Privacy Policy
Last updated: April 2026
Vox Arcana ("we", "us", "our") operates the website voxarcana.myshopify.com (the "Site"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you visit the Site or make a purchase.
1. Information We Collect
Information you provide: Name, email address, shipping address, billing address, phone number, and payment information when you place an order or create an account.
Information collected automatically: IP address, browser type, operating system, referring URLs, pages viewed, time spent on pages, and cookies. This data is collected through standard web technologies (cookies, log files, and similar technologies).
2. How We Use Your Information
- To process and fulfil your orders
- To communicate with you about your order (confirmations, shipping updates)
- To respond to your enquiries and provide customer support
- To send marketing communications (only with your explicit consent)
- To improve our website, products, and services
- To comply with legal obligations
- To prevent fraud and maintain the security of our Site
3. Legal Basis for Processing (GDPR)
We process your personal data on the following legal bases:
- Performance of a contract: Processing necessary to fulfil your order
- Legitimate interests: Improving our services, preventing fraud
- Consent: Marketing communications (you may withdraw consent at any time)
- Legal obligation: Tax, accounting, and regulatory compliance
4. Sharing Your Information
We share your information only with:
- Payment processors: Stripe, PayPal, Shopify Payments — to process transactions securely
- Shipping carriers: To deliver your orders
- Email service providers: To send order confirmations and, where consented, marketing emails
- Analytics providers: Google Analytics (anonymised data)
We do not sell, rent, or trade your personal information to third parties.
5. Data Retention
We retain your personal data for as long as necessary to fulfil the purposes described in this policy, unless a longer retention period is required by law (e.g., tax records: 10 years under New Mexico law). You may request deletion of your data at any time (see Section 7).
6. Cookies
We use cookies for:
- Essential cookies: Required for the Site to function (cart, session, checkout)
- Analytics cookies: To understand how visitors use the Site (Google Analytics)
- Marketing cookies: Only with your consent, for personalised advertising
You can manage cookie preferences through your browser settings or our cookie consent banner.
7. Your Rights
EU/EEA residents (GDPR): You have the right to access, correct, delete, restrict processing of, and port your personal data. You also have the right to object to processing and to withdraw consent. Contact us at support@vox-arcana.org to exercise these rights.
California residents (CCPA): You have the right to know what personal information we collect, request deletion, and opt out of the sale of personal information. We do not sell personal information.
New Mexico residents (FADP): You have the right to access, correct, and delete your personal data under the United States federal and state privacy laws (including CCPA/CPRA where applicable).
8. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including SSL encryption for all data transmission, secure payment processing through PCI-DSS compliant providers, and restricted access to personal data.
9. International Transfers
Your data may be transferred to and processed in countries outside your country of residence (including the United States for payment processing). We ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission.
10. Children's Privacy
Our Site is not directed to children under 16. We do not knowingly collect personal information from children. If you believe we have inadvertently collected such information, please contact us for immediate deletion.
11. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top indicates when the latest changes were made. We encourage you to review this policy periodically.
12. Contact Us
For privacy-related enquiries:
Vox Arcana
8206 Louisiana Blvd NE, No. Suite A, Albuquerque, NM 87113
Email: support@vox-arcana.org
13. Supervisory Authority
If you believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local data protection authority. For New Mexico: Office of the Privacy Commissioner for Personal Data (PCPD). For the EU: Your local Data Protection Authority.
Your data protection rights
If you are located in the European Union, the European Economic Area, the United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR / UK-GDPR / Swiss DPA):
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure / "right to be forgotten" (Art. 17)
- Right to restrict processing (Art. 18)
- Right to data portability (Art. 20)
- Right to object (Art. 21)
- Right not to be subject to automated decision-making (Art. 22)
- Right to lodge a complaint with a supervisory authority
To exercise any of these rights, please submit a request via our Privacy Request form, or email privacy@vox-arcana.org. We will respond within 30 days as required by GDPR Article 12(3); this may be extended once by a further 60 days where necessary, taking into account the complexity and number of requests, with written justification.
International data transfers
New Mexico does not have an EU adequacy decision under GDPR Article 45. Where personal data is transferred from the European Union to Vox Arcana LLC in New Mexico, or onwards to processors outside the EU, the transfer is conducted under the European Commission's Standard Contractual Clauses (Decision 2021/914) or other lawful transfer mechanism under Article 46.
California (CCPA / CPRA) and other US state privacy laws
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). These include the rights to know, delete, correct, opt out of sale or sharing of personal information, and limit the use of sensitive personal information. To exercise these rights, please use our Your Privacy Choices link or submit a Privacy Request.
Equivalent rights are available to residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), Oregon (OCPA), Montana, Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Minnesota, Maryland, Tennessee, Rhode Island, Indiana, and Kentucky, subject to the specific provisions of each law.
Global Privacy Control (GPC)
We honour the Global Privacy Control (GPC) signal as a valid request to opt out of the sale or sharing of personal information for residents of California, Colorado, Connecticut, Oregon, New Jersey, Delaware, and Maryland. When your browser sends the Sec-GPC: 1 header or equivalent signal, our consent management platform records and applies the opt-out automatically.
US state privacy laws (CCPA/CPRA)
If you are located in New Mexico, your personal data is also protected under the Personal Data (Privacy) Ordinance (Cap. 486) ("state privacy laws"). You have rights of access and correction under the state privacy laws, exercisable by emailing privacy@vox-arcana.org.
Children
Our services are not directed to anyone under 16. We do not knowingly collect personal data from anyone under 16. If you become aware that a child has provided us with personal data, please contact us so we can delete it. The "child" threshold may be lower in some EU Member States (e.g. 13 in BE/DE/PT, 14 in IT/ES/AT, 15 in FR); in all cases, we apply the strictest standard (16) by default.
Third-party processors (full schedule)
The processors listed below receive personal data on our behalf under data processing agreements. Categories and purposes are described above; this section names each processor explicitly:
- Shopify Inc. — order processing, hosting, payments orchestration (Canada/EU/US data centres; SCCs)
- Stripe Payments — card processing (US/EU; SCCs)
- Klaviyo, Inc. — email and SMS marketing (US; SCCs)
- ActiveCampaign LLC — automation and CRM (US; SCCs)
- Meta Platforms (Facebook, Instagram pixels and Conversions API) — advertising measurement (US/EU; SCCs)
- Google LLC — Google Analytics 4 and Google Ads (US/EU; SCCs)
- Cloudflare, Inc. — CDN, DNS, email routing (US/EU; SCCs)
- Postmark (ActiveCampaign LLC) — transactional email (US; SCCs)
- Anthropic PBC — content generation tooling (US; SCCs; no customer PII processed)
- Make.com (Celonis) — workflow orchestration (EU)
Personal-data breach notification (GDPR Article 33)
Where we determine that a personal-data breach is likely to result in risk to the rights and freedoms of natural persons, we notify the lead supervisory authority within 72 hours of becoming aware of the breach, in line with Article 33 GDPR. Where the risk is high, affected data subjects are notified without undue delay under Article 34. Internal escalation procedures, severity classification, and a 72-hour clock owner are documented in our incident-response policy.
California Privacy Rights Act — request response time
If you submit a request to opt out of sale or sharing of personal information, to limit the use of sensitive personal information, or to exercise any other right under the California Consumer Privacy Act / California Privacy Rights Act, we will action your request within 15 business days of receipt, in line with §1798.135(c)(4) of the CCPA/CPRA. Requests for access, deletion, and correction are actioned within 45 calendar days, extendable once by an additional 45 days where reasonably necessary, with notice.