Skip to content

Cart

Your cart is empty

Privacy policy

Last Updated: February 8, 2026

Welcome to CUKATU, a luxury footwear brand offering handmade shoes crafted in Spain and delivered worldwide. We are committed to protecting your personal information with the same care and integrity that we devote to our artisan craftsmanship. This Privacy Policy explains how we collect, use, and share your information when you interact with our website or services, in compliance with international data protection laws including the EU General Data Protection Regulation (GDPR) and Spain’s Ley Orgánica 3/2018 de Protección de Datos y Garantía de Derechos Digitales (LOPDGDD), as well as U.S. privacy laws like the California Consumer Privacy Act (CCPA) (as amended by the CPRA) and other applicable regulations. By using our site, you agree to the practices described in this policy. Our goal is to be transparent and respectful of your privacy rights in every region we serve.

 

Information We Collect

 

We collect personal information that you voluntarily provide to us, as well as some information automatically, as detailed below:

 

Order and Contact Information: When you make a purchase or attempt to do so, we collect information necessary to process your order. This includes your name, shipping and billing address, email address, phone number, and order details (e.g. products and size). For example, as part of the buying process you may provide your name, address and email. We use this information to fulfill your orders and keep you updated. If you create a customer account on our site, we will also collect login credentials (like username and password) and maintain your order history and preferences in your account profile.

 

Payment Information: If you purchase products, payment details (such as credit card numbers or other payment information) are collected through our payment processor (e.g. Shopify Payments or PayPal). We do not store your full credit card numbers on our own servers. Payment transactions are encrypted and processed via secure third-party gateways in compliance with PCI-DSS security standards. This means your card data is handled securely by the payment provider and only stored as long as necessary to complete the transaction, then deleted or tokenized.

 

Device and Usage Information: When you visit our site, we automatically receive and log certain data about your device and browsing activity. This Device Information can include your web browser type, IP address, time zone, the URL that referred you to our site, and details about how you interact with our webpages (such as pages viewed, clicks, and browsing duration). We collect this via technologies like cookies, log files, pixels, and similar tracking tools (see Cookies & Tracking below for more). This usage data helps us understand and improve your experience on our website.

 

Cookies and Similar Technologies: Our site uses cookies (small data files placed on your device) and related technologies like web beacons and tags to remember your preferences and collect information about your usage of our site. For example, we use cookies to keep you logged in, remember items in your shopping cart, and gather analytics on site traffic. Some cookies are essential for site functionality, while others are used for analytics and advertising (with consent where required). See Cookies & Tracking for more details on what cookies we use and your choices.

 

Communication Preferences: You may opt to provide your email or phone number for marketing communications (such as newsletters or SMS alerts). We will collect your contact details and marketing preferences when you subscribe or opt-in. With your permission, we use this information to send you updates on new products, exclusive offers, and events. You can unsubscribe from marketing emails or texts at any time.

 

Customer Service Information: If you contact us for support or inquiries (via email, chat, or phone), we will collect the information you choose to share in those communications (such as your questions or feedback, and any contact info you provide). We use this to assist you and improve our services.

 

We refer to all of the above as “Personal Information.” If we ever collect any additional categories of personal data or sensitive information, we will inform you at the point of collection and ensure compliance with relevant laws. We do not knowingly collect any information from children under the age of 13 (see Children’s Privacy below).

 

How We Use Your Information

 

We use your Personal Information for the following purposes, all aimed at providing you with our products and improving your experience:

 

Order Fulfillment & Service Delivery: First and foremost, we process your Personal Information to fulfill your orders and provide the services you request. This includes processing payments, arranging for shipping from Spain or our warehouses, delivering the products to you, and sending you order confirmations or invoices. We also use your details to handle returns, exchanges, or warranty claims as necessary.

 

Customer Communication: We may use your contact information to communicate with you about your orders and account. For example, we send email/SMS notifications to confirm your order, shipping status, or if we need to notify you of any issues (such as stock or delivery problems). We will also respond to you regarding any inquiries or customer support requests you send us. With your consent, we may also send newsletters or marketing messages about new product launches, special promotions, or events (you can opt-out at any time).

 

Personalization & Marketing (Opt-In): When in line with the preferences you have shared with us, we use your information to provide you with targeted content or marketing. This means we may offer recommendations or show you ads for our products that we believe may interest you, based on your purchase history or browsing behavior. We only send promotional emails or texts if you have opted in. You can withdraw your consent from marketing communications at any time (see Your Rights). We do not spam; we strive to send relevant, high-quality updates in a respectful cadence.

