Tsara Tea Privacy Policy
1) Who We Are & Contact Details
Controller: Tsara Tea (Galaboda Group) (“Tsara Tea,” “we,” “our,” “us”).
Manufacturing address: Galaboda Estate, Galle Road, Akuressa, Sri Lanka.
Primary office mailing address: [Primary Office Mailing Address].
Customer service: support@tsaratea.com • sales@tsaratea.com
Privacy contact / Data Protection Officer: [Name/Title], privacy@tsaratea.com
2) Scope; Changes
This Policy governs our processing of personal information in connection with our websites at tsaratea.com and any page that links to this Policy, and with our email, SMS, social media, and other communications channels. We may update this Policy from time to time. If changes are material, we will update the “Last updated” date and provide additional notice as required by law. Your continued use of the Services after an update constitutes acceptance of the revised Policy.
3) Information We Collect
A. Information You Provide
- Identifiers & contact: name, email, phone, billing and shipping addresses, account credentials.
- Commercial data: products viewed, cart contents, purchases, returns, order history, preferences.
- Payment data: card/token and transaction details processed by PCI-compliant processors (e.g., Shopify Payments/Stripe/PayPal). We do not store full card numbers.
- Communications & user content: messages to support, reviews, survey responses, uploaded media.
- Marketing choices: newsletter/SMS opt-in, currency (USD/EUR/CAD/GBP), interests.
B. Information Collected Automatically
- Internet/network activity: IP address, device and browser type, operating system, pages viewed, links clicked, session timestamps, referring URLs, error logs.
- Cookies & similar technology: cookies, pixels, tags, and local storage used for authentication, cart, checkout, analytics, personalization, fraud prevention, and advertising measurement.
- Approximate location: derived from IP for currency, shipping options, and regional compliance.
C. Information from Third Parties
- Marketing/analytics platforms (e.g., Google, Meta) and email/SMS platforms (e.g., Klaviyo/Mailchimp).
- Payment, fulfillment, and shipping providers; anti-fraud/security vendors.
- Social networks when you interact with our accounts or social logins.
4) How We Use Information
- Provide & operate the Services: process orders and payments, fulfill and deliver, handle returns, manage accounts, and provide customer support.
- Improve & personalize: diagnostics, analytics, A/B testing, performance, content relevance, recommendations, currency and shipping settings.
- Marketing & communications: newsletters, offers, product updates (you may opt out at any time).
- Security & fraud prevention: detect, investigate, and prevent malicious, fraudulent, or illegal activity.
- Compliance & enforcement: tax and accounting, regulatory requests, enforcing our Terms.
- With consent where required: certain cookies, SMS marketing, and region-specific activities.
We may aggregate or de-identify information so that it no longer identifies you; such information may be used for any lawful purpose.
7) Your Choices & Legal Rights
- Email marketing: unsubscribe via any email footer or contact us.
- SMS marketing: if enabled and you have opted in, reply STOP to opt out; HELP for help. Carrier rates may apply.
- Regional rights: subject to your location, you may have rights to access, correct, delete, port, restrict or object to processing, and to opt out of targeted advertising or certain sharing. Submit requests at support@tsaratea.com (subject: “Privacy Request”) or via Your Privacy Choices. We will verify your identity and respond within statutory timelines.
8) International Transfers
We operate in Sri Lanka with service providers and infrastructure in Sri Lanka, the United States, Canada, and other jurisdictions. Your information may be transferred to countries that may not offer the same level of protection as your home jurisdiction. Where required, we implement appropriate safeguards (e.g., contractual clauses) for such transfers.
9) Retention
We retain personal information only for as long as necessary to fulfill the purposes described in this Policy, including to satisfy legal, accounting, or reporting requirements. Typical retention periods include:
- Orders/transactions: up to 7–10 years (tax/audit).
- Marketing records: until you opt out or after a period of inactivity.
- Support, reviews, and operational logs: for the duration of business need and legal obligations.
