Scope and Applicability

This Data Protection Notice describes how SheffLaces (the website shefflaces.com) processes personal data in accordance with the General Data Protection Regulation (GDPR) where it applies, while aligning with applicable privacy laws in the United States of America. It applies to personal data we collect online through our website and related services that compare medications, provide evidence-based alternatives, and display prices and availability from licensed pharmacies where permitted.

For the purposes of this notice, “personal data” means any information relating to an identified or identifiable natural person. Certain information relating to health may be considered special category personal data under GDPR and sensitive personal information under some U.S. state laws.

Identity of the Data Controller

The data controller for personal data processed via SheffLaces is:

ASTRA IFAME
160 Spear St, San Francisco, CA 94105, United States of America
Email: [email protected]

Categories of Personal Data We Process

  • Identifiers and contact details: name, email address, telephone number, mailing address, and account credentials.
  • Demographics and preferences: language, communication preferences, and optional information you choose to provide.
  • Health-related information (special category data): conditions, symptoms, medications, dosages, treatment preferences, and other information you voluntarily submit in order to receive comparisons, alternatives, or pricing. We process this only as described below and with appropriate safeguards.
  • Transaction and inquiry data: requests you make, saved comparisons, messages to support, and records necessary to respond to your inquiries.
  • Device, usage, and analytics data: IP address, device identifiers, browser type, operating system, referring URLs, pages viewed, time spent, and interactions collected via cookies and similar technologies.
  • Location data: non-precise location derived from your IP address, and any ZIP code or city you provide to refine results.
  • Inferences: limited inferences drawn from your interactions to tailor content or remember preferences.

Purposes and Legal Bases (GDPR)

Provide and Improve Services (Contract)

To create and manage accounts, deliver requested comparisons and price lookups, respond to inquiries, and provide customer support. Legal basis: performance of a contract or steps prior to entering into a contract (GDPR Art. 6(1)(b)).

Consent-Based Processing

We rely on your consent for: processing special category data (e.g., health information you submit), sending certain marketing communications, and using non-essential cookies/analytics in jurisdictions requiring consent. Legal bases: consent and, for special categories, explicit consent (GDPR Art. 6(1)(a) and Art. 9(2)(a)). You may withdraw consent at any time without affecting prior processing.

Legitimate Interests

We process personal data to secure and maintain our services, prevent fraud, measure audience, and improve features. Legal basis: legitimate interests (GDPR Art. 6(1)(f)), balanced against your rights and expectations. Where required, we will seek consent instead.

Legal Obligations

We may process and retain data to comply with applicable laws, regulatory requirements, tax and accounting obligations, and to respond to lawful requests. Legal basis: legal obligation (GDPR Art. 6(1)(c)).

Sources of Personal Data

  • Directly from you: information you enter on our site, correspondence, and preferences you set.
  • Automatically: through cookies and similar technologies when you use our website.
  • From service providers and partners: for example, cloud hosting, analytics, communications providers, payment and security vendors, and price/availability partners who supply market data; we do not receive your protected health information from covered entities unless you provide it to us.

Special Note on Health Information and HIPAA

SheffLaces is not a healthcare provider or a covered entity under HIPAA. Information you provide about health or medications is used to furnish informational comparisons and price lookups and is handled with enhanced confidentiality and security safeguards. We obtain your explicit consent where required by law and do not use such information for unrelated marketing without your consent.

Cookies and Similar Technologies

We use cookies, pixels, and similar technologies to operate the website, remember preferences, perform analytics, and measure the effectiveness of our content. Where required (e.g., in the EEA/UK), we obtain consent before setting non-essential cookies. You can withdraw consent or manage cookies via your browser/device settings.

We respect browser-level preference signals where applicable, including Global Privacy Control (GPC), as an opt-out signal for certain data disclosures under U.S. state privacy laws.

