Loading
VivyVeilVivyVeil

The curated archive for Asian alternative fashion.

콘셉트

  • VivyVeil 소개
  • 프로세스
  • 용어집
  • 자주 묻는 질문
  • 컨시어지

아틀리에

  • 아카이브 둘러보기
  • 내 주문
  • 주문 추적
  • 계정

서비스

  • 환불 정책
  • 배송 및 관세
  • 이용약관
  • 개인정보
  • 쿠키
  • 사용 규정
  • 정품 · 지식재산
  • 접근성
  • support@vivyveil.com
© 2026 VivyVeil LLC
EN中日한
NOT AFFILIATED WITH ANY BRAND LISTED
Legal · Privacy Policy

Privacy Policy

What we collect, why we collect it, who we share it with.

EFFECTIVE · 2026-05-30

This Privacy Policy explains how VivyVeil LLC ("VivyVeil", "we", "us") collects, uses, shares, and protects personal data when you visit vivyveil.com, place an order, or contact us. It applies to all visitors and customers globally. Where the laws of your jurisdiction grant you specific rights, those are described in §8.

— 01

Who we are and the scope of this Policy

VivyVeil LLC is the operator of vivyveil.com and is responsible (as data controller, under GDPR / UK GDPR) for personal data processed in connection with the Site. The legal entity is registered in Wyoming, USA with its registered office at 30 N Gould St Ste N, Sheridan, WY 82801, USA.

Where this Policy refers to "you", it means any visitor or customer whose personal data we process. Where it refers to "we", "us", or "VivyVeil", it means VivyVeil LLC.

— 02

What we collect

We collect personal data in three ways: information you provide, information we receive about your transactions, and information that is collected automatically.

Information you provide. Account name, email address, password (stored as a hash), shipping addresses, phone number, locale preference, any notes or photos you submit as part of a sourcing request or customer-update reply, and the content of any message you send to support.

Transaction information. Order numbers, item details, payment status, refund history, the breakdown of fees per item, customs acknowledgment timestamp, and any in-product notes you attach to a cart line. Payment-card details are not stored by us; they are handled by Stripe, our card-payment processor, who returns to us only the last four digits, expiry month and year, brand, and a tokenised reference. For PayPal payments we receive only your PayPal payer email and payer id; we never see your PayPal account password or any underlying funding-instrument number. Magic-link sign-in tokens are stored briefly and destroyed at use.

Automatically collected information. Device and browser metadata (user-agent, IP address, language, time zone), basic logs of the requests you make (URL, status code, latency), and the values of essential cookies described in §9. We do not run third-party advertising trackers or build behavioural profiles for marketing.

— 03

How we use personal data

We process personal data to:

  • create and operate your account;
  • fulfil orders (including transmission of shipping address to our carrier and consolidation partner);
  • communicate transactional information (confirmations, balance reminders, dispatch notices);
  • detect and prevent fraud, chargeback abuse, and unauthorised access;
  • respond to support enquiries and after-sales requests;
  • comply with our legal and tax obligations;
  • improve the Site and the catalogue (aggregated, non-identifying analysis).

We send marketing email only with your opt-in, and you can withdraw consent from any marketing email or in your account settings at any time.

— 04

Legal bases (EU / UK consumers)

Where the EU General Data Protection Regulation or the UK GDPR applies, we rely on the following legal bases:

  • Performance of a contract with you (Art. 6(1)(b)) for account, order, shipping, customs, and support processing.
  • Compliance with a legal obligation (Art. 6(1)(c)) for tax-record retention, customs declarations, and fraud-reporting where required.
  • Legitimate interests (Art. 6(1)(f)) for security, fraud prevention, abuse detection, and Site-improvement analytics.
  • Consent (Art. 6(1)(a)) for marketing emails and any cookie that is not strictly necessary.

For each processing activity that relies on Art. 6(1)(f) legitimate interests, we conduct and document a Legitimate Interests Assessment (LIA) that weighs our interests against your rights and freedoms and considers less-intrusive alternatives. The LIA records are retained internally and a written summary of the LIA for any specific activity is available on request from the supervisory authority and, where relevant, from data subjects who exercise their rights under Art. 21 (right to object).

— 05

Sub-processors we share data with

We rely on a small list of established processors. Each only receives the minimum data required to perform its function.

