Privacy policy
PRIVACY POLICY
Last Updated: June 23, 2026
At YTHRAL (accessible from us.ythral.com), your privacy is of paramount importance to us. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you visit or make a purchase from our Site, which serves customers in the United States, United Kingdom, Canada, and Australia.
- CORPORATE DETAILS AND DATA CONTROLLER
The Site and the brand YTHRAL are operated by YTHRAL. For the purposes of applicable data protection laws — including the UK General Data Protection Regulation (UK GDPR), the California Consumer Privacy Act (CCPA/CPRA), the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), and the Australian Privacy Act 1988 — YTHRAL acts as the Data Controller for the personal data collected from users of this Site.
For any privacy-related inquiries, data requests, or support, please contact our compliance team at contact@ythral.com.
- PERSONAL DATA WE COLLECT
We collect information about you in three ways: information you provide directly, information collected automatically, and information from third parties.
A. Information Collected Automatically When you access or browse our Site, we automatically collect certain technical details about your device and interaction:
- Identifiers: IP address, unique device identifiers, operating system, and web browser type.
- Usage and Behavioral Data: The specific pages or products you view, search terms that led you to the Site, session duration, scroll depth, click tracking, and interaction with checkout elements.
- Cookies and Tracking Technologies: We collect this data using cookies, log files, web beacons, and embedded scripts.
B. Information You Provide to Us When you buy from us or interact with our services, we collect:
- Customer Identifiers: First and last name, billing address, shipping address, email address, and telephone number.
- Transaction Details: Ordered items, order date, total transaction value, and preferred payment method.
- Payment Credentials: To protect your security, all payment card processing is encrypted and handled by our PCI-DSS compliant secure payment gateways. We do not collect, view, or store your raw credit card numbers or bank passwords.
- Support Interactions: Records of email communication or chats when you request support.
- LEGAL BASIS FOR PROCESSING
Our legal basis for collecting and using your personal information is to operate our business and provide you with a premium, secure shopping experience:
- Performance of a Contract: To fulfill our contract with you — specifically to process your payment, pack your order, and ship it to your address in accordance with our Terms of Service.
- Consent: When you explicitly opt-in to receive our newsletters or accept marketing cookies.
- Legitimate Interests: To prevent fraud, protect Site security, analyze user behavior to improve our storefront, and run targeted retargeting campaigns.
- Compliance with Legal Obligations: To comply with tax, customs, and consumer protection laws in the jurisdictions we serve.
- HOW WE USE YOUR PERSONAL INFORMATION
We use your data to operate our business and provide you with a premium experience:
- Fulfilling Orders: Processing secure payments, coordinating international shipping, issuing invoices, and facilitating returns or exchanges in accordance with our Return and Refund Policy.
- Fraud and Risk Prevention: Analyzing IP addresses and customer order traits to protect our brand and our gateways from fraudulent transactions and chargebacks.
- Customer Relations: Providing shipping status updates, responding to queries, and offering customer support.
- Targeted Marketing and Retargeting: Using data to serve you targeted ads on platforms like Facebook and Instagram.
- Site Auditing and Session Insights: Utilizing behavioral recording tools to identify technical bugs on our Site and optimize checkout performance.
- DATA SHARING AND SUB-PROCESSORS (THIRD-PARTY SERVICE PROVIDERS)
We do not sell, rent, or trade your personal information. We share your data only with trusted partners and service providers required to run our business. These third parties are contractually bound to protect your data:
- Shopify: We use Shopify to host and power our online store. You can read how Shopify processes your information here: https://www.shopify.com/legal/privacy
- Secure Payment Gateways: To complete transactions, your payment details are processed directly by our secure payment gateway partners in accordance with their respective privacy standards.
- Fulfillment and Shipping Partners: We share your shipping address, recipient name, and phone number with our international logistics partners (iThink Logistics, FedEx International) and local last-mile delivery couriers in your country to deliver your orders.
- Microsoft Clarity: We partner with Microsoft Clarity to capture how you use and interact with our website through behavioral metrics, heatmaps, and session replays. This enables us to fix bugs and improve usability. For more information on how Microsoft collects and uses your data, please see the Microsoft Privacy Statement.
- Judge.me: We share your order information (email and purchased products) with Judge.me to automate product review requests after your order is delivered.
- Meta Ads (Facebook/Instagram): We use the Meta Pixel and Conversions API to measure ad performance, build custom audiences, and serve retargeting ads. Data regarding your purchase behavior is shared securely with Meta.
- INTERNATIONAL DATA TRANSFERS
YTHRAL serves customers in the United States, United Kingdom, Canada, and Australia from our global operations. Your personal data may be transferred to, stored, and processed outside of your country of residence, including in North America (Shopify's cloud infrastructure) and our primary operations hubs in India.
