Last updated: 17 November 2025
This Privacy Policy explains how Orchidea (“we”, “us”, “our”) collects, uses and protects your personal data when you visit our website, download our materials (such as reports), subscribe to our newsletter or contact us about our services.We aim to handle your data in line with applicable data protection laws, including the EU General Data Protection Regulation (GDPR). By using our website and sharing your data with us, you acknowledge and agree to the practices described in this Policy.
If you have any questions about this Policy, you can contact us at:
Email: hi@orchidea.agency
Address: Barcelona, Spain 08005
This Policy is for information only and does not constitute legal advice. We may update it from time to time; please check this page periodically.
1. Who is responsible for your data?
The data controller for processing your personal data is:
autónoma Valeriia Shaposhnikova
Barcelona, Spain 08005
Email: hi@orchidea.agency
We decide why and how your personal data is processed in connection with this website, our marketing and client communication.
2. What data we collect. We only collect data that is relevant for clear and legitimate purposes.
2.1. Data you provide directly
When you:
- Download a report or other resource
- Subscribe to our newsletter
- Sign up to receive updates or content on Beehiiv or Substack
- Contact us via email or a contact form
- Request information about our services
- Enter into or discuss a potential contract with uswe may collect, for example:
- First and last name
- Email address
- Company / brand name Role / job title
- Website or social media links of your brand
- Preferences you indicate (e.g. topics you are interested in)
- Any information you voluntarily include in your message (such as project description, goals, timelines, budgets)
Some of this information may be optional. When specific data is necessary to fulfil your request (for example, your email to send you a report), we may not be able to provide the requested service if you do not provide it.
2.2. Data collected automatically
When you visit our website, and when you open or interact with our emails, we may automatically collect certain technical and interaction data, such as:
- IP addressDevice information (type, operating system, browser)
- Language settings
- Dates and times of visits
- Pages visited and time spent on each page
- Referring website or campaign (for example, if you came from LinkedIn or Instagram)
- Basic email engagement data (for example, whether you opened an email or clicked a link), as provided by our email platforms
- This information is usually collected via cookies, tracking pixels and similar technologies. You can control cookies via your browser settings. Blocking some cookies may affect the functioning of certain parts of the site.
We do not deliberately attempt to identify individual visitors from this technical data unless it is reasonably necessary (for example, to ensure security or to investigate abuse).
3. Why we process your data (purposes and legal bases)
We process your data only when we have a valid legal basis under GDPR. For each purpose below, we indicate the main legal basis.
3.1. Sending requested materials (reports, guides, resources)
- To send you materials you request, such as trend reports or other downloads.
- To manage and record who has requested which materials, for internal statistics and campaign analysis.
Legal basis: your consent (Article 6(1)(a) GDPR), given when you submit the relevant form.
3.2. Newsletter and marketing communication
- To send you newsletters, updates, case studies, invitations and other communications about branding, design and trends in beauty, wellness and related industries.
- To inform you about our services, offers and events that may be relevant to you.
- To publish and distribute content, and manage subscribers, through platforms such as Beehiiv and Substack.
We may segment or lightly personalise email content based on basic information we know about you (for example, your role, the type of brand you work with or your interaction with previous emails). This is simple segmentation for relevance, not automated decision-making with legal or similarly significant effects.
Legal basis:your consent to receive such communication (Article 6(1)(a) GDPR); andour legitimate interest (Article 6(1)(f) GDPR) in promoting our services and sharing relevant content with people who have shown interest.
You can opt out of marketing emails at any time by clicking “unsubscribe” in any email or by contacting us directly at hi@orchidea.agency.
3.3. Responding to enquiries and managing client relationshipsTo answer your requests, proposals or questions.
- To discuss potential collaborations and provide you with information you request about our services.
- To prepare, manage and perform contracts (for example, branding projects).
- To handle billing, administration and follow-up.
- To keep limited records of interactions for business and legal purposes.
Legal basis:
- performance of a contract or steps at your request prior to entering into a contract (Article 6(1)(b) GDPR);
- our legitimate interest in managing our business and client relationships (Article 6(1)(f) GDPR);
- compliance with legal obligations (Article 6(1)(c) GDPR), for example accounting and tax rules.
3.4. Website security, analytics and improvement
- To ensure the security and proper functioning of the website (for example, to prevent abuse, attacks or spam).
- To understand how visitors use our website and content.
- To measure the effectiveness of our campaigns (for example, which posts or pages lead to downloads).
- To improve our messaging, content and user experience.
Legal basis:
- our legitimate interest in ensuring the security and performance of our website and in improving our services (Article 6(1)(f) GDPR);
- your consent where required for non-essential cookies or analytics tools.
We do not use this data to make decisions that would significantly affect you as an individual.
4. How long we keep your data
We keep your personal data only for as long as necessary for the purposes described above, or as required by law. In practice, this means for example:
- Newsletter and download subscribers: we keep your data while you remain subscribed and interact with our content on Beehiiv, Substack or via direct email. If you unsubscribe or there is clear long-term inactivity, we may remove you from the active mailing list and/or anonymise your data. We may keep limited information (for example, that you unsubscribed and when) to respect your choice and avoid sending you further emails.
- Enquiries and project communication: we may keep correspondence and relevant project details for up to 5–10 years after the end of the relationship or conversation, insofar as necessary for legal obligations, accounting, or to protect our rights in case of disputes.
