PRIVACY POLICY
Full Disclosure & Security Protocol
OVERVIEW
Last Updated: May 6, 2026
This Privacy Policy describes how personal information is collected, used, and shared when you visit or make a purchase from epiclootshop.com (the "Site"). The Site and the Epic Loot Shop brand (collectively, the "Company," "we," "us," or "our") are committed to protecting your privacy.
For the purposes of the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA), the Personal Information Protection and Electronic Documents Act (PIPEDA - Canada), and the Australian Privacy Act, the Company is the Data Controller responsible for your personal information. Our service is offered globally, including to customers in the United States, the European Union, the United Kingdom, Australia, Canada, and the EMEA region. Personal data may be transferred between jurisdictions under appropriate safeguards, including Standard Contractual Clauses (SCCs) where required.
Full registration and contact details are provided at the end of this Policy under "Questions and Contact Information."
SECTION 1 - WHAT DO WE DO WITH YOUR INFORMATION?
When you purchase something from our store, as part of the buying and selling process, we collect the personal information you give us such as your name, address and email address.
When you browse our store, we also automatically receive your computer’s internet protocol (IP) address in order to provide us with information that helps us learn about your browser and operating system.
Email marketing (if applicable): With your permission, we may send you emails about our store, new products and other updates.
Legal Basis for Processing (GDPR / UK GDPR)
If you are a resident of the European Economic Area (EEA) or the United Kingdom, our legal basis for collecting and using the personal information described in this Privacy Policy depends on the personal information concerned and the specific context in which we collect it. We rely on the following legal bases:
• Consent (Art. 6(1)(a) GDPR): For marketing communications, including SMS marketing and email newsletters. You may withdraw your consent at any time.
• Contract (Art. 6(1)(b) GDPR): To process and fulfill your orders, manage payments, and provide customer support.
• Legitimate Interests (Art. 6(1)(f) GDPR): To prevent fraud, secure our Site, conduct analytics, and improve our products and services - balanced against your rights and freedoms.
• Legal Obligation (Art. 6(1)(c) GDPR): To comply with tax, accounting, and other legal requirements applicable to our business.
SECTION 2 - CONSENT
How do you get my consent?
When you provide us with personal information to complete a transaction, verify your credit card, place an order, arrange for a delivery or return a purchase, we imply that you consent to our collecting it and using it for that specific reason only.
If we ask for your personal information for a secondary reason, like marketing, we will either ask you directly for your expressed consent, or provide you with an opportunity to say no.
How do I withdraw my consent?
If after you opt in, you change your mind, you may withdraw your consent for us to contact you, for the continued collection, use or disclosure of your information, at any time, by contacting us at support@epiclootshop.com.
How Can I Stop Receiving Marketing Communications?
Each commercial email Epic Loot Shop sends contains an unsubscribe link through which you may easily opt-out of receiving future commercial emails from us. If you do not wish to receive additional commercial emails from Epic Loot Shop, simply click the unsubscribe link and follow the instructions to unsubscribe your e-mail address or to change your preferences about the types of e-mail we send you.
Similarly, each commercial e-mail sent by one of our customers through Epic Loot Shop service contains an unsubscribe link. Simply click on that link and follow the instructions to unsubscribe your e-mail address.
If you have unsubscribed but continue to receive e-mail from us or from one of our customers, or if you receive any other types of marketing communications and want to unsubscribe, please contact support@epiclootshop.com. Unsubscribe and opt-out requests are processed immediately upon receipt; please allow a brief processing window for our systems to fully update.
Program Description: By subscribing to the Epic Loot Shop SMS marketing program, you agree to receive recurring automated marketing text messages (including cart abandonment reminders) from Epic Loot Shop at the mobile phone number you provided when you subscribed. Message content may include promotional offers, discounts, new product launches, exclusive deals, abandoned shopping cart reminders, and other promotional information.
How You Sign Up (Single Opt-In): Consent is provided by you when you submit your mobile phone number through one of our subscription forms (such as a website pop-up, checkout page, or keyword opt-in) and click "Subscribe," "Sign Up," "Submit," or a similar button confirming your enrollment. Upon submission, you may immediately receive a marketing or welcome text message confirming your subscription. By submitting your number, you expressly consent to receive automated marketing text messages from Epic Loot Shop.
Automated Technology: You acknowledge that messages may be sent using an automatic telephone dialing system (ATDS) or other automated technology. Consent to receive automated marketing text messages is NOT a condition of any purchase.
Message Frequency: Message frequency is recurring and varies. You may receive up to 10 messages per month, depending on your interaction with our store.
Costs: Message and data rates may apply based on your mobile carrier plan. Epic Loot Shop is not responsible for any charges incurred from your wireless carrier.
Carriers: Carriers, including but not limited to AT&T, T-Mobile, Verizon, Sprint, US Cellular, Boost, MetroPCS, and others, are not liable for delayed or undelivered messages. Supported carriers may change without notice.
