Email signup popups and discount codes
This section explains what happens to your data when you interact with our website's email signup popup — the gamified popup that may offer you a discount code in exchange for your email address. It supplements the rest of this privacy policy; the standard sections above (your rights, retention, contact, supervisory authority complaint right, etc.) continue to apply.
What we collect when the popup appears
- A random visitor ID stored in your browser's
localStorageasci_vid. It contains no personal information — we use it only to remember whether you've already seen, dismissed, or claimed a popup so we don't show it to you again. - The campaign ID of the popup shown (no personal data).
-
UTM parameters from the page URL
(
utm_source,utm_medium, etc.) so we can measure which marketing channels work. - Your IP address, temporarily (maximum 1 hour, in our short-term cache only) to prevent spam and abuse. We never store your IP address in our database.
What we collect when you submit your email
The popup form asks for two separate consents before processing your submission:
- Terms and privacy policy acceptance (required) — you confirm that you have read and accept this privacy policy. Without this, the form will not submit.
- Marketing email subscription (optional) — you confirm that you want to receive marketing emails from us. You can leave this unchecked and still claim your discount code; we just won't add you to our marketing list.
After submission we store:
- Your email address.
- A record of both consents (which text you accepted, when, for which campaign) — this is required by GDPR Art. 7 so we can prove you gave consent if asked.
- A 6-digit verification code we email to you, valid for 2 minutes only, then auto-deleted.
What we collect when you redeem a discount
- The discount code we issued to you.
- The order ID from Shopify, passed to us via Shopify's order webhook when you complete a purchase using the code.
- Whether the code was used.
What we do NOT collect
- Your name, address, or phone number.
- Browser fingerprint or User-Agent string.
- Cookies that track you across other websites.
Why we process this data (legal basis under GDPR Art. 6)
| Purpose | Legal basis |
|---|---|
| Show you a popup and remember if you've already seen it | Legitimate interest (Art. 6(1)(f)) |
| Verify your email by sending you a 6-digit code | Performance of contract (Art. 6(1)(b)) — you asked for a discount |
| Issue a discount code in your name | Performance of contract (Art. 6(1)(b)) |
| Add you to our marketing email list | Your explicit consent (Art. 6(1)(a)) — only if you tick the optional second checkbox |
| Prevent spam and abuse (IP-based rate limit) | Legitimate interest (Art. 6(1)(f)) |
| Keep tax and order records once a code is used | Legal obligation (Art. 6(1)(c)) |
Who we share popup data with
- Klaviyo (our email service provider, based in the United States) — receives your email address only if you ticked the optional marketing checkbox, and only after we have verified your email via the 6-digit code. Klaviyo also sends you the discount code itself — that is a transactional email, sent regardless of marketing opt-in, because it's the service you asked for. Klaviyo's privacy policy: klaviyo.com/legal/privacy. Data is transferred under the EU Standard Contractual Clauses.
- Shopify — the discount code is created in our Shopify store; Shopify's privacy policy applies to that data: shopify.com/legal/privacy.
We do not sell your data. We do not share popup data with advertising networks.
How long we keep popup data
| Data | Retention |
|---|---|
| Visitor ID, popup interaction log | Until you ask us to delete it, or 3 years of inactivity |
| Email verification code | 2 minutes (then auto-deleted) |
| Consent record | 3 years from the date of consent (standard marketing-consent audit period per EDPB WP259); anonymized — not deleted — if you ask for erasure, to preserve the audit trail required by GDPR Art. 7(1) |
| Discount code (not redeemed) | Until you redeem it or it expires |
| Discount code (redeemed) | Permanent (tax records); your email anonymized if you ask for erasure |
| IP address | Maximum 1 hour in our short-term cache (rate limit only); never persisted |
How to withdraw consent for marketing emails
- Click the unsubscribe link at the bottom of any marketing email we send you. This is the fastest way and works at any time (GDPR Art. 7(3)).
- Or contact us using the details in the contact section above.
Unsubscribing only removes you from marketing emails. Transactional emails (verification codes, discount code delivery) will still be sent if you submit the popup form, because they are necessary to fulfil your discount request.
Your other rights for popup data
The standard data subject rights described elsewhere in this privacy policy also apply to popup data: access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint with a supervisory authority. Email us using the contact details above.