Privacy Policy
Effective Date: [TO BE FILLED ON LAUNCH DAY — YYYY-MM-DD]
Last updated: [TO BE FILLED ON LAUNCH DAY — YYYY-MM-DD]
This Privacy Policy describes how UNISHOP LLC ("we", "us", "our", or "GIGI FRANCE") collects, uses, discloses, and protects personal information when you visit, browse, or purchase from gigifrance.com (the "Site"). It applies to all visitors and customers in the United States, with specific provisions for residents of California, Colorado, Connecticut, Utah, Virginia, and other states with applicable comprehensive privacy laws, as well as a courtesy section for visitors from the European Economic Area (EEA) and the United Kingdom.
By using the Site, you acknowledge that you have read and understood this Privacy Policy.
1. Who we are (Data Controller)
| Legal entity | UNISHOP LLC, a New Mexico Limited Liability Company |
| Registered address | 102 Gold Ave SW #399, Albuquerque, NM 87102, United States |
| Trademark used | GIGI FRANCE® (registered with the United States Patent and Trademark Office) |
| Website | https://gigifrance.com |
| Contact email for privacy matters | contact@gigifrance.com |
UNISHOP LLC is the entity responsible for processing your personal information under this Privacy Policy. We are not legally required to designate a Data Protection Officer (DPO) under U.S. law. Privacy-related questions can be addressed to the contact email above.
2. Categories of personal information we collect
We collect only the personal information necessary to operate our Site, process your orders, communicate with you, and comply with our legal obligations. We group the data we collect into four categories.
2.1 Browsing and analytics data (all visitors)
When you browse the Site, we automatically collect:
- IP address (truncated for analytics purposes)
- Browser type and version
- Operating system
- Approximate geographic location (country and state level, derived from IP)
- Pages visited, time spent, referrer URL
- Device type (desktop, mobile, tablet)
This data is collected through our privacy-friendly analytics provider Plausible, which does not use cookies and does not track individuals across websites. See Section 9 (Cookies and tracking technologies) for details.
2.2 Order and customer data (purchasers)
When you place an order, we collect:
- Full name
- Shipping address (street, city, state, ZIP code)
- Billing address (if different)
- Email address
- Phone number (if voluntarily provided for shipping coordination)
- Order content (SKUs purchased, quantities, prices)
- Order date and order identifier
- Payment confirmation token from Stripe (we do not store credit card numbers, CVV, or full bank details — these are handled exclusively by Stripe under PCI-DSS compliance)
2.3 Contact form and support correspondence
When you contact us via email at contact@gigifrance.com or through any contact form on the Site, we collect:
- Your name
- Your email address
- The content of your message
- Any attached files (if applicable)
2.4 Admin account data (internal staff only)
The administrative interface of the Site (/admin) is restricted to a single authorized user (the company operator). We collect for this admin account:
- Email address
- Hashed password (using bcrypt, never stored in plain text)
- Session tokens (encrypted, short-lived)
- Login timestamps and IP addresses (for security audit)
This category does not apply to customers or visitors.
3. Purposes and legal bases for processing
We process personal information for the following purposes:
| Purpose | Categories used | Legal basis (U.S. / EU) |
|---|---|---|
| Display the Site and ensure technical functioning | Browsing data | Legitimate interest / Performance of contract (browse-wrap) |
| Measure aggregated site traffic | Browsing data (anonymized) | Legitimate interest |
| Process and fulfill your order | Order and customer data | Performance of contract |
| Send order confirmation, shipping notifications, and warranty information | Order data, email | Performance of contract |
| Respond to your inquiries | Contact form data | Performance of contract / Legitimate interest |
| Issue refunds and handle warranty claims | Order data | Performance of contract / Legal obligation |
| Comply with tax, accounting, and consumer protection laws | Order data | Legal obligation |
| Prevent fraud and abuse | Browsing data, order data | Legitimate interest |
| Secure the Site and the admin interface | Admin data, browsing data | Legitimate interest |
We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We do not use your personal information to train any machine learning model, including large language models.
