Privacy Policy

Cherish Her Data Protection Policy

 

By using the cherisherbox.com website (hereinafter referred to as the "Website"), or registering as a user, you entrust GULI OÜ (hereinafter referred to as the "Company" or "we") with your personal data and grant us the right to process it in accordance with this policy (hereinafter referred to as the "Policy") and the Terms and Conditions of Purchase and Sale of Goods in the Cherish Her online store (hereinafter referred to as the "Terms"), as specified in scope, methods, and purposes.

If you do not agree with the Terms, this Policy, or certain individual conditions, we may not be able to provide you access to all or some of the services offered by the Company (hereinafter referred to as the "Services").

This Policy provides all the information regarding what data we collect and process, how we use the data, and how long we retain it, among other details. This information is important—we expect you to read it carefully.

Please note that we may modify, supplement, and update both the Policy and the Terms. While we will notify you of significant changes to the Policy and Terms, we recommend reviewing them periodically to stay informed about the latest version.

Personal data refers to any information that enables the identification of a specific natural person. According to the European Union General Data Protection Regulation (GDPR), personal data includes both directly and indirectly identifiable information.

We respect your confidentiality, and the security of your personal data is our priority. We implement appropriate organizational and technical measures to ensure that your personal data is always securely protected and that data processing operations comply with data protection laws and our internal policies.

The Company collects and processes the personal data listed in this Policy based on the following legal grounds:
– Consent to the conditions set forth in the Terms and this Policy;
– Legitimate interest;
– Compliance with legal obligations applicable to and required of the Company;
– Fulfillment of a contract in which you are a party.

Depending on the scope and conditions outlined by applicable legal regulations, one or more of the above legal bases may apply to the processing of your personal data.

1. What data do we process and why?

1.1. Registration, Verification, Management, and Communication

When registering as a user and agreeing to the Terms and Privacy Policy, you provide us with the profile data listed below. Some data required for registration is mandatory, and without providing it, it is not possible to create a profile or use the services. By registering, you confirm that the personal data provided is correct and that you are at least 18 years old. We are not responsible for any incorrect, incomplete, or misleading data submitted.

Profile data processed for account creation and management:

  • Types of data: Your first name, last name, address, email address, and phone number.

  • Legal basis for data processing: Contract (your agreement to the Terms) for using services under the conditions specified in the Terms.

  • Data processing period: If your account has been inactive for more than three years, we will send you a notification to continue using the services. If you do not log in within three months after receiving the notification, your profile data will be deleted.

How and for what purposes do we use your personal data?

Based on your profile data, we create a unique profile on the website and/or application that identifies you as a registered user and allows you to use services offered to registered users under the Terms and this Policy.

We also identify you based on the provided profile data, for example, if you want to update or modify your data, contact us to provide certain personal data, or exercise your rights regarding data processing.

Additionally, we use the contact details you provide (email address, phone number) to communicate with you, including responding to inquiries, providing important information about services, their provision, and/or changes to this Policy, contacting you if you forget to collect your purchases, or if we detect an issue with your transactions.

It is important that the profile data provided is accurate and correct. If incorrect data is provided, not updated, or forgotten, we may face difficulties in ensuring service provision, which may cause issues in exercising your rights. We are not responsible for any damages caused due to incorrect or incomplete personal data provided by you.

If your data changes, you must notify us immediately by updating the relevant data in the registration form on the website or application.

The Company has no means to verify the accuracy and validity of the provided data. Therefore, we assume that by filling out the registration form, you have submitted accurate and correct data and that all your consents have been given freely after thoroughly reviewing this Policy and the Terms.

 

1.2. Managing Your Account, Ensuring Website and Application Functionality and Security

We process personal data to manage your account, ensure the proper functioning of the website and application, secure your account and the website, and comply with technical standards.

Data processed for account management, website maintenance, and security:

  • Types of data: Data provided when registering on the website or application, account data upon login, activities within the account, website, and/or application, technical browsing data (customer code, login and browsing technical information, technical information about the used device).

  • Legal basis for data processing: Contract (your agreement to the Terms) to use the account under the conditions specified in the Terms.

  • Data processing period:

    • Data provided during website or application registration is retained as long as you are an account user. If your account is inactive, profile data will be deleted after 3 years and 3 months.

    • Account login data, account activities, website and/or application browsing data are stored for no longer than 24 months.

Your consent to use an account on the website or application is considered given when you have completed the necessary steps for account creation according to the Terms and confirmed registration.

If you use the website or application as an unregistered visitor, we process your technical browsing data (e.g., login and browsing technical information, technical information about the device you use, your activities on the website or application) based on our legitimate interest in maintaining the proper functioning and security of the website and application. We retain this data for up to 24 months.