 

Fraud Prevention and Security: We use Personal Information to screen for fraudulent transactions or security risks. In particular, certain technical data (like IP address and device info) are used to detect and block suspicious or malicious activities. This helps protect our customers from fraud and helps maintain the integrity of our website.

 

Site Improvement and Analytics: Device and usage data are analyzed to improve and optimize our website and services. We examine how customers navigate our site, which pages or products are popular, and how effective our ad campaigns are, in order to enhance the user experience and troubleshoot any performance issues. This may involve generating aggregated analytics (that do not directly identify individuals) to guide our business decisions and marketing strategies.

 

Legal Compliance and Protection: We may process your information as required to comply with applicable laws and regulations, such as fulfilling tax and accounting obligations, or to respond to lawful requests by public authorities. Additionally, if necessary, we will use or disclose information to enforce our terms and policies, to protect our rights, privacy, safety or property, or those of our customers and partners, and to pursue available legal remedies or defend against legal claims. For example, we may retain transaction records to meet financial reporting laws, or provide information in response to a court order or subpoena.

 

We will not use your personal data for any wholly new, unrelated purposes without first notifying you and obtaining your consent when required.

 

Legal Bases for Processing (GDPR/EEA)

 

If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data only when we have a valid legal basis to do so under GDPR. The legal justifications for our processing include:

 

Contractual Necessity: We process personal data to fulfill our contract with you. When you make a purchase or otherwise enter into an agreement with us, we need to use your data to deliver the product or service (e.g. to ship your order, provide customer support, etc.). In GDPR terms, this is necessary “for the performance of a contract” with you. Without this data, we cannot fulfill your orders or provide the requested services.

 

Legitimate Interests: We may process personal data for our legitimate business interests, provided such use is fair, balanced, and does not override your privacy rights. For instance, we have a legitimate interest in understanding how customers use our site so we can improve it, in sending limited marketing to existing customers, and in preventing fraud. We will rely on legitimate interests only for the purposes described in this policy (like security, analytics, improving services, or certain direct marketing), and we will ensure to consider and protect your rights in doing so. You have the right to object to processing based on legitimate interests (see Your Rights below).

 

Consent: In some cases, we will ask for your consent before collecting or using your information. For example, we seek your consent for email marketing (when you sign up for our newsletter) and for non-essential cookies or targeted advertising in jurisdictions where consent is required. Where we rely on consent, you have the choice to give, refuse, or withdraw your consent at any time; withdrawing will not affect the lawfulness of processing before that point.

 

Legal Obligation: We also process data when necessary for compliance with a legal obligation to which we are subject. This can include keeping transaction records for tax auditing, honoring data subject rights requests, or disclosing information when lawfully required by authorities. In such cases, the law provides the basis for processing and we will only do so in strict compliance with our legal duties.

 

If more than one legal basis applies to the same data (depending on context), we will rely on each as appropriate. We will clearly indicate when we are asking for consent versus when processing is required for other reasons. Note for Spanish users: in accordance with GDPR and Spain’s LOPDGDD, CUKATU acts as the Data Controller of your personal data, determining the purposes and means of processing.

 

International Data Transfers

 

CUKATU is a U.S.-based company that also operates in Spain (where our shoes are handcrafted). In order to provide our services to you, your personal information may be transferred and stored across international borders – for example, between the European Union (EU) and the United States. If you are located in the EU/EEA or other regions with data transfer restrictions, please note that your information will be processed in countries outside your own, including in the U.S. and possibly other jurisdictions where our partners or service providers are located. This means your data might not be protected by the exact same privacy laws as in your home country. However, we take steps to ensure that appropriate safeguards are in place to protect your information in line with this Privacy Policy and applicable law.

 

Data Transfers from the EU/EEA: Whenever we transfer personal data out of the EEA (for example, to the U.S. where our main servers and Shopify’s servers are located), we will ensure a similar degree of protection by implementing at least one of the following safeguards:

 

Standard Contractual Clauses: We may rely on the European Commission’s approved Standard Contractual Clauses (SCCs), which are legal contracts that oblige the recipient of the data to protect it according to EU privacy standards. These SCCs are incorporated into our agreements with relevant service providers (like Shopify) when processing European data abroad.

