PRIVACY POLICY

LAST UPDATED 08/04/2026

This Privacy Policy describes how Deep Roots Studio (“Deep Roots”, “we”, “us”, or “our”) collects, uses, stores, and shares your personal data when you visit deeproots.dk, make a purchase, contact us, or otherwise use our services (the “Services”).

We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and the Danish Data Protection Act. If you are located outside Denmark or the EU/EEA, local mandatory laws may also apply to your personal data.

By using our Services, you acknowledge that you have read this Privacy Policy.
01. DATA CONTROLLER

Deep Roots Studio
Østervangsvej 9
6715 Esbjerg N
Denmark
CVR: 37904856
E-mail: info@deeproots.dk

Deep Roots Studio is the data controller for the personal data covered by this Privacy Policy. Under Shopify, you are generally the controller of your customers’ data, even though Shopify also processes certain personal data to provide its services and, in some cases, for its own purposes.

02. PERSONAL DATA WE COLLECT

We may collect the following categories of personal data, depending on how you interact with our Services:

a) Information you provide directly

  • Name
  • E-mail address
  • Phone number
  • Billing address
  • Shipping address
  • Account login details
  • Order details
  • Messages or information you send to customer service
  • Information you submit when signing up for newsletters, waitlists, or marketing communications

b) Payment and transaction information

  • Payment confirmation
  • Order value
  • Purchased, returned, exchanged, or cancelled items
  • Delivery and fulfillment information

We do not store full payment card details ourselves; payments are processed by our payment service providers. Shopify and payment providers may process payment-related data to complete transactions.

c) Information collected automatically

  • IP address
  • Browser type and version
  • Device information
  • Network connection information
  • Time zone
  • Usage information, including pages viewed, products viewed, clicks, session activity, and interactions with the Services
  • Cookie, pixel, and similar tracking information

d) Information from third parties

We may receive personal data from third parties such as:

  • Shopify
  • Payment providers
  • Shipping and logistics partners
  • Analytics providers
  • Advertising or social media partners, where used
  • Fraud prevention and security providers

This structure reflects the kinds of data Shopify says are commonly processed when customers interact with merchant stores and Shopify consumer services.

03. HOW WE COLLECT PERSONAL DATA

We collect personal data:

  • directly from you, when you place an order, contact us, subscribe to marketing, create an account, or otherwise interact with us;
  • automatically, through cookies, pixels, logs, and similar technologies when you browse our website; and
  • from service providers and partners, such as Shopify, payment processors, delivery services, and analytics providers.
04. PURPOSES OF PROCESSING

We use your personal data to:

  • provide, operate, and improve our Services;
  • sprocess and fulfill orders, payments, returns, and refunds;
  • sarrange shipping and delivery;
  • scommunicate with you about your orders, account, or customer support requests;
  • provide and manage customer accounts;
  • detect, prevent, and investigate fraud, abuse, and security issues;
  • comply with accounting, tax, consumer protection, and other legal obligations;
  • send newsletters and marketing communications where permitted by law;
  • measure and improve website performance, advertising effectiveness, and user experience;
  • personalize content, product recommendations, and advertising, where enabled and permitted.
05. LEGAL BASES FOR PROCESSING (GDPR)

Where GDPR applies, we rely on one or more of the following legal bases:

  • Performance of a contract - for processing necessary to take your order, accept payment, ship your products, manage returns, and provide customer service.
  • Legal obligation - for accounting, bookkeeping, tax, fraud prevention, and other compliance duties.
  • Legitimate interests - for securing our Services, preventing fraud, improving our website and operations, responding to customer inquiries, and administering our business, provided those interests are not overridden by your rights.
  • Consent - for non-essential cookies, certain analytics and advertising technologies, and direct marketing where consent is required. You may withdraw consent at any time. GDPR requires that you be told the legal basis used for processing.
06. COOKIES, PIXELS, AND SIMILAR TECHNOLOGIES

We use cookies and similar technologies to:

  • ensure the website works properly;
  • remember your preferences;
  • support cart and checkout functionality;
  • understand how visitors use our site;
  • improve our Services;
  • support marketing and advertising, where enabled.

Under Danish and EU rules, consent is required before placing non-essential cookies on a user’s device. Necessary cookies may be used without consent where they are required for the website to function.

You can manage your preferences through our cookie banner or, in some cases, through your browser settings. Blocking certain cookies may affect the functionality of the site. Shopify provides customer privacy settings and consent tools for merchants, including cookie banners and privacy controls.

07. MARKETING COMMUNICATIONS

If you subscribe to our newsletter or otherwise consent to marketing, we may send you updates about products, launches, campaigns, and related offers.

You can unsubscribe at any time by:

  • clicking the unsubscribe link in any marketing email; or
  • contacting us at info@deeproots.dk.