 

1.3. Processing Your Purchase Data

When providing you with services and various benefits, such as concluding and executing sales contracts, refunding money (in case of returned goods), offering discounts, etc., we process not only your registration data but also data about your purchase transactions (hereinafter referred to as "purchase data").

Purchase data processed for service provision:

  • Types of data: Your first name, last name, email address, phone number, delivery and residential addresses, signature (if you collect goods yourself), purchase and delivery date and time, names and quantities of goods, purchase prices, and any received discounts, payment method, and payment details.

  • Legal basis for data processing:

    • Contract (agreement to the Terms) for using services under the conditions specified in the Terms.

    • Compliance with legal obligations applicable to and required of the Company – retention of invoices with your personal data.

  • Data processing period: Purchase data is retained for 7 years from the purchase transaction date (the retention period is established by law). Your saved payment card details are retained as long as you use our services.

How do we use your purchase data?

We retain your purchase data for 7 years from the purchase transaction date, and upon expiration of this period, we destroy and/or reliably anonymize it, meaning we permanently separate it from your profile data and other identifiable information.

Our Company or our partners may also use purchase data if we organize competitions, games, and promotions in which you participate. In such cases, we use purchase data to randomly select winners who meet the conditions of the competition or game and, with your separate consent, transfer your data to the organizer of the competition for prize delivery. You can always opt out of our competitions by changing your personal profile privacy settings on the website or application.

If the information provided in this Policy, your website account, or application is insufficient, or if you want to obtain a history of purchase transactions for more than 12 months, you can always contact us under the conditions set out in section 6 of this Policy.

 

1.4. Participation in our promotional contests and games

With your consent, we may use purchase data ourselves or share it with partners if you participate in our contests, games, or promotions. We use your purchase data to randomly select winners and distribute prizes. You can opt out of contests by changing your privacy settings on the website or application.

Personal data processed for offers and information purposes:

  • Data Types: Your first name, last name, email address, phone number, personal code (only for winners), bank account (only for monetary prize winners), signature (only for winners).

  • Legal Basis for Data Processing: Your consent to participate in specific contests, games, and promotional campaigns.

  • Compliance with a legal obligation – personal data is processed for tax payments on behalf of the contest, game, or promotional campaign winners.

  • Data Processing Period: Your personal data is processed as long as you are an active account user and participate in special campaigns. If you win, your data is stored for 7 years as required by law.

You can choose preferred communication channels in your account privacy settings on the website or application. You can change these settings at any time.

You may opt out of receiving offers and news at any time or modify your preferred notification methods (channels). Refusal to receive offers and news does not prevent the use of Services.

1.5. Sending offers and newsletters

When you agree to receive offers and news, we process your personal data to send you newsletters, offers, discounts, and promotions, invite you to participate in games, and request your feedback on services. We send information via your account, application, or selected channels, such as email or SMS.

Personal data processed for newsletters and offers:

  • Data Types: Your first name, last name, email address, and/or phone number.

  • Legal Basis for Data Processing: Your consent to receive offers and news.

  • Data Processing Period: Your personal data is processed as long as you have an active account and have agreed to receive offers. Your consent and proof of it may be stored longer to protect us against claims, complaints, and lawsuits.

You may opt out of receiving offers and news or modify notification preferences at any time. Opting out does not affect your ability to use Services.

1.6. Statistics, market research, and behavior analysis

We always strive to ensure that our product range, promotions, and discounts best meet our customers’ needs.

Personal data processed for statistics, market research, and behavior analysis:

  • Data Types: Residence, purchase data (including purchase date and time, item names and quantities, total purchase price, and received discount amounts).

  • Legal Basis for Data Processing: Our legitimate interest in analyzing data and preparing reports necessary for business operations, assessing our performance, and creating value for both you and our business.

  • Data Processing Period: 5 years after data collection.

We use anonymized data for automated analysis to compile statistics, study the market and customer behavior, and create reports necessary for business operations. Identifiable personal data, such as name or contact information, is not processed. This analysis helps in making business decisions, such as developing product ranges and setting pricing, but it does not have legal or significant consequences for you.

1.7. Handling your inquiries, complaints, requests, and feedback, and improving our services

We use your personal data to respond to your inquiries, complaints, and requests and manage your feedback (hereinafter "inquiry").

Personal data processed for handling inquiries and improving services:

  • Data Types: Your submitted personal and contact details: first name, last name, phone number, email address, and residence.

  • Content of your inquiry: Event related to the inquiry, its circumstances, date, location, your request, claim, or feedback, product, customer card number (if applicable), and any other information included in the inquiry.

  • Other documents and/or data submitted with the inquiry, such as receipt data, photos.

