FREE SHIPPING

DISCOVER OUR NEW COLLECTION NOW

Cecile Lavelle Logo

Your shopping cart is currently empty.

Check out this collection

Dresses

Privacy Policy

Last updated: 02.11.2025

Data Controller and Scope

The data controller is:
E-Commerce QJ
Kreilerhof 33, 2151 PJ Nieuw-Vennep, Netherlands
Email: info@cecilelavelle.com
Phone: +33 7 56 75 67 75

For data protection inquiries, please contact: info@cecilelavelle.com

This privacy policy applies to visitors and customers from Germany and Austria who www.cecilelavelle.com visit ("the website"), shop through it, or otherwise interact with us.

We comply with applicable data protection laws, especially the General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG), and the Telecommunications-Digital-Services-Data-Protection Act (TDDDG) in Germany, as well as the Data Protection Act (DSG) and the Telecommunications Act (TKG 2021) in Austria.

Introduction

This privacy policy explains how Cecile Lavelle ("the website," "we," "us," or "our") collects, uses, transmits, and protects personal data when you use our services, make a purchase, or otherwise interact with us. This policy also describes your privacy rights and how you can exercise them.

Digital Accessibility

We continuously work to make our website accessible in accordance with the German Accessibility Enhancement Act (BFSG) as well as the relevant Austrian regulations. If you encounter barriers or difficulties using our website, please contact us at info@cecilelavelle.com, so that we can implement improvements.

Consent and Use
Please read this privacy policy carefully. By accessing our website and using the services, you agree to the collection, processing, and disclosure of your personal data in accordance with this privacy policy. If you do not agree with this policy, please do not use our website.

We apply the principles of data minimization, transparency, and Privacy by Design according to Art. 5 and 25 GDPR.

Changes to this privacy policy
We may update this privacy policy from time to time to reflect changes in our practices, legal requirements, or technical developments. The current version is always available on our website. The date under "Last updated" indicates the status of the latest revision. In case of significant changes, we will inform you in accordance with Art. 13 para. 3 GDPR, for example by email or a notice on the website.

How we collect and use your personal data
We process personal data exclusively within the framework of applicable data protection laws. The processing is based on the following legal grounds according to Art. 6 GDPR, § 1 DSG (AT), and § 25 TDDDG (DE):

  • Contract Fulfillment – for processing orders, payments, and customer inquiries

  • Legal obligation – to comply with tax and commercial law requirements

  • Legitimate interest – to improve the website, prevent fraud, ensure IT security, and internal administration

  • Consent – for marketing, analysis, or cookies, freely revocable at any time

We collect personal data from various sources, e.g., directly from you (order, customer account, contact form), via our website, through payment service providers, or technical analysis tools (e.g., Shopify, Google Analytics, Meta Ads). In addition to the purposes listed below, we may also use your data to communicate with you, fulfill legal obligations, enforce our terms of use, and protect our rights or the rights of third parties.

We do not process sensitive data within the meaning of Art. 9 GDPR.

Technical data collection and security
When you visit our website, server logs are automatically recorded (e.g., IP address, time of access, browser type, operating system). These data serve system security, error analysis, and protection against misuse.
Server logs are automatically deleted after a maximum of 30 days and are not merged with other data sources.
Our website is secured with up-to-date SSL/TLS encryption to protect the transmission of confidential content and personal data and to prevent access by unauthorized third parties.

Cookies
Our website uses cookies and similar technologies to provide certain functions, operate the website securely, and analyze usage. Cookies are small text files stored on your device that may contain information about your usage.

We distinguish the following categories:

  • Necessary cookies – required for the operation and basic functions of the website (e.g., shopping cart, login)

  • Functional cookies – serve user-friendliness and personalization

  • Analytics cookies – help us measure reach, statistics, and performance (e.g., Shopify Analytics, Google Analytics)

  • Marketing and tracking cookies – are used to tailor advertising and content to your interests (e.g., Google Ads, Meta Pixel, Shopify Audiences)

The storage or reading of non-essential cookies only takes place with your explicit consent in accordance with Art. 6 para. 1 lit. a GDPR, § 25 TDDDG (DE), and § 165 TKG 2021 (AT).
Analysis and marketing data are stored for a maximum of 24 months unless deleted earlier.
You can revoke your consent at any time via our cookie banner or through your browser settings.

