GDPR Notice

Scope and Controller

This General Data Protection Regulation (GDPR) Notice applies to the personal data processed by Dolphin's NFL Health Shop, operating the website dolphinsshopnflonline.com and related online services that reference this Notice.

The data controller for GDPR purposes is: Dolphin's NFL Health Shop, owned by Violet Dash, 201 W Mifflin St, Madison, WI 53703, United States of America. Contact: [email protected].

Our services and processing operations are based in the United States. This Notice is intended to meet GDPR requirements while aligning with applicable United States laws.

Categories of Personal Data We Process

• Identification and contact data: name, email address, postal address, and similar information you provide.
• Account and preference data: credentials, communication preferences, saved content, and settings (if accounts are offered).
• Device and technical data: IP address, device identifiers, browser type, operating system, language, referring URLs, and event logs.
• Usage data: pages viewed, features used, time on site, and interactions with our content and messages.
• Communications: inquiries, survey responses, support requests, and feedback.
• Health-related information (special categories): only if you voluntarily submit information regarding medications, conditions, supplements, or wellness goals in free-text fields. We do not require such data to browse our site and request that you avoid including sensitive details unless necessary.

Sources of Personal Data

• Directly from you: when you contact us, subscribe, submit forms, or otherwise provide information.
• Automatically: through cookies and similar technologies when you access our services.
• From service providers and partners: analytics, hosting, email delivery, security, and anti-fraud services that generate or provide data related to your use of our site.

Purposes and Lawful Bases for Processing

We process personal data for the following purposes under GDPR lawful bases:

• Provide and operate the services, respond to inquiries, and deliver customer support (performance of a contract or steps prior to entering into a contract; legitimate interests).
• Improve site functionality, security, and user experience; conduct analytics and research (legitimate interests).
• Send service-related communications and, where permitted, optional newsletters or promotional messages (legitimate interests or consent where required). You may opt out at any time.
• Comply with legal obligations and enforce our terms; prevent, detect, and investigate fraud or security incidents (legal obligation; legitimate interests).
• Process any special category data you voluntarily provide only with your explicit consent or where another GDPR basis applies (e.g., establishment, exercise, or defense of legal claims).

Cookies and Similar Technologies

We use cookies and similar technologies to enable core functionality, remember preferences, measure performance, and secure our services. Where required by law, we obtain your consent for non-essential cookies. You can manage cookies via your browser settings; disabling certain cookies may affect site functionality. At this time, our services do not respond to Do Not Track signals.

Data Retention

We retain personal data only as long as necessary for the purposes described above, including to meet legal, accounting, or reporting requirements. Typical retention periods include:

• Account and contact data: for the life of the account or active relationship, plus up to 3 years after inactivity or request closure.
• Communications and support records: up to 3 years after resolution, unless longer retention is needed for legal purposes.
• Technical logs and analytics: typically 12–24 months, unless a shorter or longer period is necessary for security, integrity, or compliance.

We will delete or de-identify data when retention is no longer necessary.

Sharing and Disclosures

We do not sell personal information for monetary consideration and do not share personal data for cross-context behavioral advertising as those terms may be defined under certain U.S. state laws.

We may disclose personal data to:

• Service providers (processors) who perform services on our behalf, such as hosting, analytics, email delivery, security, and IT support, under written contracts that require appropriate safeguards.
• Professional advisors (e.g., legal, compliance, accounting) under confidentiality obligations.
• Competent authorities, law enforcement, or courts where required by law or to protect rights, safety, or property.
• Successors or affiliates in connection with a corporate transaction, subject to continued protections consistent with this Notice.

International Data Transfers

We are located in the United States, and your personal data will be processed in the U.S. If you are in the European Economic Area (EEA), the United Kingdom (UK), or Switzerland, we rely on appropriate safeguards for international transfers, such as the European Commission’s Standard Contractual Clauses and supplementary organizational and technical measures designed to protect your data.

Security Measures

We implement administrative, technical, and physical safeguards designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. No method of transmission or storage is completely secure; we continually review and improve our safeguards.

Your GDPR Rights

If you are in the EEA, UK, or Switzerland, you have the following rights, subject to limitations in law:

• Access: obtain confirmation and a copy of your personal data.
• Rectification: request correction of inaccurate or incomplete data.
• Erasure: request deletion of your personal data in certain circumstances.
• Restriction: request restriction of processing in certain circumstances.
• Portability: receive your data in a structured, commonly used, machine-readable format and have it transmitted to another controller where technically feasible.
• Objection: object to processing based on legitimate interests or for direct marketing.
• Withdraw consent: withdraw consent at any time where processing is based on consent, without affecting prior lawful processing.
• Automated decision-making: request human review and contest decisions where solely automated processing produces legal or similarly significant effects; we do not engage in such processing for our services.

How to Exercise Your Rights

You may submit a request by emailing [email protected] or by writing to: Violet Dash, Dolphin's NFL Health Shop, 201 W Mifflin St, Madison, WI 53703, USA. We may need to verify your identity. We aim to respond within one month, or as permitted by law. You also have the right to lodge a complaint with a supervisory authority in your habitual residence, place of work, or place of the alleged infringement.

US State Privacy Disclosures

For residents of certain U.S. states, including California, Colorado, Connecticut, Utah, and Virginia, applicable law may provide rights to access, correct, delete, or obtain a copy of personal information. You may exercise these rights using the contact methods above. We do not sell personal information and do not share personal information for cross-context behavioral advertising. We will not discriminate against you for exercising your privacy rights.

Children's Data

Our services are not directed to children under 13, and we do not knowingly collect personal information from children. If we learn that a child has provided personal data, we will take appropriate steps to delete it. Where consent is relied upon and local law sets a higher age threshold, we will comply with that requirement.

Health and Wellness Information

We provide educational content related to medications, diseases, and supplements. We are not a healthcare provider or a HIPAA-covered entity, and our services are not intended to store protected health information. Please avoid submitting sensitive health information. If you choose to provide wellness or health-related data in free-text fields, we will process it only as described in this Notice and, where required, based on your explicit consent.

When We Act as a Processor

In limited cases we may process personal data on behalf of business customers or partners. In such cases, we act as a processor under their instructions, and the customer’s privacy notice applies. Data subject requests should be directed to the relevant controller; we will support them as required by our contracts and applicable law.

Changes to This Notice

We may update this GDPR Notice from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. Material changes will be indicated by updating the “Last updated” date below.

Last updated: September 12, 2025

Contact Information

Controller: Dolphin's NFL Health Shop, Violet Dash

Address: 201 W Mifflin St, Madison, WI 53703, United States of America

Email: [email protected]