When information is no longer required, we delete or anonymize it or, if deletion is not immediately feasible, securely store and isolate it until deletion.
10) Security
We implement administrative, technical, and physical safeguards appropriate to the nature of the information, including encryption in transit, access controls, logging, and least-privilege practices. No method of transmission or storage is completely secure; you are responsible for maintaining the confidentiality of your account credentials.
11) Children
The Services are not directed to children under 13 (or under 16 in the EU/UK). We do not knowingly collect personal information from such children. If you believe a child has provided information, contact us at privacy@tsaratea.com and we will delete it.
12) Region-Specific Disclosures
United States – California (CPRA) and Other State Laws (e.g., Texas TDPSA)
We collect, use, and disclose the categories of personal information outlined in Annex A. We may “share” personal information for cross-context behavioral advertising (e.g., with ad platforms). Your state law rights may include: right to know/access, delete, correct, data portability, opt-out of selling/sharing/targeted advertising, and non-discrimination. To exercise rights, use Your Privacy Choices or email support@tsaratea.com. Where applicable, we honor GPC signals as an opt-out preference.
Canada – PIPEDA & CASL
Subject to PIPEDA, you may request access to and correction of your personal information, and withdraw consent to marketing communications at any time. We comply with CASL for commercial electronic messages; use the unsubscribe links or contact us.
EU/EEA, UK & Switzerland – GDPR/UK GDPR
Legal bases include performance of a contract (orders, accounts), legitimate interests (security, analytics, improvements, limited direct marketing), consent (certain cookies/SMS/email), and legal obligations (tax, accounting). You may have rights to access, rectify, erase, restrict, object, and port data, and to withdraw consent without affecting prior processing. Contact privacy@tsaratea.com. You may lodge a complaint with your local supervisory authority.
13) Third-Party Sites & Social Media
Our Site may contain links to third-party websites or integrations (e.g., social media). Those parties’ policies govern their practices; we are not responsible for their privacy or security practices. Review their policies carefully.
14) Financial Incentives
We may offer discounts, loyalty, or referral programs (e.g., newsletter sign-up). Participation is voluntary. The value of the incentive reasonably relates to the value of your contact information for marketing and loyalty purposes. You may withdraw at any time via unsubscribe or by contacting us.
15) How to Contact Us
Email (general/privacy requests): support@tsaratea.com • privacy@tsaratea.com
Mail: [Primary Office Mailing Address]
Your Privacy Choices: https://www.tsaratea.com/privacy-choices
Annex A — Data Map (Categories, Sources, Purposes, Disclosures, Retention)
| Category | Examples | Sources | Purposes | Disclosed To | “Sold/Shared” (US) | Typical Retention |
|---|---|---|---|---|---|---|
| Identifiers | Name, email, phone, addresses, account ID | You | Orders, fulfillment, account, support, marketing with consent, security | Ecommerce host, CRM/helpdesk, email/SMS, shipping | May be shared for ad measurement/targeting (opt-out available) | Order/account lifecycle + legal |
| Commercial info | Viewed items, cart, orders, returns | You; Site | Process orders, recommendations, analytics | Ecommerce, analytics, fulfillment | Not sold; limited sharing for measurement | 7–10 years (orders) |
| Payment info | Card/token, transaction data | You → payment processor | Process payments, prevent fraud | PCI processors (Shopify/Stripe/PayPal) | No | As required by law/processors |
| Internet / network | IP, device, browser, pages, clicks, cookies | Automatically | Core site functions, performance, security, analytics, ads | Analytics & ad partners; security vendors | May be shared for cross-context ads (opt-out) | Cookie lifetimes/analytics windows |
| User content | Reviews, survey answers, messages | You | Support, moderation, product improvement | Moderation/support tools | No | Business need + legal |
| Approx. location | Region/country (from IP) | Automatically | Currency, shipping, compliance | Ecommerce; analytics | No | Short-term |
