GDPR PRIVACY POLICY 

www.openskysoul.com 

Controller: Marissa Shelton, Queensland, Australia 

Contact: marissa.e.shelton@gmail.com

Effective date: 6th August, 2025.

This Privacy Policy explains how Open Sky Soul collects and processes personal data in connection with the website www.openskysoul.com, related pages, and purchasing flows for digital content, services, and merchandise. The controller for purposes of Regulation (EU) 2016/679, the General Data Protection Regulation, is Marissa Shelton, operating from Queensland, Australia. References to “we”, “us”, or “our” mean the controller named above.

Nothing in this Policy limits rights available under applicable privacy statutes, including the GDPR, the United Kingdom GDPR and Data Protection Act 2018 for UK users, and the Australian Privacy Act 1988 (Cth) including the Australian Privacy Principles. Where laws conflict, the rules most protective of the individual apply.

1. Scope and Relationship to Other Notices

1.1 This Policy covers personal data processed through the Site, our email subscription program, customer support channels, order fulfillment, and connected third-party integrations. A separate Cookie Policy will provide details about cookies, analytics tags, and advertising technologies. The Terms and Conditions govern contractual matters, including purchases, returns, and refunds.

1.2 If a page or feature presents a product-specific notice at the point of collection, that notice applies in addition to this Policy.

2. Categories of Personal Data We Collect

2.1 Data you provide directly (a) Contact and identity data, such as name, email address, and, for orders, shipping details and phone number if supplied. (b) Account or subscription data, such as newsletter opt in, preferences, and communication settings. (c) Transaction data, such as items ordered, amounts, currency, and order history. Payment card data is handled by our payment processor and is not stored by us. (d) Communications, such as emails and support requests, including any attachments you choose to send. (e) User-generated content, such as comments or feedback you submit on the Site or via social media pages that we operate.

2.2 Data collected automatically (a) Usage data, such as pages viewed, referring URLs, timestamps, and approximate location based on IP address. (b) Device and technical data, such as browser type, operating system, and similar diagnostic information. (c) Cookies and similar technologies. Essential cookies support core functions. Non-essential cookies, including analytics and advertising tags, operate only with consent where required. Details appear in the Cookie Policy.

2.3 Data from third parties (a) Hosting and site platform providers, including Squarespace, which supply logs and performance metrics. (b) Analytics providers, including Google Analytics, that generate aggregated and pseudonymous usage metrics. (c) Advertising and monetization partners, including Google AdSense when enabled, that may receive or generate identifiers if you consent in the EEA or the UK, and Amazon Associates. (d) Social platforms, including Pinterest and Instagram, when you interact with embeds or share content. (e) Payment and fulfillment partners, which provide confirmations necessary to complete your order and manage returns. (f) Storage and productivity tools, including Google Drive, that we use for secure file storage and internal administration.

3. Purposes and Legal Bases for Processing

Processing occurs only where a legal basis applies. For EU and UK residents, the principal bases under Articles 6 and 9 GDPR are listed below.

3.1 Providing the Site, processing orders, delivering digital content, and handling returns Legal basis: performance of a contract or steps at your request prior to entering a contract, Article 6(1)(b); compliance with legal obligations such as tax and accounting, Article 6(1)(c).

3.2 Email newsletters and promotional communications Legal basis: consent, Article 6(1)(a). You may withdraw consent at any time by using unsubscribe links or by contacting us.

3.3 Non-essential analytics and advertising technologies in the EEA and the UK Legal basis: consent, Articles 6(1)(a) and 5 of the ePrivacy rules as implemented by Member States. Analytics and ad personalization will not activate unless you consent through the consent banner or settings.

3.4 Security, fraud prevention, service integrity, and abuse detection Legal basis: legitimate interests, Article 6(1)(f), to protect the Site, users, and our business, balanced against your interests and rights. Where local law requires consent for certain device access, we will obtain it.

3.5 Customer support, quality assurance, and service improvement Legal basis: legitimate interests, Article 6(1)(f), including to understand how features are used and to develop new offerings. In the EEA and the UK, analytics that are not strictly necessary will rely on consent as described in Section 3.3.

3.6 Legal claims and compliance with requests from public authorities Legal basis: legal obligation, Article 6(1)(c), and legitimate interests, Article 6(1)(f), to establish, exercise, or defend legal claims.

3.7 Special categories of data We do not intentionally collect special categories of personal data within the meaning of Article 9(1). If you voluntarily submit such data, we will delete or restrict it unless a clear legal basis applies.

4. How We Share Personal Data

4.1 Service providers acting on our behalf We engage vetted processors to provide hosting, content management, analytics, security, email delivery, storage, payment processing, and shipping. These processors act under written data processing terms that meet Article 28 GDPR requirements.

4.2 Business partners and integrations With your consent where required, certain third parties set cookies or receive limited data when you interact with their features, for example embedded social posts or advertising tags. Their privacy practices apply to subsequent use.

4.3 Corporate and legal disclosures We may disclose data to professional advisers, auditors, insurers, or authorities where necessary for compliance or to protect rights, security, and property. If we reorganize the business, personal data may transfer to a successor that assumes obligations consistent with this Policy.

We do not sell personal data for monetary consideration. If we engage in interest-based advertising, the Cookie Policy will explain choices, including consent, withdrawal, and opt out mechanisms.

5. International Data Transfers

5.1 Our operations are based in Australia. When we transfer personal data from the EEA or the UK to countries without an adequacy decision, we implement appropriate safeguards, including the European Commission Standard Contractual Clauses and, for the UK, the International Data Transfer Addendum or the UK International Data Transfer Agreement, as applicable. Supplementary measures are applied where needed, taking into account the nature of the data and the services used.

5.2 Copies of the core SCC terms can be requested using the contact details in Section 13, subject to redactions for security and confidentiality.

