Privacy Policy
Last updated: 02 June 2026 — This policy explains how Iboga Culture collects, uses and protects your personal data in compliance with the EU General Data Protection Regulation (GDPR).
1. Data Controller
Iboga Culture is the data controller responsible for your personal data. We operate in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation) and applicable national data protection legislation.
2. Data We Collect
We collect personal data only when necessary and to the minimum extent required to provide our services. The categories of data we may process include:
| Category | Examples | Source |
|---|---|---|
| Identity data | Full name, company name | Provided by you at checkout or via contact form |
| Contact data | Email address, postal address, phone number | Provided by you at checkout or registration |
| Transaction data | Order history, products purchased, payment records | Generated when you place an order |
| Technical data | IP address, browser type, device identifiers, pages visited | Collected automatically via our website |
| Professional data | Institutional affiliation, professional role | Provided voluntarily in contact forms or order notes |
| Communication data | Email correspondence, support enquiries | Provided by you when contacting us |
We do not collect special category data (e.g. health information, biometric data) and do not knowingly collect data from individuals under 18 years of age.
3. Legal Basis for Processing
All processing of your personal data is grounded in one of the following legal bases under Article 6 GDPR:
Processing necessary to fulfil your order, manage your account and deliver the contracted service.
Processing required to comply with tax, customs (CITES) and anti-fraud obligations.
Security monitoring, fraud prevention, improving our website and maintaining business records.
Marketing communications, non-essential cookies. Consent may be withdrawn at any time.
4. How We Use Your Data
- Process and fulfil your orders, including CITES export documentation where required
- Send order confirmations, shipping updates and invoices
- Respond to enquiries submitted via our contact form
- Maintain records required by EU tax and customs law
- Detect and prevent fraudulent or unauthorised transactions
- Improve the functionality and content of our website (aggregated, anonymised analytics only)
- Send marketing communications about new products or research publications — only with your explicit consent, and only to verified professional contacts
We never sell, rent or trade your personal data to third parties for marketing purposes.
5. Retention Periods
| Data Type | Retention Period | Reason |
|---|---|---|
| Order and transaction records | 7 years | EU tax and accounting obligations |
| CITES export documentation | 10 years | CITES Appendix II regulatory requirements |
| Account data | Duration of account + 2 years after last activity | Contractual record-keeping |
| Marketing consent records | Until consent withdrawn + 3 years | Accountability under GDPR Art. 7(1) |
| Website technical logs | 90 days | Security and fraud prevention |
| Support correspondence | 3 years from last interaction | Legitimate interests |
6. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights. To exercise any of them, please use our contact form. We will respond within 30 days.
Obtain a copy of the personal data we hold about you and information on how it is processed.
Request correction of inaccurate or incomplete personal data without undue delay.
Request deletion of your data where there is no lawful basis for continued processing.
Request that we restrict processing in defined circumstances, including where accuracy is contested.
Receive your data in a structured, machine-readable format for transfer to another controller.
Object to processing based on legitimate interests, including for direct marketing purposes.
If you believe we have not handled your data lawfully, you have the right to lodge a complaint with your national data protection authority. In the EU, you may find your authority at edpb.europa.eu.
7. Cookies
Our website uses cookies — small text files stored on your device. We categorise our cookies as follows:
| Category | Purpose | Consent Required |
|---|---|---|
| Strictly necessary | Session management, shopping cart, security tokens | No — essential to site function |
| Functional | Language preferences, saved user settings | No — legitimate interests |
| Analytics | Aggregated page view statistics (anonymised) | Yes — opt-in consent |
| Marketing | Interest-based advertising, retargeting | Yes — opt-in consent |
You may manage or withdraw cookie consent at any time through your browser settings or our cookie preference centre.
8. International Data Transfers
Where data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place in accordance with GDPR Chapter V. This includes:
- Transfers to countries covered by an EU adequacy decision
- Use of Standard Contractual Clauses (SCCs) approved by the European Commission
- Transfers to processors certified under recognised frameworks equivalent to EU standards
9. Third-Party Data Processors
We engage a limited number of third-party service providers who process data on our behalf under data processing agreements (DPAs) in compliance with GDPR Art. 28:
| Processor | Purpose | Location |
|---|---|---|
| Payment gateway provider | Secure payment processing | EEA / adequacy decision country |
| Hosting provider | Website and data hosting | EU-based servers |
| Shipping carrier | Order fulfilment and delivery | EEA |
| Email service provider | Transactional and order emails | EEA / SCC-protected |
All processors are contractually bound to process data only on our documented instructions and to implement appropriate technical and organisational security measures.
10. Contact & Data Protection Enquiries
For any questions about this Privacy Policy or to exercise your data subject rights, please contact us:
Iboga Culture
Submit a request via our contact form
We will acknowledge your request within 72 hours and respond fully within 30 calendar days. For complex requests, we may extend this period by a further 60 days with notification.
This policy was last reviewed on 02 June 2026. We will notify users of material changes by posting a notice on our website and, where appropriate, by email.