Last Updated: October 27, 2025

1. Who we are

• Controller: Goldshape (trading as Artbeats)
• Registered office: Berchem, 2600, Belgium
• Company/VAT: BE0783422577
• Contact for privacy matters: hello@artbeatjewels.com (or via our website contact form)
• No Data Protection Officer appointed.
• We sell and ship worldwide. For UK customers, we currently operate without a UK establishment. If a UK GDPR representative is required, we will appoint one and update this notice.

2. Scope This policy explains how we collect, use, disclose, transfer, and retain personal data when you browse our website, use our camera-based heartbeat capture tool, place orders, make payments, receive support, or subscribe to marketing communications.

3. What we collect

• Identifiers and contact data: name, email, phone, billing/shipping addresses, account credentials (for registered users), order number.
• Commercial data: products purchased, order history, delivery preferences, returns/after-sales information.
• Heartbeat design data: a processed, derived waveform segment is briefly uploaded to generate an SVG design; only the SVG is stored with your order. No camera images or video are uploaded or stored.
• Payment-related data: we do not store full card numbers. We receive limited metadata from WooPayments (Automattic/Stripe) and PayPal (e.g., transaction status, method/brand, last 4 digits, transaction ID).
• Shipping/logistics data: name, address, phone/email for delivery and tracking via Sendcloud and carrier partners.
• Technical/usage data: device/browser type, IP address, country/region (derived from IP), pages viewed, interactions, consent choices. Some of this is collected via cookies and similar technologies.
• Communications/support: messages via contact forms, email, live chat (Tidio), or WhatsApp, and our responses.

We do not seek to collect special category data. The heartbeat waveform/design is not used to uniquely identify you or to infer health information; it is purely artistic.

4. Camera and heartbeat capture

• Activation: Camera/torch run only after you tap Start and grant permission in your browser. You can revoke permission in browser/device settings at any time.
• On-device processing: The camera feed is processed entirely in your browser to extract a PPG signal. No raw video or images are uploaded.
• Minimal upload for rendering: The browser sends only a derived numeric waveform segment and indices to our server endpoint for a moment to render your custom SVG. We do not store the uploaded waveform or the server-generated SVG; we return it to your browser.
• Storage with the order: The returned SVG (your custom design) is saved with the WooCommerce order as order-item meta to produce your jewelry and for order records.
• No medical use: We do not analyze the waveform for medical purposes or health inferences.

5. Purposes and legal bases (GDPR/UK GDPR/LGPD)

• Contractual necessity: processing orders and payments, crafting and delivering custom jewelry, providing customer service, storing the design with the order record, and communicating about your order.
• Consent: camera access; non-essential cookies/analytics/marketing; newsletters (MailPoet); US “sharing” opt-outs via our consent tools.
• Legitimate interests: site security (e.g., Wordfence, server logs), debugging and improving services, fraud prevention, protecting our rights, ensuring quality of fulfillment and customer experience. We balance these interests against your rights.
• Legal obligations: invoicing, tax and accounting; responding to lawful requests.

6. Payments

• Providers: WooPayments (Automattic/Stripe) and PayPal. Local methods such as iDEAL and Bancontact may be offered via these providers.
• What we receive: payment status and limited card/payment metadata. 3‑D Secure and tokenization are handled by the payment providers where applicable. Providers may perform fraud screening under their own privacy policies.
• Cookies/local storage: Stripe and PayPal set session/fraud-prevention cookies and local storage items that enable checkout and prevent abuse.

7. Shipping and fulfillment

• Sendcloud is used to generate labels, handle carriers, and provide tracking. We share the data required for delivery (name, address, contact details, parcel information). Carriers receive your contact data for notifications and delivery.

8. Marketing, analytics, and embedded content

• Email marketing: MailPoet (Automattic) for newsletters and promotions, only with your opt-in. You can unsubscribe at any time.
• Analytics/ads: Google Analytics 4 and Google Ads, Meta/Facebook Pixel. These tools operate under consent where required and may use cookies or similar identifiers. For some uses (e.g., advertising, reCAPTCHA), Google/Meta may act as independent controllers and may combine data with other information they have, in accordance with their policies.
• Source attribution: Sourcebuster JS (sbjs_* cookies) helps attribute traffic sources and campaigns (statistics).
• Content-related statistics: Elementor sets an anonymous statistics cookie to record content rendering/performance events.
• Live chat: Tidio may set state cookies/local storage to provide chat functionality.
• reCAPTCHA: Google reCAPTCHA protects forms from spam/abuse and collects device and usage data.
• Fonts and maps: Google Fonts (if loaded from Google’s CDN) and Google Maps (when embedded) can receive your IP address and browser details when these assets load.
• Social media embeds: Instagram embeds are loaded only with your consent and can set cookies that support personalized advertising by Instagram/Meta.

