Privacy Policy

Last updated: 9 April 2026

This Privacy Policy explains how B.Glamorous (“we”, “us”, “our”) collects, uses, stores, and protects your personal data when you visit our website b-glamorous.com, place an order, or contact us. We process your data in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679 — “GDPR”) and the Maltese Data Protection Act (Cap. 586 of the Laws of Malta).

1. Who we are (Data Controller)

B.Glamorous
Commercial D, Capital Height
Victoria (Rabat), Gozo
Malta
Email: shop@b-glamorous.com

For any privacy-related question, please contact us at the email address above. As a small business we are not required to appoint a Data Protection Officer under Article 37 GDPR, but you can address all data protection enquiries to the contact above.

2. What personal data we collect

Depending on how you interact with us, we may collect and process the following categories of personal data:

  • Identification and contact data: first name, last name, email address, telephone number.
  • Delivery and billing data: postal address, country, postcode.
  • Order data: products ordered, order value, order date, order history, delivery preferences, notes you add to the order.
  • Payment data: we do not store full card details on our servers. Payments are processed by our payment provider (see Section 5). We only retain a transaction reference, the amount, and the payment status.
  • Account data (optional): if you create a customer account, we store your username, hashed password, and the data above.
  • Communication data: messages you send us via the contact form, email, social media, or in-store enquiries.
  • Technical data: IP address, browser type and version, device type, operating system, time zone, the pages you view, and the time and date of your visit. This is collected automatically through cookies and server logs.
  • Marketing data (optional): if you subscribe to our newsletter, your email address and your consent record.

We do not knowingly collect special categories of personal data (such as health, religion, or political views) and we do not process biometric data.

3. Why we process your data and on what legal basis

We process personal data only when we have a lawful basis under Article 6 GDPR. The table below sets out, for each purpose, the data involved and the legal basis we rely on.

PurposeData usedLegal basis (Article 6 GDPR)
Process and deliver your ordersIdentification, contact, delivery, payment, order dataPerformance of a contract — Art. 6(1)(b)
Manage your customer accountAccount data, order historyPerformance of a contract — Art. 6(1)(b)
Respond to your enquiries (contact form, email, social media)Contact and communication dataLegitimate interest — Art. 6(1)(f) (responding to customer enquiries)
Comply with Maltese tax, VAT, and consumer-protection lawOrder, payment, billing dataLegal obligation — Art. 6(1)(c)
Send newsletters, promotions, new collection announcementsEmail, marketing dataConsent — Art. 6(1)(a) (you can withdraw at any time)
Display the website and prevent fraud and abuseTechnical data, IP addressLegitimate interest — Art. 6(1)(f) (security and operation of the website)
Analytics and audience measurement (only if you accept the cookie banner)Technical data, browsing behaviourConsent — Art. 6(1)(a)
Defend or pursue legal claimsAny of the above, as relevantLegitimate interest — Art. 6(1)(f)

4. How long we keep your data

  • Order, billing, and payment records: retained for the period required by Maltese tax and commercial law (currently 10 years from the end of the financial year in which the transaction occurred).
  • Customer account data: retained for as long as your account is active. If your account is inactive for 3 years and you have not placed an order, we may delete or anonymise it.
  • Marketing data (newsletter): retained until you unsubscribe or withdraw consent. After unsubscribing, we keep a minimal “do not contact” record so we do not accidentally email you again.
  • Contact form messages and email correspondence: retained for up to 2 years from the last contact, then deleted.
  • Server logs and technical data: retained for up to 12 months for security and troubleshooting.
  • Cookies: see Section 7 below.

