Privacy Policy

PP/12.9.1 Changes to Cookies

Cookies and their associated purposes may change over time as the platform or third-party services update their technologies.

While reasonable efforts are made to ensure the accuracy and currency of this list, completeness or error-free status cannot be guaranteed due to factors such as, but not limited to, the following examples:

• cookies may be added, modified, or removed without direct control.
  
  
• information provided by third-party vendors regarding cookies may be outdated or incomplete.

PP/12.9.2 Extent and Limitations

• The list covers cookies set by the Shopify platform exclusively. Third-party applications or integrations utilised on the website may set additional cookies not listed herein.
  
  
• LocalStorage keys or other non-cookie storage mechanisms are excluded from this list, as they do not constitute cookies under technical definitions.

PP/12.9.3 Verification and Liability Disclaimer

For the most current and detailed information regarding cookies set on varelmz.com, independent tools and services may be utilised to scan and review cookie usage.

By continuing to use the website, users acknowledge and accept that the website excludes liability for any inaccuracies, omissions, or changes in cookie usage to the fullest extent permitted by law.

PP/13.0 Disclosure and Sharing of Data

Personal Data may be shared by VARELMZ internally and externally, in strict accordance with applicable Data Protection Laws and only where necessary for legitimate business purposes, compliance obligations, or where explicit consent has been provided.

PP/13.1 Internal Access

Access to Personal Data by authorised personnel of VARELMZ shall be strictly limited to what is necessary for the performance of their duties. Such access shall be granted solely on a need-to-know basis and shall be subject to all applicable Data Protection Laws, as well as VARELMZ’s internal policies and procedures governing data security and confidentiality.

Personal Data may also be shared with other entities within the VARELMZ group of companies — including affiliates, subsidiaries, and parent organisations — for purposes such as internal reporting, operational management, provision of products and services, system support and hosting, or in connection with corporate restructuring.

PP/13.2 Third-Party Processors and Partners

Third-party service providers engaged by VARELMZ may process Personal Data on its behalf. These may include:

• e-commerce platform providers (e.g. Shopify);
  
  
• payment Processors and 'buy now, pay later' finance providers;
  
  
• logistics and delivery partners, including warehouse and returns carriers;
  
  
• accounting and bookkeeping software providers;
  
  
• IT service providers supporting websites, applications, and business systems.
  

Such third parties shall be contractually obligated to act only on VARELMZ’s instructions, not to use the data for their own purposes, and to implement appropriate technical and organisational measures to safeguard Personal Data.

PP/13.2.1 Data Processor Obligations

All data Processors acting on behalf of VARELMZ are contractually prohibited from using Personal Data for their own purposes. They may only process Personal Data for specified purposes in accordance with VARELMZ’s documented instructions and under strict confidentiality obligations. VARELMZ requires all Processors to implement appropriate safeguards in compliance with Data Protection Laws.

PP/13.2.2 Anonymised and Aggregated Data

VARELMZ may use and share anonymised or aggregated data that does not identify any individual. Such data may be used for business analysis, service optimisation, marketing performance, or statistical research.

PP/13.3 Use by Marketing and Analytics Partners

Personal Data may be shared with trusted third-party providers for purposes relating to marketing, advertising, and analytics. These providers may include web analytics services such as Google Analytics and Shopify Analytics, online advertising networks and search engines, as well as social media platforms and their associated marketing tools.

Such processing may involve the delivery of personalised advertisements, product suggestions, or other targeted content to data subjects while browsing third-party websites or using social media platforms.

PP/13.3.1 Consent and Third-Party Obligations

Where legally required, explicit consent shall be obtained prior to the sharing of Personal Data for these purposes.

All third parties engaged by VARELMZ in this context are contractually bound to:

• act in accordance with applicable Data Protection Laws;
  
  
• process data strictly in accordance with VARELMZ’s documented instructions;
  
  
• implement appropriate safeguards to ensure the security and confidentiality of Personal Data.

PP/13.4 Government or Legal Disclosure

Personal Data may be disclosed to governmental authorities, regulatory bodies (including HM Revenue & Customs), courts, tribunals, law enforcement, or public agencies in compliance with a legal obligation, subpoena, court order, or other lawful request. Personal Data may also be disclosed where necessary to establish, exercise, or defend the legal rights of VARELMZ, its personnel, or affiliates.

In certain cases, such authorities may act as independent data controllers. VARELMZ shall not be liable for their use or processing of the Personal Data once disclosed. Data subjects are advised to contact those third parties directly for more information.

PP/13.4.1 Fraud Prevention and Risk Management

Personal Data may be shared with third-party organisations for fraud detection, credit risk assessment, and other risk management purposes. This includes relevant financial institutions, fraud prevention agencies, and other service providers engaged to protect the integrity of business operations.

