Privacy Policy

LustMonster.com | 144 Fishponds Rd, Eastville, Bristol BS5 6PT, United Kingdom

sales@lustmonster.com

Effective Date: 18 June 2025

This Privacy Policy governs the manner in which LustMonster ("we", "our", "us") collects, uses, maintains, and discloses information collected from users ("User" or "you") of the website https://lustmonster.com ("Website"). We are fully committed to protecting your privacy and operating in compliance with the General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and all applicable international and local data protection laws.

1. Information We Collect

LustMonster collects specific categories of information to deliver orders, secure our platform, comply with legal requirements, optimise customer experience, and protect our business operations. We do not collect any data beyond what is necessary for the legitimate functioning of our services.

1.1 Personal Data

Personal data refers to any information that can be used to directly or indirectly identify a natural person. We collect such data only when you actively interact with our website or services. This includes:

  • Full legal name – for billing, tax documentation, and shipping label generation.
  • Email address – for transactional updates, customer service, and marketing where you have opted in.
  • Shipping address – required for product delivery.
  • Billing address – used for tax calculation, card verification, and fraud screening.
  • Phone number – optional, used for delivery coordination and required by certain carriers or customs authorities.
  • Order comments or contact messages – retained as part of your user history.

We explicitly do not collect any special categories of personal data as defined under Article 9 of the GDPR, including racial or ethnic origin, political opinions, religious beliefs, genetic or biometric data, health status, or sexual orientation.

1.2 Non-Personal Data

We automatically collect non-personal information when you interact with our website, including device specifications, browser data, session behaviour (page visits, click sequences, scroll depth), approximate geographic region (based on anonymised IP), and time zone. This data is anonymised wherever feasible and used for business intelligence and fraud detection purposes.

1.3 Payment Data

LustMonster does not directly process or store full payment credentials. All financial data is securely processed by third-party PCI-DSS Level 1 certified gateways. We retain only limited payment metadata for transactional integrity and fraud prevention, including card brand, last 4 digits, billing postcode, transaction reference IDs, and digital wallet identifiers. These records are retained for a minimum of 7 years in compliance with financial obligations.

1.4 Automated Data Collection Technologies

To protect our infrastructure and improve user experience, we deploy the following automated tools:

  • Cookies and session identifiers – to maintain login states, cart contents, and language preferences.
  • Tracking pixels – for opt-in email tracking and campaign performance.
  • Browser fingerprinting – in limited cases as part of automated fraud prevention.
  • JavaScript-based monitoring scripts – to detect bots or malicious scripts.

Third-party tools deployed include Google Analytics (with IP anonymisation), Meta Pixel (only with explicit consent), Cloudflare security suite, and Shopify analytics. You may opt out of non-essential cookies via our Cookie Consent Manager.

2. How We Use Your Information

LustMonster processes personal and non-personal data only for lawful, specific, and limited purposes in accordance with GDPR Article 5. Every processing activity is mapped to one of the following legal bases: contractual necessity, legal obligation, legitimate interest, or explicit consent.

2.1 Order Processing and Fulfilment

We use your data to validate and confirm orders, calculate shipping, generate invoices, notify you of order and shipment status, and resolve delivery exceptions. Shipping details including name, address, and phone number may be shared with carriers and customs authorities as required.

2.2 Payment Verification and Fraud Prevention

We use payment metadata to screen transactions for fraud, comply with AML and KYC regulations where applicable, and assist with chargeback or dispute resolution. High-risk orders may be flagged and cancelled automatically or manually.

2.3 Customer Support

All support correspondence and associated metadata are retained to verify identity, review past orders, provide technical assistance, and resolve disputes. Support interactions are logged for internal accountability and training.

2.4 Legal Compliance and Regulatory Reporting

We may process or retain your data to comply with tax reporting obligations, cooperate with law enforcement under lawful warrant or court order, and maintain records required by applicable retention laws.

2.5 Essential Service Communications

We use your contact information to send order confirmations, shipping notifications, password resets, and important updates about policy or platform changes. These are transactional messages and do not require prior consent. You cannot opt out unless you delete your account entirely.

2.6 Marketing and Promotional Communications

By providing your email address — whether during account registration, order placement at checkout, newsletter subscription, or any other interaction with our website — you agree to receive marketing communications from LustMonster.com, including promotional offers, product updates, and newsletters.

You may withdraw your consent and unsubscribe at any time by clicking the "Unsubscribe" link included in every marketing email or by contacting us at sales@lustmonster.com. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal. We do not engage in cold email marketing or third-party list purchases.

2.7 Analytics and Service Optimisation

We process anonymised usage data to analyse sales trends, optimise navigation and product display, identify errors, and measure campaign performance. All analytics data is anonymised where possible and is never used to create behavioural profiles or sold to third parties. We do not perform automated decision-making or profiling under GDPR Article 22.