4. Third parties and sub-processors
To operate the Site, we work with a small number of carefully selected service providers who act as sub-processors. They process personal information only on our instructions, under contract, and only for the purpose stated below.
| Sub-processor | Role | Data shared | Location | Safeguards |
|---|---|---|---|---|
| Stripe, Inc. | Payment processing, sales tax calculation | Name, billing address, email, payment data (handled directly by Stripe — we never see card numbers) | USA (PCI-DSS Level 1) | Stripe Privacy Policy, PCI-DSS compliance |
| Amazon.com Services LLC (Multi-Channel Fulfillment) | Order fulfillment and shipping | Name, shipping address, order content, phone (if provided) | USA | Amazon MCF Terms |
| Resend (Resend.com Inc.) | Transactional emails (order confirmation, shipping notifications) | Email address, order data shown in email body | USA | Resend DPA |
| Plausible Insights OÜ | Privacy-friendly analytics (no cookies, no personal identifiers) | Aggregated, anonymous traffic data | European Union (Germany hosting) | Plausible DPA; GDPR-compliant by design |
| Hostinger International Ltd. | Web hosting (VPS) | All Site data stored on the server | Hosting region: United States (or as configured) | Hostinger Terms; access restricted by SSH key |
| Sentry (Functional Software Inc.) | Server-side error monitoring (server logs only; no browser SDK) | Stack traces, server-side error context (may incidentally include URL paths or request data) | USA | Sentry DPA |
| Backblaze, Inc. | Encrypted backups of database (orders, accounts) | Encrypted backup files | USA | AES-256 encryption at rest |
We do not share personal information with advertising networks, data brokers, social media platforms, or any other third party for marketing purposes. We do not participate in "data sales" as defined under California, Colorado, Connecticut, Virginia, or Utah privacy law.
In the rare event of a legal request from a competent authority (subpoena, court order, valid government request), we will comply with applicable law and, where legally permitted, notify the affected user.
5. International data transfers
UNISHOP LLC is a U.S. entity, and all primary data processing takes place in the United States. Some sub-processors (Plausible) host data in the European Union, which we consider to offer protection equivalent to or higher than U.S. standards. For visitors located in the European Economic Area or the United Kingdom, transfers to U.S.-based sub-processors are governed by the Standard Contractual Clauses (SCCs) approved by the European Commission, or by sub-processors' certifications under the EU-U.S. Data Privacy Framework where applicable.
6. How long we retain personal information
We retain personal information only for as long as necessary to fulfill the purpose for which it was collected, or as required by law.
| Data category | Retention period |
|---|---|
| Browsing and analytics data (Plausible) | Aggregated, retained 24 months max |
| Server logs (Pino, raw IP) | 14 days |
| Order data (name, address, items, amount) | 7 years (U.S. tax and accounting recordkeeping standard; CCPA-compliant) |
| Stripe payment tokens | As long as required by Stripe under PCI-DSS standards (typically 7 years post-transaction) |
| Contact form correspondence | 24 months from last interaction, unless related to a warranty claim (then 7 years) |
| Warranty claim data | 7 years from claim resolution |
| Admin account data | Active duration of the operator role + 1 year |
| Backups (Backblaze) | 30 days (daily); 12 months (weekly) |
After retention periods expire, data is permanently deleted or anonymized.
7. Your rights
Depending on your state of residence, you have the following rights under U.S. state privacy laws. These rights apply free of charge and we will respond within the time limit set by applicable law (typically 45 days from receipt, extendable once by an additional 45 days when reasonably necessary).
7.1 Universal rights (all visitors)
- Right to know / access — request a copy of the personal information we hold about you
- Right to correct — request that we correct inaccurate personal information
- Right to delete — request that we delete your personal information (subject to legal retention obligations such as tax records)
- Right to opt out of sale or share — although we do not sell or share personal information for behavioral advertising, you may submit this request as a formal record
- Right to non-discrimination — we will not deny service, charge different prices, or provide a different quality of service because you exercised your privacy rights
7.2 Additional rights for California residents (CCPA / CPRA)
- Right to know categories and specific pieces of personal information collected
- Right to know categories of sources and categories of third parties with whom information has been shared
- Right to limit use of sensitive personal information — we do not knowingly collect sensitive personal information (as defined under CPRA) in normal operation
- Right to opt out of automated decision-making — we do not use automated decision-making with legal or similarly significant effects
- Right to recognize Global Privacy Control (GPC) signals — our Site automatically honors GPC signals for opt-out requests where applicable
7.3 Additional rights for Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, and other applicable state residents
The rights granted by each state's comprehensive privacy law are substantially similar to those listed above. You may exercise your applicable rights by contacting us using the methods in Section 7.5.
For Connecticut residents (effective July 1, 2026): we confirm that we do not collect, use, or sell personal data for the purpose of training large language models.
7.4 Rights for EEA / UK visitors (courtesy notice)
If you visit our Site from the European Economic Area or the United Kingdom, you have rights under the General Data Protection Regulation (GDPR) and UK GDPR, including: access, rectification, erasure, restriction of processing, data portability, and the right to lodge a complaint with your local supervisory authority. We will honor these requests on a best-effort basis even though our primary jurisdiction is the United States.