  • Phone call recordings, if you contact our customer support.

  • Additional information for resolving the complaint or inquiry, including technical information about your activity on the website or application, account data, purchase or order history, and other necessary details.

  • Legal Basis for Data Processing: Legal obligation to investigate and respond to consumer inquiries, as well as our legitimate interest in evaluating feedback to improve our services.

  • Data Processing Period: Inquiries and related data are processed and stored for at least 6 months after resolution, depending on the inquiry type.

 

2. From what sources do we collect your personal data?

Most of your personal data is obtained directly from you. You provide profile data yourself, for example, by filling out registration forms, and we collect purchase data when you use our services.

We also receive data directly from you when you submit an inquiry using any method of your choice: sending us an email or a written inquiry, calling our customer support hotline, etc.

If additional information needs to be collected or key facts clarified to handle your inquiry objectively and thoroughly, we may link the data related to the inquiry with existing and/or newly collected data, such as purchase transactions, account usage history, or employee interviews.

 

3. In what cases and to which third parties do we disclose your data?

Your data may be shared with third parties who assist us in providing services and managing customer inquiries. These may include software and database management service providers, cloud service and data center operators, marketing, market research, or business analytics service providers. Data is shared only to the extent necessary for the provision of a specific service.

All data processors process your personal data solely under our instructions, do not use it for other purposes, and do not disclose it to third parties without our consent. They are also required to ensure data security in accordance with applicable laws and contractual obligations.

When offering services that allow you to use our partners' services (e.g., loyalty programs), we make part of your data available to our partners only for service provision or fulfillment of cooperation terms.

If an event described in an inquiry is classified as an insurance case, we forward your inquiry and related data to insurers with whom we have liability, property, or other insurance coverage in relation to the event in question. Insurance providers process your data as independent data controllers based on their established terms and policies.

Data may also be shared with competent government or law enforcement authorities, such as the police or regulatory agencies, but only upon their request and when required by applicable law or in legally defined situations, to protect our rights, ensure the security of our customers, employees, and resources, and to evaluate, present, or defend legal claims.

When using website analytics services (e.g., Google Analytics) to understand how you interact with the website or application, we may share anonymized data with third parties. This data helps evaluate website or application usage, generate reports on its performance, and provide related services. For more details, please see our Cookie Policy.

We confirm that all transfers of your data strictly comply with applicable data protection laws. We ensure respect for your privacy by implementing necessary security measures at every stage of the process.

 

4. In which territories and jurisdictions do we process your personal data?

We process your personal data only within the territory of the European Union. We do not transfer or plan to transfer your personal data to third countries in the future.

 

5. What rights do you have under data protection laws, and how can you exercise them?

Data protection laws grant you several rights that you can exercise at your discretion, and we are obligated to ensure that you can do so. You can find information about your specific rights and how to exercise them in this section.

 

5.1. Right to access your processed personal data

You have the right to receive confirmation of whether we process your personal data, as well as the right to access the personal data that we process. Additionally, you have the right to know the purposes of data processing, the categories of processed data, the categories of recipients of the data, the data processing period, the sources of data collection, the nature of automated decision-making, including profiling, as well as the significance of such activities and your rights regarding their consequences.

Most of the information mentioned above is provided in this Policy for your reference.

5.2. Right to rectify personal data

If the data you provided during registration has changed, or if the information processed about you is inaccurate or incorrect, you have the right to request the modification, review, or correction of this data. You can make corrections to your data in your website account or application. You may also contact us using the methods described in Section 6 of this Policy to request corrections or modifications to your data.

5.3. Right to withdraw consent

If we process your personal data based on your consent, you have the right to withdraw that consent at any time. Once consent is withdrawn, we will stop processing the corresponding data. In some cases, this may mean that we can no longer provide you with services. For example, you may withdraw your consent to receive offers and newsletters or for data profiling at any time.

Withdrawing consent does not prevent you from continuing to use our services, but in that case, we will not be able to provide you with personalized offers or information tailored to your needs.

You can modify, withdraw, or reissue your consents by submitting an updated registration form, changing the settings in your website or application account, or by contacting us as outlined in Section 6 of this Policy.

Upon the expiration, withdrawal, or revocation of your consent, we will delete the relevant data or, in the cases specified in this Policy, render it reliably and irreversibly anonymous.

In certain cases, we may retain proof of your consent for a longer period if necessary to protect against potential claims, complaints, or legal actions.

5.4. Right to lodge a complaint

If you believe that we are processing your data in violation of data protection laws, we encourage you to contact us first. We believe our efforts will be sufficient to address your concerns, fulfill your requests, and correct any errors if necessary.

