Privacy Policy

Last Updated: January 15, 2026

1. Introduction

CalyxStudio Ltd. ("CalyxStudio", "we", "us", or "our") is the data controller responsible for your personal data. We are a company registered in Ireland (CRO No. 634218) with our registered office at 42 Pearse Street, Dublin 2, D02 YX88, Ireland. We sell home-growing kits including seedlings, herb starter sets, and vegetable growing systems to customers primarily in Ireland and across the European Union.

This Privacy Policy explains what personal data we collect when you visit our website at www.calyxstudio.ie, place an order, register for our email list, or interact with us in any other way. It also describes how we use that data, the legal grounds we rely on, who we share data with, and what rights you have under the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Irish Data Protection Act 2018.

We are committed to protecting your privacy and handling your data transparently. Please read this policy carefully. If you have any questions, you can contact us at any time using the details provided at the end of this document.

2. What Personal Data We Collect

Depending on how you interact with our website and services, we may collect the following categories of personal data:

• Identity data: First name, last name, and username or similar identifier.
• Contact data: Email address, telephone number, delivery address, and billing address.
• Order data: Details of products you have purchased or expressed interest in, order history, and transaction records.
• Financial data: Payment card details (processed securely through our payment provider; we do not store full card numbers on our servers).
• Technical data: IP address, browser type and version, operating system, device type, screen resolution, time zone setting, and browser plug-in types.
• Usage data: Pages visited on our website, links clicked, time spent on pages, referring URLs, search terms used on our site, and browsing patterns.
• Preference data: Your growing space selection, product interest preferences, and communication preferences.
• Cookie data: Information collected through cookies and similar tracking technologies (see Section 10 below).
• Communication data: Records of correspondence if you contact us by email, phone, or through our website form, including the content of your messages.

We do not collect any special categories of personal data (such as data about your health, race, ethnic origin, political opinions, religious beliefs, trade union membership, genetic or biometric data, or sexual orientation).

3. How We Collect Your Data

We collect personal data through the following methods:

• Direct interactions: When you fill in our recommendation form, create an account, place an order, subscribe to our email list, contact our customer support team, or leave a product review. You provide this data directly to us.
• Automated technologies: As you navigate our website, we automatically collect technical data and usage data through cookies, server logs, and similar technologies. We use Google Analytics 4 to understand how visitors use our site. If you have consented to marketing cookies, we may also use the Meta Pixel (Facebook/Instagram) to measure the effectiveness of our advertising campaigns.
• Third parties: We may receive data from payment processors (Stripe) when you complete a transaction, and from delivery partners (An Post) regarding the status of your shipment.
• Timezone detection: We use your browser's timezone setting (via the Intl API) to estimate your general location for the purpose of displaying relevant delivery information and pricing. This does not involve GPS tracking or precise geolocation.

4. Why We Collect Data and Our Legal Basis

Under GDPR Article 6, we must have a valid legal basis for processing your personal data. The table below summarises our purposes and the corresponding legal basis:

Where we rely on consent, you have the right to withdraw that consent at any time. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal. Where we rely on legitimate interest, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms.

5. How We Use Your Data

We use your personal data for the following specific purposes:

• Service delivery: To process your orders, arrange delivery via An Post, handle returns and refunds, and provide after-sale support including growing advice specific to the kit you purchased.
• Personalisation: To generate growing recommendations based on your available space, light levels, and the types of plants you expressed interest in when completing our form. This helps us suggest products and growing tips that are relevant to your specific situation.
• Marketing communications: If you have opted in, we send monthly emails with seasonal growing tips, new product announcements, and occasional promotional offers. Every email includes a clear unsubscribe link.
• Analytics: To understand how visitors use our website so we can improve page layouts, content, and the overall user experience. We use aggregated and anonymised data wherever possible for this purpose.
• Legal compliance: To maintain accounting records as required by Irish tax law (Revenue Commissioners), to comply with consumer protection legislation, and to respond to lawful requests from regulatory authorities.

We will never use your personal data for automated decision-making or profiling that produces legal effects or similarly significant effects on you.

6. Data Retention

We retain your personal data only for as long as necessary to fulfil the purpose for which it was collected, or as required by law. The specific retention periods are:

• Recommendation form data (name, email, preferences): 2 years from the date of submission, or until you request deletion, whichever comes first.
• Order and transaction records: 6 years from the date of the transaction, as required by Irish tax legislation (Taxes Consolidation Act 1997).
• Customer support correspondence: 2 years from the date of the last communication in a thread.
• Marketing email list data: Until you unsubscribe or request deletion. We also automatically remove contacts who have not engaged with any email for 18 consecutive months.
• Cookie and analytics data: 13 months from the date of collection (aligned with the default Google Analytics 4 retention period).
• Server logs (IP addresses, access times): 90 days, after which they are automatically deleted.

When data is no longer required, we securely delete or anonymise it so that it can no longer be associated with you.

