Privacy Policy - BirdsNest

1. Introduction

This Privacy Policy explains how BirdsNest (“we”, “us”, “our”) collects, uses, discloses, and protects personal data in connection with your use of the website located at https://www.birdsnest-gallery.com (the “Site”). We are committed to handling personal data in a lawful, fair, and transparent manner and in accordance with applicable data protection laws, including, where relevant, the EU/UK General Data Protection Regulation (GDPR) and U.S. state privacy laws such as the California Consumer Privacy Act (CCPA), as amended by the CPRA.

By using the Site, you acknowledge that you have read this Privacy Policy. If you do not agree with its terms, please do not use the Site.

Effective date: 14 December 2025

2. Who We Are and How to Contact Us

Controller: BirdsNest is the controller of personal data processed via the Site, meaning we determine the purposes and means of processing that data.

Data Protection Officer (DPO): You can contact our DPO for any questions about this Privacy Policy or our data practices.

Email: privacy@birdsnest-gallery.com

General contact: For general privacy inquiries or to exercise your rights (see Section 9), you may also contact us using the contact details provided on the Site.

3. Personal Data We Collect

We collect the following categories of personal data:

Information you provide directly: identification and contact details (e.g., name, email address, telephone number), account credentials (if you create an account), billing and shipping information (if purchases are offered), preferences (e.g., newsletter choices), content you submit (e.g., messages, inquiries, forms), and any information you include in communications with us.
Automated data: device and technical data (e.g., IP address, device identifiers, browser type and version, operating system, language settings), usage data (e.g., pages visited, time spent, clicks, scrolling), approximate location (derived from IP), and cookie identifiers and similar technologies.
Data from third parties: payment processors (limited payment details and transaction confirmations), analytics providers (aggregated or pseudonymous usage metrics), social media or sign-in services (if you choose to connect), and shipping/logistics companies (delivery updates).

We do not intentionally collect special categories of personal data (e.g., health, ethnicity) through the Site. Please avoid sharing such information unless requested and strictly necessary.

4. Purposes and Legal Bases for Processing

We process personal data for the purposes and under the legal bases described below (legal bases apply where GDPR or similar laws are applicable):

Provide and maintain the Site and services: to operate the Site, enable features (such as account access and content viewing), process transactions, and deliver customer support. Legal basis: performance of a contract; legitimate interests in running our services.
Communications: to respond to inquiries, send service-related notices, and manage your requests. Legal basis: performance of a contract; legitimate interests in communicating with users.
Marketing and newsletters: to send updates, event invitations, promotions, and news about BirdsNest, subject to your consent where required. Legal basis: consent (where required by law); legitimate interests in promoting our services (where consent is not required).
Personalization: to remember preferences and tailor content. Legal basis: consent for non-essential cookies where required; legitimate interests in providing a better user experience.
Analytics and performance: to understand usage of the Site, improve functionality, and develop new features. Legal basis: consent for analytics cookies where required; legitimate interests in improving our services.
Security and fraud prevention: to protect the Site, detect and prevent fraud and abuse, and ensure network and information security. Legal basis: legitimate interests; compliance with legal obligations.
Compliance and legal obligations: to comply with applicable laws, regulatory requests, tax and accounting obligations, and to establish, exercise, or defend legal claims. Legal basis: compliance with legal obligations; legitimate interests in defending our rights.

Where we rely on consent, you can withdraw it at any time (see Section 9). Where we rely on legitimate interests, we balance our interests against your rights and freedoms.

5. Cookies and Similar Technologies

We use cookies and similar technologies (e.g., pixels, tags, local storage) to operate the Site, enable certain features, analyze performance, and, where applicable, deliver marketing. Cookies may be “session” cookies (deleted when you close your browser) or “persistent” cookies (stored for a defined period).

Types of cookies we may use:

Strictly necessary: essential for the Site to function (e.g., page navigation, security). These cannot be switched off in our systems.
Functional: remember choices and preferences to provide enhanced features.
Analytics: help us understand how the Site is used to improve performance and user experience.
Advertising: used to deliver relevant ads and measure campaign effectiveness (used only where applicable and subject to consent where required).

Managing cookies: You can manage cookies via your browser settings (e.g., blocking or deleting cookies). Where required by law, we present a consent banner allowing you to accept or reject non-essential cookies. If you disable cookies, some features may not function as intended.

Retention: Non-essential cookies are typically retained for no longer than 13 months, and related analytics data is retained for no longer than 25 months, unless a shorter or longer period is required or permitted by applicable law.