 

Adequacy Decisions: Where applicable, we may transfer data to countries that the European Commission has determined provide an “adequate” level of data protection under Article 45 of the GDPR. (For example, data sent from the EU to Canada may be covered by Canada’s adequacy status, and data sent to U.S. companies certified under the EU-U.S. Data Privacy Framework would be protected by that framework.)

 

Contractual Necessity & Consent: In certain cases, we may rely on GDPR derogations for specific situations (Article 49) – for instance, when an international transfer is necessary for the performance of a contract with you (e.g. to ship an order internationally at your request) or when you have explicitly consented to the proposed transfer after being informed of any risks.

 

No matter where your data is processed, we will enforce safeguards such as encryption, access controls, and strict contractual obligations for recipients to handle the data securely and only for the purposes we specify. You can request more information about the safeguards we have in place for cross-border transfers by contacting us (see Contact Information at the end of this policy).

 

Sharing Your Personal Information

 

We do not sell your personal information to third parties for profit. However, we do share certain categories of personal data with trusted third parties and service providers who help us run our business. We only share the minimum information necessary, and only for the purposes described in this Policy. The types of third parties with whom we may share data include:

 

E-Commerce Platform (Hosting Provider): Our online store is built on the Shopify platform. Shopify Inc. provides us with the e-commerce infrastructure, website hosting, and data storage. Your data is stored through Shopify’s secure databases and application, on their servers protected by firewalls. Shopify is contractually committed to protecting customer data. We share information with Shopify as needed to operate our site (for example, your order details are stored in our Shopify account). For more details, you can review Shopify’s own Privacy Policy and Terms. If we ever switch website platforms in the future, we will ensure any new provider offers equivalent protections.

 

Payment Processors: We use third-party payment gateways (such as Shopify Payments (Stripe), PayPal, or credit card processors) to handle payment transactions. These processors will receive your payment details to process the transaction. As noted, they adhere to PCI-DSS and other stringent security standards. We share the necessary billing information with them, but they may process and store your payment data directly on their secure servers. We do not have access to your full financial account numbers except as needed for refund transactions or similar operations. Payment providers may have their own privacy policies governing the data we must provide for your purchase; we encourage you to review those policies for further information.

 

Shipping and Logistics Partners: Because we ship our products globally, we will share your shipping details (name and delivery address, and sometimes phone/email for tracking) with postal services or courier companies (e.g. UPS, FedEx, DHL, national postal services) in order to deliver your orders. These third-party carriers are authorized to use your information only to carry out shipping and delivery services. If your order is being shipped internationally, the carrier and customs authorities in the destination country will process your data for customs clearance and delivery. We provide them only the data required (generally, contact name, address, and contents/value for customs).

 

Analytics and Performance Tools: We engage certain analytics providers such as Google Analytics to better understand how customers use our website. These tools use cookies or similar identifiers to collect Usage Data (e.g. pages visited, time on site, referral source, and possibly IP address, though we may configure GA to anonymize IP in the EU). The information collected by such analytics services is typically processed in aggregate form (not tied to your name) and helps us improve the site’s functionality and marketing. Google Analytics may set cookies on your browser; you can read how Google uses data here, and if you wish, you can opt-out of Google Analytics tracking by using the Google Analytics Opt-Out Browser Add-on or other methods.

 

Advertising and Marketing Partners: We may share certain limited information (such as cookies or hashed email addresses) with advertising partners like Facebook (Meta), Google Ads, Klaviyo or similar, to facilitate targeted advertising and measure campaign effectiveness. For example, we might use the Facebook Pixel or Google Ads tags on our site, which can inform us and those platforms that you visited our site or took certain actions (like adding to cart). This allows us to show you relevant ads on their networks. These partners may act as independent “controllers” of your data for their own advertising purposes. You have choices to limit this kind of sharing (see Cookies & Tracking and Your Rights – California Privacy Rights for opt-out options). For instance, you can opt out of targeted ads through industry tools like the Network Advertising Initiative or Digital Advertising Alliance opt-out websites. We will only engage in cross-context behavioral advertising in compliance with applicable laws (obtaining consent where required, and honoring opt-out signals as described below).

 

Email & Communication Services: We use third-party platforms to send our email newsletters and possibly SMS updates (for example, an email marketing service provider). If you have subscribed to our communications, your name and email address will be stored with that provider for the purpose of sending you emails. They are not allowed to use your info for any other purpose. Similarly, if we implement features like customer chat support or product review widgets, those might be provided by third-party companies that process data on our behalf (e.g. your email and message when you contact support via a chat widget). All such providers are bound by contracts to only use your data under our instructions and to keep it secure.

