Privacy Policy
Last updated: 12 June 2026
This Privacy Policy describes how PranaSalt B.V. ("Pranasalt", "we", "us") collects, uses, and shares personal data when you visit, use, or make a purchase from pranasalt.com (the "Site"). We comply with the EU General Data Protection Regulation (GDPR) and the Dutch Algemene Verordening Gegevensbescherming (AVG).
1. Data controller
PranaSalt B.V.
Herengracht 584, 1017 CJ Amsterdam, the Netherlands
Chamber of Commerce (KVK): 42016445
Dutch VAT (BTW): NL869305736B01
How to contact us:
- Data-protection enquiries (data subject access requests, withdrawal of consent, deletion requests, complaints about how we process your personal data): privacy@pranasalt.com
- All other matters (orders, product questions, customer support, press, partnerships): hello@pranasalt.com
Data Protection Officer: PranaSalt B.V. has not appointed a Data Protection Officer. Our processing activities do not meet the threshold criteria of Article 37(1) GDPR (no large-scale processing of special-category data, no systematic monitoring at scale). The threshold is re-tested when our active subscriber base grows materially (currently planned re-test at ~5,000 active subscribers).
2. Personal data we collect
When you visit the Site, place an order, or contact us, we collect:
- Order information: name, billing and shipping address, email, phone, payment confirmation (we never see your full card number - payment is processed by Shopify Payments / Stripe).
- Account information (if you create one): email and password hash.
- Device and usage data: IP address, browser type, device identifier, pages viewed, referrer.
- Communications: emails or messages you send us, including support requests.
3. How we use your data
- Fulfil your orders and deliver products (Article 6(1)(b) GDPR - performance of contract).
- Provide customer support and respond to enquiries.
- Send order confirmations, shipping updates, and transactional emails.
- If you subscribe to recurring delivery, process payment-method tokens (held by our payment provider, not by us) and order-cycle data for the duration of the subscription, on the basis of Article 6(1)(b) GDPR. You may cancel at any time via your account or by emailing hello@pranasalt.com - see our Terms of Service §6.
- Send marketing emails - only if you have opted in (Article 6(1)(a) GDPR - consent). You can unsubscribe at any time.
- Detect and prevent fraud, comply with legal obligations (Article 6(1)(c) GDPR), and exercise our legitimate interests in operating the Site (Article 6(1)(f) GDPR).
4. Sharing with third parties
We share personal data only with processors needed to operate the Site:
- Shopify Inc. (Canada / Ireland) - e-commerce platform, hosting, checkout. For Shopify's own processing as a controller (hosting infrastructure, fraud-detection, Shop Pay, Shopify Audiences), see Shopify's Consumer Privacy Policy.
- Shopify Payments / Stripe - payment processing.
- Fulfilment and logistics partners (Huboo - order fulfilment from UK and NL warehouses; Kata Logistics - freight; postal and parcel carriers) - order fulfilment and delivery.
- Vercel Inc. (USA) - website hosting and edge network for pranasalt.com.
- Formspark - processing of waitlist form submissions (the email address you submit).
- Email service providers - order and (if opted in) marketing emails.
We do not sell your personal data.
Where we transfer personal data outside the European Economic Area, we rely on the following safeguards:
- Shopify Inc. (Canada): EU Commission adequacy decision for Canada (PIPEDA) of 20 December 2001.
- Stripe Payments Europe Ltd (Ireland) with onward processing by Stripe Inc. (USA): EU-US Data Privacy Framework certification (active as of writing) and Standard Contractual Clauses (Module 2) of Commission Implementing Decision (EU) 2021/914.
- Other US-based processors: Standard Contractual Clauses plus Transfer Impact Assessment.
A copy of any applicable SCCs is available on request to privacy@pranasalt.com.
5. Cookies and similar technologies
For full details of which cookies we use, what they do, their retention period, and how to withdraw consent, see our Cookie Policy. Non-essential cookies are set only after you have given explicit, granular, prior consent through our cookie banner. You can withdraw consent at any time by clicking "Cookie settings" in the footer of the homepage.
Market detection. To show you the right currency (EUR for the EU, GBP for the UK), the site calls its own same-origin endpoint /api/geo at page-load time. The endpoint runs on our hosting provider's (Vercel) edge network, which derives a two-letter country code (e.g. "NL", "GB") from your IP address as part of serving the request. Only the country code is returned and used; your IP address is not stored in any application log and is not shared with third parties for this purpose. If you use the country picker to override the detected market, your choice is stored in the ps_market_override cookie (12 months, first-party); see §2a and §5 of our Cookie Policy for the full mechanism.
6. Retention periods
| Category | Retention | Basis |
|---|---|---|
| Order and invoice records (incl. shipping address) | 7 years from end of fiscal year of the transaction | Art. 52 Algemene wet inzake rijksbelastingen (Dutch tax law) |
| Account credentials (email + password hash) | Until you request deletion or 3 years after last login, whichever is sooner | Legitimate interest in dormant-account hygiene |
| Marketing-consent records and email logs | Until you unsubscribe + 12 months thereafter (proof of opt-out) | Art. 7(1) GDPR accountability |
| Customer-service communications | 3 years from last contact | Art. 6:191 BW general limitation period |
| Server log files (IP, user agent, request) | 30 days for security; aggregated thereafter | Art. 6(1)(f) GDPR - IT-security legitimate interest |
| Cookie-derived analytics (consented) | Maximum 14 months | Art. 5(1)(e) GDPR storage limitation |
7. Your rights under GDPR
You have the right to:
- Access your personal data and receive a copy of it (Art. 15 GDPR).
- Have inaccurate data corrected (Art. 16 GDPR).
- Have your data erased (Art. 17 GDPR).
- Restrict processing (Art. 18 GDPR).
- Object to processing based on legitimate interests or for direct marketing (Art. 21 GDPR).
- Receive your data in a portable format (Art. 20 GDPR).
- Withdraw consent at any time without affecting the lawfulness of processing before withdrawal (Art. 7(3) GDPR).
- Not be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects on you (Art. 22 GDPR). Pranasalt does not perform such automated decision-making.
To exercise any of these rights, email privacy@pranasalt.com. We will respond to your request without undue delay and in any event within one month of receipt (Article 12(3) GDPR). Where requests are complex or numerous, we may extend this period by up to two further months, in which case we will inform you of the reasons for the delay within one month.
If you believe we have not handled your data correctly, you may lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl).
If you reside in the United Kingdom, the UK GDPR applies to our processing of your personal data. You may lodge a complaint with the UK Information Commissioner's Office (ico.org.uk).
8. Security
The Site uses TLS encryption in transit. Payment data is processed in PCI-DSS compliant infrastructure by our payment provider - we do not store card details on our servers.
9. Personal-data breach notification
In the unlikely event of a personal-data breach affecting your data, we will notify the Autoriteit Persoonsgegevens (and, where applicable, the UK Information Commissioner's Office) where required under Article 33 GDPR / UK GDPR, without undue delay and, where feasible, within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay under Article 34 GDPR / UK GDPR.
10. Changes
We may update this policy from time to time. Material changes will be notified by email (if you have an account) or via a notice on the Site.
11. Review cadence and ownership
This Privacy Policy is reviewed every six months and on each material change to our processors, geography, or processing purposes. Owner: PranaSalt B.V., privacy@pranasalt.com. Last reviewed: 12 June 2026. Next scheduled review: 8 November 2026.