
GDPR Policy

1. Data Controller and Contact Information​

  • Identity of the Data Controller: The operating entity of www.goma.vip (hereinafter referred to as "we"). Registered address and legal information can be found in the "About Us" section of the website.​
  • Data Protection Officer (DPO): BECK, Contact: gomavip@126.com
  • Regulatory Communication: EU users may file complaints with the data protection authority (DPA) of their respective member state (e.g., CNIL in France, BfDI in Germany). Contact information for relevant authorities is available on the official website of the European Data Protection Board (EDPB).​

2. Scope of Application​

This policy applies to all activities involving the collection, storage, use, transmission, and sharing of personal data of natural persons within the European Economic Area (EEA) (hereinafter referred to as "users") in the course of our providing website services. Regardless of whether the data processing takes place within or outside the EU, this policy and the GDPR shall apply if the processing involves EEA users' data or provides goods/services to EEA users.​

3. Collection and Processing of Personal Data​

3.1 Types of Personal Data Collected​

| Data Category | Specific Content | Collection Scenarios |
| --- | --- | --- |
| Identity Data | Name, email address, phone number, address, etc. | User registration, service booking, order submission |
| Interaction Data | Service usage records, inquiry content, feedback | Customer service communication, feature usage, review submission |
| Technical Data | IP address, browser type, device information, Cookie data | Website visits, page browsing, feature adaptation |
| Transaction Data | Payment information, order details, logistics information | Product purchases, service payments, order fulfillment |

3.2 Legal Bases for Data Processing​

We process personal data based on the following legal grounds:​

  • User Consent: Applicable to scenarios such as Cookie usage and marketing information push. Users may withdraw consent at any time with the same ease as granting it.​
  • Performance of a Contract: Necessary for fulfilling contractual obligations such as order delivery and service provision (e.g., collecting addresses for product shipping).​
  • Legal Obligations: Responding to judicial investigations, fulfilling tax declaration requirements, and other statutory obligations.​
  • Legitimate Interests: Where not prejudicial to users' rights, e.g., using access data to optimize website performance and ensure service security.​
  • Protection of Vital Interests: For safeguarding the life, health, or other vital interests of users or other individuals in emergency situations.​

3.3 Principles of Data Processing​

We strictly adhere to the seven core principles of the GDPR:​

  1. Lawfulness, Fairness, and Transparency: All processing activities have a legal basis, and details of data processing are clearly communicated to users through this policy.
  2. Purpose Limitation: Data is processed only for specific, stated purposes. For example, order data shall not be used for unauthorized marketing.
  3. Data Minimization: Only the minimum amount of data necessary to achieve the stated purpose is collected; irrelevant information (e.g., religious beliefs, health status) is not obtained.
  4. Accuracy: A data update mechanism is established to ensure user data is timely and accurate.
  5. Storage Limitation: Data is retained for the following periods and will be deleted or anonymized immediately upon expiration:
       • Transaction Data: Retained for 1 year after order completion (in compliance with tax filing requirements);
       • Service Data: Retained for 6 months after service termination;
       • Marketing Data: Deleted immediately upon user withdrawal of consent or explicit refusal.
  6. Integrity and Confidentiality: Technical and organizational measures (e.g., encrypted storage, access authorization, operation logs) are implemented to protect data.
  7. Accountability: Complete records of data processing activities are maintained to demonstrate compliance for regulatory inspections at any time.

4. Core Rights of Data Subjects​

EEA users are entitled to the following data rights, and we will respond to requests within 1 month (complex cases may be extended by an additional 2 months with prior notification):​

  • Right to Information: The right to know the purposes, types, legal bases of data processing, and recipients of shared data (fully disclosed in this policy).​
  • Right of Access: The right to request a copy of their personal data held by us in a format that is easy to save and use.​
  • Right to Rectification: The right to correct inaccurate or incomplete data through the account center independently or by contacting us for assistance.​
  • Right to Erasure (Right to be Forgotten): The right to request data deletion under the following circumstances:
      • The data is no longer necessary for the original processing purpose;
      • The user withdraws consent and there is no other legal basis for processing;
      • The user objects to data processing and there are no overriding legitimate interests;
      • The data processing violates the GDPR.
  • Right to Restriction of Processing: The right to request suspension of processing if there is a dispute over the accuracy of the data until verification is completed.​
  • Right to Object: The right to object at any time to processing based on legitimate interests (e.g., marketing, profiling).​
  • Right to Data Portability: The right to request export of personal data in a structured format (e.g., CSV, JSON) for transfer to another service provider.​
  • Right to Object to Automated Decision-Making: The right to object to legally binding decisions based solely on automated processing and request human review.​

How to Exercise Rights: Send an email to gomavip@126.com with the subject "Data Rights Request" and specific requirements. We may request identity verification to ensure data security.​

5. Data Security and Breach Response​

5.1 Security Protection Measures​

  • Technical Level: Implement measures such as SSL-encrypted transmission, encrypted database storage, and regular vulnerability scanning;​
  • Management Level: Establish a hierarchical employee access permission system and conduct regular data protection training;​
  • Emergency Level: Develop a data security incident response plan and conduct regular drills.​

5.2 Data Breach Notification​

In the event of a data breach that may jeopardize users' rights, the following actions will be completed within 72 hours of discovery:​

  1. Notify the relevant EU data protection supervisory authorities;
  2. Send email notifications to affected users, explaining the content of the breach, potential impacts, and remedial measures.

6. Third-Party Data Processing and International Transfers​

6.1 Scope of Third-Party Cooperation​

Data is only shared with the following rigorously screened third parties, all of which have signed Data Processing Agreements (DPAs):​

  • Payment Service Providers: e.g., PayPal – only necessary transaction data is shared for payment processing;​
  • Logistics Service Providers: e.g., DHL – only addresses and contact information required for delivery are provided;​
  • Cloud Service Providers: e.g., AWS (EU regional nodes) – used for data storage and website operation.​

6.2 Compliance with International Data Transfers​

If data needs to be transferred outside the EU, the following safeguards will be implemented:​

  1. Prioritize transfers to countries with an EU "adequacy decision" (e.g., Japan, Switzerland);
  2. For countries without an adequacy decision, sign EU Standard Contractual Clauses (SCCs) and supplement with measures such as encrypted transmission;
  3. Prohibit transfers of any personal data to regions without adequate safeguards.

7. Protection of Children's Data​

When providing services to children under the age of 16, explicit consent from their legal guardians is required before collecting any data. Guardians may request to view, delete, or withdraw consent for children's data at any time, and we will prioritize responding to such requests.​

8. Violation Liabilities and Dispute Resolution​

8.1 Violation Penalties​

Violations of the GDPR may result in penalties imposed by EU regulatory authorities, with a maximum fine of up to 4% of global annual turnover or EUR 20 million (whichever is higher).​

8.2 Dispute Resolution​

Users with objections to data processing may first contact us to resolve the issue through negotiation. If negotiation fails, users may file a complaint with the data protection authority of their respective member state or claim rights through the EU Online Dispute Resolution platform.​

9. Policy Updates and Inquiries​

  • After updates to this policy, notifications will be posted on the website homepage and sent to users' registered email addresses. The updated content shall take effect 15 days after the notification is sent.​
  • For inquiries about this policy, send an email to gomavip@126.com, and we will respond within 3 business days.