For customers in the United Kingdom, we rely on Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office (ICO) or equivalent safeguards to ensure your data is protected during international transfers. For customers in Canada, transfers are made in compliance with PIPEDA. For customers in Australia, transfers comply with Australian Privacy Principle 8. In all cases, we ensure that any service provider receiving your data is bound by contractual obligations to protect it to a standard consistent with applicable privacy laws.
- YOUR PRIVACY RIGHTS BY JURISDICTION
A. United States — California Residents (CCPA/CPRA)
12-Month Lookback Disclosure: In the preceding 12 months, we have collected, used, and shared for business purposes the following categories of Personal Information from consumers:
- Identifiers: Name, IP address, email, shipping address, and phone number. Shared with Shopify, payment processors, and shipping partners.
- Commercial Information: Transaction history and products viewed. Shared with Shopify and payment gateways.
- Internet or Network Activity: Browsing paths, search history, and interactions with the Site. Shared with Shopify, Microsoft Clarity, and Meta Ads.
- Geolocation Data: General location derived from your IP address. Shared with Shopify and shipping providers.
Sharing for Behavioral Advertising: We share internet activity and identifiers with Meta Ads for marketing and retargeting purposes. Under California law, this constitutes sharing for cross-context behavioral advertising. We do not sell personal information for monetary payment.
Exercising Your Rights:
- Opt-Out Request: You can opt-out of behavioral targeting or request data deletion by emailing contact@ythral.com with the subject "CCPA Request".
- Global Privacy Control (GPC): Our Site is configured via Shopify's standard tracking integrations to automatically honor browser-level opt-out signals, such as the Global Privacy Control (GPC). If your browser transmits a GPC signal, we will treat that as a valid request to opt-out of cross-context behavioral sharing on that device.
B. United Kingdom — UK GDPR
Under the UK General Data Protection Regulation, you have the following rights:
- Right of Access: You may request a copy of the personal data we hold about you.
- Right to Rectification: You may request correction of inaccurate or incomplete personal data.
- Right to Erasure: You may request deletion of your personal data where there is no compelling reason for its continued processing.
- Right to Restrict Processing: You may request that we limit how we use your data in certain circumstances.
- Right to Data Portability: You may request a copy of your data in a structured, commonly used, machine-readable format.
- Right to Object: You may object to processing based on legitimate interests, including direct marketing.
To exercise any of these rights, please email contact@ythral.com with the subject "UK GDPR Request". We will respond within 30 days of receiving your verified request. If you are not satisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at https://ico.org.uk.
C. Canada — PIPEDA
Under the Personal Information Protection and Electronic Documents Act, you have the right to:
- Access your personal information held by YTHRAL.
- Challenge the accuracy and completeness of your personal information and have it amended as appropriate.
- Withdraw consent to the collection, use, or disclosure of your personal information, subject to legal or contractual restrictions.
To exercise any of these rights, please email contact@ythral.com with the subject "PIPEDA Request". If you are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada at https://www.priv.gc.ca.
D. Australia — Privacy Act 1988
Under the Australian Privacy Principles, you have the right to:
- Access the personal information we hold about you.
- Request correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading.
- Complain about a breach of the Australian Privacy Principles.
To exercise any of these rights, please email contact@ythral.com with the subject "Australian Privacy Request". If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at https://www.oaic.gov.au.
- COOKIES AND TRACKING OPTIONS
We use cookies to maintain your shopping cart, analyze site performance, and remember your preferences.
- You can manage or disable cookies by adjusting your web browser settings.
- You can manage your tracking consent via the cookie consent banner displayed on our storefront.
- For UK customers: non-essential cookies (including analytics and marketing cookies) are only activated after you provide explicit consent through our cookie banner, in accordance with UK GDPR and the Privacy and Electronic Communications Regulations (PECR).
- DATA SECURITY AND RETENTION
We follow industry-standard security measures (including SSL encryption and PCI-DSS standards) to protect your data from unauthorized access or alteration.
We retain your transaction records for a minimum of seven (7) years in order to comply with applicable tax, accounting, and consumer protection regulations across the jurisdictions we serve. When your data is no longer required for regulatory or transactional purposes, we securely delete or anonymize it.
- MINORS AND AGE OF CONSENT
Our Site and products are designed for adults and are not directed to individuals under the age of 16. We do not knowingly collect personal data from minors. If you believe we have accidentally collected data from a child, please contact us immediately to have it deleted.
- POLICY UPDATES
We may update this Privacy Policy periodically to reflect changes in our tech stack, logistics partners, or changes in applicable privacy laws. Any modifications will be posted immediately on this page with an updated Last Updated date at the top.
- DATA PROTECTION AND PRIVACY CONTACT
If you have any questions, concerns, or requests regarding this Privacy Policy or how your personal information is handled, please contact our privacy compliance team:
- Contact Email: contact@ythral.com
Note: All data protection inquiries and compliance requests will be acknowledged within 48 hours and resolved within the timeframes required by applicable law.