We may still send you non-marketing communications, such as order confirmations, delivery updates, or important service messages. Danish guidance notes that businesses will often need consent before contacting individuals for marketing purposes.

08. SHARING OF PERSONAL DATA

We may share personal data with the following categories of recipients where necessary:

  • Shopify, which hosts and powers our store and provides commerce-related services;
  • payment providers, to process payments and reduce fraud risk;
  • shipping, logistics, and fulfillment partners, to deliver your orders;
  • IT, hosting, cloud, and support providers;
  • analytics and marketing partners, where used and where permitted;
  • professional advisers, such as legal, accounting, or insurance advisers;
  • public authorities, courts, regulators, or law enforcement, where required by law or necessary to protect our rights.

Shopify states that merchants should review and verify privacy content in the Customer Privacy section and that Shopify may process data to provide services and, in some cases, enhanced features.

We do not sell your personal data in the ordinary meaning of the word.
09. SHOPIFY-SPECIFIC PROCESSING

Our store is powered by Shopify. When you use our store, some of your personal data is processed by Shopify in order to provide store functionality, checkout, payment support, fraud prevention, and related commerce services. Shopify also states that, where certain enhanced services or settings are enabled, it may process personal data for those features and may be responsible for certain parts of that processing.

We recommend also reviewing:

  • Shopify’s Consumer Privacy Policy
  • Shopify’s privacy controls and customer privacy information.
10. INTERNATIONAL TRANSFERS

Your personal data may be processed outside Denmark and outside the EU/EEA, including by Shopify or our service providers.

Where personal data is transferred outside the EU/EEA, we rely on recognized transfer mechanisms where required, such as:

  • European Commission adequacy decisions; or
  • Standard Contractual Clauses or equivalent lawful safeguards. GDPR requires that individuals be told whether their data will be transferred outside the EU and what safeguards apply.
11. DATA RETENTION

We retain personal data only for as long as necessary for the purposes described in this Privacy Policy, including to:

  • provide the Services;
  • complete transactions;
  • maintain business and tax records;
  • resolve disputes;
  • enforce agreements; and
  • comply with legal obligations.

Retention periods vary depending on the data type and purpose. For example, order and accounting data may need to be kept longer to comply with legal and bookkeeping obligations. GDPR requires that individuals be told for how long their data will be kept, or the criteria used to determine that period.
12. YOUR RIGHTS

If GDPR or similar laws apply to you, you may have the right to:

  • request access to your personal data;
  • request correction of inaccurate or incomplete data;
  • request deletion of your data;
  • request restriction of processing;
  • object to processing based on legitimate interests;
  • request data portability;
  • withdraw consent at any time where processing is based on consent;
  • lodge a complaint with a supervisory authority.

Some rights are not absolute and may depend on the legal basis for processing or other legal exceptions. We may need to verify your identity before responding. Controllers must facilitate data subject rights and respond to such requests as required by law.

To exercise your rights, contact us at: info@deeproots.dk

If your request concerns data processed by Shopify for certain Shopify-controlled purposes, Shopify also provides privacy information and controls for those situations.

13. AUTOMATED DECISION-MAKING AND FRAUD PREVENTION

We may use tools that help detect fraud, suspicious transactions, or abuse of our Services. This may involve automated signals or risk screening. At this time, we do not make solely automated decisions that produce legal or similarly significant effects on you, except where permitted by law and appropriately safeguarded.

GDPR requires transparency where automated decision-making applies. Shopify also describes limited automated uses tied to privacy and fraud-related features.

14. SECURITY

We use appropriate technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, alteration, or disclosure.

However, no security measure is completely secure, and we cannot guarantee absolute security. Shopify and EU guidance both note that privacy tools do not remove the merchant’s responsibility to manage data securely and lawfully.

15. CHILDREN

Our Services are not intended for children, and we do not knowingly collect personal data from children without appropriate legal basis or consent where required.

If you believe a child has provided us with personal data, please contact us at info@deeproots.dk so we can review and delete the data where appropriate. Shopify’s consumer privacy materials also include separate treatment of children’s data.

16. THIRD-PARTY LINKS

Our website may contain links to third-party websites or services. We are not responsible for the privacy practices, content, or security of those third parties. Please review their privacy policies separately. This is standard and consistent with Shopify’s privacy policy language.

17. COMPLAINTS

If you have questions or complaints about how we process your personal data, please contact us first at info@deeproots.dk.

You also have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet), which is the independent authority supervising compliance with personal data protection rules in Denmark.
18. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our business practices, technology, legal requirements, or Shopify settings.

Any updates will be posted on this page with a revised “Last updated” date. Shopify’s privacy tooling also records certain privacy-setting changes inside the Shopify admin.

19. CONTACT

For questions about this Privacy Policy or our processing of your personal data, contact:

Deep Roots Studio
Østervangsvej 9
6715 Esbjerg N
Denmark
CVR: 37904856
E-mail: info@deeproots.dk