Exquisite Studio Privacy Policy

Applies to purchases and visits on Exquisite Studio.

Last updated: 14 July 2026

1. Controllers, roles, and contact details

Exquisite Studio operates Exquisite Studio and is the controller for seller decisions such as product fulfilment, buyer support, seller communications, and store-specific legal obligations. Contact the store through store support or at rongai 00800, Nairobi, Kenya, Nairobi, Nairobi Area, Kenya, 0080, Kenya 0080, Kajiado, Kajiado, 00206, Kenya.

3DIMLI separately determines how account, security, storefront, checkout, delivery, refund, and platform records are processed to provide and protect the platform. Its role and contact details are described in the incorporated 3DIMLI Privacy Policy. The seller and 3DIMLI may each be an independent controller for their own purposes; a payment provider is normally a separate controller under its own notice.

Send a request to the party responsible for the relevant activity. Store-order or product-support requests go to the store; platform-account, security, or 3DIMLI requests go through the 3DIMLI contact page.

2. Personal data and where it comes from

  • Identity and contact data: name, username, email address, billing contact details, and support correspondence.
  • Transaction and fulfilment data: cart contents, order identifiers, product, variant, licence, amount, currency, payment status, invoice details, downloads, delivery, bookings, refunds, disputes, and related evidence.
  • Payment data: gateway and transaction references, payment method category, and status. Full card numbers, bank passwords, and payment credentials are handled by the selected payment provider and are not supplied to the store.
  • Technical and security data: IP address, device and browser information, timestamps, request and error logs, authentication events, cookie choices, fraud signals, and access or download history.
  • Content and preference data: reviews, messages, form answers, saved preferences, marketing choices, and any files or other information you choose to submit.

Data is obtained directly from you, generated when you use the storefront, received from 3DIMLI platform services, or received from payment, authentication, delivery, fraud-prevention, and communication providers involved in your request.

Do not provide special-category or highly sensitive personal data unless the store expressly requests it for a lawful and necessary purpose. The storefront is not intended for children under 16, consistently with the 3DIMLI platform policy.

3. Purposes and GDPR legal bases

  • Contract and pre-contract steps: operate the cart and checkout, process an order, deliver a product or booking, verify a licence, provide a receipt, answer a product question, and administer a refund or cancellation.
  • Legal obligations: keep tax, accounting, transaction, consumer-protection, sanctions, fraud, and compliance records and respond to lawful requests.
  • Legitimate interests: secure accounts and content, prevent abuse and fraud, diagnose errors, maintain service records, defend legal claims, and improve the store, provided those interests are not overridden by your rights and freedoms.
  • Consent: use non-essential analytics or marketing technologies, send optional promotional communications, or carry out another activity where consent is required. Consent may be withdrawn at any time without affecting earlier lawful processing.

Where information is required to enter into or perform a contract, refusing to provide it may prevent checkout, delivery, support, or a refund review. Optional fields and consent-based processing are not required for the core purchase unless clearly stated.

4. Recipients and service providers

Personal data may be disclosed only where relevant to the stated purposes, including to:

  • 3DIMLI platform services that host the storefront and provide accounts, checkout, delivery, licences, refunds, communications, and security.
  • The payment gateway selected at checkout, banks, and payment networks needed to authorise, settle, reverse, or investigate a transaction.
  • Cloud hosting, storage, email, authentication, analytics, customer-support, anti-fraud, and security providers acting under appropriate terms.
  • Professional advisers, auditors, insurers, prospective business transferees, courts, regulators, law enforcement, or authorities where lawfully required.
  • Other recipients you direct or authorise, or that are disclosed when the information is collected.

The 3DIMLI privacy policy contains more information about platform providers and processing. The selected payment gateway and any seller-enabled third party may publish a separate privacy notice that also applies to its processing.

5. International transfers

The seller, 3DIMLI, a payment provider, or another service provider may process personal data outside your country, including outside the European Economic Area. Where the GDPR applies and the destination is not covered by an adequacy decision, the responsible controller must use an approved transfer mechanism such as the European Commission's Standard Contractual Clauses, together with supplementary safeguards where required, or another lawful GDPR transfer basis.

Contact the relevant controller for information about the transfer mechanism and, where available, a copy of the relevant safeguards. A copy may be redacted where necessary to protect confidential or security information.

6. Retention

Personal data is kept for the shortest period reasonably necessary for the purpose for which it was collected, then deleted, anonymised, or securely isolated unless a longer period is required by law.

  • Cart, session, and transient technical records are kept only for their operational or security lifecycle.
  • Order, payment, licence, tax, refund, and accounting records are retained for the period required by applicable financial, consumer, and limitation laws.
  • Support, dispute, fraud, and security records are retained while the matter is active and for a proportionate period needed to establish, exercise, or defend legal claims.
  • Consent and preference records are retained while the choice is active and for a limited evidentiary period after withdrawal.

Retention periods are reviewed using the purpose, sensitivity, risk, legal requirements, account status, and unresolved-claim criteria above.

7. Security and incident handling

The seller and 3DIMLI use proportionate technical and organisational measures intended to protect personal data, including access controls, authentication, transport security, logging, backups, and provider oversight where applicable. No online service can guarantee absolute security.

Suspected account compromise, unauthorised disclosure, or security issues should be reported promptly through the store contact and the 3DIMLI contact page. The responsible controller will assess notification duties to affected people and supervisory authorities under applicable law.

8. Your GDPR and privacy rights

Where the GDPR applies, you may have the right to:

  • Be informed and obtain access to your personal data and related processing information.
  • Correct inaccurate or incomplete personal data.
  • Request erasure or restriction where the legal conditions are met.
  • Receive qualifying data you provided in a structured, commonly used, machine-readable format and transmit it to another controller.
  • Object to processing based on legitimate interests and object at any time to direct marketing.
  • Withdraw consent at any time for future consent-based processing.
  • Request safeguards concerning a qualifying decision based solely on automated processing, including human review where required by law.

Send a store-specific request through store support. For platform-account or 3DIMLI processing, use the 3DIMLI contact page. The recipient may request proportionate information to verify identity and route the request.

A GDPR request will be answered without undue delay and normally within one month. Where permitted, that period may be extended by up to two further months for complex or numerous requests, with notice. Rights can be limited where an exemption applies or data must be retained for legal obligations or claims.

9. Complaints, automated checks, and marketing

You may complain to the data-protection authority for your habitual residence, workplace, or the place of the alleged infringement, and may seek a judicial remedy. Contacting the store or 3DIMLI first may allow the issue to be resolved more quickly but is not a condition of complaining.

Checkout and account-security systems may use automated signals to identify fraud, abuse, duplicate activity, or payment risk. If a decision produces legal or similarly significant effects and GDPR safeguards apply, you may request human intervention, express your view, and contest the decision.

Optional marketing can be stopped through the unsubscribe or preference control provided, or by contacting the sender. Transactional, security, and service messages may still be sent when necessary for a contract, legal obligation, or legitimate interest.

10. Cookies, changes, and further information

Cookie and similar-technology choices are explained in this store's Cookie Policy.

This notice may be updated when processing, providers, or law changes. Material changes will be highlighted where required, and the date at the top identifies the current version. Processing is governed by the version applicable when it occurs.

For the platform's fuller processing details, international-transfer information, and privacy contacts, read the 3DIMLI Privacy Policy.