 

Business Partners and Affiliates: In the future, we might partner with other companies or brands for joint marketing initiatives, or allow you to link your account with third-party services. We will inform you and obtain any necessary consent before sharing personal data with business partners outside of our core services. If we ever share information with co-marketing partners or affiliates, it will be for specific, explained purposes (such as organizing a co-sponsored event or giveaway that you choose to enter). We do not currently sell or rent customer lists to other brands for their own marketing. If that ever changes, we will update this policy and provide opt-out or opt-in mechanisms as required by law.

 

Legal and Safety Disclosures: We may also disclose personal information to third parties when required by law or necessary to protect rights. For example, if we receive a legally binding request (such as a subpoena, court order, or inquiry from law enforcement), we may provide the requested information. We may also share information in connection with investigating or preventing fraud, security threats, or other illegal activities, or to enforce our Terms of Service or other agreements, or to collect owed amounts. We will always evaluate such requests carefully and only provide what is legally required or justified.

 

Each third-party service provider we use has been evaluated for their data protection practices, and we strive to only work with partners who meet high privacy and security standards. We contractually require service providers to keep personal information confidential and use it only for the purposes we specify. If any third-party needs access to personal data beyond these purposes, we will obtain your consent. Additionally, some third parties (like payment processors or analytics companies) may operate in multiple countries, so your data might be transferred to or processed in a jurisdiction different from yours (see International Data Transfers above). Those providers may also be subject to the laws of that jurisdiction (for instance, data stored in the U.S. may be subject to lawful access requests by U.S. authorities). Rest assured, we will continue to protect the data we share with them under this policy.

 

Finally, if our business undergoes a merger, acquisition, financing, or sale of assets, personal information may be transferred to a new owner as part of that transaction. If such a change occurs, we will ensure the new owner is contractually obligated to handle your data in accordance with this Privacy Policy or we will notify you and obtain any required consent. (For example, if CUKATU is acquired by another company, your customer information would likely be one of the transferred assets so that the new company can continue to serve you.)

 

Your Rights

 

We respect your rights to control your personal information. Depending on your location and applicable privacy laws, you may have some or all of the following rights regarding the personal data we hold about you:

 

Rights of Individuals in the EU/EEA and UK

 

If you are in the European Union, European Economic Area, or United Kingdom, you have significant rights under the GDPR (and UK GDPR) regarding your personal data. These include:

 

Right to Access: You may request a copy of the personal information we hold about you, and to obtain information about how we process it. This allows you to confirm if we are processing your data and to check that we are doing so lawfully. We will provide this data in a commonly used electronic format.

 

Right to Rectification: If any of your personal data is inaccurate or incomplete, you have the right to ask us to correct or update it. We encourage you to keep your account information current, and you can also contact us to fix any errors.

 

Right to Erasure (Right to be Forgotten): You can request that we delete your personal information in certain circumstances – for example, if the data is no longer necessary for the purposes it was collected, or if you withdraw consent and we have no other legal basis to keep it. Upon valid request, we will erase your data (and instruct our processors to do so) unless an exemption applies (such as if we are required to keep certain data for legal compliance or if the data is needed to establish or defend legal claims).

 

Right to Restrict Processing: You have the right to ask us to limit the processing of your data in certain situations – for instance, while we verify your data correction request or if you object to our processing and we are considering that objection. If you request restrictions, we will still store your data but not use it until the issue is resolved (except to the extent allowed by you or required for legal reasons).

 

Right to Data Portability: You can request to receive the personal data that you have provided to us in a structured, commonly used and machine-readable format, and you have the right to transmit that data to another controller where technically feasible. This right applies when the processing is based on your consent or a contract with you and is carried out by automated means. We will assist in transmitting your data to a third party if you desire, when legally required.

 

Right to Object: You have the right to object to our processing of your personal data when our basis is of legitimate interests. If you do so, we must stop the processing unless we have compelling legitimate grounds that override your rights or we need to continue processing for the establishment, exercise, or defense of legal claims. You also have an unconditional right to object to your data being used for direct marketing purposes at any time – if you object, we will stop using your data for marketing.

