Privacy Policy
Last updated: June 7, 2026
1. Who We Are
Mystic Moments ("we", "us") operates mysticmoments.com. We are the data controller for personal data collected through this site. Contact: [email protected].
2. Data We Collect
| Data | Why |
|---|---|
| Name, email, password | Account creation, order fulfilment, login |
| Shipping address, phone | Delivery, COD coordination |
| Order & transaction history | Purchase records, balance management |
| Payment data | Processed by Stripe — we never see or store raw card numbers |
| Uploaded videos | QR video feature — stored on Cloudflare R2 |
| IP address, browser info | Security, rate limiting, fraud prevention |
3. Legal Basis (GDPR Art. 6)
- Contract — processing orders, managing accounts, delivering products.
- Legitimate interest — site security, fraud prevention, basic analytics.
- Legal obligation — tax and regulatory record-keeping.
- Consent — marketing emails (you may withdraw at any time).
4. Third-Party Processors
| Service | Purpose |
|---|---|
| Stripe | Card payments & top-ups |
| Cloudflare R2 | Video & image storage |
| Resend | Transactional emails (account creation, resets) |
| PocketBase (self-hosted) | User accounts, orders, transactions |
| Vercel | Site hosting & edge delivery |
All processors are bound by appropriate data processing agreements. Stripe and Cloudflare may transfer data outside the EEA under Standard Contractual Clauses.
5. Video Content
Videos uploaded via the QR feature are stored on Cloudflare R2 under a private, unguessable URL. They are:
- Accessible only via the unique QR link.
- Automatically deleted after 1 year (expiry date shown in your dashboard).
- Deleted immediately upon your request.
6. Data Retention
- Order & transaction records: 7 years (tax/legal obligation).
- Account data: for the life of the account + 30 days after deletion.
- Videos: 1 year from upload, or until deleted by you/us.
7. Your Rights (GDPR)
Under the GDPR you have the right to:
- Access — request a copy of your personal data.
- Rectification — correct inaccurate data.
- Erasure — request deletion ("right to be forgotten").
- Restriction — limit how we use your data.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interest.
- Withdraw consent — unsubscribe from marketing at any time.
To exercise any right, email [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority.
8. Cookies
We use only essential cookies required for authentication and cart persistence. No third-party tracking or advertising cookies are set. No consent banner is required for essential-only cookies under the ePrivacy Directive.
9. Security
We use HTTPS, server-side token validation, and role-based access controls. Passwords are hashed. Payment card data is handled entirely by Stripe and never touches our servers.
10. Children
The site is not directed at children under 16. We do not knowingly collect data from minors. Contact us if you believe we have inadvertently done so.
11. Changes
We may update this policy. The date at the top reflects the latest revision. Continued use of the site after changes constitutes acceptance.
12. Contact
Data controller: Mystic Moments
Email: [email protected]