Users who do not consent to optional cookies or marketing tracking will not be disadvantaged in using the website. Access to essential content and functions remains guaranteed at all times.

Detailed information about the cookies used on a Shopify basis can be found at:
https://www.shopify.com/legal/cookies

We use cookies to manage our website, analyze usage, and improve the user experience. Selected third parties (e.g., Shopify, Google, Meta) may set cookies to tailor content and advertising to you.

We comply with the Google EU User Consent Policy. For Google services, we use Consent Mode v2; data flows for measurement and advertising are only activated after your consent.

Most browsers accept cookies automatically. You can change your browser settings to delete or reject cookies. Please note that blocking cookies may limit the website’s functionality. Certain data processing may still occur if based on legitimate interests or legal obligations.

How we share personal data
We only share personal data with third parties if legally permitted, especially according to Art. 6 para. 1 lit. b, c, or f GDPR and § 1 DSG (AT).
Disclosure only occurs if necessary for contract fulfillment, compliance with legal obligations, or protection of legitimate interests.

Categories of Recipients of Personal Data

  • Service Providers (Processors):
    Companies that perform services on our behalf, such as IT administration, payment processing, data analysis, cloud storage, customer service, order processing, and shipping.

  • Business and Marketing Partners:
    This includes platforms like Shopify, Google, Meta, or similar providers that support technical infrastructure, web analytics, marketing automation, and personalized advertising.

  • Payment Service Providers:
    Providers such as PayPal Europe S.a.r.l., Shopify Payments, Stripe, Klarna, and others that ensure secure payment processing. These service providers process data independently according to their respective privacy policies.

  • Shipping Service Providers:
    Logistics and delivery companies such as DHL, DPD, UPS, GLS, Austrian Post, and others, for delivering your order. We only transmit the data necessary for shipping (e.g., name, delivery address, phone number).

  • Affiliated Companies and Business Partners:
    As part of our legitimate interest in unified management and internal administration, data may be shared within the group.

  • Authorities and Public Bodies:
    Only if we are legally obliged to do so, for example for fraud prevention, risk mitigation, or to fulfill tax and commercial law retention obligations.

  • Third parties in the context of business transfers:
    For example, in mergers, restructurings, or in the event of a company sale, if this is necessary for the continuation of business operations and legally permissible.

No disclosure of sensitive personal data within the meaning of Art. 9 GDPR takes place.

Shopify – Roles & Responsibilities
We use Shopify’s infrastructure and services to provide our online shop.

  • Data Processing (Art. 28 GDPR): For the operation of our shop (e.g., hosting, checkout, payment processing within the shop system), Shopify processes personal data on our behalf as a data processor.

  • Independent Responsibility: For certain independent purposes (e.g., operating own websites/apps, security and fraud prevention systems, platform analytics, or app store functions), Shopify is an independent controller.

  • Joint Responsibility (only if applicable): To the extent that Shopify provides for joint responsibility under Art. 26 GDPR for certain functions (including Shopify Audiences), the responsibilities described there apply. Details can be found in the Shopify Privacy Policy at shopify.com/legal/privacy.

Requests regarding data subject rights that concern Shopify as an independent controller can be submitted directly via the Shopify Privacy Portal (privacy.shopify.com).

Data Processing
We have Data Processing Agreements with all service providers who process personal data on our behalf, in accordance with Art. 28 GDPR, which ensure the security and lawful processing of the data.
A list of essential subprocessors can be provided upon request.

Transfer to third countries
Data transfers to countries outside the European Economic Area (EEA) – especially to the USA, Canada, China, or other third countries – only take place if the recipients ensure an adequate level of data protection.
The legal basis for this is the Standard Contractual Clauses (SCCs) of the European Commission or equivalent protective mechanisms approved by the competent supervisory authority according to Art. 46 GDPR.