 

Rights Related to Automated Decisions: We currently do not make any legally significant decisions about you solely by automated means (without human involvement). However, if we ever do, you have rights to request human review of any purely automated decision that significantly affects you, and to express your point of view or contest the decision.

 

Right to Withdraw Consent: Where we rely on your consent to process data (e.g. for newsletter subscriptions or certain cookies), you have the right to withdraw that consent at any time. Once you withdraw consent, we will stop the specific processing that was based on consent. (Note that this will not affect any processing already done before you withdrew, and if we have another legal basis for the processing – such as contractual necessity – we may continue on that basis).

 

To exercise any of these EU/UK rights, please contact us (see Contact Information below). We may ask you to verify your identity before fulfilling the request, to ensure we do not disclose data to the wrong person. We will respond to your request within one month (or inform you if we need additional time as allowed by law). There is generally no fee for exercising these rights, but if a request is manifestly unfounded or excessive we may charge a reasonable fee or decline to comply. Finally, EU and UK individuals have the right to lodge a complaint with a Data Protection Authority (DPA) if you believe we have infringed your privacy rights. For example, in Spain the supervisory authority is the AEPD (Agencia Española de Protección de Datos), and in the UK it is the ICO (Information Commissioner’s Office). We would, however, appreciate the chance to address your concerns directly before you approach a regulator, so please feel free to contact us first.

 

California Privacy Rights (CCPA/CPRA)

 

If you are a resident of California, you are protected by the California Consumer Privacy Act (CCPA) of 2018, as amended by the California Privacy Rights Act (CPRA) of 2020. Even if we are not strictly required to comply (for instance, if our company is below certain size thresholds), CUKATU aims to provide California consumers with CCPA-equivalent rights as a courtesy. These rights (some of which overlap with the above) include:

 

Right to Know: You have the right to request that we disclose what personal information we collect, use, disclose, and sell. This includes the specific pieces of personal data we have about you, as well as the categories of personal information collected, the categories of sources, the business or commercial purposes for collecting or sharing the information, and the categories of third parties with whom we share it. Essentially, you can ask for a report detailing the personal information we’ve collected about you in the past 12 months and how we have handled it.

 

Right to Access & Data Portability: Similar to above, you may request access to the personal data we hold about you, and obtain it in a portable format. We will provide either a downloadable report or other readily usable format containing your information from the relevant period (note that CCPA currently allows you to request data from the last 12 months, and we will include data beyond 12 months if required by law or if you request it and it is feasible to provide).

 

Right to Delete: You have the right to request that we delete personal information we have collected from you (and direct our service providers to do the same), with certain exceptions. Upon verifying such a request, we will erase your personal data from our records (and notify service providers to delete it from theirs), unless retaining the information is necessary for us or our service providers to complete a transaction you requested, detect security incidents, exercise legal rights, comply with a legal obligation, or other CCPA-recognized exception. We will inform you of any such exception that applies if we cannot fulfill a deletion request in full.

 

Right to Correct: Under the CPRA amendments, California consumers have the right to request correction of inaccurate personal information maintained by us. If you find any personal data we hold is incorrect, please let us know and we will promptly rectify it and ensure our service providers do the same.

 

Right to Opt-Out of Sale or Sharing: You have the right to opt out of the sale of your personal information or the sharing of your personal information for cross-context behavioral advertising. CUKATU does not sell your data for money; however, the law defines “sale” and “sharing” broadly to include certain uses of cookies and advertising. If our use of advertising cookies or third-party analytics is considered a "sale" or "share" under CCPA, you can opt out. We have provided a “Do Not Sell or Share My Personal Information” link on our website (usually found in the footer) to enable you to easily exercise this right. You may also send us an opt-out request via the contact methods below. Once we receive your opt-out request, we will stop any "selling" or "sharing" of your data. Additionally, we honor opt-out preference signals (such as the Global Privacy Control (GPC) browser signal) as a valid opt-out of sale/sharing request, as required by California law. In other words, if our site detects a GPC signal from your browser, we will treat it as if you had clicked the "Do Not Sell or Share" link.

 

Right to Limit Use of Sensitive Personal Information: CCPA/CPRA gives consumers the right to limit a business’s use of sensitive personal information (SPI) if it’s used for purposes beyond what is necessary to provide goods or services. Examples of SPI include precise geolocation, race or ethnic origin, health information, etc. We do not collect or use sensitive data in any way that would trigger this right (we mainly collect basic personal identifiers and purchase information). In the event we ever did handle SPI (for example, if you shared health-related needs for product customization), you would have the right to direct us to restrict its use to only what is necessary.

