Privacy Policy
1. Introduction and Controller
1.1 We are pleased that you are visiting firmlyflow and thank you for your interest. This Privacy Policy explains how we handle your personal data when you use our services. Personal data means any information relating to an identified or identifiable natural person.
1.2 The controller responsible for data processing on this website within the meaning of the General Data Protection Regulation (GDPR) is:
firmlyflow Official Store: HONG KONG
Email: support@firmlyflow.com
The controller is the legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data.
2. Data Collection When Visiting Our Website
2.1 Informational use of the website (server log files)
If you use our website for informational purposes only, we collect the following data transmitted by your browser to our server:
The website visited, date and time of access, amount of data transferred, referrer URL, browser type/version, operating system, and IP address.
Legal Basis: Art. 6(1)(f) GDPR (Legitimate interest in stability and security).
2.2 SSL/TLS encryption
To protect the transmission of orders or inquiries, our website uses SSL or TLS encryption (recognized by “https://” and the lock symbol in your browser bar).
3. Hosting & Content Delivery Networks (CDN)
3.1 Shopify
We use Shopify International Limited (Ireland) and Shopify Inc. (Canada) for hosting and order processing.
Data Protection: Canada has an adequacy decision by the EU Commission. We have concluded a Data Processing Agreement (DPA) with Shopify.
3.2 AWS & Cloudflare
We use Amazon Web Services (AWS) and Cloudflare for infrastructure security and loading performance.
Data Transfer: For transfers to the USA, these providers rely on the EU-US Data Privacy Framework (DPF).
4. Cookies and Consent Management
We use cookies to enable website functions and for marketing.
Technical Cookies: Necessary for site operation (Art. 6(1)(b) GDPR).
Marketing/Analytics Cookies: Only processed with your explicit consent (Art. 6(1)(a) GDPR) granted via our Cookie Consent Tool. You may withdraw consent at any time.
5. Contact and Customer Support
5.1 Email Support
When you contact us via email, we process your email address and the content of your inquiry solely to handle and respond to your request.
Legal Basis: Art. 6(1)(b) GDPR (Performance of a contract or pre-contractual measures).
5.2 Review Reminders (Judge.me)
With your consent (Art. 6(1)(a) GDPR), we transmit your email and order data to Judge.me to send review requests after purchase.
6. Marketing and Newsletters (Klaviyo)
6.1 Our newsletters are sent via Klaviyo, Inc. (USA). We use a "Double Opt-In" procedure to ensure your consent.
Withdrawal: You can unsubscribe via the "Unsubscribe" link in any email or by contacting us directly.
Data Transfer: Klaviyo relies on the EU-US DPF and Standard Contractual Clauses (SCCs).
7. Order Processing and Shipping
7.1 Fulfillment
To fulfill your order, we transfer data to our fulfillment partners, including logistics partners located in Shenzhen, China.
Legal Basis: Art. 6(1)(b) GDPR (Performance of a contract).
7.2 Shipping Providers (e.g., DHL, FedEx, UPS)
We transmit recipient name and address to our shipping partners for delivery. Your email/phone is only shared with your consent (Art. 6(1)(a) GDPR) for delivery notifications.
7.3 Payment Service Providers
Depending on your choice, your payment data is processed by:
Shopify Payments, Airwallex, Apple Pay, Google Pay, PayPal, or Klarna. Data is shared only to the extent necessary for payment processing (Art. 6(1)(b) GDPR).
8. Online Marketing and Analytics
We use the following tools only with your prior consent (Art. 6(1)(a) GDPR):
Google Analytics 4: For user behavior analysis (IP anonymization active).
Meta Pixel: For tracking conversions from Facebook/Instagram ads.
Google Ads & Remarketing: For interest-based advertising.
Hotjar / PostHog: For optimizing website design and user experience.
9. International Data Transfers
We are a Hong Kong-based company with fulfillment operations in Mainland China, so your data may be accessed by our staff in these locations. We ensure appropriate safeguards (such as Standard Contractual Clauses) are in place to maintain a level of data protection equivalent to the GDPR.
10. Your Rights (Data Subject Rights)
Under the GDPR, you have the following rights:
Art. 15: Right to access your data.
Art. 16: Right to rectification.
Art. 17: Right to erasure ("Right to be forgotten").
Art. 18: Right to restriction of processing.
Art. 20: Right to data portability.
Art. 21: Right to object to processing based on legitimate interests.
Art. 7(3): Right to withdraw consent at any time.
To exercise these rights, please contact: support@dermynex.com
11. Storage Duration
We store personal data only as long as necessary for the purpose for which it was collected or to comply with legal retention periods (e.g., commercial and tax retention periods for accounting).
Last Updated: April 2, 2026