Rowsfire is the Data Controller for personal information collected through rowsfire.com. This means we determine the purposes and means of processing your data.

• Legal Entity: [Rowsfire registered legal entity name — pending confirmation]
• Registered Address: [Registered business address — pending confirmation]
• Contact for Privacy Matters: service@rowsfire.com
• Data Protection Officer (DPO): Designated representative reachable at privacy@rowsfire.com

For EU/UK customers: if you have concerns about our handling of your personal data, you have the right to file a complaint with your local data protection authority. We commit to working with you in good faith to resolve any concern before escalation.

2.1 Information You Provide Directly

When you register an account, place an order, contact support, leave a review, or subscribe to marketing, we collect:

• Identity data: first and last name, billing/shipping name
• Contact data: email address, phone number, shipping and billing addresses
• Account data: username, password (stored encrypted), preferences
• Order data: products purchased, order history, transaction amounts
• Payment data: processed by our payment providers (Shopify Payments, PayPal, Klarna, Apple/Google Pay) — we do not store full card numbers on our servers
• Communication data: messages sent to support, reviews submitted via Judge.me, social media interactions
• Customs data: identification details (e.g., passport / ID copy) when required by destination country customs authorities

2.2 Information Collected Automatically

When you browse our site, our servers and analytics tools automatically receive:

• Technical data: IP address, browser type and version, device type, operating system
• Usage data: pages visited, time spent, click paths, referring URLs, search queries on our site
• Location data: approximate geographic location derived from IP address (country / region level)
• Cookies and similar technologies: see Section 6 for details

2.3 Information from Third Parties

We may receive limited data from:

• Payment processors confirming successful transactions
• Shipping carriers providing delivery status
• Marketing platforms (e.g. Meta, Google) reporting ad campaign performance in aggregated form
• Affiliate program partners (GoAffPro) reporting referral conversions

We use your personal data only for the purposes for which it was collected:

3.1 Order Fulfillment & Customer Service

• Process payments and execute your orders
• Ship products to you and provide shipping updates
• Provide pre-sale and post-sale customer support
• Process returns, exchanges, and warranty claims
• Comply with customs declaration requirements

3.2 Account Management

• Create and maintain your registered account
• Authenticate logins and prevent unauthorized access
• Save your preferences and order history

3.3 Communications

• Transactional: order confirmations, shipping notifications, RMA updates (cannot be opted out as required for service delivery)
• Marketing: newsletters, promotions, new product announcements (only with explicit opt-in for EU/UK customers; opt-out available for all)

3.4 Site Improvement & Analytics

• Understand site usage patterns through aggregated analytics
• Improve site performance, navigation, and conversion
• Detect and prevent fraud, security incidents, or abuse

3.5 Legal Compliance

• Comply with tax, accounting, and customs regulations
• Respond to lawful requests from authorities
• Enforce our Terms and Conditions

If you are in the EU, UK, or another jurisdiction with similar data protection laws, we rely on the following lawful bases under Article 6 of the GDPR:

• Contractual Necessity: processing required to fulfill your order and provide post-sale services (e.g. shipping, returns, warranty)
• Legal Obligation: processing required by law (e.g. tax records, customs declarations, fraud prevention)
• Legitimate Interests: processing for our legitimate business purposes (e.g. site security, fraud prevention, basic analytics) — balanced against your privacy rights
• Consent: processing you have explicitly opted into (e.g. marketing emails, non-essential cookies, social media tracking)

You may withdraw consent at any time without affecting the lawfulness of prior processing. To withdraw, email service@rowsfire.com or use the unsubscribe link in any marketing email.

To operate our store and services, we share necessary data with the following processors. Each is bound by data processing agreements (DPAs) and is subject to applicable privacy laws.

We do not sell, rent, or trade your personal information to data brokers, advertisers, or any other third parties for their own marketing purposes. We may disclose information when legally required (court order, regulatory request) or when necessary to protect our rights and safety.