6. Data Retention

6.1 Retention periods depend on context and purpose. We apply the following indicative periods, after which data is deleted or irreversibly anonymized unless a longer period is required by law or necessary to establish, exercise, or defend legal claims. (a) Newsletter subscriptions, until you withdraw consent or your email hard bounces, then limited suppression data retained to honor opt outs. (b) Transaction records, generally retained for up to 7 years to meet tax and accounting obligations. (c) Customer support records, generally retained for up to 3 years after resolution. (d) Web server logs for security and performance, generally retained for up to 12 months, or longer if needed for investigation. (e) Analytics data, retained in accordance with the configuration of the relevant provider, summarized in the Cookie Policy.

7. Your Rights

7.1 EU and UK residents You have the rights of access, rectification, erasure, restriction, objection, and data portability under Articles 15 to 21 GDPR, together with the right to withdraw consent at any time, without affecting the lawfulness of processing before withdrawal. You also have the right to lodge a complaint with your local supervisory authority, for example the CNIL in France, the Data Protection Commission in Ireland, or the ICO in the UK.

7.2 Australia You have rights to request access to personal information and correction under the Australian Privacy Principles. Complaints can be raised with us first, then with the Office of the Australian Information Commissioner if unresolved.

7.3 Exercising rights Contact us using the details in Section 13. We may request information necessary to verify your identity and to locate data in our systems. Responses will be provided within the time frames required by law.

8. Children’s Data

8.1 The Site is not directed to children. We do not knowingly collect personal data from anyone under 16 in the EEA or the UK without valid consent from a holder of parental responsibility under local law. If you believe a child has provided personal data without appropriate consent, contact us so that we can take steps to delete it.

9. Security

9.1 We maintain technical and organizational measures appropriate to the risk, including access controls, encryption in transit, restricted administrative privileges, secure configuration of the hosting platform, and staff practices designed to limit processing to what is necessary. No method of transmission or storage is completely secure, yet we endeavor to protect personal data using industry-aligned safeguards and continuous review.

10. Analytics and Advertising, High-Level Summary

10.1 Analytics. We use analytics tools to understand aggregate Site usage and performance. In the EEA and the UK, analytics that are not strictly necessary operate only with consent recorded through the Site’s consent interface. IP address handling and data retention settings are configured to reduce identifiability where possible.

10.2 Advertising. When Google AdSense is enabled, ad cookies and identifiers may be set for ad delivery and reporting with your consent in the EEA and the UK. Interest-based advertising is controlled through the consent interface described above and through browser settings and platform tools. The Cookie Policy will list partners and provide detailed choices.

11. Social Features and User-Generated Content

11.1 The Site links to or embeds content from Pinterest and Instagram. Interactions with those platforms are governed by their policies. If you choose to submit comments, reviews, or images, do not post personal data that you prefer not to make public. Content you publish may be indexed by search engines.

12. Automated Decision Making and Profiling

12.1 We do not engage in automated decision making that produces legal effects or similarly significant effects within the meaning of Article 22 GDPR. Analytics and advertising segments may be used to measure interest in content or to show non-essential ads with consent. You can withdraw consent or object to such processing as described above.

13. How to Contact Us

Controller: Marissa Shelton Primary contact email: marissa.e.shelton@gmail.com Principal place of business: Queensland, Australia If you reside in the EEA or the UK and wish to contact a local representative, you may write to us using the address above. If we appoint an EU or UK representative under Article 27, we will update this Policy with the representative’s contact details.

14. Legal Bases and Key References

14.1 GDPR Articles 5 and 6, principles and lawfulness of processing. 

14.2 GDPR Articles 12 to 14, transparency obligations at collection. 

14.3 GDPR Articles 15 to 21, individual rights. 

14.4 GDPR Article 28, processor obligations. 

14.5 GDPR Chapter V, international transfers and safeguards. 

14.6 ePrivacy rules as implemented by Member States for cookies and similar technologies. 

14.7 Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles for Australian users.

15. Changes to This Policy

15.1 We may update this Policy to reflect legal, technical, or operational developments. Material changes will be signposted on the Site, and where required, we will seek your consent again for materially different uses of personal data. The date at the top indicates when the Policy took effect. Continued use of the Site after an update signifies that you have read the revised version.

16. Complaints

16.1 EU and UK residents may complain to their supervisory authority. Contact details are available from the European Data Protection Board or the ICO. You may also seek a remedy before competent courts. 

16.2 Australia. You may contact the Office of the Australian Information Commissioner. We request that you contact us first so that we have an opportunity to address your concerns.

17. Additional Information for Purchases and Returns

17.1 When you buy merchandise, we process personal data to fulfill the contract, manage shipping, handle returns or refunds, and comply with tax requirements. The lawful bases are Article 6(1)(b) and 6(1)(c). Retention for these records follows the periods set out in Section 6. 

17.2 Transactional messages about your order are service communications, not marketing. You receive these messages even if you opt out of newsletters.

18. Data Minimization and Accountability

18.1 We collect the minimum personal data needed for the purposes explained above. Access to personal data is limited to personnel and providers who require it to perform their tasks. We maintain internal records of processing activities and review our vendors and configurations at regular intervals to support compliance with the GDPR accountability principle.

Summary of Your Core Choices 

• Subscribe or unsubscribe to newsletters at any time. 

• In the EEA and the UK, grant or refuse consent for analytics and advertising cookies, and change that choice later through the Site’s consent settings. 

• Request access, correction, deletion, or portability using the contact in Section 13. 

• Object to processing based on legitimate interests and request restriction where applicable. 

• Lodge a complaint with your data protection authority.

If any provision in this Policy conflicts with mandatory law in your country of residence, the mandatory rule governs to the extent of the conflict.