PP/13.5 Corporate Transactions

In the event of a merger, acquisition, divestiture, restructuring, dissolution, insolvency, or sale of business assets, Personal Data may be disclosed to prospective or actual buyers, investors, advisers, or counterparties, as required for due diligence or completion of the transaction. Such disclosures shall be subject to appropriate confidentiality safeguards and carried out in compliance with applicable data protection legislation.

PP/13.6 No Sale of Personal Data

VARELMZ does not sell Personal Data under any circumstances. Sharing with third parties shall only occur where it is permitted or required by law, necessary for the performance of a contract, in the organisation’s legitimate interests, or where explicit consent has been obtained.

PP/13.7 International Data Transfers

Personal Data may be transferred to countries outside the United Kingdom (UK) or the European Economic Area (EEA). Such transfers shall occur only where adequate safeguards are in place to ensure an essentially equivalent level of protection to that provided under UK or EEA Data Protection Law.

PP/13.7.1 Scope of International Data Transfers

VARELMZ may transfer Personal Data to jurisdictions outside the Data Subject’s country of residence where necessary for the performance of a contract, the provision of services, or to comply with applicable legal or regulatory obligations. All such transfers shall be conducted in accordance with applicable data protection requirements.

Where required, we will rely on recognised transfer mechanisms, such as adequacy decisions issued by competent authorities or appropriate safeguards, including standard contractual clauses or equivalent instruments. We do not accept responsibility for the data protection practices or regulatory frameworks of third-country recipients beyond our direct control.

PP/13.7.2 Disclaimer and Associated Risks

To the fullest extent permitted by law, VARELMZ disclaims liability for any loss, misuse, unauthorised access, or other consequences arising from such transfers. Data Subjects acknowledge and accept the potential risks associated with international data transfers to jurisdictions that may not provide an equivalent level of data protection.

Where sufficient safeguards cannot be ensured, we reserve the right, but not the obligation, to suspend or restrict such transfers at our sole discretion.

PP/13.7.3 International Data Transfer Mechanisms

All international transfers of Personal Data shall be subject to lawful transfer mechanisms approved under applicable data protection regimes. These may include:

• UK or EEA adequacy regulations: Transfers may be made to countries that have been formally recognised as providing an adequate level of protection;
  
  
• Standard Contractual Clauses (SCCs): Where adequacy does not apply, VARELMZ may enter into approved contractual terms with the recipient;
  
  
• Binding Corporate Rules (BCRs) or other recognised safeguards: Where neither UK or EEA adequacy regulations nor Standard Contractual Clauses apply, VARELMZ may use Binding Corporate Rules or other recognised safeguards.
  

VARELMZ strives to ensure that recipients of Personal Data implement appropriate technical, organisational, and legal safeguards to protect such data. However, we do not accept liability for the adequacy or effectiveness of measures beyond our direct control. 

Where appropriate, additional safeguards may be applied to support data subjects’ rights and freedoms in accordance with applicable laws.

Data subjects may request information regarding international data transfer arrangements, including any relevant safeguards, by contacting us as set out in this Privacy Policy.

PP/13.8 Children’s Privacy

PP/13.8.1 Age Verification

VARELMZ shall not knowingly collect or process Personal Data relating to individuals under the age of 16 years, or under the age of majority in their jurisdiction where such age is higher, without verifiable consent from a parent or legal guardian. It is expressly acknowledged and agreed that the responsibility for providing accurate age information and securing any necessary parental or guardian consent rests solely with the user or their parent/legal guardian. VARELMZ shall bear no liability or responsibility for any misrepresentation or inaccurate provision of age or consent information.

PP/13.8.2 Parental or Guardian Consent

In circumstances where Personal Data of individuals under the age of 16 is submitted, it shall be the sole responsibility of the parent or legal guardian to provide verifiable consent in accordance with applicable law prior to such submission. VARELMZ shall rely exclusively upon the representations made by the user or their parent/legal guardian in this regard and shall not be held liable for any failure to obtain valid consent.

PP/13.8.3 Data Removal and Rectification

Should VARELMZ receive notification or otherwise become aware that Personal Data of a minor under the age of 16 has been processed without appropriate verifiable parental or guardian consent, VARELMZ shall, upon verification of such notification, take reasonable steps to delete or rectify such data. 

Requests for deletion or rectification must be submitted by a verified parent, legal guardian, or the minor concerned. VARELMZ reserves the right to verify the identity and authority of any requester prior to action and shall not be liable for any delays or failure to act where such verification is not satisfactorily completed. VARELMZ disclaims any liability arising from data provided or processed in breach of this provision.

PP/13.8.4 Liability for Minors’ Actions and Their Data Processing

VARELMZ expressly disclaims any and all liability, responsibility, or obligation arising directly or indirectly from any Personal Data submitted, processed, or used by individuals under the age of sixteen 16 years without valid and verifiable parental or legal guardian consent.