How to Opt-Out: You can cancel the SMS service at any time by replying STOP, END, CANCEL, UNSUBSCRIBE, or QUIT to any text message you receive from us. After you send the opt-out message, we will send you a confirmation message acknowledging your unsubscribe. You will no longer receive SMS messages from us. If you wish to rejoin the program, just sign up again as you did the first time and we will start sending SMS messages to you again.
How to Get Help: Reply HELP to any message for customer support information, or contact us directly at support@epiclootshop.com.
Eligibility: You must be at least 18 years of age (or the age of majority in your jurisdiction) to subscribe to our SMS program. You also represent that you are the owner or authorized user of the mobile phone number you provide and authorized to incur any applicable charges.
Opt-Out Methods: You understand and agree that attempting to opt-out by any means other than texting the opt-out commands above is not a reasonable means of opting out.
No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. All categories of personal information described in this Privacy Policy specifically exclude text messaging originator opt-in data and consent; this information will NOT be shared, sold, rented, leased, or otherwise transferred to any third parties or affiliates under any circumstances.
Information collected through our SMS program (including your mobile phone number, opt-in consent records, and message history) is used exclusively by Epic Loot Shop to deliver the SMS marketing program you signed up for. The only parties with whom this data is shared are essential service providers who help us operate the SMS program (such as our SMS platform provider, Klaviyo) and only to the extent strictly necessary to deliver the messages to you. These providers are contractually prohibited from using your data for their own marketing or any other purpose.
SECTION 3 - DISCLOSURE
We may disclose your personal information if we are required by law to do so or if you violate our Terms of Service. Beyond these circumstances and the limited service-provider sharing described elsewhere in this Policy, we do not sell, rent, or trade your personal information to third parties for their own marketing purposes.
SECTION 4 - SHOPIFY
Our store is hosted on Shopify Inc. They provide us with the online e-commerce platform that allows us to sell our products and services to you.
Your data is stored through Shopify’s data storage, databases and the general Shopify application. They store your data on a secure server behind a firewall.
Payment:
If you choose a direct payment gateway to complete your purchase, then Shopify stores your credit card data. It is encrypted through the Payment Card Industry Data Security Standard (PCI-DSS). Your purchase transaction data is stored only as long as is necessary to complete your purchase transaction. After that is complete, your purchase transaction information is deleted.
All direct payment gateways adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, Mastercard, American Express and Discover. PCI-DSS requirements help ensure the secure handling of credit card information by our store and its service providers.
For more insight, you may also want to read Shopify’s Terms of Service or Privacy Statement.
SECTION 5 - THIRD-PARTY SERVICES
In general, the third-party providers used by us will only collect, use and disclose your information to the extent necessary to allow them to perform the services they provide to us.
However, certain third-party service providers, such as payment gateways and other payment transaction processors, have their own privacy policies in respect to the information we are required to provide to them for your purchase-related transactions.
For these providers, we recommend that you read their privacy policies so you can understand the manner in which your personal information will be handled by these providers.
International Data Transfers: Certain providers may be located in or have facilities that are located in a different jurisdiction than either you or us (including the United States, the European Union, and other regions). If you elect to proceed with a transaction that involves the services of a third-party service provider, then your information may become subject to the laws of the jurisdiction(s) in which that service provider or its facilities are located.
For transfers of personal data from the European Economic Area, the United Kingdom, or Switzerland to countries that have not received an adequacy decision, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum to ensure that your data continues to be protected to GDPR standards.
Once you leave our store’s website or are redirected to a third-party website or application, you are no longer governed by this Privacy Policy or our website’s Terms of Service.
SECTION 6 - SECURITY
To protect your personal information, we take reasonable precautions and follow industry best practices to make sure it is not inappropriately lost, misused, accessed, disclosed, altered or destroyed.
If you provide us with your credit card information, the information is encrypted using secure socket layer technology (SSL) and stored with AES-256 encryption. Although no method of transmission over the Internet or electronic storage is 100% secure, we follow all PCI-DSS requirements and implement additional generally accepted industry standards. The data controller responsible for processing this information is Michal Kapah, operating under tax/VAT identification number 203399894 within the EMEA region; all processing activities are carried out in accordance with applicable PCI-DSS, GDPR, and ISO 27001-aligned operational standards.
SECTION 7 - COOKIES
Here is a list of cookies that we use. We’ve listed them here so that you can choose if you want to opt out of cookies or not.
- _session_id: unique token, sessional, Allows Shopify to store information about your session (referrer, landing page, etc).
- _shopify_visit: no data held, Persistent for 30 minutes from the last visit, Used by our website provider’s internal stats tracker to record the number of visits.
- _shopify_uniq: no data held, expires midnight (relative to the visitor) of the next day, Counts the number of visits to a store by a single customer.