2.8 Security Monitoring and Abuse Prevention

We log and process data related to suspicious login attempts, abuse of promotional codes, checkout tampering, scraping violations, and attempts to bypass geo-restrictions. This data may be shared with hosting providers, CDN security layers, and threat intelligence vendors under strict agreements, and is retained for up to 36 months.

3. Legal Basis for Processing (GDPR)

This section applies to individuals in the EEA, UK, and Switzerland. Every processing activity performed by LustMonster is mapped to one or more of the lawful bases under GDPR Article 6(1).

3.1 Contractual Necessity – Art. 6(1)(b)

Processing required to accept and process orders, manage payments and refunds, deliver goods, provide order-related support, and verify identity for account matters.

3.2 Legal Obligation – Art. 6(1)(c)

Processing required by tax and customs regulations, accounting and recordkeeping laws, consumer protection legislation, and law enforcement cooperation (e.g., fraud investigations, data preservation under subpoena).

3.3 Legitimate Interests – Art. 6(1)(f)

Processing for fraud and abuse detection, security event logging, IT infrastructure protection, defence against legal claims, service improvement, anonymised analytics, and demand-based inventory management. We conduct documented Legitimate Interest Assessments (LIAs) to ensure proportionality. You have the right to object at any time.

3.4 Consent – Art. 6(1)(a)

Processing based on freely given, specific, informed, and unambiguous consent. Examples include: opting in to marketing emails or newsletters, accepting non-essential cookies or tracking pixels, participating in surveys, and requesting restock notifications.

You may withdraw consent at any time by clicking the unsubscribe link in marketing emails, adjusting cookie preferences, or contacting sales@lustmonster.com. Withdrawal does not affect the lawfulness of prior processing.

4. Your Rights Under GDPR

If you are located in the EEA or UK, you are entitled to the following rights under GDPR Articles 12–23. Requests may be submitted to sales@lustmonster.com. We will respond within 30 calendar days of receiving a verified request.

4.1 Right to Access (Art. 15)

Request confirmation of whether we process your personal data and obtain a copy, including processing purposes, data categories, recipients, retention periods, and sources.

4.2 Right to Rectification (Art. 16)

Request correction of inaccurate, incomplete, or outdated personal data. Certain fields may be archived rather than overwritten for audit integrity.

4.3 Right to Erasure (Art. 17)

Request deletion of your personal data when it is no longer necessary, when you withdraw consent, when you object and there are no overriding legitimate grounds, or when it has been unlawfully processed. Exceptions apply for legal compliance, fraud prevention, and active contractual obligations.

4.4 Right to Restriction of Processing (Art. 18)

Request suspension of data processing while contesting accuracy, during objection assessment, or when processing is unlawful but you prefer restriction over deletion.

4.5 Right to Data Portability (Art. 20)

Request your personal data in a structured, machine-readable format (e.g., JSON, CSV) where processing is based on consent or contract and carried out by automated means.

4.6 Right to Object (Art. 21)

Object to direct marketing at any time — this right is absolute and will be actioned immediately. You may also object to processing based on legitimate interests; if we cannot demonstrate compelling overriding grounds, we will cease processing.

4.7 Automated Decision-Making (Art. 22)

We do not engage in automated decision-making that produces legal or equivalent significant effects on users. Any fraud scoring or risk assessment is subject to human oversight.

4.8 Right to Lodge a Complaint (Art. 77)

If you believe your rights have been violated, you may lodge a complaint with your local supervisory authority. A list of EU data protection authorities is available at https://edpb.europa.eu/about-edpb/board/members_en. We encourage you to contact us first at sales@lustmonster.com so we can attempt to resolve the issue directly.

5. Your Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you are entitled to specific rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), effective January 1, 2023.

5.1 Categories of Personal Information Collected

In the past 12 months, LustMonster has collected the following categories of personal information about California residents:

Category (CCPA §1798.140)  | Examples                                          | Source           | Shared With
A. Identifiers             | Name, email, address, phone, IP                   | Direct from user | Service providers
B. Commercial information  | Products purchased, order history, refund records | Direct from user | Payment processors
C. Internet activity       | Page views, session duration, cart activity       | Automated        | Analytics vendors
D. Geolocation data        | General region based on IP (country/state)        | Automated        | None
F. Payment metadata        | Payment type, masked card ID, billing ZIP         | Payment gateway  | Fraud screening
G. Inferences (anonymised) | Product category interest (non-personal)          | Analytics        | Internal only

We do not collect sensitive personal data as defined in Cal. Civ. Code §1798.140(ae), biometric or health data, or government identifiers. We do not sell personal information or engage in cross-context behavioural advertising.

