Privacy and data handling policy for Holy Infa™ merchandise store purchases.
Last updated: 15.05.2026
Holy Infa™ ("we," "us," or "our") values your privacy. This Privacy Policy explains how we collect, use, and protect your personal information when you make purchases from our merchandise store or browse our website.
1. Information We Collect
When you place an order:
- Contact information (name, email address, phone number for delivery).
- Shipping address (street, city, postal code, country for delivery). Stored encrypted at rest with AES-256.
- Order details (products purchased, quantities, prices, order date).
- Payment information (processed securely through third-party providers — we never see your card details).
- Communication records (customer support inquiries and responses).
- Cookie consent preferences (see Section 2).
When you browse the site (analytics, opt-out available):
- A first-party visitor identifier and session identifier stored in cookies on your device (see Section 2).
- Pages visited, referring page, link clicks, and campaign or UTM parameters from the URL.
- Approximate country derived from your IP address (using MaxMind GeoIP). Your IP itself is hashed with a daily-rotating salt before storage — we never keep the raw IP in our analytics.
- Browser type, operating system, device class, screen size, and preferred language.
2. Cookies & Tracking Technologies
Essential (always on):
- cookie_consent — stores your cookie preferences (1 year).
- holyinfa-merch-currency — remembers your selected currency.
- Cart and checkout session state (kept only for the duration of your purchase).
Analytics (loaded only with your consent):
- _hi_vid, _hi_sid, _hi_sid_t — first-party identifiers for our own analytics dashboard. Never shared with third parties.
- Google Analytics: _ga, _gid, _gat.
Marketing (loaded only with your consent):
- Meta (Facebook) Pixel cookies: fr, _fbp, _fbc.
Opt-out behaviour: If you decline analytics or marketing cookies, the corresponding cookies and session storage are deleted from your device. We still record aggregate counts but stop persisting any identifier that would link those counts back to you across sessions.
3. How We Use Your Information
We use your data to:
- Process and fulfill your merchandise orders.
- Send order confirmations, invoices, and shipping updates.
- Handle returns, exchanges, and customer support requests.
- Comply with legal obligations (tax records, consumer protection).
- Measure aggregate site and campaign performance for our own marketing analytics.
- Improve our products and services based on feedback.
We do not sell your information. We do not share your contact details with third parties for their own marketing.
4. Legal Basis for Processing
We process your data based on:
- Contract Performance – necessary to fulfill your order (GDPR Art. 6(1)(b)).
- Legal Obligation – compliance with tax and consumer protection laws (GDPR Art. 6(1)(c)).
- Legitimate Interest – fraud prevention, aggregate website performance measurement, and service improvement (GDPR Art. 6(1)(f)).
- Consent – analytics cookies, marketing cookies, and any optional marketing communications (GDPR Art. 6(1)(a)).
5. Data Sharing
We share your data only with:
- Printful – our print-on-demand fulfillment partner (for order production and shipping).
- Shipping carriers – DHL, UPS, FedEx (for delivery).
- Payment processors – for secure payment handling.
- Google reCAPTCHA – protects our forms against bots. Google receives your IP address and browser information during verification.
- Google Analytics – aggregate visitor statistics, only if you accept analytics cookies.
- Meta Conversions API – only if you accept marketing cookies and arrived from a Meta (Facebook or Instagram) ad. We send a SHA-256 hash of your email plus your IP and user-agent so Meta can attribute the action to its ad campaign. This is the standard Meta CAPI flow.
- MaxMind GeoIP – server-side IP → country lookup for analytics. No personal data shared back.
- IONOS – our email delivery provider for order emails and customer support replies.
- Legal authorities – when required by law.
6. Your Rights & Opt-Out
Under GDPR, you have the right to:
- Access your personal data.
- Correct inaccurate data.
- Request deletion of your data (where legally permitted).
- Restrict or object to processing.
- Data portability.
- Withdraw cookie consent at any time via the cookie banner.
- Lodge a complaint with your local data protection authority.
Right to erasure (GDPR Art. 17): You can ask us to delete your personal data by emailing contact@holyinfa.com. We respond to verified requests within 30 days, in line with GDPR Art. 12(3). We first confirm the request comes from the email address being erased. Note that German bookkeeping law (HGB §257) requires us to retain invoices and trading records for 6 to 10 years; for orders still in that window, shipping PII is erased but the underlying financial record is kept until retention expires.
7. Data Retention
- Order records: 7–10 years (German tax law requirements).
- Support inquiries: 3 years after resolution.
- Marketing consent: Until you withdraw it.
- Analytics events: up to 90 days. Aggregated daily rollups may be kept longer.
- IP hashes: tied to a daily-rotating salt, so older hashes become un-correlatable across days.
8. Security
We protect your data with HTTPS / TLS encryption, AES-256 encryption of shipping addresses at rest, secure payment processing handled by certified providers, hashed IPs in analytics, access controls, and regular security audits.
9. Contact Us
For questions or data requests, email us at contact@holyinfa.com.