Privacy Policy

1. Who we are

This Privacy Policy describes how Agni Natural Living ("Agni", "we", "us") handles your personal information when you visit agnishop.com or interact with us through email. Agni is based in Ontario, Canada. Our trademark "AGNI LIVING" is filed in Canada (Class 21, Application 2469907). This policy applies only to agnishop.com — purchases through future channels like Amazon, Etsy, or Faire are governed by those platforms' privacy policies.

2. Privacy Officer

You can reach the person responsible for our privacy practices at [email protected]. We respond within one business day.

3. What information we collect

From the email signup form: your email address; optionally your first name.

From the wholesale inquiry form: your name, business name, email, optional phone, business type, estimated quantity, branding interest, country/region, timeline, and any message you send.

From the contact form: your name, email, subject, and message.

Automatically, when you visit the site: your IP address and basic request metadata, processed by Cloudflare for security and to deliver the site to you. Aggregate traffic data via Cloudflare Web Analytics (cookieless and unable to identify individuals).

We do not collect: payment information (we don't accept payment through this site yet), location beyond country (no GPS, no precise geolocation), behavioural advertising profiles, or data from third-party data brokers.

4. Why we use your information

We use what you give us to: respond to your inquiry, send you updates and offers you've consented to receive, fulfill orders (when we begin selling), keep the site secure and prevent fraud, and improve our content and product range.

We do not use your information to: build advertising profiles, sell to third parties, train AI models, or share with anyone outside the service providers listed below.

5. Legal basis (for visitors in the EU and UK)

If you are located in the EU or UK, we rely on the following legal bases under the GDPR / UK GDPR:

• Consent (Article 6(1)(a)) — for marketing emails. You opt in when you submit a form. You can withdraw consent at any time by unsubscribing or emailing us.
• Legitimate interests (Article 6(1)(f)) — for site security, fraud prevention, and aggregate analytics. We've balanced these interests against your privacy and concluded the impact is minimal because the data is short-lived and de-identified.
• Contract (Article 6(1)(b)) — when we begin processing orders, for the purpose of fulfilling your purchase.

6. Service providers we use

We use a small number of third-party services to run the site and our email program. Each is a "processor" under privacy law — they handle your data on our instructions, not their own.

• Klaviyo (Boston, MA, USA) — manages our email list and the data you submit through the wholesale, contact, and signup forms. We have a Data Processing Addendum (DPA) with Klaviyo. For visitors in the EU and UK, transfers to the US are covered by Standard Contractual Clauses included in Klaviyo's DPA.
• Cloudflare (San Francisco, CA, USA) — hosts the site, provides our DNS, CDN, security/WAF, and Web Analytics. Cloudflare may process your IP address and request metadata at the edge for security purposes. Cloudflare Web Analytics is cookieless, server-side, and does not fingerprint visitors or track them across sites.
• Hostinger (Limassol, Cyprus / EU) — handles the agnishop.com domain registration and incoming/outgoing email at @agnishop.com.
• Google Fonts (Google LLC, USA) — fonts loaded from fonts.googleapis.com. Google sees your IP address as part of the font request. We're evaluating self-hosting fonts to remove this dependency.
• GitHub (Microsoft, USA) — stores the source code for this website. No customer data is in the repository.

7. International data transfers

Because we use US-based services (Klaviyo, Cloudflare, GitHub) and an EU-based service (Hostinger), your information leaves Canada when we use them. For EU and UK visitors, transfers to the US rely on Standard Contractual Clauses approved by the European Commission and the UK addendum. We've reviewed our processors' privacy commitments and consider their protections comparable to Canadian standards under PIPEDA Principle 4.1.3.

8. Cookies and tracking

We do not set cookies on your device. Our analytics provider (Cloudflare Web Analytics) is cookieless. Klaviyo does not load tracking scripts on this site — only its API is called from a form submission, which doesn't create a tracking profile. If we ever add a payment system or richer personalization that requires cookies, we'll update this policy and add a cookie consent banner.

9. Marketing emails (CASL)

Canada's Anti-Spam Legislation (CASL) requires us to get your express consent before sending marketing email, identify ourselves clearly in every message, and offer a one-click unsubscribe in every email. We do all three. You can unsubscribe at any time using the link in any email or by emailing us. We retain proof of your opt-in consent for the period CASL requires, plus a reasonable buffer (typically 24 months from the last interaction).

10. How long we keep your information

• Email subscribers: until you unsubscribe, plus 24 months for proof-of-consent records.
• Wholesale leads: 24 months from your last contact with us, then deleted unless we have an active business relationship.
• Contact form submissions: until the matter is resolved, plus 12 months.
• Security logs (Cloudflare): approximately 30 days.

11. Your rights

You have the right to:

• Access the personal information we hold about you.
• Correct information that's inaccurate.
• Delete your information (we'll do this unless we have a legal reason to keep it, like CASL consent records).
• Withdraw consent at any time, including unsubscribing from marketing.
• Portability — receive your data in a machine-readable format (Quebec residents have an explicit right to this since September 2024; we extend it to all visitors).
• Object to processing or restrict it (EU/UK visitors).
• Lodge a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca), the Commission d'accès à l'information du Québec, the UK Information Commissioner's Office, or your local EU supervisory authority.

To exercise any of these rights, email [email protected]. We respond within 30 days.

12. Children's privacy

This site is not directed to children. We do not knowingly collect information from anyone under 13 (Canada / US), under 14 (Quebec), or under 16 (EU). If you believe a child has submitted information to us, please email [email protected] and we'll delete it.

13. Security

The site runs over HTTPS with a current TLS configuration. Form submissions are transmitted encrypted. Our processors (Klaviyo, Cloudflare) maintain SOC 2 / ISO 27001 controls. We restrict internal access to personal information on a need-to-know basis. No system is perfectly secure, but we aim for reasonable, current, industry-standard safeguards.

14. Data breach notification

Under PIPEDA, we are required to notify the Office of the Privacy Commissioner of Canada and affected individuals if a breach of security safeguards creates a real risk of significant harm. Quebec's Law 25 has parallel obligations through the CAI. We take both seriously and will notify you promptly if such an event occurs.

15. Automated decision-making

We do not make decisions about you using automated profiling or AI without human review. If we ever do, we'll update this policy and tell you about your right (under Quebec Law 25 and the GDPR) to request human review.

16. Changes to this policy

We may update this policy as our practices change. The "Last updated" date at the top reflects the most recent revision. If we make material changes, we'll let you know by email (if you're subscribed) and ask for fresh consent where required. Older versions are kept on request.

17. Contact us

For any privacy question, request, or complaint:

Privacy Officer, Agni Natural Living
[email protected]
Ontario, Canada