Transfers to recipients in the USA certified under the EU-U.S. Data Privacy Framework are based on the corresponding adequacy decision of the European Commission; otherwise, we continue to use SCCs according to Art. 46 GDPR.

We ensure that all international data transfers only occur to partners who:

  • are contractually obligated to comply with GDPR standards,

  • have implemented appropriate technical and organizational measures (TOMs) according to Art. 32 GDPR,

  • and ensure data subject rights according to Chapter III GDPR.

Categories of recipients and purposes of disclosure

Category of personal data Purpose of processing Categories of recipients Legal basis
Identification Data (name, address, email, phone number) Order processing, shipping, customer communication Payment service providers, shipping companies, Shopify Art. 6 para. 1 lit. b GDPR
Payment data, billing information Payment processing, fraud prevention Payment providers (PayPal, Klarna, Shopify Payments, Stripe) Art. 6 para. 1 lit. b and f GDPR
Commercial Information (order history, customer service contacts) Customer service, complaints, analysis Shopify, CRM providers Art. 6 para. 1 lit. b GDPR
Internet / Network Data (IP address, browser, device type, usage duration) Website operation, security, statistics IT service providers, Shopify, Google Art. 6 para. 1 lit. f GDPR
Marketing Data (cookies, pixels, click data) Advertising, retargeting, campaign analysis Google Ads, Meta Ads, Shopify Audiences Art. 6 para. 1 lit. a GDPR (§ 25 TDDDG / § 165 TKG 2021)

We comply with the Google EU User Consent Policy. For Google services, we use Consent Mode v2; data flows for measurement and advertising are only activated after your consent.

Note on storage duration:  
Marketing and tracking data (e.g., cookies, pixels, click data) are stored for up to 24 months with consent, unless deleted earlier.

Disclosures in the last 12 months
In the past twelve months, personal data has only been disclosed for legitimate purposes stated in this policy:

Data category Recipient
Identification Data (name, email, address) Service providers, marketing and business partners, affiliated companies
Commercial Information (order data, service requests) Service providers, affiliated companies
Internet / Network Activities (IP address, browser data, usage statistics) IT and marketing partners (Shopify, Google, Meta)

We do not sell personal data as defined by the GDPR or national data protection laws.
Sharing with marketing partners takes place exclusively for advertising and analysis purposes, provided you have consented via our cookie banner.

User-Generated Content
Our services may allow you to post product reviews, comments, or other user-generated content. If you choose to post content in a public area of our website, this information will be publicly accessible.
You agree not to publish illegal, offensive, or third-party personal data without their explicit consent.
We have no control over who accesses this content and cannot guarantee that third parties will respect your privacy or handle your data securely.
We accept no liability for the publication, sharing, or misuse of such publicly accessible information.

Websites and links of third parties
Our website may contain links to external websites or third-party platforms. If you follow these links, please note that we have no control over the content, data collection, or privacy practices of these providers.
We recommend that you carefully read the respective privacy policies and terms of use of these third-party sites. We assume no responsibility or liability for their content, security, or data processing.

The integration of social media plugins (e.g., Meta, Instagram, TikTok) is only based on your explicit consent according to Art. 6 para. 1 lit. a GDPR and in compliance with § 25 TDDDG (DE) or § 165 TKG 2021 (AT).
Data transfers to third countries – such as the USA – only take place if appropriate safeguards are in place, particularly based on the EU Standard Contractual Clauses (SCCs) or the EU-U.S. Data Privacy Framework for certified recipients.

We comply with the Google EU User Consent Policy for all integrated services. Consent Mode v2 is used for Google services (e.g., Ads, Analytics); data collection for measurement or advertising purposes only occurs after your consent.

Data from children
Our services are not directed at children or minors. We do not knowingly process personal data of minors.
In Germany, the minimum age for independent consent to information society services is 16 years, and in Austria, it is 14 years, according to Art. 8 GDPR in conjunction with § 4 DSG (AT).
If you are a parent or legal guardian of a child who has provided us with personal data, please contact us immediately at info@cecilelavelle.com so that we can delete this data.