5.2 Your Rights

  • Right to Know – Request disclosure of categories and specific pieces of personal information collected, sources, purposes, and sharing. Up to twice per 12-month period.
  • Right to Delete – Request deletion, subject to legal retention obligations, active contracts, or fraud prevention needs.
  • Right to Correct – Request correction of inaccurate data, subject to identity verification.
  • Right to Opt Out – We do not sell personal data. If this changes, a "Do Not Sell or Share My Personal Information" link will appear on our homepage.
  • Right to Non-Discrimination – We will not deny goods, charge different prices, or provide a reduced level of service based on the exercise of your CCPA rights.

To submit CCPA requests, contact sales@lustmonster.com with subject line "CCPA Request". We will respond within 45 calendar days.

6. Cookies and Tracking Technologies

LustMonster uses cookies and tracking technologies to enable core functionality, protect platform security, analyse performance, and enhance customer experience. Our use complies with the EU ePrivacy Directive, GDPR, UK PECR, and CCPA/CPRA.

6.1 Categories of Cookies We Use

Strictly Necessary – Essential for the website to function. Cannot be disabled. Includes authentication tokens, cart sessions, security tokens, and load balancing cookies.

Performance and Analytics – Collect anonymised data on visitor interactions to improve usability. Includes Google Analytics (IP anonymised) and Shopify Analytics. Activated only after opt-in consent in the EU/UK.

Functional – Remember your preferences (language, currency, region). Disabling them may reduce site functionality.

Targeting and Advertising – Used for audience segmentation or campaign tracking. Disabled by default; activated only with prior affirmative consent.

6.2 Third-Party Services That May Set Cookies

  • Google Analytics – Performance metrics. Opt-out: https://tools.google.com/dlpage/gaoptout
  • Meta Pixel – Retargeting (only if explicitly opted in)
  • Cloudflare – Bot mitigation and security (essential, no opt-out)
  • Shopify Core – Cart, checkout, localisation (essential, no opt-out)

6.3 Consent Management

Users in the EEA and UK are presented with a cookie consent banner on first visit, allowing granular control over cookie categories. Consent is valid for 12 months or until withdrawn. No non-essential cookies are deployed before consent is obtained. You may update preferences at any time via the "Cookie Settings" link in our footer.

6.4 Managing Cookies via Your Browser

Most browsers allow you to view, delete, or block cookies. Disabling all cookies may prevent use of key features including checkout, login, and account access. Browser-specific instructions are available via your browser's help documentation.

7. Third-Party Service Providers

We engage a limited number of external service providers to assist with specific technical and operational functions. All providers are bound by strict legal and contractual obligations, including GDPR-compliant Data Processing Agreements (DPAs).

  • Infrastructure and Security – Server hosting, traffic routing, SSL/TLS encryption, DDoS protection. Providers do not access personal data directly unless legally compelled.
  • Payment Processors – PCI-DSS Level 1 certified gateways (e.g., Stripe, PayPal). We receive only non-sensitive transaction metadata.
  • Shipping and Logistics – Name, address, and phone number shared solely for delivery purposes. Partners are prohibited from reusing this data for marketing.
  • Email and Communication Services – For transactional messages and newsletters (with consent). Providers cannot reuse or analyse your messages.
  • Analytics and Optimisation – Anonymised technical data only, with your consent where required.
  • Legal, Financial and Compliance Partners – Licensed accountants, tax advisors, legal counsel, and law enforcement (only when legally required).

We do not permit third-party marketing trackers, retargeting ad networks, or embedded SDKs that collect personal information beyond the contracted scope.

8. International Data Transfers

We are based in the United Kingdom and store the majority of customer data within the UK and EEA. Where data is transferred internationally, we ensure compliance with applicable data protection laws through the following mechanisms:

  • Adequacy Decisions – Where the European Commission or UK ICO has confirmed adequate protection levels.
  • Standard Contractual Clauses (SCCs) – Contractually binding GDPR-equivalent safeguards for transfers without an adequacy decision.
  • Supplementary Measures – Data encryption, role-based access, data minimisation, and pseudonymisation applied where required.

Typical transfer scenarios include payment tokenisation (US/UK-routed), email infrastructure, and cloud-based fraud detection. All data exports are logged and monitored. We encrypt sensitive fields at rest (AES-256) and in transit (TLS 1.2+).

You may request information about transfer countries, applicable SCCs, or request that your data not be transferred outside your jurisdiction (subject to service limitations) by contacting sales@lustmonster.com.

9. Data Retention

LustMonster retains personal data only for as long as necessary to fulfil the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements. Retention periods are category-based and subject to scheduled deletion or anonymisation.

