Last Updated: February 25, 2026

1. Overview

This policy explains how we handle your data with a focus on security and transparency. We use industry-standard tools to process orders, calculate taxes accurately, and protect our website from malicious activity.

2. Payment Processing & Data Accuracy

We utilize Stripe for all payment transactions.

  • Source of Truth: Contact information is never collected as part of the checkout process at yamworks.com. That task is delegated to Stripe.
  • Final Authority: Stripe serves as the ultimate source of truth for your billing and shipping data. The verified information you confirm within the Stripe interface is what is used for tax calculations and final order fulfillment.
  • Security: We do not store or have access to your credit card numbers. All payment data is processed on Stripe’s PCI-compliant servers. Use of this service is subject to Stripe’s Security & Data Protection Policy.

3. Information Retrieved from External Processors

To fulfill our legal and operational duties, we retrieve specific verified data from Stripe following a successful transaction:

  • Verified Contact Details: We retrieve your verified email and phone number to ensure reliable order communication.
  • Tax Compliance: We use Stripe to calculate the correct VAT/Sales Tax based on your verified location.

4. Cookies & Functional Technologies

We use cookies to ensure a functional and secure shopping experience. These are categorized as follows:

  • Essential Commerce Cookies: These enable core functionality such as the shopping cart, session management, and the secure bridge between our store and the payment gateway.
  • Communication & Form Tools: We use internal tools to manage contact requests and prevent duplicate form submissions.
  • Security & Firewall Suite: Our website is protected by a real-time security monitor that uses technical cookies to distinguish legitimate human visitors from automated hacking attempts and brute-force attacks.

5. Automated Fraud & Spam Protection (Google reCAPTCHA)

We use Google reCAPTCHA on our login, registration, and “Place Order” forms.

  • Purpose: This is essential to prevent “Carding” (where bots attempt to test stolen credit cards on our checkout) and to protect user accounts from unauthorized access.
  • How it works: This tool analyzes hardware and software patterns (such as mouse movements) to identify bot behavior. This data processing is subject to the Google Privacy Policy and Terms of Service.

6. Email Marketing & Communications

  • Purpose: We use Brevo to manage our email subscriber list and send newsletters, art drop announcements, and order confirmations.
  • Data Collected: When you subscribe to our newsletter, we collect your email address, and optionally, your name.
  • Legal Basis: We process this data based on your explicit consent (provided when you opt-in via our subscription form) or our legitimate interest in providing updates regarding your purchases.
  • Data Location: Your data is stored on Brevo’s secure servers. You can unsubscribe at any time by clicking the “Unsubscribe” link in the footer of any email we send. Alternatively you can also check the “The Bureau > Newsletter” submenu.
  • Privacy Policy: You can view Brevo’s privacy policy here.

7. Your Rights

Under global privacy frameworks (including GDPR), you have the right to access or request the deletion of your personal data. Check the “The Bureau > GDPR” submenu.

While you have the right to request the erasure of your personal data (the “Right to be Forgotten”), please note that under EU VAT Directive 2006/112/EC and the Bulgarian Accountancy Act (Закон за счетоводството), yamworks.com is legally obligated to retain specific information related to financial transactions for a period of 10 years.

What this means for your erasure request:

  • Data that WILL be erased: Your user account, login credentials, marketing preferences, email subscription, and any saved “wishlists” or browsing history.
  • Data that WILL NOT be erased: Your name, billing address, shipping address, and IP address as they appear on historical invoices and tax records.

This data is strictly “blocked” from our active marketing systems and is retained solely for tax audit purposes and to prove the “Place of Supply” for VAT calculations. Once the mandatory 10-year period expires, this data will be permanently purged.