7. Who We Share Your Data With

We do not sell, rent, or trade your personal data to any third party. We share data only with the following categories of service providers who process data on our behalf under written data processing agreements:

• Payment processor: Stripe Payments Europe Ltd. (Dublin, Ireland) processes your payment card data securely. They operate as a data processor under a GDPR-compliant data processing agreement.
• Delivery partner: An Post receives your name and delivery address to fulfil shipments within Ireland. For EU deliveries, we use DPD Ireland.
• Email service provider: We use Mailchimp (The Rocket Science Group LLC, operated by Intuit Inc.) to manage our email list and send marketing communications. Data transferred to Mailchimp is covered by Standard Contractual Clauses (see Section 8).
• Website hosting: Our website is hosted on servers within the European Economic Area (EEA) by our hosting provider.
• Analytics: Google Analytics 4 (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) collects aggregated website usage data.
• Advertising measurement: If you have consented to marketing cookies, Meta Platforms Ireland Limited receives limited data via the Meta Pixel for the purpose of measuring advertising performance.

We may also disclose your data if required by law, court order, or a binding request from a regulatory authority such as the Irish Data Protection Commission.

8. International Data Transfers

Most of our data processing takes place within the European Economic Area (EEA). However, some of our service providers are based in the United States. When personal data is transferred outside the EEA, we ensure appropriate safeguards are in place:

• Mailchimp (Intuit Inc.): Transfers are governed by the EU-US Data Privacy Framework and supplemented by Standard Contractual Clauses (SCCs) approved by the European Commission under Commission Implementing Decision (EU) 2021/914.
• Google (Google LLC): Google Ireland Limited acts as the data controller for Google Analytics in the EEA. Where data is processed by Google LLC in the US, this is covered by the EU-US Data Privacy Framework.
• Meta (Meta Platforms, Inc.): Meta Platforms Ireland Limited is the data controller for Meta services in the EEA. Transfers to Meta Platforms, Inc. in the US are covered by Standard Contractual Clauses.

You may request a copy of the relevant safeguard documentation by contacting us at [email protected].

9. Your Rights Under GDPR

Under Articles 15 to 22 of the GDPR, you have the following rights in relation to your personal data:

• Right of access (Article 15): You have the right to request a copy of the personal data we hold about you, along with information about how we process it.
• Right to rectification (Article 16): You can ask us to correct any inaccurate or incomplete personal data.
• Right to erasure (Article 17): You can request that we delete your personal data, subject to certain conditions (for example, we must retain order records for tax purposes).
• Right to restriction of processing (Article 18): You can ask us to temporarily stop processing your data in certain circumstances, such as while we verify the accuracy of data you have challenged.
• Right to data portability (Article 20): You can request that we provide your data in a structured, commonly used, machine-readable format (e.g. CSV) so that you can transfer it to another service provider.
• Right to object (Article 21): You can object to processing based on legitimate interest. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.
• Right to withdraw consent (Article 7(3)): Where processing is based on consent, you can withdraw it at any time by clicking the unsubscribe link in our emails, adjusting your cookie preferences, or contacting us directly.

To exercise any of these rights, please email us at [email protected]. We will respond within 30 days. We may ask you to verify your identity before processing your request. There is no fee for exercising your rights unless a request is manifestly unfounded or excessive.

You also have the right to lodge a complaint with the Irish Data Protection Commission (DPC) if you believe we have not handled your data correctly. The DPC can be contacted at:

10. Cookies and Tracking Technologies

Cookies are small text files stored on your device when you visit our website. We use the following types of cookies:

Essential Cookies

These are necessary for the website to function properly. They enable core features such as security, session management, and remembering your cookie consent preference. You cannot opt out of essential cookies as the website would not work without them. Duration: session-based or up to 12 months for your consent preference.

Analytics Cookies

We use Google Analytics 4 to collect anonymised data about how visitors interact with our website. This includes pages visited, time on site, bounce rate, and traffic sources. GA4 does not collect personally identifiable information when configured as we have done (IP anonymisation is enabled). Duration: up to 13 months. These cookies are only placed if you click "Accept" on our cookie banner.

Marketing Cookies

If you accept marketing cookies, we may place the Meta Pixel on your browser to measure how effective our Facebook and Instagram advertisements are. This allows us to show you relevant advertisements on those platforms and to measure conversions. Duration: up to 13 months. These cookies are only placed with your explicit consent.

Managing Your Cookies

When you first visit our website, a cookie consent banner appears in the bottom-right corner. You can choose to accept or reject non-essential cookies. Your choice is stored in your browser's local storage. You can change your preference at any time by clearing your browser's local storage or cookies, which will cause the banner to reappear on your next visit. You can also control cookies through your browser settings. Most browsers allow you to block or delete cookies. Please note that blocking essential cookies may prevent our website from functioning correctly. For more detailed information, please see our Cookie Notice.

11. Children's Privacy

Our website and services are not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected personal data from a child under 16 without verified parental consent, we will take steps to delete that data as quickly as possible. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at [email protected].

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make significant changes, we will notify you by posting a prominent notice on our website and, where appropriate, by sending an email to the address you provided when you registered. The "Last Updated" date at the top of this page will always reflect the most recent revision. We encourage you to review this page periodically. Continued use of our website after changes are posted constitutes your acceptance of the revised policy. For material changes that affect how we process your data, we will provide at least 14 days' notice before the changes take effect.

13. Contact Details

If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have a concern about how we handle your personal data, please contact our privacy team:

We aim to respond to all privacy-related enquiries within 5 business days and to resolve data subject access requests within 30 calendar days of receiving a verified request.