Users, parents, and legal guardians acknowledge and agree that they bear full responsibility for ensuring compliance with all applicable laws and regulations regarding the processing of Personal Data and contractual actions involving minors.

This includes, but is not limited to, responsibility for:

• any inaccuracies, misrepresentations, or falsifications of age or consent information provided by or on behalf of a minor;
  
  
• any failure by a minor or their parent/legal guardian to comply with applicable laws relating to data protection and contractual capacity;
  
  
• any orders, purchases, or transactions initiated or completed by a minor without verifiable parental or guardian consent;
  
  
• any claims, damages, losses, liabilities, costs, or expenses arising from contracts or commitments made by minors without proper consent;
  
  
• any adverse legal, regulatory, financial, or reputational consequences resulting from processing or use of Personal Data or commercial transactions involving minors in breach of this policy.

VARELMZ is under no obligation to verify parental consent prior to processing orders or data submitted by minors and disclaims any liability arising from reliance on user-provided information.

VARELMZ reserves the right, at its sole discretion, to suspend, cancel, or refuse any order or service related to minors where consent is absent or cannot be verified, without incurring liability.

Requests for deletion or correction of Personal Data relating to minors must be submitted by a verified parent, guardian, or the minor themselves. We reserve the right to verify such requests prior to taking action.

PP/13.9 Data Retention and Disposal

VARELMZ acts in the capacity of a Data Controller in respect of any Personal Data collected via its online store. However, the operational infrastructure and data-handling functionality are provided primarily through the third-party Hosting Platform, Shopify, upon which VARELMZ relies for the majority of data processing and storage. 

We do not ordinarily perform independent processing of Personal Data, except in limited and clearly defined circumstances necessary to manage the store, conduct communications, or fulfil legal obligations.

Accordingly, VARELMZ depends on the data retention mechanisms and technical defaults of the Hosting Platform, and makes no representation that it independently processes or disposes of Personal Data beyond what is reasonably required or permitted by law.

PP/13.9.1 Data Minimisation Commitment

VARELMZ is committed to the principle of data minimisation. Personal Data is collected and retained only to the extent necessary to fulfil clearly defined and lawful purposes. Where data is collected via the Hosting Platform, the minimisation standards are primarily enforced through that platform’s operational and technical settings. VARELMZ does not generally engage in separate data collection or retention outside that framework, except where explicitly required.

PP/13.9.2 Overview of Data Retention Practices

PP/13.9.2.1 Retention Durations

Retention durations for Personal Data are, in most cases, governed by the Hosting Platform’s default configuration and lifecycle settings. This may include retention of customer, transactional, and store-related data for defined periods following user activity, inactivity, or account closure. Where VARELMZ accesses or retains data independently — for example, in connection with customer support or legal compliance  — such data is retained only for so long as is reasonably necessary, having regard to the original purpose for which it was collected.

PP/13.9.2.2 Criteria for Retention Duration

As the Data Controller, VARELMZ remains responsible for ensuring that Personal Data under its control is not retained for longer than is necessary. In practice, the majority of retention functions are performed through the Hosting Platform. Where VARELMZ retains or accesses data independently, retention durations may be influenced by:

• applicable legal and regulatory obligations;
  
  
• contractual commitments or requirements;
  
  
• ongoing business or operational needs;

• the specific context and purpose for which the data was originally collected; and
  
  
• any other relevant circumstances or considerations reasonably impacting data retention.
  

To the best of our knowledge, data retained via Shopify is not held indefinitely without review or action. VARELMZ undertakes, where reasonably practicable, to review retained data periodically and ensure it is not kept longer than necessary.

PP/13.9.2.3 Retention for Legal Obligations

Notwithstanding any shorter retention periods referenced herein, VARELMZ reserves the right to retain certain data for longer where required for the purpose of complying with regulatory or legal obligations, responding to maintaining appropriate records, complying with lawful requests, or establishing or defending legal claims. Such retention shall be limited to what is strictly necessary in the circumstances and shall be reviewed periodically for continued justification.

PP/13.9.2.4 Platform Retention Defaults

Unless otherwise stated, VARELMZ relies on the Hosting Platform’s default data retention settings, which may vary depending on account activity, legal retention periods, and system-level operations. VARELMZ does not ordinarily alter, extend, or override these defaults, and disclaims responsibility for retention settings implemented at the platform level that are not directly managed or modified by VARELMZ.

PP/13.9.2.5 Log Data, Anonymisation and Pseudonymisation

PP/13.9.2.5.1 Log Data

VARELMZ may retain system-generated logs, metadata, and related technical records where reasonably necessary for purposes such as operational diagnostics, performance optimisation, security monitoring, fraud prevention, and compliance auditing. This log data may include, for example, access timestamps, IP addresses, device identifiers, and event tracking entries. Retention is limited to what is strictly required and performed in line with the principle of data minimisation.

