

Effective Date: October 23, 2025

1. WHO WE ARE AND HOW THIS POLICY WORKS

 

1.1. This Privacy Policy (“Policy”) explains what personal data AromaCore Limited (a company registered in England and Wales, No. 16788959; address: College House, 2nd Floor, 17 King Edwards Road, Ruislip, London, HA4 7AE, United Kingdom) (“AromaCore”, “we”, “us”, “our”) collects, how and why we use it, to whom we disclose it, and what rights you have.

 

1.2. The Policy applies to all interactions with our websites, stores, mobile applications, devices, cartridges, and support services (collectively, the “Services”), regardless of the user’s country of residence. The Policy is an integral part of our Terms of Service and supplements them.

 

1.3. We comply with applicable data protection laws, including the UK GDPR / Data Protection Act 2018, EU GDPR, CCPA/CPRA (California), LGPD (Brazil), and the Privacy Act (Australia). If mandatory laws in your jurisdiction grant you additional rights, they remain in force.

2. DATA CONTROLLER AND CONTACTS

 

2.1. The controller of your personal data is AromaCore Limited.

 

2.2. For questions about personal data, exercising data subject rights, or complaints, please contact us:
Email: aromacoreltd@gmail.com
Postal address: College House, 2nd Floor, 17 King Edwards Road, Ruislip, London, HA4 7AE, United Kingdom.

 

2.3. You also have the right to file a complaint with your local data protection authority (for example, the ICO in the United Kingdom or the relevant authority in your EU country).

 

3. WHAT DATA WE COLLECT

We minimize the amount of data collected and process it lawfully and transparently.

 

3.1. Registration and order data: name, email address, phone (optional), shipping/billing address, order and payment details (processed via payment providers), purchase history.

 

3.2. Technical and analytical data: IP address, device/browser identifiers, language/region, cookies and similar technologies, visit logs, on-site/app events, referral URLs. This data is used to ensure the proper functioning of the Services and for analytics (e.g., Google Analytics, Meta Pixel).

 

3.3. Device and application data (when using the smart diffuser and mobile app): device operation parameters, firmware/app version, basic Bluetooth identifiers, diagnostic information. We do not record the content of personal communications.

 

3.4. Communications: correspondence with support, reviews, warranty and return requests.

3.5. Marketing preferences: consents/unsubscribes for email, push, and SMS communications (including cart reminders and purchase notifications). For text messages, separate consent/opt-out procedures apply, including STOP/HELP commands and possible carrier fees.

 

3.6. Cookies data: functional, analytical, and marketing cookies. You can manage cookie settings via your browser and the consent banner.

Note: We do not sell personal data to third parties. Under CCPA/CPRA, we do not engage in the “sale” or “sharing” of personal information as defined by these laws.

 

4. LEGAL BASIS AND PURPOSES OF PROCESSING

 

4.1. We process personal data based on the following legal grounds:

  • Contract performance (Art. 6(1)(b) GDPR): account management, order processing and delivery, warranty support.

  • Legitimate interest (Art. 6(1)(f) GDPR): ensuring security, fraud prevention (3D Secure, address/IP verification), website/app analytics, improving products and customer service.

  • Consent (Art. 6(1)(a) GDPR): marketing communications (email, push, SMS), analytical/marketing cookies, satisfaction surveys.

  • Legal obligations (Art. 6(1)(c) GDPR): accounting/tax compliance, responding to government requests, consumer rights protection.

 

4.2. The purposes of processing include order fulfillment, invoicing, payment processing, delivery, customer support, product/app improvement, update notifications, marketing (with consent), legal compliance, and defense against claims.

 

4.3. Where processing is based on consent, you may withdraw it at any time — this does not affect the lawfulness of processing prior to withdrawal.

5. WHO WE SHARE DATA WITH

We share data only when necessary and with appropriate safeguards.

 

5.1. Payment providers and banks (Shopify Payments, Stripe, PayPal, Apple Pay, Google Pay) — for payment processing. We do not store card details; processing is handled by providers in compliance with PCI DSS standards.

 

5.2. Logistics and customs partners — for shipping and import/export clearance.

 

5.3. IT and marketing service providers — website hosting, analytics (Google Analytics, Meta), email campaigns, customer support, and ticketing systems. We sign Data Processing Agreements (DPAs) and require confidentiality compliance.

 

5.4. Law and protection — when required by law, court, or government authority; to protect our rights, users, and public safety; to prevent fraud and abuse.

 

5.5. Corporate changes — in case of reorganization, merger, or sale of assets, data may be transferred to the successor, provided that the same level of protection is maintained.

 

5.6. No data “sales”. We do not transfer personal data to third parties for their own marketing “sales” or “exchange.” Users may opt out of AromaCore marketing at any time.

 

6. INTERNATIONAL TRANSFERS AND DATA LOCATION

 

6.1. General provisions. AromaCore processes user data within the jurisdictions of the United Kingdom and the European Union, except where international transfer is required to fulfill orders or provide services.

 

6.2. Transfers outside the UK/EU. If data is transferred outside the UK or EU (for example, to the USA, Canada, Australia, or Asia), such transfers are carried out using international data protection mechanisms, including Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, or other recognized safeguards.

 

6.3. Suppliers and partners. Our IT providers (hosting, analytics, email services) are required to maintain protection equivalent to GDPR standards. We verify partner compliance certificates (e.g., ISO 27001 or SOC 2).

 

6.4. App data. Data transmitted through the mobile app (such as device parameters, Bluetooth identifiers) is stored on servers located within the EU/UK and is not exported abroad unless required for technical support.

 

7. DATA STORAGE AND RETENTION PERIODS

 

7.1. We store personal data only as long as necessary to fulfill the purposes described in this Policy, including legal compliance, dispute resolution, and security.