ProcessorPurposeData shared
Stripe, Inc. (US)Payment processing (card, Apple Pay, Google Pay)Order ID, amount, currency, billing email, card data entered directly by you on Stripe's hosted element.
PayPal, Inc. (US) / PayPal (Europe) S.à r.l. et Cie, S.C.A. (EU)Payment processing (PayPal balance, linked card or bank)Order ID, amount, currency, your PayPal payer email and payer id returned to us on capture, and the shipping address we passed to the PayPal order to support PayPal's seller-protection program.
Cloudflare Workers (US)Edge compute, request routingRequest payloads in transit only; no at-rest storage in this layer.
Cloudflare D1 (US)Primary databaseAccount record, orders, products, addresses, refund history.
Cloudflare R2 (US)Object storageUploaded product photographs and customer-update images.
Cloudflare Images (US)Image transcoding & CDN deliveryThe same image objects, served via a delivery URL.
Cloudflare KV (US)Short-term key-value storageSession tokens, edge cache of computed pages.
Cloudflare Turnstile (US)Bot-protection challengeChallenge metadata, IP address, browser signal — no order or account content.
Cloudflare network (CDN, TLS, DDoS) (US)Network delivery and securityTLS termination, request metadata (URL, status, IP); flows through Cloudflare for delivery only.
Resend, Inc. (US)Transactional email deliveryRecipient email, subject, body, attachments.
EasyPost, Inc. (US)Shipping rate quotes and label generationOrigin/destination addresses, parcel weight, declared customs value.
Consolidation partner (mainland China)Receiving from atelier, inspection, photography, dispatchShipping name, address, phone; order-specific notes. Transfer covered by EU SCCs 2021/914 (Module 2: controller-to-processor) supplemented by a written Transfer Impact Assessment — see §6.

We do not sell personal data and we do not share it with third parties for their independent marketing.

— 06

International transfers

We are based in the United States. Our consolidation partner is based in mainland China.

Personal data transferred to the United States or to mainland China for the purposes set out in §3 is covered by a written data-processing agreement (DPA) with the relevant processor.

Transfer mechanism. Where the GDPR or UK GDPR applies to the transfer, we rely on the European Commission's Standard Contractual Clauses adopted by Implementing Decision (EU) 2021/914 of 4 June 2021 — Module 1 (controller-to-controller) or Module 2 (controller-to-processor) as appropriate per processor. For UK data we additionally apply the UK International Data Transfer Addendum (IDTA / Addendum to the EU SCCs) issued by the Information Commissioner's Office in March 2022. The current SCC text and the IDTA are publicly available on the European Commission and ICO websites respectively.

Transfer Impact Assessment — mainland China. Mainland China has no adequacy decision under Art. 45 of the GDPR. For our consolidation partner there we have completed a written Transfer Impact Assessment under the EDPB Recommendations 01/2020 (and the UK ICO's TRA guidance), which considers Chinese law on government access to personal data, the practical risk in light of the data categories actually transferred, and the supplementary measures we apply. Conclusion: the data we transfer is limited to the operational minimum needed to receive and inspect a parcel — shipping name, address, phone, and order-specific notes; we do not transfer payment data, account credentials, sign-in tokens, browsing history, or device identifiers — and that, in combination with the contractual safeguards in the SCCs and the partner's confidentiality and access-control commitments, brings the transfer to an essentially-equivalent level of protection. The full TIA summary is available on written request via the contact in §13.

For US-based processors (Stripe, PayPal, Cloudflare, Resend, EasyPost) we similarly rely on the 2021/914 SCCs plus, where the processor has self-certified, the EU-US Data Privacy Framework (adopted 10 July 2023) and its UK and Swiss extensions. We re-assess the framework's standing annually and on any material legal development.

— 07

Retention

We retain personal data only as long as needed for the purpose for which we collected it, plus any period required by applicable law.

Data categoryRetention
Account profile (name, email, address book, locale preference)Active life of the account, plus eighteen months after account closure for fraud, dispute, and reactivation handling.
Order and payment records (order details, payment status, refund history, customs declaration)Seven years from the order date, to meet US tax-record retention.
Support correspondenceThree years from last contact.
Marketing-email preferencesUntil you withdraw or close your account.
Magic-link sign-in tokensDestroyed at first use or after fifteen minutes, whichever is earlier.
Server access logs containing IP addressesNinety days.

After the applicable retention period, we delete the data or anonymise it irreversibly. Where one record category contains data needed for a longer category (for example the account profile is needed to reconcile a seven-year-old order), we retain only the minimum subset necessary, not the full account record.

— 08

Your rights

All visitors. You may close your account, request access to your data, ask us to correct it, or contact us with a privacy question at support@vivyveil.com.

EU / UK consumers (GDPR). You have the right to access, rectify, erase, restrict processing of, and port your personal data, and to object to processing based on legitimate interests. Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal. You may also lodge a complaint with your supervisory authority.

California residents (CCPA / CPRA). You have the right to know what personal information we have collected, the right to delete and the right to correct personal information, the right to limit use of sensitive personal information, and the right to opt out of "sales" or "sharing" — though we do not sell or share for cross-context behavioural advertising. We do not discriminate against you for exercising any of these rights.

How to submit a request. Email support@vivyveil.com from the email address on your account with a one-line description of what you would like us to do (access, rectify, erase, port, restrict, or object). For guest orders, include a recent order number. Authorised agents must include written proof of authority and the data subject's own confirmation.