PP/13.9.2.5.2 Anonymisation and Pseudonymisation

Where feasible and appropriate, VARELMZ shall apply anonymisation or pseudonymisation techniques to retained log data to reduce the risk of individual identification:

• Anonymisation: the process of irreversibly removing identifying elements from data, such that the individual can no longer be identified by any means reasonably likely to be used; anonymised data falls outside the scope of Data Protection Law and may be retained indefinitely for legitimate purposes such as analytics.

• Pseudonymisation: involves substituting identifying information with coded references, while retaining the ability to re-identify the data under secure and controlled conditions; pseudonymised data remains within the scope of applicable Data Protection Laws and is safeguarded accordingly.

These techniques are implemented, where applicable, as part of our commitment to data minimisation, privacy, and security.

PP/13.9.3 Data Disposal and Archival

PP/13.9.3.1 Automated Data Purging

Automated data deletion or anonymisation processes, where they exist, are typically implemented through Shopify. VARELMZ does not usually operate separate automated systems for data purging. To the extent any automated purging is applied by us directly, it shall conform with relevant retention principles and applicable law.

PP/13.9.3.2 Secure Disposal Protocols

Where data is no longer required for its original purpose and no legal justification exists for continued retention, it is ordinarily subject to secure deletion, anonymisation, or comparable safeguards to render it permanently inaccessible. Where the data is processed through the Hosting Platform, VARELMZ may rely on that platform’s disposal mechanisms and may not routinely implement separate deletion procedures unless operationally necessary or legally required.

PP/13.9.3.3 Backup and Archival Practices

Backups and archives of store-related data are managed, in most instances, by Shopify as part of its standard service infrastructure. VARELMZ does not typically operate independent backup or archival systems. Any such measures taken outside the platform environment shall be limited in scope and duration, and maintained only to the extent required for continuity, recordkeeping, or legal compliance.

PP/13.9.3.4 Discretionary Deletion and Limitation of Liability

VARELMZ reserves the right, at its sole discretion and without prior notice, to archive, anonymise, delete, or otherwise dispose of Personal Data where such action is undertaken in good faith and in accordance with applicable law, internal policies, or operational requirements. 

VARELMZ disclaims any and all liability arising from the removal, loss, or unavailability of any Personal Data deleted or otherwise rendered inaccessible pursuant to such actions, whether performed directly or through reliance on third-party service providers. 

No Data Subject or third party shall have any right to compensation, reinstatement, or other remedy in connection with any such lawful data deletion.

PP/14.0 Data Protection Impact Assessments (DPIAs)

PP/14.1 Risk Assessment

VARELMZ may conduct Data Protection Impact Assessments (DPIAs) in circumstances where processing of Personal Data is likely to result in a high risk to the rights and freedoms of Data Subjects. Given the nature of VARELMZ’s operations as an online retail store selling clothing, DPIAs are generally not required except where new or unusual processing activities involving elevated risks are introduced.

PP/14.1.1 DPIA Outcomes

Where a DPIA is conducted and significant risks are identified, VARELMZ shall implement appropriate measures to mitigate those risks prior to commencing the relevant processing activities. Such measures will be regularly reviewed to ensure ongoing compliance with data protection obligations.

PP/14.1.2 Data Security and Protection Measures

VARELMZ is dedicated to maintaining appropriate organisational and technical measures to protect Personal Data under its control against accidental loss, unauthorised access, unlawful processing, and other forms of compromise. Where VARELMZ relies on the third-party Hosting Platform for infrastructure and processing functions, security obligations are fulfilled, in part, through that platform's safeguards, as publicly documented in its own privacy and security frameworks.

PP/14.2 Internal Structure and Permission Management

PP/14.2.1 Organisational and Access Controls

PP/14.2.1.1 Organisational Safeguards

VARELMZ maintains internal policies and practices designed to promote secure handling of Personal Data. These include confidentiality obligations for staff, role-appropriate access restrictions, periodic reviews of authorisation levels, and awareness measures such as staff training on data protection principles and handling procedures.

PP/14.2.1.2 Access Authorisation

Access to systems and data is managed on a role-based basis and limited to personnel with a defined operational need. Multi-factor authentication (MFA) is implemented where supported, and authorisation levels are reviewed periodically to ensure alignment with job responsibilities and data protection requirements. Unauthorised access attempts are subject to investigation and may result in revocation of access privileges.

PP/14.2.2 Technical and Platform Security Measures

PP/14.2.2.1 Technical Safeguards

Technical security measures applied to systems and data include, where applicable, transport layer security (TLS), encryption of data in transit and at rest, the use of secure servers, firewall protections, and other industry-standard protocols intended to mitigate the risk of unauthorised access, data loss, or service disruption.

