Privacy policy
kurtens.com — Last updated: 25 March 2026
1. Introduction
This privacy policy (the “Policy”) describes how your personal data is collected, used, stored and protected when you visit and use the kurtens.com website (the “Site”).
This Policy is drawn up in accordance with Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (the “GDPR”), French Law No. 78-17 of 6 January 1978 as amended on information technology, data files and civil liberties (the “French Data Protection Act”), and with the recommendations of the European supervisory authorities (in particular the European Data Protection Board - EDPB).
By browsing the Site or placing an order, you acknowledge that you have read this Policy. We invite you to read it carefully.
2. Identity and contact details of the data controller
The controller of the personal data collected on the Site is:
|
Information |
Details |
|
Company name |
WAVE LLC (Kurtens is a brand of WAVE LLC) |
|
Legal form |
LLC registered in New Mexico (United States) |
|
Registration number |
0008083440 |
|
Registered office |
1209 Mountain Road Pl NE, Ste N, 87110 Albuquerque, NM, United States |
|
|
contact@kurtens.com |
|
Phone |
+33 1 84 16 06 10 |
|
Website |
kurtens.com |
Extraterritorial application of the GDPR: Although WAVE LLC is an entity established in the United States, it is subject to the GDPR under Article 3(2), since it offers goods to persons located in the European Union. As the Site’s target market is mainland France, the GDPR applies to all processing of personal data related to the Site.
Data Protection Officer (DPO): No DPO has been appointed to date, as the company is not subject to the obligation set out in Article 37 of the GDPR. For any question relating to the protection of your data, you can contact us at: contact@kurtens.com.
3. Personal data collected
We collect different categories of personal data depending on your interactions with the Site:
3.1. Data you provide directly
When creating an account, placing an order or getting in touch, you may be required to provide us with the following data: surname and first name, email address, phone number, postal delivery and billing address, and the content of your messages to customer service.
3.2. Data collected automatically
As you browse the Site, certain data is collected automatically through cookies and similar technologies: IP address, browser type and version, operating system, screen resolution, pages visited and time spent, traffic source (search engine, direct link, social network), cookie and session identifiers, interaction data (clicks, scrolls, mouse movements — via Microsoft Clarity).
3.3. Payment data
Bank details (card number, expiry date, security code) are at no point collected or stored by the Seller. They are processed directly and exclusively by the secure payment providers Shopify Payments, PayPal and Apple Pay, under their own security and privacy policies, which comply with the PCI-DSS standard.
4. Purposes and legal bases of processing
Each processing of personal data is based on a specific legal basis, in accordance with Article 6 of the GDPR. The table below details the purposes pursued and their respective legal basis:
|
Purpose |
Description |
Legal basis |
|
Order management |
Processing, made-to-measure manufacturing, shipping and tracking of orders; issuing invoices. |
Performance of the contract (Art. 6.1.b GDPR) |
|
Delivery |
Transmission of the data needed by the carrier to deliver the parcel. |
Performance of the contract (Art. 6.1.b GDPR) |
|
Customer service |
Responding to enquiries, complaints and after-sales tracking requests. |
Performance of the contract (Art. 6.1.b GDPR) |
|
Account creation and management |
Creating a personal account, saving preferences and order history. |
Performance of the contract (Art. 6.1.b GDPR) |
|
Marketing emails and newsletters |
Sending commercial communications, promotional offers and newsletters via Klaviyo. |
Consent (Art. 6.1.a GDPR) |
|
Targeted advertising and remarketing |
Displaying personalized advertising via Google Ads, Meta Pixel, Pinterest Tag. |
Consent (Art. 6.1.a GDPR) |
|
Audience measurement and analysis |
Analysis of traffic and visitor behavior via Google Analytics. |
Consent (Art. 6.1.a GDPR) |
|
Behavioral analysis |
Heatmaps, anonymized session recordings via Microsoft Clarity to improve usability. |
Consent (Art. 6.1.a GDPR) |
|
Legal and accounting obligations |
Retention of invoices and transaction data in accordance with tax and accounting obligations. |
Legal obligation (Art. 6.1.c GDPR) |
|
Fraud prevention |
Detection and prevention of payment fraud and fraudulent orders. |