Disclosures to Processors and Other Recipients

We do not disclose personal data except as described below:

  • Service providers/processors: cloud hosting, data storage, analytics, email/SMS communications, customer support, security and fraud prevention, and IT maintenance—bound by contract to process data only on our instructions.
  • Price and availability partners: to retrieve current pricing and availability information you request (e.g., using your provided ZIP code or parameters). We take steps to minimize shared data.
  • Professional advisors and auditors: under confidentiality obligations.
  • Authorities and legal compliance: to comply with law, enforce terms, or protect rights, safety, and property.
  • Corporate transactions: in connection with mergers, acquisitions, financing, or sale of assets, subject to appropriate safeguards.

International Data Transfers

We are based in the United States and store personal data primarily in the U.S. When we transfer personal data from the EEA/UK/Switzerland to the U.S. or other countries without an adequacy decision, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses and implement supplementary measures as needed. Where applicable and available, we may rely on additional lawful transfer mechanisms. Copies of relevant safeguards may be requested via the contact details below.

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this notice, including to meet legal, accounting, or reporting requirements. Typical retention periods include: account data for the life of the account plus up to 24 months; support and inquiry records for up to 36 months; log and security data for up to 24 months; and transaction records required by law for up to 7 years. We will delete or anonymize data when it is no longer needed, unless a longer retention period is required by law.

Security Measures

  • Encryption in transit and at rest, where appropriate.
  • Access controls following the principle of least privilege and role-based access.
  • Multi-factor authentication for administrative access.
  • Audit logging, monitoring, and vulnerability management.
  • Employee confidentiality obligations and training.

No method of transmission or storage is completely secure; however, we maintain administrative, technical, and physical safeguards designed to protect personal data.

Your Rights Under GDPR

Where GDPR applies, you have the following rights, subject to conditions and exemptions:

  • Access: obtain confirmation and a copy of your personal data.
  • Rectification: correct inaccurate or incomplete data.
  • Erasure: request deletion of your data in certain circumstances.
  • Restriction: ask us to limit processing in certain cases.
  • Portability: receive your data in a structured, commonly used, machine-readable format and transmit it to another controller.
  • Objection: object to processing based on legitimate interests and to direct marketing.
  • Withdraw consent: at any time, where processing is based on consent.
  • Complaint: lodge a complaint with a supervisory authority. We welcome the opportunity to address your concerns first.

U.S. State Privacy Rights

Residents of certain U.S. states (including, without limitation, California, Colorado, Connecticut, Utah, and Virginia) may have rights to access, correct, delete, receive a copy of their personal information, and opt out of certain processing such as targeted advertising or certain profiling. We do not sell personal information for monetary consideration. If we engage in activities deemed “sharing” or targeted advertising under applicable laws, you may opt out, and we honor recognized opt-out preference signals such as Global Privacy Control where required. We will not discriminate against you for exercising your rights.

California Notice at Collection

Categories collected may include identifiers, contact information, internet/usage data, geolocation (non-precise), inferences, and health-related information you provide. We collect for purposes including service delivery, customer support, security, debugging, analytics, and to improve services. We retain data as described in the Data Retention section. We do not sell personal information for money. We disclose personal information to service providers under written contracts and, where applicable, may process data for targeted advertising only with appropriate notice and choice.

Automated Decision-Making and Profiling

We do not engage in automated decision-making that produces legal or similarly significant effects about you. We may use limited profiling to tailor content or remember preferences. You may object to profiling where GDPR provides that right.

Children’s Data

Our services are not directed to children under 13, and we do not knowingly collect personal data from children under 13. If you believe a child has provided us personal data, please contact us to request deletion.

Exercising Your Rights

You may exercise your rights or contact us with questions by emailing [email protected]. To protect your data, we may need to verify your identity (for example, by confirming control of your email address or requesting limited additional information). We will respond without undue delay and within one month under GDPR (extendable where permitted) and within timelines required by applicable U.S. state laws (generally 45 days, extendable).

Authorized agents may submit requests on behalf of California residents, subject to verification and proof of authorization. Requests are generally free of charge unless manifestly unfounded or excessive.

Updates to This Notice

We may update this notice from time to time to reflect changes in our practices or legal requirements. The updated version will indicate its effective date and will become effective when posted.

Contact Information

ASTRA IFAME
160 Spear St, San Francisco, CA 94105, United States of America
Email: [email protected]

Effective date: 2025-09-26