How we verify identity. We match the requesting email against the email on your account record. Where the match is ambiguous — for example, a closed account, a guest order, or a mismatched email — we will ask for an additional verification factor that is already known to both sides (typically a recent order number, the last four digits of the card used for an order, or a magic-link confirmation to the email on file). We never ask for new sensitive information solely for verification, and we never ask for a password or a full payment-card number.

We will respond to verifiable requests within thirty days, or within forty-five days where extended by law; for clearly unfounded or excessive requests (in particular, repetitive requests within a short window) we may charge a reasonable fee or refuse, as permitted by Art. 12(5) of the GDPR. We log the receipt time, the verification outcome, and the dispatch of our response for each request.

— 09

Cookies and similar technologies

We use the smallest set of cookies and local-storage entries that the Site needs to work. We do not run third-party advertising trackers.

NameTypePurpose
vivy.session_token (__Secure-vivy.session_token on HTTPS)Strictly necessarySign-in state
vivy_cartStrictly necessaryYour shopping bag (encrypted)
vivy.localeFunctionalLanguage preference
Cloudflare Turnstile and Cloudflare network cookiesStrictly necessaryBot protection and DDoS mitigation

Strictly necessary and functional cookies do not require consent.

If we later add any analytics, advertising, or conversion-tracking technology (for example Google Analytics, Meta Pixel, TikTok Pixel, or remarketing tags), we will surface a consent banner before any such technology runs, update this Policy to disclose it, and update the cookie table above. Until then, no such technology is in use.

— 10

Children

The Site is not directed to children, and we do not knowingly collect personal data from a child below the local digital-consent age. We apply a default minimum of sixteen years, with the following local overrides:

  • European Union member states that have set a lower digital-consent age under Art. 8(1) GDPR (between thirteen and sixteen, depending on the member state — for example, the United Kingdom and Ireland set thirteen) — we apply that local minimum for users resident there.
  • United States — we apply thirteen as the floor in line with the Children's Online Privacy Protection Act (COPPA, 15 U.S.C. §§ 6501-6506); we do not knowingly collect personal data from a child under thirteen.

Where local law sets a stricter (higher) digital-consent age than sixteen, the stricter local age applies. If you believe a child below the applicable age has provided us with personal data, contact us at support@vivyveil.com and we will delete it within thirty days.

— 11

Security

We use TLS in transit and encryption-at-rest for all stored payment-card tokens, magic-link tokens, and password hashes. Access to production systems is limited to personnel who need it. No system is perfectly secure.

Breach notification. If we become aware of a personal-data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the relevant supervisory authority (the lead authority where the GDPR or UK GDPR applies, and any other competent authority under local law) without undue delay and where feasible no later than seventy-two hours after becoming aware, in line with GDPR / UK GDPR Art. 33. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay under GDPR / UK GDPR Art. 34, with a description of the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures we have taken or propose to take. For US state-level breach-notification laws (notably the CCPA / CPRA and state-specific statutes) we comply with each state's notification timing and content requirements in parallel.

— 12

Changes

We may update this Policy from time to time. Material changes are posted on the Site and, where you have an account, emailed to you. The version applicable to a given visit is the version in force on that visit; historic versions are available on request.

— 13

Contact

VivyVeil LLC · Privacy
Registered office: 30 N Gould St Ste N, Sheridan, WY 82801, USA
Email: support@vivyveil.com

EU representative (GDPR Art. 27) and UK representative (UK GDPR Art. 27). We are required, as a US-based controller offering goods to data subjects in the European Union and the United Kingdom, to designate a representative in each of those jurisdictions.

Current status — disclosed honestly. We acknowledge that the obligation to designate is not discharged by an "in process" notice. A supervisory authority examining our compliance during this gap would treat the absence of an appointed representative as a standalone non-compliance regardless of this disclosure; this paragraph is not an attempt to claim the obligation is met. The designation is a near-term priority and this paragraph will be replaced with the appointed representative's name and contact details as soon as the designation is in force.

Interim measures we apply while the designation is pending. (i) Every data-subject request from a person we identify as resident in the European Union or the United Kingdom is logged and handled as if a representative were already in place, with the receipt time, verification outcome, and dispatch of response recorded against the request. (ii) We respond within the timelines and to the standard set out in §8, with the same content a representative would supply, from support@vivyveil.com. (iii) We do not condition any EU / UK data-subject right on the presence of an appointed representative. (iv) support@vivyveil.com is the primary point of contact for all GDPR / UK GDPR matters — requests under Arts. 15-22, complaints, and any communication a supervisory authority would otherwise direct to the representative.

None of the above limits your right to lodge a complaint directly with your supervisory authority (in the EU, the data-protection authority of your country of residence; in the UK, the Information Commissioner's Office), and we will assist any supervisory authority that wishes to communicate with us during this gap.

VivyVeilVivyVeil
  • 고딕
  • 스위트
  • 클래식
  • 지뢰계
  • JK
  • 전체
  • 액세서리
  • 컨시어지
  • 주문 조회