Legitimate interest (Art. 6.1.f GDPR) |
|
Site improvement |
Technical optimization, bug fixing, improvement of the user experience. |
Legitimate interest (Art. 6.1.f GDPR) |
5. Recipients of the data
Your personal data may be disclosed to the following categories of recipients, strictly to the extent necessary to fulfil the purposes described above:
|
Recipient |
Role |
Location |
|
Shopify Inc. |
Hosting of the Site, order management, payment processing (Shopify Payments) |
Canada / United States |
|
La Poste or shipping partner |
Transport and delivery of parcels |
France / Belgium / Switzerland / Luxembourg |
|
Klaviyo Inc. |
Management of email campaigns, newsletters and marketing segmentation |
United States |
|
Google LLC (Analytics, Ads, GTM) |
Audience measurement, targeted advertising and remarketing |
United States |
|
Meta Platforms Inc. |
Targeted advertising and remarketing via the Meta Pixel |
United States |
|
Pinterest Inc. |
Targeted advertising via the Pinterest Tag |
United States |
|
Microsoft Corporation (Clarity) |
Behavioral analysis (heatmaps, session recordings) |
United States |
|
PayPal |
Processing of PayPal payments |
Luxembourg / United States |
|
Apple Inc. (Apple Pay) |
Processing of Apple Pay payments |
United States |
Apart from the cases listed above, your data is neither sold, rented nor transferred to third parties for commercial purposes.
6. Data transfers outside the European Union
As part of the processing described above, your personal data may be transferred to countries located outside the European Union and the European Economic Area (EEA), in particular to the United States (registered office of WAVE LLC, servers of Shopify, Google, Meta, Klaviyo, Microsoft, Pinterest and Apple) and Canada (Shopify servers).
6.1. Safeguards in place
These transfers are governed by the following protection mechanisms, in accordance with Chapter V of the GDPR (Articles 44 to 49):
a) Adequacy decision — Canada
Canada benefits from an adequacy decision of the European Commission (Decision 2002/2/EC), guaranteeing a level of data protection essentially equivalent to that of the EU. Transfers to Shopify in Canada are covered by this decision.
b) EU-U.S. Data Privacy Framework — United States
Since the European Commission’s adequacy decision of 10 July 2023, transfers to U.S. companies certified under the EU-U.S. Data Privacy Framework (DPF) benefit from an adequate level of protection. Google LLC, Meta Platforms Inc., Microsoft Corporation, Klaviyo Inc. and Pinterest Inc. participate in this framework.
c) Standard contractual clauses (SCCs)
For transfers not covered by an adequacy decision or the DPF, the Seller relies on the standard contractual clauses adopted by the European Commission (Implementing Decision 2021/914), supplemented where necessary by additional measures (encryption, pseudonymization) in accordance with Recommendations 01/2020 of the European Data Protection Board (EDPB).
6.2. Transfers to WAVE LLC
As WAVE LLC is the data controller established in the United States, the personal data of European users is processed in the United States. This transfer is governed by the standard contractual clauses vis-à-vis the processors concerned and by compliance with the safeguards provided for in Chapter V of the GDPR. The Seller undertakes to implement appropriate technical and organizational security measures.
7. Data retention period
Personal data is kept for the period strictly necessary for the purposes for which it was collected, in compliance with the applicable statutory limitation periods:
|
Data category |
Retention period |
Basis |
|
Order-related data (name, address, order details) |
Duration of the commercial relationship + 5 years from the last order |
Ordinary civil limitation period (Art. 2224 of the French Civil Code) |
|
Invoices and accounting data |
10 years from the close of the accounting year |
Accounting obligations (Art. L. 123-22 of the French Commercial Code) |
|
Customer account data |
Lifetime of the account + 3 years after the last activity |
GDPR recommendation |
|
Commercial prospecting data (marketing emails) |
3 years from the last active contact (email open, click, purchase) |
GDPR recommendation |
|
Browsing data / cookies |
13 months maximum from placement |
ePrivacy Directive and European recommendations (max. 13 months) |
|
Customer service requests |
Processing period + 3 years |
Civil limitation period |
|
Consent-related data (proof) |
Duration of the consent + 3 years as proof |
Accountability principle (Art. 5.2 GDPR) |
At the end of these periods, the data is securely deleted or irreversibly anonymized.
