Privacy Policy
Last updated: February 2026
1. Data Controller
The data controller is Mystic Revelation. For contact details, see our Imprint page. If you have questions about data processing, contact us through our Contact page.
2. Data We Collect
We collect the following personal data:
- Order data: Name, email address, phone number, shipping and billing address — for order processing and delivery.
- Account data: Email address and password (hashed) — if you create an account.
- Payment data: Processed by PayU (we do not store card numbers or bank details).
- Communication data: Name, email, and message content when you use our contact form.
- Newsletter data: Email address — only with your explicit consent.
- Technical data: IP address, browser type, device information — collected automatically for security and analytics (only with cookie consent).
3. Legal Basis for Processing (GDPR Art. 6)
- Contract performance (Art. 6(1)(b)): Processing order data is necessary to fulfill your purchase contract.
- Legal obligation (Art. 6(1)(c)): We retain order and invoice data as required by tax and accounting laws.
- Consent (Art. 6(1)(a)): Newsletter subscription, marketing cookies, and analytics cookies are based on your explicit consent, which you may withdraw at any time.
- Legitimate interest (Art. 6(1)(f)): Website security and fraud prevention.
4. Data Retention
- Order data: Retained for 5 years after the order for legal and tax compliance.
- Account data: Retained until you delete your account.
- Newsletter data: Retained until you unsubscribe.
- Contact form data: Retained for 12 months after resolution of your inquiry.
- Technical logs: Retained for a maximum of 90 days.
5. Third-Party Processors
We share your data with the following third-party processors, all of whom process data in accordance with GDPR:
- Supabase (USA, EU data region): Database hosting and authentication. Data stored in EU region.
- PayU (Poland): Payment processing. Subject to PayU's own privacy policy.
- Resend (USA): Transactional and marketing emails. Standard contractual clauses apply.
6. International Data Transfers
Some processors are located outside the EU/EEA. Transfers are safeguarded by EU Standard Contractual Clauses (SCCs) or equivalent measures per GDPR Chapter V.
7. Your Rights (GDPR Art. 15–22)
You have the right to:
- Access: Request a copy of your personal data.
- Rectification: Correct inaccurate or incomplete data.
- Erasure: Request deletion of your data ("right to be forgotten"), subject to legal retention obligations.
- Restriction: Request restricted processing of your data.
- Portability: Receive your data in a structured, machine-readable format.
- Objection: Object to processing based on legitimate interests.
- Withdraw consent: Withdraw any previously given consent at any time without affecting the lawfulness of processing done before withdrawal.
To exercise these rights, contact us through our Contact page. We will respond within 30 days.
8. Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority. In Poland, this is the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warszawa.
9. Cookies
We use cookies on our website. For detailed information about the cookies we use and your choices, see our Cookie Policy.
10. Changes to This Policy
We may update this Privacy Policy from time to time. The updated version will be posted on this page with a new "Last updated" date.