Home Catalog Quality & COA About Contact Cart
Language
English Français Deutsch Español Italiano Português Nederlands Русский 中文 日本語 العربية
Browse Catalog
Free shipping over $59 · $7.99 US (48h) · $14.99 worldwide (5 days) · Discreet Packaging · Crypto Accepted
Privacy Policy

Minimal collection, strong protection.

We collect what we need to fulfil your order and answer your support questions — nothing else. We don't sell your data, we don't run third-party advertising trackers, and we delete what we no longer need on a documented schedule.

Read the full policy Exercise a data right
2026-05-10Last updated
10Numbered sections
0Third-party ad trackers
At a glance

Four things we promise.

The full text below covers regulatory specifics. These four are the operating principles that drive every choice we make about your data.

Minimal collection

We collect only what's needed to ship your order and answer your support questions: shipping address, email, order contents, and a payment-handler reference. No tracking pixels, no behavioural profiles, no marketing lists you didn't sign up for.

We don't sell your data

Your personal information is never sold, rented, or shared with marketing networks, data brokers, or third-party advertisers. The only third parties that ever see your data are the carriers (UPS, DHL) and the payment orchestrator — and only what they need to do their job.

Strong encryption

All data in transit is TLS-encrypted (HTTPS only, HSTS enforced). Sensitive data at rest is encrypted on disk. Payment card details never touch our servers — they're handled by certified processors. Database backups are encrypted and access-logged.

Your right to delete

You can ask us to delete your personal data at any time, and we will — within 30 days, except where we are legally required to retain order records (e.g., tax law, customs documentation). The data we retain by legal obligation is documented and time-bound.

Effective date · 2026-05-10 · Supersedes all previous versions

This policy describes how IGF1 Shop (the operator of igf1shop.com) collects, uses, stores, shares and protects personal data submitted by customers and visitors of the site. It is written to comply with the GDPR (EU/EEA), UK GDPR, CCPA (California) and equivalent international privacy frameworks where applicable.

01

What data we collect

We collect only the categories of data we genuinely need:

  • <strong>Order data:</strong> shipping name, address, contact email, phone (only if required by carrier), order contents, total amount, and any customs / declaration preferences you provide.
  • <strong>Payment data:</strong> a transaction reference from the payment orchestrator (we never see your wallet keys, card numbers, or bank details — those are handled by the processor).
  • <strong>Communication data:</strong> any messages you send us via the contact form, email, or order notes — and our replies.
  • <strong>Technical data:</strong> minimal server access logs (IP address, user-agent, page URL, timestamp) retained for security and abuse-detection purposes only.

We do <strong>not</strong> collect: behavioural advertising profiles, cross-site tracking identifiers, biometric data, or any sensitive special-category data under GDPR Article 9.

02

How we use your data

We use your personal data only for the purposes for which it was collected:

  • To process and fulfil your order, including dispatch, customs declaration, and tracking
  • To communicate with you about the status of your order or any issues that arise
  • To answer support questions you send via the contact form
  • To meet legal and tax obligations (invoice retention, customs records)
  • To detect and prevent fraud, abuse, or unauthorised access

We do not use your data to send marketing emails unless you have explicitly opted in. We do not profile you for behavioural advertising. We do not run any A/B testing tied to identifiable users.

03

Cookies and analytics

The site uses a strict minimum of cookies:

  • <strong>Strictly necessary cookies:</strong> session cookies for cart state, CSRF protection, and login (where used). These are technically required for the site to function and cannot be disabled.
  • <strong>No analytics or tracking cookies by default.</strong> We don't run Google Analytics, Facebook Pixel, or any third-party behavioural tracker.

If we ever introduce optional analytics, it will be a privacy-friendly self-hosted aggregator (e.g., Plausible, server-side) with no cross-site identifiers, and a banner will request your consent before any non-essential cookie is set.