8. Your rights
In accordance with the GDPR and the French Data Protection Act, you have the following rights over your personal data:
8.1. Right of access (Article 15 of the GDPR)
You can obtain confirmation as to whether or not data concerning you is being processed and, where this is the case, access that data as well as the information provided for in Article 15.
8.2. Right to rectification (Article 16 of the GDPR)
You can obtain the rectification of inaccurate or incomplete personal data.
8.3. Right to erasure (Article 17 of the GDPR)
You can request the erasure of your personal data, subject to legal exceptions (in particular accounting and tax obligations).
8.4. Right to restriction of processing (Article 18 of the GDPR)
You can request the restriction of the processing of your data in the cases provided for by the GDPR (contesting accuracy, unlawful processing, etc.).
8.5. Right to data portability (Article 20 of the GDPR)
You can receive your personal data in a structured, commonly used and machine-readable format, and transmit it to another controller, where the processing is based on consent or the performance of a contract and is carried out by automated means.
8.6. Right to object (Article 21 of the GDPR)
You can object at any time to the processing of your data based on the Seller’s legitimate interest. With regard to commercial prospecting, this right to object is absolute and may be exercised at any time, without justification.
8.7. Right to withdraw consent
Where processing is based on your consent, you can withdraw it at any time, without this affecting the lawfulness of the processing carried out before the withdrawal. For marketing emails, an unsubscribe link is included in every communication.
8.8. Directives on the fate of data after death
In accordance with Article 85 of the French Data Protection Act, you can set directives regarding the retention, erasure and disclosure of your personal data after your death.
8.9. How to exercise your rights
You can exercise all of these rights by contacting us by email at: contact@kurtens.com, attaching a copy of your ID in the event of reasonable doubt about your identity, in accordance with Article 12.6 of the GDPR.
We undertake to respond to your request within one (1) month of receiving it. This period may be extended by a further two (2) months due to the complexity or number of requests, in which case you will be informed.
8.10. Right to lodge a complaint with a supervisory authority
If, after contacting us, you consider that the processing of your personal data constitutes a breach of the GDPR or of the legislation applicable in your country, you have the right to lodge a complaint with the supervisory authority of your place of residence:
In France: Commission nationale de l’informatique et des libertés (CNIL) — 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07 | Site: www.cnil.fr
In Belgium: Autorité de protection des données (APD) — Rue de la Presse 35, 1000 Brussels | Site: www.autoriteprotectiondonnees.be
In Luxembourg: Commission Nationale pour la Protection des Données (CNPD) — 15, Boulevard du Jazz, L-4370 Belvaux | Site: cnpd.public.lu
In Switzerland: Fédéral Data Protection and Information Commissioner (FDPIC) — Feldeggweg 1, CH - 3003 Bern | Site: www.edoeb.admin.ch
9. Cookie policy
9.1. What is a cookie?
A cookie is a small text file placed on your device (computer, tablet, smartphone) when you visit a website. It allows the site to remember information relating to your browsing (language preferences, cart contents, session identifiers, etc.).
9.2. Legal basis
In accordance with the European "ePrivacy" Directive (2002/58/EC) and applicable local regulations, the placement of cookies strictly necessary for the operation of the Site does not require your prior consent. All other cookies (analytics, advertising, marketing), however, are only placed after obtaining your explicit consent via the cookie management banner displayed on your first visit.
