Privacy Policy

Hannïa ("we", "us", "our") is a fashion brand based in Prishtina, Kosovo, operating the website hannia.co. We are committed to protecting your personal data in accordance with Kosovo Law No. 06/L-082 on Personal Data Protection and the principles of the European General Data Protection Regulation (GDPR).

This Privacy Policy explains what personal data we collect when you visit or make a purchase on hannia.co, why and how we process it, how long we retain it, with whom we share it, and what rights you have.

Company: Hannïa — Website: hannia.co — Contact: contact@hannia.co — Location: Prishtina, Kosovo

Data you provide directly: When you create an account or sign in: first name, last name, email address, phone number, and a securely hashed password. When you place an order or checkout: first name, last name, email, phone, delivery address (street, city, country), and optional order notes. When you subscribe to the newsletter or participate in the Spin & Win: email address.

Data collected automatically: Your IP address and approximate country (derived from IP, not stored individually), pages you visit, referrer URL, browser and device type — collected via Vercel Analytics and Vercel Speed Insights. Page performance data (load times, Core Web Vitals) via Vercel Speed Insights. Session and cart state stored in cookies on your device.

Contract performance (Art. 6(1)(b)): processing and fulfilling your orders, managing your account, sending transactional emails (order confirmation, receipts, OTP codes), and processing payments.

Consent (Art. 6(1)(a)): newsletter subscriptions, Spin & Win participation, and optional analytics cookies.

Legal obligation (Art. 6(1)(c)): retaining order and invoice records for accounting and tax compliance.

Legitimate interests (Art. 6(1)(f)): preventing fraud, maintaining site security, and basic server-level logging.

We share your data only when necessary with the following trusted providers:

Supabase Inc. (United States) — authentication, user accounts, and database storage. Privacy policy: supabase.com/privacy.

Stripe Inc. (United States) — card payment processing, PCI-DSS Level 1 certified. We never store your full card number or CVC. Privacy policy: stripe.com/privacy.

Vercel Inc. (United States) — website hosting, analytics, and performance monitoring. Privacy policy: vercel.com/legal/privacy-policy.

Google LLC (United States) — optional sign-in via Google OAuth. Privacy policy: policies.google.com/privacy.

ProCredit Bank / Quipu (Kosovo) — local bank card payment gateway.

POST System Kosovo — logistics and delivery partner for order fulfilment.

Email/SMTP provider — sending transactional emails (order confirmations, receipts, OTP codes).

We do not sell your personal data. We do not use your data for advertising purposes.

Some service providers (Supabase, Stripe, Vercel, Google) are based in the United States. Data transfers to these providers are covered by Standard Contractual Clauses (SCCs) or equivalent safeguards, ensuring adequate protection of your personal data.

Order records and invoices: retained for the period required by Kosovo accounting and tax legislation (generally 5-10 years).

Account data: retained for the duration of your account, or deleted within 90 days of an account deletion request.

Newsletter and marketing subscriptions: retained until you unsubscribe.

Analytics data: anonymised/aggregated data retained per Vercel's retention policy.

Session and cart cookies: expire at the end of your browser session or within 7 days.

We use cookies and similar technologies on our website. For full details, please see our Cookie Policy at hannia.co/cookie-policy. In summary: essential cookies are required for the site to function (cart, authentication session); analytics cookies are optional and require your consent.

Under Kosovo Law No. 06/L-082, you have the following rights regarding your personal data:

Right of access — request a copy of the data we hold about you. Right to rectification — request correction of inaccurate or incomplete data. Right to erasure — request deletion of your data ("right to be forgotten"), subject to legal retention obligations. Right to restriction — request that we limit how we use your data in certain circumstances. Right to data portability — receive your data in a portable, machine-readable format. Right to object — object to processing based on our legitimate interests. Right to withdraw consent — withdraw any consent at any time, without affecting prior lawful processing.

Right to lodge a complaint: you may file a complaint with the Agency for Information and Privacy (AIP) of Kosovo at aip-ks.org.

To exercise your rights, contact us at contact@hannia.co.

We implement industry-standard security measures including HTTPS encryption, secure authentication via Supabase, and PCI-DSS certified payment processing. No transmission or storage method is 100% secure; we continuously review and improve our controls.

We may update this Privacy Policy from time to time. The latest version will always be available at hannia.co/privacy. Continued use of the website following any changes constitutes your acceptance of the updated policy.

For privacy questions, data requests, or complaints, contact us at: contact@hannia.co