PP/14.2.2.2 Hosting Platform Security

As the operational framework and data-handling environment are provided by the Hosting Platform, VARELMZ relies on the technical and security measures implemented by Shopify, including system safeguards, access controls, and compliance with relevant industry standards, as outlined in Shopify’s security documentation and terms of service. VARELMZ generally refrains from modifying or extending the platform’s native security protocols.

PP/14.2.2.3 Third-Party Vendor Security

Where VARELMZ engages third-party service providers to process Personal Data on its behalf, such vendors are independently responsible for implementing and maintaining appropriate security measures in accordance with applicable law and industry standards. While we seek to engage reputable providers, we do not guarantee or warrant the security practices of any third-party vendor and shall not be held liable for any security failures or breaches arising from their actions. Our oversight and due diligence with respect to third-party security measures are limited to reasonable assessments as part of vendor selection and ongoing relationships.

PP/14.2.3 Risk Detection and Incident Action

PP/14.2.3.1 Security Incident Monitoring

The Hosting Platform conducts routine monitoring for potential security threats, unauthorised activity, and other indicators of compromise. VARELMZ may also engage in incident awareness or reporting to the extent such monitoring functions are made available through the platform or become necessary due to operational or legal obligations. Security incidents are managed in accordance with applicable contractual and law responsibilities.

PP/14.2.3.2 Data Breach Notification

In the event of a Personal Data breach that is likely to result in a risk to the rights and freedoms of individuals, VARELMZ shall take reasonable steps to ensure timely notification is made to affected Data Subjects and, where required, to relevant supervisory authorities, in accordance with applicable data protection legislation. 

As our online store is operated using third-party hosting and processing services provided by Shopify, the operational framework and associated notification obligations are subject to Shopify’s policies and contractual responsibilities. VARELMZ relies on Shopify to discharge its own notification duties and shall cooperate in good faith where applicable. VARELMZ expressly disclaims any liability arising from Shopify’s failure to notify or respond to incidents, acknowledging that its ability to control or influence such responses is limited.

PP/14.2.4 Limitations and User Responsibilities

PP/14.2.4.1 Limitations of Security

While VARELMZ endeavours to implement appropriate security measures, no system can be guaranteed to be fully secure. We disclaim any representation of absolute security and advise Data Subjects to exercise caution, particularly when transmitting Personal Data over the internet. We accept no liability for breaches beyond our reasonable control, including but not limited to those arising from third-party infrastructure vulnerabilities.

PP/14.2.4.2 Security Responsibilities of Users

PP/14.2.4.2.1 User Responsibility for Account Security

Users are solely responsible for maintaining the confidentiality and security of their account credentials, including the use of strong, unique passwords and other appropriate security measures. Users must promptly notify VARELMZ of any suspected or actual unauthorised use of their accounts or any other breach of security.

PP/14.2.4.2.2 Liability Disclaimer for User Failures

VARELMZ expressly disclaims any liability for losses, damages, or consequences arising directly or indirectly from a User’s failure to comply with these obligations, including but not limited to data breaches, unauthorised access, misuse of the account, or financial loss. We shall not be liable for any loss or damage resulting from Users’ failure to safeguard their credentials, delays in reporting security incidents, or reliance on any security features or recommendations provided by us or the Hosting Platform. Under no circumstances shall we be responsible for any incidental, indirect, consequential, special, or punitive damages arising out of or in connection with the loss, compromise, or misuse of User accounts, regardless of whether such damages were foreseeable or we were advised of the possibility thereof.

PP/14.2.4.2.3 Acknowledgement of Inherent Security Risks

Users acknowledge that no system can guarantee absolute security and accept the inherent risks associated with the use of our online services.

PP/14.2.4.2.4 User Indemnification

By using the platform, Users agree to hold VARELMZ harmless from any claims, losses, or damages arising from their own negligence, failure to implement appropriate security measures, or any third-party actions affecting their accounts.

PP/14.3 Limitation of Liability

To the fullest extent permitted by applicable law, VARELMZ expressly disclaims and limits all liability, whether in contract, tort (including negligence), strict liability, or otherwise, arising directly or indirectly from the collection, processing, storage, transfer, disclosure, sharing, or any other handling of Personal Data. This limitation applies regardless of whether such activities are carried out in accordance with this Policy, applicable legal requirements, or otherwise.

By using VARELMZ’s services, the Data Subject acknowledges and accepts all inherent risks related to the processing of Personal Data, including risks beyond VARELMZ’s reasonable control.

The Data Subject hereby expressly consents to such processing and agrees that VARELMZ shall bear no responsibility or liability for any loss, damage, or expense, whether direct, indirect, incidental, consequential, punitive, or special, arising out of or connected with the processing of Personal Data.