9. Cookies and consent management

• Consent tool: We use Complianz to manage regional consent and to block non-essential cookies (e.g., analytics, marketing) until you consent in jurisdictions where this is required (e.g., EU/EEA/UK, Brazil, South Africa).
• Categories used by our banner: Functional (strictly necessary), Preferences, Statistics, Marketing/Tracking. You can change or withdraw consent at any time via the cookie preferences link or banner settings.
• Cookie details: For the current list of cookies, their purposes, providers, and retention periods (including WooCommerce cart/session cookies; Sourcebuster JS; MailPoet; Automattic tk_qs; Elementor; Woo Multi-Currency; Wordfence; Google Fonts; Google reCAPTCHA; Google Maps; Stripe and PayPal storages; Tidio), see our Cookie Policy powered by Complianz. That Cookie Policy is the authoritative source for cookie names and lifetimes.
• Global Privacy Control (GPC) and US opt-out: We honor opt-out preferences for “sale”/“sharing” where supported by our consent platform and applicable law.

10. Disclosures to processors and service providers We do not sell your personal information. We disclose data to the following under data processing agreements where required; some act as independent controllers for certain activities:

• Hosting and backups: Combell; All‑in‑One WP Migration (ServMask) for backup functionality.
• Platform: WordPress/WooCommerce (Automattic).
• Payments: WooPayments (Automattic/Stripe) and PayPal (including their anti-fraud cookies and device signals).
• Shipping/logistics: Sendcloud and carriers it integrates.
• Security: Wordfence (application firewall/malware monitoring, security cookies).
• Analytics/ads: Google Analytics 4, Google Ads (Google), Meta/Facebook Pixel (Meta), Sourcebuster JS (first-party attribution).
• Email/comms: MailPoet (Automattic), transactional email, Tidio live chat, WhatsApp (if you contact us there).
• Abuse prevention and embeds: Google reCAPTCHA, Google Fonts, Google Maps, Instagram embeds.
• Other operational plugins: Elementor; Woo Multi‑Currency; additional plugin cookies noted in the Cookie Policy may be used for site operations and are often limited to logged-in admins.

Examples of provider privacy notices:

• Automattic (WooCommerce/MailPoet/WooPayments): https://automattic.com/privacy/
• Stripe: https://stripe.com/privacy
• PayPal: https://www.paypal.com/legalhub/privacy-full
• Sendcloud: https://www.sendcloud.com/privacy-policy/
• Tidio: https://www.tidio.com/privacy-policy/
• Google (Analytics/Ads/reCAPTCHA/Maps/Fonts): https://policies.google.com/privacy
• Meta (Facebook/Instagram): https://www.facebook.com/privacy/policy
• Wordfence: https://www.wordfence.com/privacy-policy/
• Combell: https://www.combell.com/en/about-combell/privacy-policy/
• ServMask: https://servmask.com/privacy

11. International data transfers Some providers (e.g., Automattic, Google, Meta, PayPal, Tidio) process data globally, including in the United States. For transfers from the EEA/UK, we rely on adequacy decisions where available and otherwise on EU Standard Contractual Clauses (and UK IDTA/addenda where required), plus supplementary safeguards as appropriate. When you load embedded content (e.g., Instagram, Google Maps) or remote assets (e.g., Google Fonts), your browser may connect directly to those services in the US or other countries.

12. Retention

• Orders, invoices, accounting records: retained for 7 years (Belgian law) or longer if required by law or to establish, exercise, or defend legal claims.
• Heartbeat design (SVG): retained with the order record for as long as we maintain order records to support manufacturing, warranty, and potential reorders. If you request erasure, we will assess and honor it where no overriding legal or contractual need requires retention; if deletion is not possible, we will restrict access and retain only what is strictly necessary.
• Customer accounts: retained while active and for a reasonable period of inactivity, then minimized or deleted unless we must retain for legal reasons.
• Communications/support: retained as needed for service quality and legal purposes, then minimized or deleted.
• Marketing lists: retained until you unsubscribe or after a period of inactivity; we periodically cleanse inactive contacts.
• Security/server logs: retained per Combell/Wordfence defaults for security and troubleshooting.
• Cookies: retained as described in the Complianz Cookie Policy and your consent settings.