If you are not satisfied with our proposed solution or believe that we have not taken the necessary measures in response to your request, you have the right to file a complaint with the supervisory authority of the Republic of Estonia, which is the national data protection inspectorate.

5.5. Right to object to data processing based on legitimate interests

You have the right to object to the processing of your personal data based on our legitimate interests. However, given the purpose of the services and the balance of legitimate interests between both parties (you as the data subject and us as the data controller), your objection may mean that if we stop processing your data based on our legitimate interest, we may no longer be able to provide you with access to the services.

To exercise the right set out in this section, please submit a written request to our Data Protection Officer.

5.6. Right to data erasure

Under certain circumstances specified in data protection laws (such as unlawful processing of personal data or the absence of a legal basis for data processing), you have the right to request the deletion of your personal data. To exercise this right, please submit a written request to our Data Protection Officer.

It is important to note that if you stop using the services and delete your account, your profile data will be deleted automatically without a separate request, and other data will be deleted or rendered reliably anonymous.

5.7. Right to restrict data processing

Under certain circumstances specified in data protection laws (for example, if personal data is processed unlawfully, data accuracy is disputed, if you object to data processing based on our legitimate interest, etc.), you also have the right to restrict the processing of your data. However, please note that due to data processing restrictions, we may not be able to provide you with services during the period such restrictions are in place.

To exercise the right set out in this section, please submit a written request to our Data Protection Officer.

5.8. Procedure for handling requests

To protect our customers' data from unauthorized disclosure, upon receiving a request for access to your data or to exercise other rights, we are required to verify your identity. To do this, we may ask you to provide the relevant profile data submitted during registration (e.g., first name, last name, email address, or phone number), and we will check whether the provided data matches the corresponding profile information.

As part of identity verification, we may also send a verification message to the contact information listed in the registration form (via SMS or email), requesting an authorization action. If the identity verification process fails (e.g., the provided profile data does not match the registered data or you do not authorize the received SMS or email), we are required to conclude that you are not the subject of the requested data and must deny your request.

After receiving your request to exercise your rights and successfully completing the identity verification process described above, we must provide you with information about the actions we have taken in response to your request as soon as possible, but in any case no later than one month from the date we received your request and completed the verification process.

Considering the complexity and number of requests, we have the right to extend the one-month period by an additional two months, notifying you before the end of the first month and providing reasons for the extension.

If you submit a request electronically, we will respond electronically unless this is not possible (e.g., due to a large volume of information) or unless you request a response in another format.

If the circumstances specified in the law justify rejecting your request, we will send you a written, reasoned response explaining our decision.

 

6. How can you contact us?

For all questions regarding data processing, you can contact us using the following methods:

Customer support contact details:
Email: cherisherbox@gmail.com
Website: https://cherisherbox.com/

 

7. How secure is your data?

We use various security technologies and measures to protect your personal data from unauthorized access, use, or disclosure. We carefully select our service providers and require them to implement appropriate measures to ensure the confidentiality and security of your personal data.

However, we cannot guarantee the security of data transmission over the internet or mobile networks; therefore, any data transmission to us through these channels is at your own risk.

 

8. Extended data retention

Once the data processing and retention period specified in this Policy has expired, we will either delete your data or, in cases outlined in this Policy, render it reliably and irreversibly anonymous as soon as possible, considering a reasonable and practical timeframe for such actions.

Your personal data may be retained for a longer period than specified in this Policy only if:

  • It is necessary to protect against claims, disputes, or legal actions and to exercise our rights;

  • There is a justified suspicion of unlawful activity that is under investigation;

  • Your data is necessary for the proper resolution of a dispute or complaint;

  • It is needed for backup and similar purposes;

  • Other legal grounds exist as specified in applicable regulations.

 

9. Cookies

We use cookies, which are small text files stored in your computer or other device’s (e.g., mobile phone) browser when you visit our website. The purpose of cookies is to store data that allows us to recognize you as a user of our services when you visit our website. Cookies also enable us to link your purchase history and other data collected while using our services with your browsing behavior. The information collected through cookies allows us to provide you with a better browsing experience, offer attractive promotions, gain more insights into our website users’ behavior, analyze trends, and improve both our website and the services we offer you.

How to manage cookies?

You can change your cookie settings at any time by clicking the "Cookie Settings" button on this page. From there, you can specify your preferences by selecting or deselecting the checkboxes and clicking "Allow Selection" or "Allow All Cookies." In some cases, you may need to refresh the page for the new settings to take effect.

You can also control the use of analytical, functionality, and marketing cookies by adjusting your browser settings.

 

10. Policy Validity and Amendments

This policy has been in effect since July 24, 2025. If we make changes to this policy, we will post the updated version on this page.