Notwithstanding the foregoing, nothing in this Policy shall exclude or limit VARELMZ’s liability for fraud, wilful misconduct, gross negligence, or any other liability which cannot be excluded or limited under applicable mandatory law.

PP/14.3.1 Limitation of Liability for Our Processing

Without prejudice to Section PP/14.3, VARELMZ shall have no liability whatsoever, to the fullest extent permitted by applicable law, arising from or in connection with its processing of Personal Data.

PP/14.3.2 Limitation of Liability for Third-Party Processing

VARELMZ shall have no liability whatsoever, to the fullest extent permitted by applicable law, for any acts, omissions, breaches, or non-compliance by third-party processors or arising from any external links, including the content, practices, or policies of third-party websites or services.

Users are advised to review the privacy policies and terms of such third parties directly.

PP/14.4 Individual Rights and Control

VARELMZ acknowledges its responsibilities, as a Data Controller or equivalent operator under applicable Data Protection Laws, to facilitate the exercise of individual rights relating to the Personal Data processed through its online store.

The extent to which these rights may be exercised depends on the nature of the data held, the legal basis for processing, and the operational infrastructure provided by the Hosting Platform.

Where reasonably practicable, VARELMZ will assist Data Subjects in exercising their rights in accordance with applicable laws, subject to legal exceptions, overriding obligations, and the technical functionality provided by the Hosting Platform.

PP/14.4.1 Procedures for Exercising Individual Rights

Data Subjects may submit requests using the contact details provided in this Policy. Verification of identity may be required to prevent unauthorised disclosure.

PP/14.4.2 Fees and Validity of Requests

Requests are generally handled free of charge; however, VARELMZ reserves the right to charge a reasonable administrative fee or decline requests that are manifestly unfounded, excessive, or repetitive, in line with applicable laws.

PP/14.4.3 Response Time and Processing

VARELMZ shall endeavour to respond to all valid requests promptly. For complex or multiple requests, or operational constraints, Data Subjects may be informed of any delays. While no specific timeframe is guaranteed, requests will be processed according to operational capacity.

PP/14.4.4 Additional Information and Restrictions

Additional information may be requested to clarify or verify the scope and validity of a request. Compliance with erasure or restriction requests may be limited by legal obligations or legitimate interests requiring continued processing.

PP/14.5 Data Subject Rights

PP/14.5.1 Right to Access

Data Subjects have the right to confirm whether their Personal Data is processed and to access such data along with supplementary information as required by law. Access may be provided via Hosting Platform mechanisms or directly by VARELMZ. Identity verification and reasonable administrative fees for repeat or unfounded requests may apply.

PP/14.5.2 Right to Rectification / Correction

Data Subjects may request rectification or correction of inaccurate or incomplete Personal Data. VARELMZ will implement such changes as soon as reasonably practicable, either by enabling the Data Subject to make updates through Hosting Platform tools or by processing the request directly.

PP/14.5.3 Right to Erasure (“Right to be Forgotten”)

Where permitted, Data Subjects may request erasure of Personal Data no longer necessary for its original purposes or when consent is withdrawn. Requests are subject to exemptions including legal obligations or legitimate interests. Deletion will be carried out via Hosting Platform or directly by VARELMZ. Where control over deletion is limited, VARELMZ will facilitate requests to the extent possible but disclaims liability for platform constraints.

PP/14.5.4 Right to Data Portability

Data Subjects may request their Personal Data in a structured, commonly used, machine-readable format and request transmission to another controller, where technically feasible and legally required. This right generally applies to data provided directly by the Data Subject processed on consent or contract grounds.

PP/14.5.5 Rights to Restrict and Object to Processing

PP/14.5.5.1 Right to Restrict Processing

Data Subjects may request restriction of processing in limited cases, such as when contesting data accuracy or during legal claims.

PP/14.5.5.2 Right to Object to Processing

Where processing is based on legitimate interests or involves direct marketing, Data Subjects may object. VARELMZ will assess such requests and cease or restrict processing as legally mandated, using Hosting Platform tools or direct engagement.

PP/14.5.6 Right to Withdraw Consent

Where processing relies on consent, Data Subjects may withdraw consent at any time without affecting prior lawful processing. Withdrawal may be managed through Hosting Platform tools or by contacting VARELMZ directly. Withdrawal requests will be acted upon in good faith, subject to technical and operational capabilities. Following withdrawal, a brief period of continued communication may occur due to system updates.

PP/14.5.6.1 Essential Communications Despite Withdrawal of Consent

Certain communications necessary for service, legal, or contractual reasons (e.g., system alerts, transaction confirmations, policy updates) may continue despite withdrawal of consent. VARELMZ may send such communications to ensure proper operation, security, and legal compliance.