04

How we share data

We share your data only with third parties that need it to deliver your order. These are limited to:

  • <strong>Carriers (UPS, DHL):</strong> shipping name, address, phone (if requested by the carrier), package weight and customs description. Required to print the label and clear customs.
  • <strong>Payment orchestrator:</strong> transaction amount and order reference. The orchestrator processes the payment and returns a confirmation; we do not custody payment instruments.
  • <strong>Independent contract lab:</strong> shares no customer data — works exclusively with anonymised lot IDs from our synthesis chain.

We do not share your data with marketers, data brokers, advertising networks or analytics companies. We share with law-enforcement only when compelled by a valid, jurisdictionally-binding legal order.

05

Data retention

We retain personal data only as long as necessary for the purposes for which it was collected, plus any legally required retention period:

  • <strong>Order records:</strong> 7 years (tax and customs compliance).
  • <strong>Customer support correspondence:</strong> 24 months from last contact, then deleted.
  • <strong>Server access logs:</strong> 90 days, then auto-purged.
  • <strong>Payment processor references:</strong> retained as long as the order record (no actual payment data ever stored).

You can request deletion of any data not subject to legal retention at any time (see section 07).

06

International data transfers

IGF1 Shop operates from the EU. When your order ships internationally, the carrier (UPS, DHL) may transfer the shipping address across borders to deliver the package — this is unavoidable and intrinsic to international shipping.

Our payment orchestrator and infrastructure providers may operate in or transfer data through jurisdictions outside the EU/EEA. Where this is the case, we rely on adequacy decisions, Standard Contractual Clauses (SCCs), or equivalent safeguards under GDPR Chapter V.

For institutional buyers in jurisdictions with strict data-localisation requirements, write to us — we can document the data-flow path for your specific order on request.

07

Your rights

Under GDPR, UK GDPR, CCPA and equivalent frameworks you have the right to:

  • <strong>Access</strong> the personal data we hold about you, in a portable format
  • <strong>Rectify</strong> inaccurate data
  • <strong>Erase</strong> your data (subject to legal retention obligations described in section 05)
  • <strong>Restrict</strong> processing of your data in certain circumstances
  • <strong>Object</strong> to processing based on legitimate interests
  • <strong>Withdraw consent</strong> for any processing based on consent
  • <strong>Lodge a complaint</strong> with your national data-protection authority

To exercise any of these rights, write to us via the contact form with the subject line "Privacy request". We respond within 30 days, faster on uncomplicated requests.

08

Security

We protect your data with appropriate technical and organisational measures:

  • <strong>TLS encryption</strong> on all site traffic (HTTPS-only, HSTS enforced)
  • <strong>Encrypted database backups</strong> with restricted access
  • <strong>Principle of least privilege</strong> for staff and infrastructure access
  • <strong>Multi-factor authentication</strong> on all administrative interfaces
  • <strong>Server hardening</strong> with monitoring and intrusion detection
  • <strong>No payment data ever stored</strong> on our infrastructure

No system is perfectly secure. If we ever experience a personal-data breach affecting you, we will notify you and the relevant supervisory authority within 72 hours of becoming aware, as required by GDPR Article 33–34.

09

Children's privacy

The site, the catalogue, and the products are not directed at children. We do not knowingly collect personal data from anyone under the age of 18 (or the local age of majority, whichever is greater). If we become aware that personal data of a minor has been submitted, we will delete it promptly.

If you are a parent or guardian and become aware that your child has submitted personal data to us, write to us via the contact form and we will remove it.

10

Changes to this policy & contact

We may update this policy from time to time. The updated version will be posted on this page with a revised effective date at the top. Material changes will be summarised in the order-confirmation footer of subsequent orders for at least 30 days, and where required by law we will request your renewed consent.

For any privacy-related question, complaint, or rights request, write to us via the contact form with the subject "Privacy request". You also have the right to lodge a complaint with the data-protection authority of your country of residence.