 

Right of Non-Discrimination: We will never discriminate or retaliate against you for exercising any of your CCPA rights. This means if you choose to exercise your privacy rights (such as opting out or requesting deletion), we will not deny you goods or services, charge you a different price, or provide a different level of quality because of your choice. CUKATU values all customers equally, regardless of your privacy preferences. However, please note that in some cases we may not be able to provide a service or benefit if it relied on using your data (for example, if you ask us to delete all your data, we won’t have record of your past purchases to honor loyalty benefits). Any such difference in service is always tied to the data’s value and never punitive.

 

Submitting Requests: California residents can exercise their rights by contacting us via the methods in Contact Information below. For requests to know, access, delete, or correct, we will need to verify your identity to a reasonable degree of certainty. This typically involves matching information you provide with information we have on file (we may ask you to provide identifying details such as your past order info or email address). You may also designate an authorized agent to make a request on your behalf. If you do so, we will require proof of the agent’s identity and authority (for example, signed permission from you). We aim to respond to verified consumer requests within 45 days as required by CCPA (or notify you if we need more time). Opt-out of sale/sharing requests will be honored within 15 business days, and we will notify third parties as required.

 

For more information about your California privacy rights, you can also visit the California Attorney General’s website or review Section 1798.100 of the California Civil Code. If you are a California resident under age 18 and a registered user of our services, you have the right to request removal of certain posted content; however, our site is not intended for minors (see below).

 

Other Jurisdictions

 

If you reside in a region with additional privacy rights not listed above (for example, other U.S. states with new privacy laws, or countries like Canada, Australia, Japan, etc.), we will gladly address those as well. For instance, Canadian users have a right to access and correction under PIPEDA, and can withdraw consent to marketing. We strive to honor all valid privacy requests regardless of origin. You may contact us to inquire about your specific privacy rights, and we will explain what measures we can take. Our approach is to be as transparent and accommodating as possible within the bounds of applicable law.

 

Cookies & Tracking Technologies

 

Cookies are small text files placed on your device (computer, smartphone, etc.) by websites you visit. We use cookies and similar tracking technologies to provide, optimize, and personalize our services. When you visit our site for the first time, you will see a cookie consent banner (for jurisdictions that require it) informing you about our use of cookies and giving you the option to accept or decline non-essential cookies. Here’s more about how we use cookies:

 

Necessary Cookies: These cookies are essential for the basic functioning of our website. They enable core features such as the shopping cart and checkout process, user login, and account management. For example, Shopify uses a cookie like _session_id to maintain your session and remember your cart contents. Without these cookies, the website would not operate properly. They are always active and do not require consent.

 

Analytics Cookies: We use analytics or performance cookies to collect information about how visitors use our site – for instance, which pages are visited, how long people stay, and any errors encountered. This data is aggregated and does not directly identify you. It helps us improve website functionality and understand user engagement. For example, we use Google Analytics, which sets cookies (_ga, _gid, etc.) to collect usage statistics. These cookies may track information such as your IP address (with IP anonymization when required), browser type, and referring pages. We use this data to generate reports and insights about our website traffic. You can opt out of Google Analytics as noted above, or generally refuse analytics cookies via our cookie banner or your browser settings.

 

Functional Cookies: These cookies remember choices you make to enhance your experience. For instance, if our site offers an option to save your preferred currency or language, a functional cookie might store that preference so you don’t have to select it each time. They might also enable certain UI features or remember if you dismissed a notification so it doesn’t pop up again. While not strictly necessary, these cookies improve convenience and personalization.

 

Advertising Cookies: Advertising or targeting cookies are used to deliver ads relevant to you and measure the effectiveness of advertising campaigns. They may be set through our site by third-party advertising networks (with our permission). For example, if we use Facebook or Instagram ads, the Facebook Pixel on our site drops a cookie that helps retarget you with ads on Facebook after you’ve visited our site. Similarly, Google Ads cookies may track your visit to inform whether our ads lead to conversions. These cookies might collect data like your device identifier or browsing activity across sites to infer your interests. We only use advertising cookies where we have obtained your consent, where required by law. You can manage your preferences for these cookies via our cookie settings tool or browser controls. Additionally, you can opt-out of many ad cookies from multiple companies via the Network Advertising Initiative’s opt-out page or the DAA’s WebChoices tool . Keep in mind that opting out of targeted ads doesn’t mean you will see no ads at all, only that they will be less tailored to you.

