I. Data Controller Information

The data controller is DENIM TRADE LTD INC. If you have any questions, complaints, or needs regarding the processing of your personal data, please contact us through the following methods:

• Business Email: business@tradeindenim.com
• Official Website: tradeindenim.com (You can contact customer service through the online inquiry function)

II. Categories of Personal Data Collected

To achieve legitimate purposes such as product sales, order fulfillment, and customer service, we may collect the following personal data:

1. Identity and Contact Data: Including name, company name (if applicable), email address, telephone number, mailing address, etc., for order communication, goods delivery, and after-sales coordination;
2. Transaction and Payment Data: Including order information and payment method information (excluding sensitive payment details such as complete bank card passwords), for completing transaction settlement and retaining order records;
3. Technical Data: When you visit our official website, we may automatically collect technical data such as IP address, browser type and version, access time, and page browsing history to optimize website performance, improve user experience, and ensure website security;
4. Other Data: Other personal data related to cooperation collected with your explicit consent. The specific data category and purpose of collection will be clearly stated before collection.

Please note that we do not proactively collect special categories of personal data such as race or ethnicity, origin, political opinion, religious or philosophical beliefs, trade union membership, genetic data, biometric data, or health data, unless based on specific legal scenarios and with your explicit written consent.

III. Legal Basis for Data Processing

We process personal data based on legal grounds stipulated by GDPR, specifically including:

1. Fulfilling Contractual Obligations: To complete the signing and performance of contracts between you and us, such as the purchase of cups, including the delivery of goods and settlement of payments. This is the core legal basis for processing personal data;
2. Data Subject Consent: When you explicitly check the consent box and proactively provide personal data for a specific purpose (such as receiving product update information), we will process the data based on your consent. You can withdraw your consent at any time;
3. Legitimate Interests: To achieve our reasonable business interests without harming your legitimate rights, such as optimizing product design, improving customer service quality, and ensuring business operation security. This processing will fully balance our interests with your data rights;
4. Legal Obligations: To comply with the requirements of relevant EU and member state laws and regulations, such as retaining transaction records to meet tax regulatory requirements.

IV. Purpose of Use of Personal Data

The personal data we collect will only be used for the following specific and explicit purposes, and will not be processed beyond those purposes:

1. Order Fulfillment: This includes confirming order details, arranging production, logistics and delivery, after-sales support, and handling order-related complaints and inquiries;
2. Product and Service Optimization: Based on non-identifiable aggregated data analysis of user needs, improve the quality and style of cup products and the user experience of the official website;
3. Business Communication: Respond to your inquiries and requests for quotes, inform you of order progress, and important product-related notices (such as delivery delays);
4. Compliance and Security: Comply with relevant laws and regulations, prevent security risks such as fraud and data breaches, and protect the legitimate rights and interests of both us and you.

V. Data Retention Period

We will strictly adhere to the "storage limitation principle" and retain personal data only for the shortest period necessary to achieve the data processing purpose. The specific retention periods are as follows:

1. Order-related data: Retained for no more than 5 years after order completion and resolution of all after-sales issues. If legal retention requirements such as tax compliance are required, the maximum legal retention period will apply;
2. Technical data: Retained for no more than 6 months, unless extended retention is necessary to ensure website security and necessary security measures have been implemented;
3. Data collected based on consent: Retained until the date you withdraw your consent, or the shortest time required to achieve the agreed purpose.

After the data retention period expires, we will completely delete or anonymize your personal data through secure methods (such as encrypted deletion and physical destruction) to ensure that the data subject cannot be identified.

VI. Data Sharing and Cross-border Transfer

1. Data Sharing

We will not sell or rent your personal data to any third party. Data will be shared only in the following limited scenarios, and the scope of sharing will be strictly controlled:

1. Service Providers: For order fulfillment (e.g., logistics providers), website technical maintenance (e.g., compliant cloud service providers), etc., necessary data will be shared with entrusted third-party service providers. Such providers must strictly comply with our data processing instructions, sign data processing agreements, and take sufficient security measures;
2. Legal Requirements: Necessary data will be disclosed to relevant law enforcement agencies and regulatory authorities in accordance with EU and member state laws, regulations, judicial decisions, or administrative orders;
3. With Your Consent: Data will be shared with third parties designated by you only with your explicit written consent.

2. Cross-border Transfer

If personal data collected within the EU needs to be transferred to countries or regions outside the EU (including the location of our data storage servers), we will take the following compliance safeguards:

1. Transfer to countries or regions recognized by the European Commission as having an “adequate protection level”;
2. Sign EU Standard Contractual Clauses (SCCs) with the recipient;
3. Take encryption, anonymization, and other technical measures to ensure that the security and protection level during data transmission is no less than EU requirements.

VII. Rights of Data Subjects

According to GDPR, you, as a data subject, have the following rights, and we will respond to your reasonable requests free of charge:

1. Right to Know: You have the right to know the categories, purposes, legal basis, sharing partners, and retention periods of your personal data that we collect;
2. Right to Access: You have the right to request a copy of your personal data;
3. Right to Correction: You have the right to request that we correct any inaccurate or incomplete personal data promptly;
4. Right to Erasure (Right to Be Forgotten): You have the right to request that we delete your personal data if the purpose of data processing has been achieved, you have withdrawn your consent, we have no legitimate reason to continue retaining it, or it violates legal requirements;
5. Right to Restrict Processing: You have the right to request that we restrict the processing of your personal data in situations where you dispute the accuracy of the data, or where the purpose of processing has disappeared but it needs to be retained for legal dispute resolution;
6. Right to Object: You have the right to object to our processing of your personal data based on "legitimate interests," and we will cease processing unless we can prove a legitimate reason prior to your rights or necessary to fulfill legal obligations;
7. Right of Data Portability: You have the right to request that we provide your personal data in a structured, commonly used, and machine-readable format, and the right to transfer it to other data controllers.

To exercise the above rights, please submit a written request to us through the contact information listed in Section 1 of this policy. We will respond within one month of receiving your request, which may be extended to three months in complex cases (you will be informed of the reasons for the extension in advance).

VIII. Data Security Measures

We attach great importance to personal data security and have adopted technical and organizational security measures that comply with GDPR requirements to prevent unauthorized access, use, disclosure, alteration, or destruction of personal data:

1. Technical Measures: Data storage systems are encrypted, access control technologies (such as account passwords and hierarchical access control) are employed, security software is regularly updated, and cyberattacks are prevented;
2. Organizational Measures: Job responsibilities and confidentiality obligations for data processing personnel are clearly defined, relevant employees receive GDPR and data security training, and data security risk assessments are conducted regularly;
3. Emergency Response: In the event of a personal data breach, we will immediately activate our emergency response mechanism, assess the risk of the breach, and notify the relevant EU data protection authorities and affected data subjects within 72 hours (if the breach poses a high risk to the rights and interests of the data subjects).

IX. Policy Updates and Notifications

We may revise this policy in accordance with updates to EU data protection regulations or business adjustments. Revised policies will be published prominently on our official website (tradeindenim.com) and marked with the "Last Updated Date". If the revisions involve significant changes to your personal data rights, we will notify you separately via our business email or other contact methods you provided.

X. Complaint Channels

If you believe that our processing of your personal data violates the GDPR or related regulations, you may first contact us through the contact methods listed in this policy to resolve the issue. If you are not satisfied with the outcome of the communication, you have the right to file a complaint with the Data Protection Authority (DPA) of your EU member state.