13. Your rights

• EEA/UK (GDPR/UK GDPR): rights to access, rectification, erasure, restriction, portability, objection, and to withdraw consent without affecting prior processing. You may complain to your local authority or the Belgian Data Protection Authority.
• Brazil (LGPD): rights to confirmation, access, correction, anonymization/blocking/deletion of unnecessary or excessive data, portability, information about sharing, and revocation of consent. You may contact the ANPD.
• Canada (PIPEDA): rights to access and correct personal information and to withdraw consent subject to legal/contractual limits; you may contact the Office of the Privacy Commissioner of Canada.
• United States (CPRA/other state laws): rights to know/access, correct, delete, and to opt out of “sale” or “sharing” of personal information for cross‑context behavioral advertising. We do not sell data for money. We may “share” identifiers and internet/usage data for advertising/analytics when you consent to marketing cookies. You can opt out via the cookie preferences or a “Do Not Sell or Share My Personal Information” option; we also honor Global Privacy Control signals where supported. Non‑discrimination applies. Appeals: If we deny your request, reply with “Privacy Appeal” within 30 days and we will review.

How to exercise your rights

• Use our website contact form or email hello@artbeatjewels.com. For verification, we may ask you to confirm your email and provide your order number or other limited information. We will respond within statutory timelines (GDPR: one month; CPRA: 45 days).

14. Children Our website and products are intended for adults. We do not knowingly collect personal data from children under 13 (or under the applicable age in your jurisdiction without parental consent). If you believe a child has provided personal data, contact us and we will delete it where required.

15. Security We use HTTPS/TLS, Combell hosting and backups, and Wordfence firewall/malware monitoring. Admin access is restricted and protected by 2‑factor authentication. We apply least‑privilege access, keep WordPress/core/plugins updated, and monitor for vulnerabilities. While no system is 100% secure, we implement technical and organizational measures commensurate with risk.

16. Additional transparency about the heartbeat design flow

• What is uploaded: only a numeric waveform segment and indices (no images or video).
• Server behavior: the endpoint generates an SVG and returns it; it does not store the uploaded waveform or the SVG.
• What is stored: the returned SVG is saved with your order in WooCommerce, used solely to create your custom jewelry and maintain order records.
• No identification/health inferences: the waveform/design is not used for identification or medical purposes.
• Choice: you can opt not to use the camera tool. For custom heartbeat jewelry, the SVG is necessary to fulfill the order.

17. California “Notice at Collection” Categories collected include identifiers (e.g., name, email, phone, addresses, IP/device IDs), commercial information (orders), payment metadata (via providers), internet/usage data (cookies/analytics), approximate geolocation (from IP), and user‑generated design data (heartbeat SVG). Purposes: order fulfillment, customer support, security/fraud prevention, analytics and site improvement, and advertising where consented. Retention: as described in Retention and in the Cookie Policy for cookie lifetimes. Selling/sharing: we do not sell personal information for money. We may “share” for advertising/analytics when you consent to marketing cookies; opt out at any time via the cookie preferences or “Do Not Sell or Share My Personal Information.” We honor Global Privacy Control signals where supported.

18. International users By using our services from outside Belgium, you understand that your data may be processed in Belgium and other countries where our providers operate. Where required, we rely on adequacy decisions or SCCs (and UK IDTA/addenda) with supplementary measures.

19. Third‑party content and links If you choose to load embedded content (e.g., Instagram or Google Maps), those providers receive your IP address, URL, and device information and may set cookies as described in our Cookie Policy. Our site may link to third‑party sites; their privacy practices are independent.

20. Final sale of heartbeat jewelry Custom heartbeat jewelry is made to your specifications and is final sale (no cancellation/return/exchange) consistent with Article 16(c) of the EU Consumer Rights Directive 2011/83/EU.

21. Changes to this policy We will post updates with a new “Last Updated” date and notify you of material changes where required.

22. Contact Email: hello@artbeatjewels.com Or use our website contact form