 

Web Beacons & Pixels: In addition to cookies, we and our partners may use small graphic images or code snippets (often called web beacons, tracking pixels, or tags) in our web pages or emails. These are typically invisible to you but help us understand user interactions. For example, we might include a pixel in our email newsletter that lets us know if you opened the email or clicked a link, which helps us gauge engagement. On the website, pixels like the Facebook Pixel or Twitter Pixel help with advertising analytics. These technologies usually work in conjunction with cookies (they rely on cookies to track when the same user returns). So if you disable cookies, these may have limited functionality.

 

Do Not Track Signals: “Do Not Track” (DNT) is a preference you can set in some web browsers to signal that you do not wish to be tracked across websites. Currently, our site does not alter its data collection practices in response to DNT browser signals (in part because there is not yet a consensus on how to interpret DNT signals). However, as noted, we do honor the more specific Global Privacy Control (GPC) signal for opting out of sale/sharing of data (which is required under CCPA/CPRA regulations). If a GPC signal is detected, we treat it according to the legal requirements (as an opt-out of sale/sharing). Aside from GPC, we recommend using our provided cookie consent tools or the opt-out methods described above to directly control what data is collected.

 

Cookie Management: You have the right to decide whether to accept or reject cookies (aside from the strictly necessary ones). When you first visit, you can choose your preferences on the cookie consent banner. If you wish to change your choice later, you can usually do so by clearing cookies in your browser and revisiting the site, or by using a provided settings icon (if available on our site) to adjust cookie settings. Additionally, most web browsers allow you to control cookies through their settings preferences. You can set your browser to refuse all or some cookies, or to prompt you before accepting. Note that if you disable certain cookies, some parts of our site might become inaccessible or not function correctly (for example, blocking “all cookies” might prevent the cart from remembering items).

 

For more information about cookies and how to manage or disable them, you can visit AllAboutCookies.org, which provides browser-specific guidance.

 

Data Security

 

CUKATU takes the security of your personal information very seriously. We implement a variety of technical and organizational measures to safeguard your data against unauthorized access, alteration, disclosure, or destruction. These measures include:

 

Encryption: Our website uses HTTPS (SSL/TLS encryption) for all communications. This means that any personal data you transmit (for example, entering your credit card or password) is encrypted in transit to prevent eavesdropping. If you provide payment information, those details are additionally encrypted and handled by PCI-compliant payment processors. We also encrypt sensitive data at rest where applicable.

 

Access Controls: We limit access to personal information to only those employees and service providers who need it to perform their duties (principle of least privilege). Our team members are trained on confidentiality and data protection. Our databases and systems require authentication and are protected by firewalls and monitoring to prevent unauthorized access.

 

Secure Infrastructure: We rely on reputable hosting providers (like Shopify) that employ state-of-the-art security protections at the server and network level. This includes firewalls, intrusion detection systems, regular security audits, and redundancy/backups to protect data integrity and availability.

 

PCI-DSS Compliance: For handling payment card data, we adhere to the Payment Card Industry Data Security Standards. As noted, our checkout is secured and all card transactions are processed by PCI-DSS compliant services. We do not store full card numbers or sensitive authentication data on our systems after the transaction is complete.

 

Vulnerability Management: We keep our software and platforms updated to patch security vulnerabilities. We also employ anti-malware tools and perform periodic security assessments. Any suspected breaches or security issues are investigated and addressed promptly with appropriate remediation steps.

 

While we strive to protect your data, it’s important to note that no method of transmission over the Internet or electronic storage is 100% secure. Thus, we cannot guarantee absolute security. However, we do follow industry best practices and continuously improve our security posture to minimize risks. In the unlikely event of a data breach that affects your personal information, we will notify you and the relevant authorities as required by law.

 

You also play a role in keeping your data secure. We encourage you to use a strong, unique password for your account (if you create one) and to keep your login credentials confidential. If you become aware of any unauthorized use of your account or any security incident, please contact us immediately.