PP/14.5.7 Right to Automated Decision-Making and Profiling

In the case where we engage in automated decision-making processes that produce legal or similarly significant effects on Data Subjects, Data Subjects shall have the right to obtain human intervention, express their views, and contest the decision.

PP/14.6 Limitations on Data Subject Rights

Data Subject rights may be limited or restricted where such limitations are necessary for compliance with legal obligations, fraud prevention, public interest, or the protection of others’ rights and freedoms, as permitted under applicable Data Protection Laws.

Notwithstanding the above, VARELMZ shall not deny services, charge different prices, or otherwise discriminate against any Data Subject for exercising their privacy rights under applicable law.

PP/14.7 Special Jurisdictional Rights

VARELMZ recognises that Data Subjects in certain jurisdictions have additional or enhanced rights concerning their Personal Data. The following subsections outline those rights to the extent that applicable laws apply to VARELMZ’s operations or data processing.

Requests to exercise the following rights may be submitted via the email provided in this Privacy Policy. Where VARELMZ is not the sole Data Processor, redirection to the Hosting Platform’s tools may be required.

PP/14.7.1 Rights under UK and EU Data Protection Laws

Individuals located in the United Kingdom and the European Economic Area (EEA) may be entitled to rights under the UK General Data Protection Regulation (UK-GDPR) and the EU General Data Protection Regulation (GDPR), including but not limited to rights of access, correction, erasure, restriction, portability, objection, and withdrawal of consent.

VARELMZ is committed to respecting these rights and will comply with applicable obligations in good faith, within the limits of its legal, contractual, and technical capabilities.

PP/14.7.2 California Consumer Rights (CCPA / CPRA)

Residents of the State of California may have additional rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), including the right to:

• know what categories of Personal Data are collected;
  
  
• request access to specific pieces of Personal Data;
  
  
• request deletion of Personal Data, subject to lawful exceptions;
  
  
• limit the use of sensitive Personal Data;
  
  
• opt out of the sale or sharing of Personal Data;
  
  
• request certain information regarding disclosures of Personal Data to third parties for their direct marketing purposes (per California Civil Code §1798.83, the “Shine the Light” law).

PP/14.7.3 Nevada Privacy Rights

Nevada residents have a limited right to opt out of the sale of certain Personal Data. Although VARELMZ does not sell Personal Data as defined under Nevada law, Nevada residents may submit an opt-out request.

PP/14.7.4 Rights for Residents of Colorado, Connecticut, Utah, and Virginia

Residents of Colorado, Connecticut, Virginia, and Utah may have the following rights under their respective state laws:

• confirm whether their Personal Data is being processed;
  
  
• request access to and deletion of certain Personal Data;
  
  
• obtain a copy of their Personal Data in a structured, commonly used, and machine-readable format;
  
  
• opt out of Personal Data processing for targeted advertising, sales, or profiling that results in legal or similarly significant effects;
  
  
• correct inaccuracies in their Personal Data, considering the nature and purpose of the processing.

PP/14.7.5 Other Jurisdictions

VARELMZ recognises that individuals in other jurisdictions may be entitled to additional or equivalent data protection rights under laws applicable to their location. VARELMZ will endeavour to comply with such laws in good faith within its technical and contractual capabilities.

PP/14.8 Requests and Complaints

PP/14.8.1 Submitting Data Subject Requests

Data Subject Requests, including but not limited to access, correction, or deletion of Personal Data, must be submitted in accordance with VARELMZ’s verification procedures to ensure the identity and security of the requestor. VARELMZ shall make reasonable efforts to respond to all valid requests in accordance with applicable law.

Where permitted by law, Data Subjects may designate an authorised agent to submit requests on their behalf. VARELMZ may require proof of such authorisation and may request direct confirmation from the Data Subject before acting on the agent’s request.

PP/14.8.1.1 Limitations and Conditions on Data Subject Requests

All rights described herein are subject to the limitations, exemptions, and conditions established by applicable Data Protection Laws. VARELMZ reserves the right to decline, restrict, or defer any request where:

• compliance is technically infeasible or would impose a disproportionate technical or operational burden;
  
  
• legal, regulatory, or contractual obligations require the continued retention, use, or processing of the Personal Data;
  
  
• the request is unfounded, repetitive, excessive, or manifestly unreasonable in nature or frequency;
  
  
• there is reasonable suspicion of fraudulent, malicious, or bad-faith intent behind the request.

PP/14.8.1.2 Operational Considerations and Response Times

While VARELMZ aims to address Data Subject Requests as efficiently as possible, no specific timeframe is guaranteed. The ability to respond may be impacted by:

• time required to verify the identity of the Data Subject or assess the legitimacy of the request;

• the complexity, nature, or volume of the request(s) submitted;
  
  
• technical limitations or restrictions within the Hosting Platform or relevant infrastructure;
  
  
• delays caused by third-party Processors or service providers, including where VARELMZ relies on their cooperation to fulfil the request.