6. Data Sharing and Disclosure

We may share personal data with:

Service providers: hosting, cloud storage, analytics, email delivery, customer support, security, payment processing, and logistics providers, acting on our instructions and under appropriate contractual safeguards.
Professional advisors: lawyers, auditors, and similar professionals under confidentiality obligations.
Authorities and legal recipients: when required by law, regulation, legal process, or to protect rights, property, or safety.
Business transfers: in connection with a merger, acquisition, restructuring, or asset sale, your data may be transferred as part of the transaction subject to appropriate protections.

We do not “sell” personal information as defined by the CCPA/CPRA. We do not share personal information for cross-context behavioral advertising unless you have consented to advertising cookies where such consent is required. You may opt out of non-essential cookies and withdraw consent at any time (see Section 5 and Section 9).

7. International Data Transfers

We may transfer personal data to countries outside your country of residence, including, where applicable, outside the European Economic Area (EEA) or the United Kingdom. When we do so, we implement appropriate safeguards, such as:

Transfers based on an adequacy decision by the European Commission or the UK government.
Standard Contractual Clauses (SCCs) and, where applicable, the UK International Data Transfer Addendum (IDTA), supplemented by additional measures when necessary.

Copies of the relevant transfer safeguards can be obtained by contacting our DPO (subject to redactions for confidentiality).

8. Data Retention

We retain personal data only for as long as necessary for the purposes described in this Privacy Policy or as required by law. Retention periods depend on the type of data and purpose, for example:

Account information: retained while your account is active and for a reasonable period thereafter to manage queries and enforce our terms.
Transaction and billing data: retained for the period required by tax and accounting laws (up to 10 years, depending on jurisdiction).
Customer communications and inquiries: typically retained for up to 3 years after resolution.
Marketing data: retained until you unsubscribe or withdraw consent, plus a short period to implement your request.
Security logs and fraud prevention data: typically retained for up to 12 months, unless needed longer to investigate incidents.
Recruitment/applicant data: typically retained for up to 12 months unless you consent to a longer period as part of our talent pool.

We may retain data longer where necessary to establish, exercise, or defend legal claims.

9. Your Rights

Depending on where you reside, you may have some or all of the rights listed below. To exercise any rights, contact our DPO (see Section 2). We may ask for information to verify your identity and will respond within the timeframe required by law.

Access: obtain confirmation whether we process your personal data and receive a copy.
Rectification: correct inaccurate or incomplete personal data.
Erasure: request deletion of your personal data, subject to legal exceptions.
Restriction: request we limit processing in certain circumstances.
Portability: receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller where technically feasible.
Object: object to processing based on legitimate interests and to direct marketing at any time (including profiling related to direct marketing).
Withdraw consent: where processing is based on consent, withdraw it at any time without affecting prior lawful processing.
Complaints: lodge a complaint with a supervisory authority. If you are in the EEA or UK, you can contact your local data protection authority.

California residents: you may have the right to know/access, correct, delete, opt out of “sale” or “sharing” for cross-context behavioral advertising, and limit the use/disclosure of sensitive personal information (if we collect it). We do not sell personal information. To opt out of “sharing” for advertising, decline advertising cookies or adjust your preferences as described in Section 5, or contact our DPO.

We will not discriminate against you for exercising your rights.

10. Data Security

We implement appropriate technical and organizational measures to protect personal data, including encryption in transit, access controls and least-privilege principles, multi-factor authentication for administrative access, regular backups, monitoring and logging, vulnerability management, and staff training. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

11. Children’s Privacy

The Site is not directed to children under the age of 16, and we do not knowingly collect personal data from children under 16. If you believe a child has provided personal data to us, please contact our DPO so we can take appropriate steps, including deletion where applicable.

12. Third-Party Links and Services

The Site may include links to third-party websites, plug-ins, or services. We are not responsible for the privacy practices of those third parties. We encourage you to read the privacy policies of every site and service you visit or use.

13. International Users

By using the Site from outside your country of residence, you acknowledge that your personal data may be processed in jurisdictions that may have different, and in some cases less protective, data protection rules than your jurisdiction. We will take steps to ensure an adequate level of protection as described in Section 7.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will update the “Effective date” above and, where appropriate, provide additional notice (such as a prominent notice on the Site). We encourage you to review this Privacy Policy periodically to stay informed about our data practices.

15. How to Contact Us and Our DPO

If you have questions about this Privacy Policy or our data practices, or if you wish to exercise your rights, please contact our Data Protection Officer:

Email: privacy@birdsnest-gallery.com

You may also contact us using the contact details provided on the Site. We will respond within the timeframes required by applicable law.