Privacy policy

Who We Are

Brōta Riot ("we", "our", "us") is a color-forward maximalist home decor brand operated by:

Legal Entity Name: Rodrigo Ávila Luna · persona física con actividad empresarial

Registered Address: México central · CP 76269

Tax ID: AILR8602055R9

Email Privacy Officer: privacy@brota-home.com

Website: https://brota-home.com

What Data We Collect

When you browse our site

  • IP address (anonymized) · for analytics + fraud prevention
  • Browser type · device · OS · for site optimization
  • Pages visited · time spent · clicks · for analytics (Google Analytics 4, Pinterest Tag, Shopify native)
  • Cookies (see Cookie section below)
  • Referrer URL (where you came from)

When you place an order

  • Name · Email · Phone
  • Shipping address · Billing address
  • Payment method details (processed by Shopify Payments / PayPal / etc. — we never see full card numbers)
  • Order history
  • Customer notes / requests

When you subscribe to our newsletter

  • Email · First name (optional)
  • Browsing behavior for personalization (via Klaviyo)
  • Email engagement (opens · clicks)

When you contact customer support

  • Email · Name · Order number
  • Conversation content (kept for support quality + reference)

Legal Basis for Processing (GDPR · EU customers)

| Data | Legal basis |
| --- | --- |
| Order processing | Contractual necessity (Art. 6(1)(b) GDPR) |
| Shipping fulfillment | Contractual necessity |
| Customer support | Legitimate interest (Art. 6(1)(f)) |
| Marketing emails | Consent (Art. 6(1)(a)) · opt-in only · revocable anytime |
| Analytics cookies | Consent (Art. 6(1)(a)) · via cookie banner |
| Fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |

How We Use Your Data

1. To process and fulfill your orders (shipping, payment, customer service)

2. To send transactional emails (order confirmation, shipping notification, refund updates)

3. To send marketing emails (only if you opt in · newsletter, new product launches, sales)

4. To improve our site and products (analytics, A/B testing)

5. To prevent fraud (anonymized risk scoring)

6. To comply with legal obligations (tax records, customs, dispute resolution)

We do NOT:

  • Sell your data to third parties
  • Share your data with advertisers (beyond cookie consent for retargeting · revocable)
  • Use your data for AI training without explicit consent

Who We Share Data With

We share necessary data with carefully selected service providers:

| Service | Purpose | Data shared |
| --- | --- | --- |
| Shopify | Platform · payments · order management | Name · email · address · order details |
| Shopify Payments / PayPal / Stripe | Payment processing | Payment details (we never see full card) |
| Klaviyo | Email marketing (if you opt-in) | Email · name · purchase history |
| CJ Dropshipping / Spocket | Order fulfillment | Name · shipping address · items ordered |
| US/EU shipping carriers (USPS · UPS · DHL · etc.) | Delivery | Name · shipping address |
| Google Analytics | Anonymized analytics | Anonymized IP · browsing behavior |
| Pinterest Tag | Conversion tracking · retargeting (if consented) | Anonymized browsing + conversion events |
| Customer support tools (Shopify Inbox) | Customer service | Email · conversation content |
| Legal counsel · accounting | Compliance | Aggregated revenue data, tax records |

All providers are bound by GDPR-compatible data processing agreements (DPAs).

Data Transfers Outside EU

Some of our service providers are based in the United States (Shopify, Klaviyo, Google). Transfers comply with:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • EU-US Data Privacy Framework where applicable
  • Adequacy decisions where available

You can request copies of these safeguards by emailing privacy@brota-home.com.

Cookies

We use cookies (small text files) for:

1. Strictly necessary (always on) · cart functionality, security, language preference

2. Functional (optional) · remembered preferences, account info

3. Analytics (optional) · Google Analytics, Shopify analytics

4. Marketing (optional) · Pinterest Tag, email retargeting via Klaviyo

Legal basis for cookies (GDPR Art. 6(1)(a) · ePrivacy Directive):

  • Strictly necessary cookies: legitimate interest (no consent required)
  • Functional/Analytics/Marketing cookies: explicit consent via banner before any tracking activates (Pinterest Tag · Google Analytics · Klaviyo · Meta pixel)

You can manage cookie preferences via the cookie banner (first visit) or anytime via the "Cookie Preferences" link in the footer. Rejecting analytics/marketing cookies will not affect your ability to shop. We log your consent choices for compliance audit.

For California residents: you have the right to opt out of the "sale" of personal information. Use the "Do Not Sell My Personal Information" link in the footer or visit our Privacy Choices page.

Your Rights (GDPR · EU customers)

You have the right to:

  • Access your personal data (Art. 15)
  • Rectify inaccurate data (Art. 16)
  • Erase your data ("right to be forgotten", Art. 17)
  • Restrict processing (Art. 18)
  • Data portability (Art. 20)
  • Object to processing (Art. 21)
  • Withdraw consent for marketing (Art. 7(3))
  • Lodge complaints with your supervisory authority (Spain: AEPD · UK: ICO · etc.)

To exercise any right, email privacy@brota-home.com. We respond within 30 days.

Your Rights (LFPDPPP · Mexico customers · ARCO rights)

You have the right to:

  • Acceso (access your data)
  • Rectificación (correct inaccurate data)
  • Cancelación (delete your data)
  • Oposición (object to specific uses)

To exercise ARCO rights, email privacy@brota-home.com with a copy of your identification. We respond within 20 business days per LFPDPPP requirements.

Your Rights (CCPA · California residents)

You have the right to:

  • Know what data we collect about you
  • Delete your data
  • Opt out of the "sale" of personal information (via /pages/data-sharing-opt-out)
  • Non-discrimination for exercising privacy rights

Data Retention

| Data type | Retention period |
| --- | --- |
| Order records (tax obligation) | 5-10 years (MX · CFF Art. 30 + SAT statute of limitations) · 7 years (USA) · 6 years (EU) |
| Customer support conversations | 2 years after last contact |
| Email marketing subscribers | Until unsubscribe · then 90 days backup |
| Anonymized analytics | 14 months (GA4 default) |
| Account data (if you created an account) | Until account deletion · then 30 days backup |
| Cookies | 30 days to 12 months depending on type |

Children's Privacy

Brōta Riot is not directed at children under 16. We do not knowingly collect data from children. If you believe we have collected data from a minor, email privacy@brota-home.com and we'll delete it immediately.

Data Security

We protect your data with:

  • HTTPS encryption (SSL/TLS · validated by Shopify)
  • PCI DSS Level 1 compliant payment processing (via Shopify Payments)
  • Encrypted databases at rest (AWS / Shopify infrastructure)
  • Access controls limiting employee data access
  • Regular security audits
  • Incident response plan (data breach notification within 72 hours per GDPR Art. 33)

Changes to This Policy

We may update this policy. Material changes will be:

  • Posted on this page with updated "Last updated" date
  • Notified to subscribers via email if changes are significant
  • Effective 30 days after posting (unless required immediately by law)

Contact

Privacy Officer: privacy@brota-home.com

General Legal: legal@brota-home.com

Postal Address: México central · CP 76269