Skip to main content

Privacy Notice

1. Data Controller

The data controller is Bruma Collective , an online store for Costa Rican memorabilia, domiciled in Costa Rica.

  • Cédula jurídica (business ID): TBD
  • Contact email: orders@brumacollective.com
  • Registered address: To be confirmed

This notice complies with Costa Rican Law 8968 on the Protection of Individuals from the Processing of Their Personal Data and its regulations, as well as with resolutions of the Data Protection Agency for Inhabitants (PRODHAB). It also applies to non-resident customers purchasing from abroad.

2. Data We Collect

We collect only the data necessary to process your order and meet our legal obligations:

  • Identification data: full name, and national ID number when required for payment receipts.
  • Contact data: email address and phone number.
  • Delivery data: postal address or selected pickup location.
  • Order data: items purchased, amounts, currency, discounts applied, and SINPE Móvil payment proof where applicable.
  • Technical data: IP address and user agent (browser) at the time of purchase, for fraud prevention.

We do not collect sensitive data (health, ideology, religion, sexual orientation) or full banking details: SINPE Móvil payments are processed directly between your bank and ours, so Bruma Collective never has access to your account number.

3. Legal Basis for Processing

We process your personal data on the following bases:

  • Performance of a contract: to process, ship, and deliver the order you place.
  • Compliance with a legal obligation: accounting and tax record retention under the Código de Comercio and the rules of the Dirección General de Tributación.
  • Informed consent: by ticking the agreement box at checkout, you consent to the processing described in this notice. Consent may be withdrawn at any time.

4. Purposes of Processing

Your data is used exclusively to:

  1. Process and dispatch your order.
  2. Issue receipts and keep accounting records.
  3. Communicate order status updates.
  4. Handle claims, returns, and customer-service requests.
  5. Comply with legal obligations and valid requests from competent authorities.
  6. Prevent fraud and protect store security.

We do not sell, rent, or share your data with third parties for commercial purposes. We do not perform automated profiling that produces legal effects on you.

5. Retention Periods

We keep your data only as long as strictly necessary:

  • Payment proofs: 12 months after the order reaches a terminal state (delivered, cancelled, or refunded), then deleted.
  • Email events (delivery, bounces): 12 months.
  • Orders, order items, and audit logs: 5 years, per Article 234 of the Código de Comercio.
  • IP address and user agent associated with the order: erased (nulled) after 90 days.

Once these periods expire, data is securely deleted unless a specific legal obligation requires longer retention.

6. Recipients of Data

We share your data only with providers strictly necessary to run the store:

  • Correos de Costa Rica or other carriers, to deliver your order.
  • Supabase (United States): database and authentication provider. Data is hosted under contractual processing controls.
  • Resend (United States): transactional email provider (order confirmations and receipts).
  • Public authorities only where a valid legal request exists.

None of these providers uses your data for their own purposes.

7. Your Rights (ARCO Rights)

You have the right to:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: correct inaccurate or incomplete data.
  • Cancellation (deletion): request deletion of your data when no longer needed for the original purpose.
  • Objection: object to processing in the cases provided by law.
  • Withdrawal of consent, without retroactive effect.

To exercise any of these rights, email orders@brumacollective.com with your full name, the email used at checkout, and the right you wish to exercise. We will respond within legal deadlines (acknowledgement within 5 business days, substantive response within 10 business days, per Law 8968 regulations).

If you believe your rights have not been properly addressed, you may file a complaint with the Data Protection Agency (PRODHAB).

8. Cookies and Similar Technologies

Bruma Collective uses only strictly necessary cookies for site operation: session, shopping cart, and language preference. We do not use advertising cookies, third-party tracking, or device fingerprinting. A cookie-consent banner is not required because only essential technical cookies are used, in line with PRODHAB guidance.

9. Security

We apply reasonable technical and organisational measures to protect your data: TLS encryption in transit, access controls with multi-factor authentication for administrative staff, modification audit logs, and automated retention policies. No system is infallible, but we commit to notifying authorities and affected individuals of relevant incidents when legally required.

10. Minors

Bruma Collective is not directed at individuals under 18. We do not knowingly collect data from minors. If we become aware that we hold data from a minor, we will delete it as soon as it is identified.

11. Changes to This Notice

We may update this notice to reflect legal or operational changes. Each version is identified by a string of the form vN-YYYY-MM-DD and recorded in our policy history. The version applicable to your purchase is the one published at the time you accepted the consent box; it is stored with your order for future reference.

12. Contact

For any question about this notice or the processing of your data, contact us at orders@brumacollective.com.