Data Category                          | Retention Period                        | Rationale
Order & transaction data               | 7 years                                 | Tax, accounting, fraud prevention, statutory limitation periods
Account data (active users)            | While account is active                 | Required to deliver services and support
Account data (inactive > 24 months)    | Deleted or anonymised after 24 months   | Data minimisation and GDPR compliance
Customer support correspondence        | 3 years from last interaction           | Service history, legal defence, dispute resolution
Marketing consent & preferences        | Until opt-out + 2 years                 | Proof of consent under GDPR and marketing law
Email marketing activity (anonymised)  | 24 months                               | Analytics and business performance
IP addresses & user agents (logs)      | 30 days                                 | Security monitoring and fraud detection
Payment tokens / identifiers           | 5 years max                             | Repeat orders and fraud review (no card numbers stored)
Security & fraud event logs            | 36–60 months                            | Abuse detection, chargeback defence, GDPR Art. 32
Tax, VAT, and legal records            | 6–10 years (jurisdiction-dependent)     | Mandatory statutory retention obligations
Abuse reports / confirmed fraud records | Permanently or until appeal            | Blacklist enforcement and litigation

Once retention periods expire, data is either permanently deleted from all active and backup systems, or anonymised in accordance with ISO/IEC 20889 standards, rendering it non-identifiable.

Data involved in pending litigation, fraud investigations, regulatory inquiries, or tax audits may be retained beyond standard periods until the matter is formally resolved.

To request deletion of your data, contact sales@lustmonster.com with the subject line "Data Deletion Request". We will respond within 30 calendar days, explaining what can and cannot be erased and why.

10. Security Measures

LustMonster implements a layered, risk-based security framework to ensure the confidentiality, integrity, and availability of all user data.

10.1 Technical Controls

  • TLS 1.3 HTTPS encryption for all traffic including checkout and account login.
  • Hardened, firewall-protected hosting with AES-256 encryption of data at rest.
  • Adaptive password hashing (e.g., bcrypt); passwords never stored in plaintext.
  • Web Application Firewall (WAF) and DDoS protection with rate-limiting on all endpoints.
  • Input validation, output encoding, and security headers against SQL injection and XSS.
  • Nightly encrypted off-site backups for disaster recovery.

10.2 Organisational Controls

  • Role-based internal access, reviewed quarterly and revoked upon role change or contract termination.
  • All staff and contractors bound by NDAs and Data Processing Agreements.
  • Staff devices protected by antivirus, OS patches, and full-disk encryption.
  • Administrative action logging for accountability and anomaly detection.

10.3 Incident Response

In the event of a data breach or confirmed unauthorised access, we commit to: immediately isolating and containing the breach; investigating scope using forensic tools; notifying affected customers within 72 hours where required by GDPR, UK GDPR, or CCPA; cooperating with legal authorities; and documenting the incident and prevention improvements.

Security researchers who discover vulnerabilities may report them to sales@lustmonster.com. We pledge to acknowledge good-faith reports within 7 business days and not to pursue legal action against responsible disclosures.

11. Children's Privacy

Our website, products, and services are strictly intended for adults aged 18 and over (or the age of majority in your jurisdiction, whichever is higher). We do not knowingly collect, solicit, or process personal information from anyone under 18. If we become aware that we have inadvertently collected data from a minor, we will immediately delete all associated data and disable any related account or order.

We implement age-gating mechanisms and visible warnings to discourage access by underage individuals. Parents and guardians who believe a minor has accessed our site should contact sales@lustmonster.com (subject: "Minor Data Concern"). We will respond within 7 business days.

This policy aligns with GDPR Article 8, COPPA (US), the UK Children's Code, and PIPEDA guidance on minors.

12. Your Rights and Choices

To exercise any of the rights described in this Privacy Policy, contact us at:

sales@lustmonster.com

Please include your name, the email address linked to your account or order, a description of your request, and proof of identity. We will respond within 30 calendar days; complex requests may take up to 60 days with written notice.

You may also contact your local data protection authority:

  • EU residents: your national data protection authority (list at https://edpb.europa.eu)
  • UK residents: the Information Commissioner's Office (ICO) at https://ico.org.uk
  • Bulgaria: Commission for Personal Data Protection (CPDP) at https://www.cpdp.bg
  • California residents: California Privacy Protection Agency (CPPA) at https://cppa.ca.gov

13. Final Provisions

This Privacy Policy is binding upon all users of LustMonster.com. By accessing or interacting with our website, placing an order, or submitting any personal data, you confirm that you have read and understood this Privacy Policy and accept the terms stated herein.

We reserve the right to modify this policy at any time to reflect changes in law, business practices, or security guidance. Material changes will be published on our homepage and, where applicable, notified via email. Continued use of the site constitutes acceptance of the updated version.

Effective Date: 18 June 2025

LustMonster | 144 Fishponds Rd, Eastville, Bristol BS5 6PT, United Kingdom | sales@lustmonster.com