 

Data Retention

 

We will retain your personal information only for as long as necessary to fulfill the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements. In practice, this means:

 

Customer & Order Data: If you make a purchase, we will keep your order information in our records as long as your account remains active or as long as needed to provide you services. Even if you delete your account, we may retain certain information about past transactions for record-keeping (for example, to process returns, honor warranties, or for tax obligations). By default, we retain order records indefinitely unless you request deletion, in order to maintain your purchase history and for our internal accounting. However, you have the right to request deletion of this data earlier (see Your Rights), and we will honor such requests provided we do not need to keep the data for legal reasons.

 

Account Information: If you create an account on our site, we will retain your profile information and credentials until you deactivate your account or request deletion. If an account remains inactive for an extended period, we may contact you to confirm if you wish to keep it; if not, we may delete or anonymize the account data.

 

Marketing Data: We keep information like your email or phone number for marketing purposes until you opt-out or unsubscribe. If you withdraw consent or ask to be removed from our marketing list, we will delete or anonymize your contact information in our marketing database, and in any case stop sending you marketing communications. (We may retain a suppressed list of opted-out contacts to ensure we respect future opt-out requests.)

 

Cookies: Cookies and similar tracking data are retained for varying periods depending on their purpose. Some cookies (like session cookies) expire as soon as you close your browser, while others (like persistent cookies for preferences or analytics) may last a certain number of days or until you clear them. We follow recommended expiration practices for cookies (for example, Google Analytics cookies might persist for 14 months unless you delete them). We refresh consent for cookies as required by law.

 

Legal Retention Requirements: In some cases, we need to retain data for longer periods if required by law. For instance, financial records (including certain personal data in invoices or transaction logs) may be kept for 7 years or more to comply with tax law or accounting standards. Also, if we are handling a dispute or legal claim involving personal data, we will retain the data as necessary through the resolution of the matter.

 

After the retention period has elapsed, or upon your valid deletion request, we will securely dispose of your personal information. This can include erasing electronic records or anonymizing data so it can no longer be linked to you. We may retain anonymized or aggregated data (which is not personally identifiable) for analytical purposes indefinitely, as it no longer constitutes personal information.

 

Children’s Privacy

 

Our products and services are not directed to children, and we do not knowingly collect personal information from individuals under the age of 13 (or under the age of 16 in certain jurisdictions, such as under the GDPR without parental consent). The Site is intended for use by adults. By using this site, you represent that you are at least the age of majority in your state or province of residence, or that you are using the site under the supervision and consent of your parent or guardian if you are a minor. If we learn that we have inadvertently collected personal data from a child under 13 without proper consent, we will take steps to delete that information promptly.

 

Parents or guardians: If you become aware that your child has provided us with personal information without your consent, please contact us and we will remove the data and unsubscribe the minor from any of our services. We encourage parents and legal guardians to monitor their children’s Internet usage and to help enforce this Privacy Policy by instructing their children never to provide personal information on our Site without permission.

 

Changes to This Privacy Policy

 

We may update or modify this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. If we make material changes, we will notify you by (for example) posting a prominent notice on our website or sending an email to the contact address we have on file. Any changes will be effective when posted, unless otherwise indicated. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. The “Last Updated” date at the top indicates when the latest changes were made. If we update the policy, we will revise that date and, if significant changes are made, we will provide a clear notice so that you are aware of what has changed. Your continued use of our site or services after any update constitutes acceptance of the revised Privacy Policy.

 

Contact Information

 

CUKATU values your privacy and we’re here to address any questions or concerns you may have about this policy or your personal data. Please feel free to reach out using the contact details below:

 

Email: You can contact our Privacy Officer at Support@cukatu.com (or info@cukatu.com) for any privacy-related inquiries, including to exercise your rights of access, correction, deletion, or to ask questions/complaints. We will respond as promptly as possible.

 

If you have a complaint about our data practices, we will do our best to resolve it directly. However, if you are in the EU and believe we have not adequately addressed your concerns, you have the right to contact your local Data Protection Authority. In Spain, for example, you can reach out to the AEPD (www.aepd.es):contentReference[oaicite:56]{index=56}. In California, if you have concerns about how we handled your CCPA request, you can contact the California Privacy Protection Agency or the Attorney General’s office. We sincerely hope it never comes to that and pledge to work with you in good faith to resolve any issues.

 

Thank you for entrusting CUKATU with your personal information. We are dedicated to safeguarding your privacy and providing a luxury experience not just in our products but in how we treat you. If you have any questions or need further clarification on any aspect of this Privacy Policy, please do not hesitate to contact us. Your confidence and peace of mind are extremely important to us.