7.5 How to exercise your rights
Send an email to contact@gigifrance.com with the subject line "Privacy Request — [your right requested]", including:
- Your full name
- Your email address used on the Site (if you placed an order)
- Your state of residence (so we can confirm which law applies)
- A clear description of the right you wish to exercise
We will verify your identity by responding from the email address associated with your order or by requesting confirmation of order details. We do not require excessive identity verification — only enough to ensure we don't release someone else's data.
You may also designate an authorized agent to submit a request on your behalf. We will require written authorization signed by you and verification of the agent's identity.
7.6 Appeal process
If we decline to act on your request, you may appeal by emailing contact@gigifrance.com with the subject "Privacy Appeal". We will respond within 60 days. If your appeal is denied, you may file a complaint with your state's Attorney General or, for California residents, with the California Privacy Protection Agency at https://cppa.ca.gov.
8. Do Not Sell or Share My Personal Information
UNISHOP LLC does not sell personal information for monetary or other valuable consideration, and does not share personal information for cross-context behavioral advertising. We confirm this status under the CCPA, CPRA, and equivalent state laws.
You can confirm this preference by sending an email to contact@gigifrance.com with the subject line "Do Not Sell or Share — Confirmation". We will register your request as a formal record. Since we do not engage in sales or behavioral sharing, no operational change is required, but we will provide written confirmation of your status within 15 business days.
A persistent link titled "Do Not Sell or Share My Personal Information" is provided in the Site footer for direct access to this confirmation process.
9. Cookies and tracking technologies
The Site uses a minimal number of cookies and tracking technologies. We do not use third-party advertising cookies, social media tracking pixels, behavioral retargeting, or any other tracking technology designed to follow you across the web.
9.1 Strictly necessary cookies
These cookies are essential for the Site to function. They cannot be disabled without breaking core functionality.
| Cookie | Purpose | Provider | Duration |
|---|---|---|---|
| `__Host-next-auth.csrf-token` | Cross-site request forgery protection on the admin login | NextAuth (self-hosted) | Session |
| `__Secure-next-auth.session-token` | Admin authentication session | NextAuth (self-hosted) | 30 days max |
| `cart-id` | Cart persistence for guest checkout | First-party | 7 days |
| Stripe Checkout cookies | Set on Stripe's domain only during the checkout redirect (PCI-secure flow) | Stripe | Session |
9.2 Analytics (cookieless)
We use Plausible Analytics for website usage statistics. Plausible does not set any cookies, does not collect personal identifiers, and does not track users across sites or sessions. All metrics are aggregated and anonymous. See https://plausible.io/privacy-focused-web-analytics for details.
9.3 Cookie banner
Because we use only strictly necessary cookies and a cookieless analytics solution, we do not display an intrusive cookie consent banner. A discreet notice in the footer of the Site informs visitors of this minimal cookie usage and links to this Privacy Policy and to the Cookie Policy.
This approach is consistent with the European Court of Justice and CNIL guidance: strictly necessary cookies do not require consent. We aim for transparency over friction.
For full details, see the Cookie Policy.
10. Security
We implement reasonable administrative, technical, and physical safeguards to protect personal information, including:
- HTTPS / TLS 1.2+ encryption on all Site traffic
- Bcrypt hashing (rounds = 12) for the admin password
- HTTP security headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options)
- Rate limiting on the login endpoint to deter brute-force attacks
- Encrypted backups (AES-256 at rest) on Backblaze B2
- Server access restricted to SSH key authentication only
- Logging of authentication attempts with anomaly detection
- Stripe payment flow (PCI-DSS Level 1; no payment card data ever touches our server)
- Sub-processors selected for their security posture (Stripe, Resend, Amazon, Plausible, Hostinger)
No system can be guaranteed 100% secure. We commit to notifying affected users and the appropriate regulators promptly in the event of a personal data breach, in accordance with applicable state and federal laws.
11. Children's privacy
The Site is intended for adults aged 18 and older. We do not knowingly collect personal information from children under 13 years of age, in compliance with the Children's Online Privacy Protection Act (COPPA). We also do not knowingly market or sell to minors under the age of 16 without verifiable parental consent, in accordance with applicable state laws.
If you believe we have inadvertently collected personal information from a minor, please contact us at contact@gigifrance.com and we will delete it promptly.
12. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, in applicable law, or in the services we use. When we make material changes, we will:
- Update the "Effective Date" and "Last updated" at the top of this page
- Post the updated policy at https://gigifrance.com/privacy at least 14 days before the change takes effect
- For active customers, send a notice to the email address used for orders if the change materially affects how their data is used
Your continued use of the Site after the effective date of changes constitutes acceptance of the updated policy.
13. Contact
For any privacy-related question, request, or complaint:
Email: contact@gigifrance.com (subject line: "Privacy")
Postal mail: UNISHOP LLC, 102 Gold Ave SW #399, Albuquerque, NM 87102, United States