5. Who we share your data with

We never sell your personal data. We only share it with the following categories of recipients, and only to the extent necessary for the purposes set out above:

  • Payment service providers — to process card payments securely. They act as independent controllers for the payment transaction and are PCI-DSS compliant.
  • Shipping and courier companies — to deliver your order to the address you provided.
  • IT service providers and web hosting — to host the website, store the database, and provide email services. These providers act as data processors on our instructions and are bound by a written data processing agreement under Article 28 GDPR.
  • Email and marketing tool providers — only if you have subscribed to our newsletter.
  • Maltese tax and regulatory authorities — where we are legally required to disclose information (for example, the Office of the Commissioner for Revenue).
  • Legal advisors, courts, or law enforcement — where necessary to defend our legal rights or respond to a lawful request.

6. International transfers

We aim to keep your personal data within the European Economic Area (EEA). Where a service provider is located outside the EEA (for example, a payment processor or analytics provider), we only transfer data when:

  • the country has been recognised by the European Commission as offering an adequate level of data protection (Article 45 GDPR), or
  • the transfer is governed by Standard Contractual Clauses approved by the European Commission (Article 46 GDPR), or
  • another lawful safeguard under Chapter V of the GDPR applies.

You can request a copy of the safeguards we have in place by emailing shop@b-glamorous.com.

7. Cookies and similar technologies

Our website uses cookies to provide essential functionality and, with your consent, to measure how visitors use the site. The first time you visit, we ask for your consent through a cookie banner. You can change or withdraw your consent at any time via the cookie settings link.

  • Strictly necessary cookies — required for the cart, checkout, login, and security. These do not require consent.
  • Functional cookies — remember your preferences (such as language or currency).
  • Analytics cookies — only set if you accept them. They help us understand how the site is used so we can improve it.
  • Marketing cookies — only set if you accept them. They may be used to show you relevant promotions.

8. Your rights under the GDPR

You have the following rights regarding your personal data. To exercise any of them, contact us at shop@b-glamorous.com. We will respond within one month, as required by Article 12(3) GDPR.

  • Right of access (Art. 15) — obtain confirmation that we process your data and request a copy.
  • Right to rectification (Art. 16) — ask us to correct inaccurate or incomplete data.
  • Right to erasure (Art. 17) — ask us to delete your data, subject to legal retention obligations.
  • Right to restriction of processing (Art. 18) — ask us to limit how we use your data in certain circumstances.
  • Right to data portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format and have it transferred to another controller.
  • Right to object (Art. 21) — object to processing based on our legitimate interests, including for direct marketing purposes.
  • Right to withdraw consent (Art. 7(3)) — withdraw your consent at any time, without affecting the lawfulness of processing carried out before the withdrawal.
  • Right not to be subject to automated decision-making (Art. 22) — we do not carry out solely automated decisions that have legal or similarly significant effects on you.

9. Right to lodge a complaint

If you believe that our processing of your personal data infringes the GDPR or Maltese data protection law, you have the right to lodge a complaint with the Maltese supervisory authority:

Office of the Information and Data Protection Commissioner (IDPC)
Floor 2, Airways House, High Street
Sliema SLM 1549, Malta
Tel: +356 2328 7100
Email: idpc.info@idpc.org.mt
Website: idpc.org.mt

You also have the right to seek a judicial remedy under Articles 78 and 79 GDPR.

10. Is providing your data mandatory?

Providing your contact, delivery, and payment data is a contractual requirement when you place an order: without it we cannot process or deliver the order. Subscribing to our newsletter is entirely voluntary.

11. Children

Our website and shop are intended for adults. We do not knowingly collect personal data from children under the age of 16 (the age threshold set in Maltese law for information-society services under Article 8 GDPR). If you become aware that a child has provided personal data to us, please contact us and we will delete it.

12. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include HTTPS encryption, access controls, security plugins, regular software updates, and restricted database access. No method of transmission over the internet is 100% secure, but we work to protect your data using industry-standard practices.

13. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or the law. The most recent version will always be available on this page, with the “Last updated” date at the top. Significant changes will be highlighted on the website.

14. Contact

For any question about this Privacy Policy or how we handle your personal data, please email us at shop@b-glamorous.com.