- cart: unique token, persistent for 2 weeks, Stores information about the contents of your cart.
- _secure_session_id: unique token, sessional.
- storefront_digest: unique token, indefinite. If the shop has a password, this is used to determine if the current visitor has access.
Detailed Cookies Policy
epiclootshop.com ("us", "we", or "our") uses cookies on the website. By using the Service, you consent to the use of cookies. Cookies are small pieces of text sent to your web browser by a website you visit. A cookie file is stored in your web browser and allows the Service or a third-party to recognize you and make your next visit easier and the Service more useful to you.
HOW EPICLOOTSHOP.COM USES COOKIES: We use cookies to enable certain functions, and to track behavior with analytics tools such as Facebook Pixel, Hotjar and Google Analytics. We record and review your (scrolling, clicking, buying) behavior on the website in order to improve your experience.
Your Choices Regarding Cookies
If you'd like to delete cookies or instruct your web browser to delete or refuse cookies, please visit the help pages of your web browser:
SECTION 8 - YOUR PRIVACY RIGHTS
Rights Under GDPR (EU / UK / EEA Residents)
If you are a resident of the European Economic Area, the United Kingdom, or Switzerland, you have the following rights regarding your personal data:
• Right of Access: Request a copy of the personal data we hold about you.
• Right to Rectification: Request correction of inaccurate or incomplete data.
• Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data, subject to legal retention obligations.
• Right to Restriction of Processing: Request that we limit how we use your data.
• Right to Data Portability: Request your data in a structured, machine-readable format.
• Right to Object: Object to processing based on legitimate interests or for direct marketing.
• Right to Withdraw Consent: Withdraw consent at any time, where processing is based on consent.
• Right to Lodge a Complaint: File a complaint with your local data protection supervisory authority.
Rights Under CCPA / CPRA (California Residents)
If you are a California resident, you have the following rights:
• Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you.
• Right to Delete: Request deletion of personal information we have collected.
• Right to Correct: Request correction of inaccurate personal information.
• Right to Opt-Out of Sale or Sharing: Opt out of the "sale" or "sharing" of personal information. Note: Epic Loot Shop does not sell or share personal information as defined under the CCPA.
• Right to Limit Use of Sensitive Personal Information.
• Right to Non-Discrimination: You will not receive discriminatory treatment for exercising any of your CCPA rights.
Rights Under PIPEDA (Canada) and the Australian Privacy Act
Residents of Canada and Australia have rights to access and correct their personal information held by us, and to make complaints to the Office of the Privacy Commissioner of Canada (OPC) or the Office of the Australian Information Commissioner (OAIC), respectively.
How to Exercise Your Rights
To exercise any of the rights described above, please contact us at support@epiclootshop.com. We will respond to verifiable requests within the timeframes required by applicable law (generally 30 days under GDPR, 45 days under CCPA). We may need to verify your identity before fulfilling certain requests.
SECTION 9 - DATA RETENTION
We retain personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law:
• Order & Transaction Records: Retained for up to 7 years following the date of purchase, in compliance with tax, accounting, and consumer protection laws.
• Customer Account Information: Retained for as long as your account is active, plus a reasonable period thereafter, or until you request deletion.
• Email Marketing Data: Retained until you unsubscribe or withdraw consent, after which your data is removed from active marketing lists.
• SMS Marketing Data (phone numbers, opt-in consent records, message logs): Retained for as long as you remain subscribed to the SMS program. Upon opt-out, your phone number is suppressed and consent records are retained only as required for legal/regulatory proof of consent under TCPA (typically 4 years).
• Website Analytics & Cookies: Retained according to the lifespan of each cookie as listed in Section 7.
• Customer Support Communications: Retained for up to 3 years after the last interaction.
When personal data is no longer needed, it is securely deleted or anonymized.
SECTION 10 - AGE OF CONSENT
By using this site, you represent that you are at least the age of majority in your state or province of residence, or that you are the age of majority in your state or province of residence and you have given us your consent to allow any of your minor dependents to use this site. We do not knowingly collect personal information from children under the age of 13 (or 16 in the EEA/UK). If we become aware that we have collected such information, we will take steps to delete it promptly.
SECTION 11 - CHANGES TO THIS PRIVACY POLICY
We reserve the right to modify this privacy policy at any time, so please review it frequently. Changes and clarifications will take effect immediately upon their posting on the website. If we make material changes to this policy, we will provide at least 30 days' advance notice by posting a prominent notice on our Site and/or notifying you by email or SMS (where you have provided consent for such communications).
Merger or Acquisition: If our store is acquired or merged with another company, your information may be transferred to the new owners so that we may continue to sell products to you.
QUESTIONS AND CONTACT INFORMATION
If you would like to: access, correct, amend or delete any personal information we have about you, register a complaint, exercise any of your privacy rights described in Section 8, or simply want more information, please contact our Privacy Compliance Officer at:
support@epiclootshop.com

