Privacy Policy
How Athena Suits handles your personal data.
Effective 2026-05-09
1. Data Controller
Athena Suits ("we", "our", "us") is the data controller for the personal data described in this policy.
Contact: privacy@athenasuits.fi
Postal address: [TODO — replace with real registered address]
2. What Data We Collect
• Account data — when you sign up: name, email, phone, preferred contact method, language, region.
• Order data — fabric choice, preferred date, location notes, order history, payment status.
• Body measurements — chest, waist, hips, shoulder, sleeve, neck, and other measurements taken at your appointment, plus posture and asymmetry notes.
• Photographs — front, side, and back photos taken during your measurement appointment for production reference.
• Payment data — handled directly by Stripe (Stripe Payments Europe, Ltd.). We do not store card numbers; we receive only a payment confirmation token and amount.
• Authentication data — password hash (if you use email signup), or your Google account identifier (if you use Google sign-in).
• Consent records — when you accepted these terms and our terms of sale, with timestamp and (where reasonable) the IP address.
• Audit log — internal record of meaningful actions on your order for dispute resolution and quality assurance.
3. Why We Collect It (legal bases under GDPR Article 6)
• To fulfil the contract with you (Article 6(1)(b)) — processing your order, measurements, payment, and delivery.
• To meet legal obligations (Article 6(1)(c)) — the Finnish Bookkeeping Act requires retaining transaction records for 7 years.
• Legitimate interests (Article 6(1)(f)) — fraud prevention, security, audit trails, and quality assurance. We balance these against your interests and rights.
• Consent (Article 6(1)(a)) — for any optional analytics or marketing cookies (see the Cookies section below). You can withdraw consent at any time.
4. Sensitive Data
Body measurements and body photographs are personal data of an intimate nature. We process them only to make your suit and only share them as described in section 5. Access is restricted by role; only your assigned measuring tailor and the production atelier can read them.
5. Who We Share It With
• Supabase (Supabase Inc., infrastructure in EU/Stockholm) — hosts our database, authentication, and file storage.
• Stripe (Stripe Payments Europe, Ltd., Ireland) — processes your payment.
• Resend (Resend, Inc., region EU/Frankfurt) — sends transactional email such as confirmations and password resets.
• Google (Google Ireland Limited) — only if you choose Google sign-in.
• The measuring tailor assigned to your order — sees your name, contact info, address, and measurements (with photos).
• The production atelier in Thailand — sees your measurements and photos to make the suit. Does NOT see your name, address, or payment information; you are identified by an anonymous order reference.
We do not sell or share your data for advertising.
6. International Transfers
The production atelier is located in Thailand, which is outside the European Economic Area. Transfers are protected by Standard Contractual Clauses approved by the European Commission, plus pseudonymisation (the atelier never sees your identifying data). You may request a copy of the safeguards in place by contacting privacy@athenasuits.fi.
7. How Long We Keep It
• Account data — until you delete your account. After deletion, personal fields are anonymised; transaction records remain for the legal retention period below.
• Measurements and photos — 5 years from your last order, so we can support re-orders and warranty claims; deleted earlier on request unless we are legally required to retain them.
• Payment records and invoices — 7 years (Finnish Bookkeeping Act).
• Audit log — 3 years.
• Cookie consent records — 12 months from your last visit.
8. Your Rights
Under GDPR you have the right to:
• Access your data — visit /account → Download my data
• Correct your data — visit /account → edit profile
• Erase your account — visit /account → Delete my account; this anonymises personal fields. Records we are legally required to keep are retained but pseudonymised.
• Receive your data in portable form — JSON download from /account
• Object to or restrict processing — contact us
• Withdraw consent at any time — manage cookies via the cookie banner trigger in the footer
• Lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto): tietosuoja.fi
Requests are handled within 30 days.
9. Cookies
See our cookie banner for full details. We use only essential cookies by default (authentication session, CSRF protection, language preference). Optional analytics cookies require your consent.
10. Changes to This Policy
We may update this policy. The "Effective" date at the top reflects the current version. If changes materially affect your rights, we will notify registered users by email.
11. Contact
For privacy questions or requests:
Email: privacy@athenasuits.fi
Post: [TODO — replace with registered address]