- Technical / analytics data: retention depends on the specific tools used (for example, web analytics or email statistics). After the relevant retention period, data may be deleted or aggregated.
We may keep data longer where required by law or where reasonably necessary to establish, exercise or defend legal claims.
5. Who we share your data with (recipients)
We do not sell or rent your personal data to third parties. However, we may share your data with trusted service providers (“processors”) who help us operate our business, under written or contractual arrangements and under our instructions.
These may include:
- Email and newsletter platforms
For managing subscriber lists, sending emails and tracking basic statistics (opens, clicks).
This includes platforms such as: Beehiiv (beehiiv.com), Substack (substack.com).
- Website hosting and CMS providers. To host and maintain our website and store form submissions.
- Analytics and performance tools. To understand traffic and campaign performance (for example, web analytics tools or pixels used to measure visits and conversions).
- Professional advisors. Such as accountants, lawyers or other consultants, when reasonably necessary to comply with legal obligations or to protect our rights.
- Authorities and law enforcement
When we are legally required to disclose data or when it is necessary to protect our rights, safety or property.
These processors may only use your personal data for the purposes agreed with us and must implement appropriate measures to protect it.
6. International data transfers
Some of our service providers (for example, Beehiiv, Substack or certain analytics tools) may be located in countries outside the European Economic Area (EEA) or may store data on servers outside the EEA.
Where personal data is transferred outside the EEA to a country that does not provide an equivalent level of data protection, we will ensure that appropriate safeguards are in place, such as:
- an adequacy decision by the European Commission; or
- Standard Contractual Clauses (SCCs) approved by the European Commission; or
- other lawful mechanisms under GDPR.
You can contact us at hi@orchidea.agency if you would like more information about the specific safeguards used for international transfers linked to our main providers.
7. How we protect your data
We take reasonable technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These measures may include, for example:
- Using reputable hosting and email platforms (Beehiiv, Substack and others)
- Access controls and passwords for tools and accounts where your data is stored
- Limiting access to personal data to those who need it for their work
- Enabling security features such as two-factor authentication where available
However, no method of transmission or storage is completely secure. We cannot guarantee absolute security of your data, and you share information with us at your own risk. You are responsible for keeping your email accounts, devices and any credentials you use to access third-party platforms (Beehiiv, Substack, etc.) secure.
If we become aware of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the relevant supervisory authority when required by law.
8. Your rights under GDPRAs an individual in the EU/EEA, you have the following rights regarding your personal data, subject to certain conditions and exceptions:
- Right of access
You can request confirmation of whether we process your personal data and, if so, receive a copy of that data.Right to rectification
You can ask us to correct inaccurate or incomplete personal data.
- Right to erasure (“right to be forgotten”)
You can ask us to delete your personal data in certain situations (for example, when it is no longer necessary for the purposes for which it was collected, or when you withdraw consent and there is no other legal basis).
- Right to restrict processing
You can ask us to restrict how we use your data in specific cases (for example, while we verify its accuracy or the basis for processing).
- Right to data portability
Where processing is based on consent or contract and carried out by automated means, you can request your data in a structured, commonly used and machine-readable format and have it transmitted to another controller where technically feasible.
- Right to object
You can object to processing based on our legitimate interest, including profiling based on that interest. We will stop processing unless we can demonstrate compelling legitimate grounds or need to protect legal claims.
- Right to object to direct marketing
You can object at any time to the processing of your data for direct marketing, including profiling related to such marketing. In practice, you can unsubscribe from our emails at any time.
- Right to withdraw consent
If we rely on your consent, you can withdraw it at any time (for example, by unsubscribing or contacting us). This does not affect the lawfulness of processing before withdrawal.
To exercise any of these rights, please contact us at:
Email: hi@orchidea.agencyWe may need to request additional information to verify your identity before acting on your request, especially for sensitive actions such as access or deletion.
You also have the right to lodge a complaint with your local supervisory authority.
In Spain, this is:Agencia Española de Protección de Datos (AEPD)
Website: www.aepd.es
9. Third-party websites and services
Our website, newsletter and other communications may contain links to third-party websites, platforms or services (for example, social networks, external articles, Beehiiv or Substack pages). This Privacy Policy does not apply to those third-party websites or services.
We are not responsible for the privacy practices, content or security of third parties. When you follow a link or interact with a third-party service, that third party’s own privacy policy will apply. We encourage you to read the privacy policies of any website or service you visit.If you choose to share personal data directly with third parties (for example, through social media platforms, public comments or forms on other websites), we are not responsible for how they handle that data.
10. Children’s privacy
Our website, content and services are not directed at children under 16 years of age. We do not knowingly collect personal data from children.
If you believe that a child has provided us with personal data without appropriate consent, please contact us at hi@orchidea.agency and we will take reasonable steps to delete such data as soon as possible.
11. Changes to this Privacy Policy
We may update this Privacy Policy from time to time, for example to reflect changes in our services, tools or legal requirements. When we do, we will revise the “Last updated” date at the top of this page.
We encourage you to review this Policy regularly. Continued use of our website and services after changes are posted will be deemed acceptance of those changes.
12. Contact
If you have any questions, concerns or requests regarding this Privacy Policy or the way we process your personal data, you can contact us at:
autónoma Valeriia Shaposhnikova
Email: hi@orchidea.agency
Address: Barcelona, Spain 08005