📋 Plain English Summary
✅ We collect your name, email, address and order details to fulfil your purchase
✅ We use Shopify, Stripe and Judge.me — all trusted, secure platforms
✅ We send marketing emails only if you opt in — unsubscribe any time
✅ We never sell your personal data to third parties
✅ EU customers have full GDPR rights (access, erasure, portability)
✅ Email us any time at admin@candylens.com with privacy questions
01 Data Controller & Owner
The data controller responsible for your personal data is:
Milkyway Beauty Sdn Bhd
Kajang, Selangor, Malaysia
Website: candylens.com
Email: admin@candylens.com
02 Data We Collect
Data you provide directly
- Account & order data: First name, last name, email address, phone number, shipping address (street, city, state/province, postcode, country)
- Prescription data: Sphere (power), base curve, diameter, and left/right eye designation — provided when ordering powered lenses
- Payment data: Processed directly and securely by Stripe. We do not store full card numbers on our servers
- Communications: Messages sent to us via contact forms or email
- Reviews: Any product review content submitted via Judge.me
Data collected automatically
- Usage data: Pages visited, time on site, referral source, browser type, device type
- IP address and approximate location
- Cookies and tracking data — see Section 5 for details
Prescription data is sensitive. We collect eye prescription details solely to fulfil your order. This data is not used for any other purpose and is not shared with any third party beyond what is necessary to process your order.
03 How We Use Your Data
| Purpose | Data Used | Legal Basis (GDPR) |
| --- | --- | --- |
| Process and fulfil your order | Name, address, email, prescription, payment | Contract performance |
| Send order confirmation & shipping updates | Email, name, order details | Contract performance |
| Customer support | Email, order details, communications | Contract performance / Legitimate interest |
| Marketing emails & newsletters | Email, name | Consent (opt-in only) |
| Website analytics & improvement | Usage data, IP, cookies | Legitimate interest |
| Fraud prevention & legal compliance | IP, order data, payment data | Legal obligation / Legitimate interest |
| Review collection | Email, name, purchase history | Legitimate interest |
We will never use your data for purposes incompatible with those listed above without first seeking your consent.
04 Third-Party Services
We use the following trusted third-party services to operate our store. Each acts as a data processor on our behalf and is contractually bound to protect your data.
| Service | Purpose | Data Shared | Privacy Policy |
| --- | --- | --- | --- |
| Shopify Inc. | E-commerce platform & order management | All order & customer data | View policy |
| Stripe Inc. | Payment processing | Payment & billing data | View policy |
| Judge.me | Product reviews | Name, email, purchase history | View policy |
| Google Analytics | Website traffic analysis | Anonymised usage & cookie data | View policy |
| Shopify Email / Brevo | Email marketing & newsletters | Email, name | View policy |
| Cloudflare Inc. | Security, DDoS protection & CDN | IP address, traffic data | View policy |
| Quantium Solutions | Shipping & delivery (Singapore) | Name, address, phone | — |
We do not transfer your personal data to countries without appropriate safeguards in place.
05 Cookies
Cookies are small text files stored on your device when you visit our website. We use the following types:
Essential cookies
Required for the website to function — shopping cart session, login state, and checkout process. You cannot opt out of these without breaking core site functionality.
Analytics cookies (Google Analytics)
Help us understand how visitors use the site. Data is aggregated and anonymised where possible.
Marketing & preference cookies
Used to remember your preferences and, if you have consented, to personalise content and offers.
Managing cookies: You can control cookies through your browser settings via Settings → Privacy. Disabling non-essential cookies will not prevent you from shopping on our site.
06 Data Retention
We retain your personal data only for as long as necessary for the purposes set out in this policy, or as required by law.
- Order & transaction records: 7 years (Malaysian tax and accounting law requirements)
- Customer account data: For the life of your account, plus 2 years after last activity
- Marketing email consent: Until you unsubscribe or withdraw consent
- Analytics data: 26 months (Google Analytics default)
- Support communications: 3 years from the date of resolution
You may request deletion of your data at any time — see Section 8 for your rights.
07 Data Sharing & Selling
We do not sell your personal data. Your information is never sold, rented, or traded to third parties for their own marketing purposes.
We share data only in the following limited circumstances:
- With service providers listed in Section 4, strictly to operate our business
- With shipping carriers, solely to deliver your order
- When required by law, court order, or government authority
- To protect the rights, property, or safety of CandyLens, our customers, or others
In the event of a business sale or merger, customer data may be transferred as part of the business assets. We will notify affected customers in advance.
08 Your Rights
Regardless of your location, you have the following rights over your personal data:
- 👁️ Right to Access: Request a copy of the personal data we hold about you
- ✏️ Right to Rectification: Ask us to correct inaccurate or incomplete data
- 🗑️ Right to Erasure: Request deletion of your data (subject to legal retention obligations)
- ⏸️ Right to Restrict: Ask us to limit how we process your data in certain circumstances
- 📦 Right to Portability: Receive your data in a structured, machine-readable format
- 🚫 Right to Object: Object to processing based on legitimate interest, including marketing
To exercise any of these rights, email us at admin@candylens.com. We will respond within 30 days.
You may unsubscribe from marketing emails at any time by clicking "Unsubscribe" in any email we send.
09 EU Customers — GDPR
If you are located in the European Union, GDPR applies to our processing of your personal data. In addition to the rights in Section 8, you have the right to:
- Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing
- Lodge a complaint with your local Data Protection Authority if you believe we have mishandled your data
Our legal bases for processing EU personal data: (a) Contract — to fulfil your order; (b) Consent — for marketing communications; (c) Legitimate interest — for analytics and fraud prevention; (d) Legal obligation — for tax and accounting records.
10 Security
We take reasonable technical and organisational measures to protect your data, including:
- SSL/TLS encryption on all pages (HTTPS)
- Payment processing via PCI-DSS compliant Stripe — we never store raw card data
- Cloudflare WAF for traffic filtering and DDoS protection
- Access controls limiting who within our team can access customer data
No method of internet transmission is 100% secure. In the event of a data breach affecting your rights, we will notify you and relevant authorities as required by law.
11 Children's Privacy
Our website is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with data without parental consent, please contact admin@candylens.com and we will delete it promptly.
12 Changes to This Policy
We may update this Privacy Policy from time to time. The "Last Updated" date at the top will reflect any changes. For significant changes, we will notify customers by email where reasonably practicable. Your continued use of the website after changes constitutes acceptance of the updated policy.