9.3. Categories of cookies used
a) Strictly necessary cookies (exempt from consent)
These cookies are essential to the technical operation of the Site and cannot be disabled. They allow, in particular, the management of the shopping cart, authentication and session security.
b) Analytics and audience measurement cookies
These cookies make it possible to measure traffic to the Site, understand visitor behavior and improve the usability and performance of the Site.
c) Advertising and remarketing cookies
These cookies make it possible to display personalized advertising on third-party platforms based on your browsing on the Site.
d) Marketing cookies
These cookies are used to track interactions and personalize marketing communications by email.
9.4. Summary table of cookies
|
Cookie / Tool |
Provider |
Category |
Purpose |
Duration |
|
_shopify_s, _shopify_y, cart, secure_session_id |
Shopify |
Strictly necessary |
Cart management, user session, security |
Session to 2 years |
|
_ga, _ga_*, _gid |
Google Analytics |
Analytics |
Audience measurement, traffic statistics |
Up to 13 months |
|
_gcl_au, _gcl_aw, IDE, NID |
Google Ads / GTM |
Advertising |
Tracking of ad conversions, Google remarketing |
3 to 13 months |
|
_fbp, _fbc, fr |
Meta (Facebook) |
Advertising |
Conversion tracking, Facebook and Instagram remarketing |
3 to 13 months |
|
_pin_unauth, _pinterest_ct_ua |
|
Advertising |
Conversion tracking, Pinterest remarketing |
Up to 12 months |
|
_clck, _clsk, CLID, ANONCHK, MR, MUID, SM |
Microsoft Clarity |
Analytics |
Heatmaps, session recordings, usability analysis |
Up to 13 months |
|
__kla_id |
Klaviyo |
Marketing |
Visitor identification for email personalization and segmentation |
Up to 13 months |
9.5. Managing your cookie preferences
You can change your cookie preferences at any time by clicking on the “Manage my cookies” link available in the footer of the Site. You can also configure your browser to accept or refuse cookies, or to be notified when a cookie is placed.
Refusing certain cookies may result in a degraded browsing experience (for example, the loss of your cart contents if functional cookies are disabled).
You can also use the “Your Online Choices” advertising preferences management platform (www.youronlinechoices.eu) to manage your targeted advertising preferences.
10. Data security
The Seller implements appropriate technical and organizational measures to ensure a level of security suited to the risk, in accordance with Article 32 of the GDPR, including in particular:
- Encryption of data in transit (HTTPS / TLS protocol) across the entire Site
- The use of PCI-DSS certified payment providers
- Access controls to data limited to authorized persons only
- Hosting on Shopify’s secure infrastructure (SOC 1, SOC 2, SOC 3 certifications)
- Regular backups and recovery procedures in the event of an incident
-
Regular staff awareness training on security best practices
In the event of a personal data breach likely to result in a high risk to your rights and freedoms, the Seller undertakes to inform you as soon as possible, in accordance with Articles 33 and 34 of the GDPR, and to notify the competent supervisory authority within 72 hours.
11. Children’s data
The Site is not intended for persons under the age of 16. The Seller does not knowingly collect personal data concerning minors under the age of 16. If we discover that data of a minor under the age of 16 has been collected without the verifiable consent of their legal guardian, we will delete it as soon as possible.
In accordance with Article 8 of the GDPR and Article 45 of the French Data Protection Act, the processing of the data of a minor under the age of 15 in France requires the consent of their legal guardian.
12. Changes to this Policy
The Seller reserves the right to amend this Policy at any time in order to adapt it to legislative, regulatory or technical developments. The date of the last update is shown at the top of the document.
In the event of a substantial change affecting your rights, we will inform you by email or by a notice visible on the Site before the changes take effect. We recommend that you check this page regularly.
13. Contact
For any question regarding this Policy or to exercise your rights, you can contact us:
Email: contact@kurtens.com
Phone: +33 1 84 16 06 10
Mail: WAVE LLC, 1209 Mountain Road Pl NE, Ste N, 87110 Albuquerque, NM, United States
WAVE LLC — kurtens.com — contact@kurtens.com