Security and Retention of Your Data
We implement appropriate technical and organizational measures (TOMs) in accordance with Art. 32 GDPR to protect your personal data from unauthorized access, loss, misuse, or alteration. These include encryption, access control, and backup mechanisms.

The retention period of your personal data depends on the specific purpose of the processing:

  • Contract and order data are retained up to Stored for 10 years due to tax and commercial law obligations.

  • Communication and support data are generally deleted after a maximum of 3 years, unless legal retention obligations prevent this.

  • Data necessary for enforcing or defending legal claims may be retained until the expiration of statutory limitation periods.

Your Rights and Choices
Under the GDPR and the Austrian Data Protection Act, you have the following rights:
Access (Art. 15), correction (Art. 16), deletion (Art. 17), restriction (Art. 18), data portability (Art. 20), objection (Art. 21), as well as withdrawal of consent with effect for the future (Art. 7 para. 3).

To exercise your rights, please contact us at info@cecilelavelle.com. We reserve the right to verify your identity before processing your request.
You can object to the processing of your data for direct marketing purposes at any time under Art. 21 para. 2 GDPR.

If you believe that the processing of your data violates applicable data protection law, you have the right to file a complaint with the competent supervisory authority:

  • Germany: The Federal Commissioner for Data Protection and Freedom of Information (BfDI), Graurheindorfer Str. 153, 53117 Bonn

  • Austria: Data Protection Authority (DPA), Barichgasse 40–42, 1030 Vienna

Shopify Advertising Services
We use selected marketing features from Shopify Audiences and related services to show you personalized advertising and product recommendations. These services help us target our campaigns more effectively and improve your shopping experience.

Shopify processes data such as your email address, IP address, order history, or cookie information to create audience statistics and optimize ads.
If you do not want your data to be used for such purposes, you can withdraw your consent at any time via our cookie banner or find more information at https://privacy.shopify.com.

Shopify International Ltd. (Ireland) may act as a data processor, independent controller, or – in explicitly regulated cases – as a joint controller with us, depending on the processing operation.
The data protection roles of Shopify are outlined in the section "Shopify – Roles & Responsibilities" of this policy as well as in the official Shopify Privacy Policy.

Transparency in advertising according to the Digital Services Act (DSA)
We comply with the requirements of EU Regulation 2022/2065 (Digital Services Act) and clearly label all commercial content and advertisements as such.
We do not run personalized advertising based on profiling of minors or on special categories of personal data (Art. 9 GDPR).
We also comply with the requirements of the Google EU User Consent Policy. For Google services (e.g., Ads, Analytics), we use Consent Mode v2; data collection for measurement and advertising only occurs after your explicit consent.

International users
Please note that we may transfer, store, or process your personal data outside the European Union (EU) and the European Economic Area (EEA) – especially in the USA, Canada, China, or Hong Kong.
These transfers are carried out exclusively in accordance with the data protection provisions of the GDPR (Art. 44–49).

The legal basis is the EU Standard Contractual Clauses (SCCs) or other appropriate safeguards according to Art. 46 GDPR.
Transfers to recipients in the USA certified under the EU-U.S. Data Privacy Framework are based on the corresponding adequacy decision of the EU Commission; otherwise, we use SCCs.
All recipients are contractually obligated to ensure a level of protection that meets European standards.
If necessary, we obtain your explicit consent according to Art. 49 para. 1 lit. a GDPR before any data transfer takes place.
International data transfers are regularly reviewed to ensure that all partners continue to provide a GDPR-compliant level of protection.

For more information about our contractual terms, please see our General Terms and Conditions.

Customer Service
Support hours: Monday to Sunday, 9:00 AM – 5:00 PM (CET)
We strive to respond to all inquiries within 24 hours.
Email: info@cecilelavelle.com
Phone: +33 7 56 75 67 75

Company Information
E-Commerce QJ
Kreilerhof 33, 2151 PJ Nieuw-Vennep, Netherlands
Commercial Register (KvK): 94704635
VAT ID: NL866865342B01

This privacy policy complies with the requirements of the General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG), the Telecommunications and Digital Services Data Protection Act (TDDDG), the Austrian Data Protection Act (DSG), and the Telecommunications Act (TKG 2021).