 

7.2. Standard retention periods:

  • Account and order data — up to 6 years (as required by UK accounting and tax law).

  • Support correspondence — up to 3 years from the last contact.

  • Analytical and cookie data — up to 24 months, after which it is anonymized or deleted.

  • Marketing data (with consent) — until consent is withdrawn.

 

7.3. After retention periods expire, data is securely deleted or anonymized.

 

8. DATA SECURITY

 

8.1. Technical and organizational measures. AromaCore applies modern protection methods, including encryption (SSL/TLS), access control, log auditing, and backups. Data access is restricted to authorized personnel.

 

8.2. Transaction security. All payment operations are processed by certified providers under PCI DSS standards. AromaCore does not store card numbers or security codes.

 

8.3. Breach notification. In case of a data breach, AromaCore will notify users and relevant authorities within the legally required timeframe (within 72 hours under GDPR).

 

8.4. No centralized servers. AromaCore does not store user data on permanent servers outside the website. Synchronization between the app and web version occurs only when actively initiated by the user.

 

9. USER RIGHTS

 

9.1. Depending on jurisdiction, users have the following rights:

  • Access — request a copy of your data;

  • Rectification — update or correct inaccurate information;

  • Erasure (“right to be forgotten”);

  • Restriction of processing — temporarily suspend data processing;

  • Data portability — receive your data in a machine-readable format;

  • Objection — opt out of marketing communications or analytics.

 

9.2. To exercise your rights, send a request to aromacoreltd@gmail.com. We will respond within 30 days.

 

9.3. Users from California have additional rights under CCPA/CPRA, including the right to know, delete, and opt out of the “sale” of personal information. AromaCore does not sell data.

 

9.4. Users from Brazil (LGPD) and Australia (Privacy Act) have similar rights and may contact AromaCore or their national data protection authority.

 

9.5. Users also have the right to file a complaint with their local supervisory authority (e.g., ICO in the UK or CNIL in France).

 

10. COOKIES, ANALYTICS, AND SMS NOTIFICATIONS

 

10.1. Cookies. We use cookies and similar technologies to ensure website functionality, analytics, and content personalization. Types of cookies:

  • Essential (required for navigation and purchases);

  • Analytical (measuring traffic and user behavior);

  • Marketing (showing relevant ads).

 

10.2. Cookie settings. Users can modify or withdraw consent via the cookie banner or browser settings. Disabling cookies may limit certain functions.

 

10.3. Analytics. We use Google Analytics, Meta Pixel, and similar tools. These services may process limited data (e.g., IP address, on-site activity) in accordance with their privacy policies.

 

10.4. SMS and push notifications. By subscribing to SMS or push messages, the user provides separate consent.
Commands STOP / HELP are available to unsubscribe or get assistance.
Message frequency: no more than 5 per month (unless otherwise stated).
Carrier rates may apply.
Consent to SMS is not a condition of purchase.

 

10.5. Marketing opt-out. Users can unsubscribe from any marketing messages (email, push, SMS) at any time via the “Unsubscribe” link or by contacting aromacoreltd@gmail.com.

 

11. CHILDREN AND PRIVACY

 

11.1. AromaCore Services are not intended for individuals under the age of 13. We do not knowingly collect personal data from children.

 

11.2. If you are a parent or guardian and believe your child has provided us with data without your consent, please contact aromacoreltd@gmail.com. We will promptly delete such information.

 

11.3. Users aged 13–17 may use the Services only with parental or legal guardian consent.

 

11.4. We comply with COPPA (Children’s Online Privacy Protection Act, USA) and equivalent laws in other countries regarding children’s privacy.

 

12. INTERNATIONAL STANDARDS AND COOPERATION

 

12.1. AromaCore follows international principles of Accountability, Transparency, and Data Minimization under the OECD Privacy Guidelines, APEC CBPR (Cross-Border Privacy Rules), and other recognized international data protection standards.

 

12.2. We cooperate with data protection authorities (including ICO, EDPB, CNIL, OAIC) and provide compliance information when required by law.

 

12.3. For users from different regions, local adaptations of this Policy may apply, considering mandatory local law.

 

13. CHANGES TO THE POLICY

 

13.1. AromaCore reserves the right to update this Policy to reflect changes in our Services, legal requirements, or data processing practices.

 

13.2. The updated version will be published on our website, with the date of the last update indicated at the top.

 

13.3. When changes significantly affect your data processing, we will notify you via email or website notice.

 

13.4. Continued use of the Services after the updated version takes effect constitutes your acceptance of the changes.

 

14. LEGAL NOTICES

 

14.1. Nothing in this Policy limits your statutory rights under applicable data protection laws.

 

14.2. If any part of this Policy is found invalid or unenforceable by a court, the remaining provisions remain in effect.

 

14.3. Any disputes regarding interpretation or application of this Policy are governed by the laws of England and Wales.

 

14.4. Before going to court, the parties agree to attempt to resolve the dispute through negotiations.

 

14.5. If settlement is not possible, the dispute shall be referred to the London Court of International Arbitration (LCIA), unless otherwise required by the user’s local mandatory law.

 

15. CONTACT INFORMATION

 

If you have any questions, complaints, or requests related to personal data processing, please contact us:


AromaCore Limited
Company number: 16788959
Address: College House, 2nd Floor, 17 King Edwards Road, Ruislip, London, HA4 7AE, United Kingdom
Email: aromacoreltd@gmail.com
Jurisdiction: England and Wales

 

You may also contact your local data protection authority if you believe your rights have been violated.

 

 

© 2025 AromaCore Limited. All rights reserved.