PP/14.8.1.3 Limitation of Liability Regarding Requests

To the fullest extent permitted by applicable law, VARELMZ shall not be held liable for any failure or delay in fulfilling a Data Subject Request where such failure or delay results from:

• limitations or failures inherent to the Hosting Platform or other third-party systems beyond VARELMZ’s control;
  
  
• incomplete, inaccurate, or unverifiable information submitted by the Data Subject;
  
  
• failure, non-compliance, or delay by third-party Processors or entities involved in the data processing chain;
  
  
• system outages, force majeure events, or any other circumstance reasonably outside VARELMZ’s control.

PP/14.8.1.4 Protection Against Fraudulent or Abusive Requests

VARELMZ reserves the right to take reasonable steps to protect its systems and operations from fraudulent, malicious, or abusive requests. These steps may include, but are not limited to:

• requiring additional verification steps to confirm the identity or intent of the requestor;
  
  
• declining to act on requests where there is credible suspicion of fraud, bad faith, or abuse;
  
  
• restricting or suspending the processing of further requests from individuals who have previously submitted abusive or bad-faith requests;
  
  
• reporting unlawful or abusive behaviour to the appropriate authorities or legal channels, where necessary.

By submitting a request, the Data Subject acknowledges and accepts that VARELMZ’s ability to comply is subject to the above terms and that its obligations are limited to the extent permitted by applicable law.

PP/14.8.2 Complaints to Supervisory Authorities

Data Subjects have the right to lodge complaints regarding the handling of their Personal Data with an appropriate supervisory authority. The following outlines the available options:

• UK Information Commissioner’s Office (ICO): Individuals located in the United Kingdom may submit complaints to the ICO if they believe that their rights under the UK General Data Protection Regulation (UK-GDPR) or the Data Protection Act 2018 have been violated.
  
  
• EU Supervisory Authorities: If the Data Subject resides within the European Union or their data is processed under the scope of the EU General Data Protection Regulation (EU-GDPR), they may contact the relevant Data Protection Authority in their Member State of residence, place of work, or place of the alleged infringement. A current list of EU supervisory authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en.
  
  
• California Attorney General’s Office: California residents may lodge complaints with the California Attorney General regarding any breach of rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA).
  
  
• Other U.S. State Regulators: Data Subjects in other U.S. states such as Virginia, Colorado, Connecticut, and Utah may contact their respective state Attorney General’s Office to raise concerns under applicable state consumer privacy laws.
  
  
• Other Applicable Jurisdictions: Where required by law or applicable regulation, individuals may also submit complaints to local data protection authorities or regulators relevant to their location or the jurisdiction in which their data is processed.

SP/14.9 Notice of Binding Terms and Conditions

This notice constitutes a formal and legally binding statement for the Parties concerned.

ST/14.9.1 Updates to Terms and Conditions

ST/14.9.1.1 Right to Make Updates

VARELMZ reserves the unrestricted right to amend, update, revise, or otherwise modify any of its Terms and Conditions — including, but not limited to, the Service Terms, Shipping Policy, Return Policy, and Privacy Policy — at any time and for any reason deemed necessary, including to comply with applicable laws, respond to changes in operational requirements, or for any other legitimate business purpose. All such updates shall be published on the official VARELMZ Website and shall supersede all prior versions.

ST/14.9.1.2 Effective Date of Updates

Unless expressly stated otherwise, all updates shall become effective immediately upon publication on the VARELMZ Website, or on such other date as may be explicitly specified therein. It shall be the sole responsibility of each User to periodically review the relevant policies to ensure continued awareness of the most current Terms.

ST/14.9.1.3 Acceptance Through Continued Use

The continued use by any User of VARELMZ’s Services — including, without limitation, browsing the Website, submitting enquiries, placing orders, or initiating returns — shall constitute full and binding acceptance of the applicable versions of the Terms and Conditions in force at the time of such use. 

VARELMZ may, but shall not be obliged to, notify Users of any significant amendments to the Related Policies; however, failure to provide such notification shall not affect the validity or enforceability of those amendments, nor relieve Users of their obligation to comply therewith. 

Users who do not agree to any updated Terms must immediately discontinue all use of VARELMZ’s Services and, where applicable, provide written notice to VARELMZ.

SP/15.0 Enquiries Regarding Terms and Conditions

For any matters related to our Terms and Conditions, customers may contact VARELMZ at the following designated email address:

info@varelmz.com 

All correspondence must include the customer’s full legal name, any relevant order number(s), and a clear description of the nature of the enquiry. We reserve the right to disregard, decline to respond to, or delay processing of any communication that is incomplete, unverifiable, irrelevant, or submitted via unauthorised or unofficial channels.