Our website uses cookies and similar technologies to function correctly and improve your experience. Cookies are small text files stored on your device when you visit a site.

6.1 Types of Cookies We Use

• Strictly Necessary: required for the site to work — login, cart, checkout, security. These cannot be disabled.
• Performance / Analytics: help us understand how visitors use the site (e.g. Google Analytics). Anonymized.
• Functional: remember your preferences (language, currency, recently viewed products).
• Marketing: used to deliver relevant ads on third-party sites (e.g. Meta Pixel). Set only with your consent.

6.2 Managing Cookies

You can manage cookies in three ways:

• Cookie Banner: on first visit (and on demand), you can accept or reject non-essential cookies. Your choice is remembered.
• Browser Settings: all major browsers allow you to block cookies entirely, accept only first-party cookies, or be notified before each cookie. Disabling cookies may affect site functionality.
• Opt-Out Tools:
  • Google Analytics: Google Analytics Opt-Out Browser Add-on
  • Meta Pixel: adjust your Meta ad preferences in your Facebook account settings
  • Industry tools: NAI Opt-Out · Digital Advertising Alliance

6.3 Do Not Track

Our site currently does not respond to "Do Not Track" browser signals because there is no industry-standard interpretation. Instead, we honor your explicit choices through the cookie consent banner.

Rowsfire operates internationally. Your personal information may be processed and stored in countries other than where you reside, including the United States (where Shopify, Google, and Meta servers are located) and [Hong Kong / China] (where some Rowsfire operations are based).

When we transfer personal data of EU/UK residents outside the European Economic Area (EEA) or the United Kingdom, we rely on:

• Adequacy Decisions issued by the European Commission for transfers to countries with recognized adequate protection
• Standard Contractual Clauses (SCCs) approved by the European Commission for transfers to other countries
• Supplementary technical measures such as encryption in transit and at rest, where appropriate

You may request a copy of the SCCs or other transfer mechanisms applicable to your data by emailing privacy@rowsfire.com.

We retain your personal information only as long as necessary for the purposes for which it was collected, plus required legal / accounting retention periods.

After the retention period expires, we securely delete or irreversibly anonymize your personal information. You can request earlier deletion at any time per Section 10 (Your Rights).

9.1 Technical Safeguards

• Encryption in transit: all data sent to/from our site uses TLS (HTTPS) 1.2 or higher
• Encryption at rest: sensitive data on Shopify and our processor servers is encrypted using industry-standard methods
• Payment security: payment processing follows PCI DSS standards via Shopify Payments and other certified processors. Full card numbers are never stored on Rowsfire's own servers.
• Access controls: staff access to personal data is role-based, on a need-to-know basis

9.2 Your Responsibilities

• Use a strong, unique password for your Rowsfire account (do not reuse passwords from other sites)
• Never share your login credentials
• Notify us at service@rowsfire.com immediately if you suspect unauthorized access
• Always log out from shared or public computers

9.3 Honest Limitation

While we implement industry-standard security measures, no internet transmission or electronic storage is 100% secure. We cannot guarantee absolute security but commit to promptly notifying affected users in case of a verified breach (see Section 13).

Depending on your location, you have the following rights regarding your personal information:

10.1 Universal Rights

• Right of access: request a copy of the personal data we hold about you
• Right to rectification: ask us to correct inaccurate or incomplete data
• Right to erasure ("right to be forgotten"): request deletion of your data, subject to legal retention requirements
• Right to restrict processing: ask us to limit how we use your data while a dispute is resolved
• Right to data portability: receive your data in a structured, machine-readable format
• Right to object: object to processing based on legitimate interests, including direct marketing
• Right to withdraw consent: for any processing based on consent

10.2 How to Exercise Your Rights

To exercise any of these rights, email service@rowsfire.com or privacy@rowsfire.com with:

• Your full name and the email address used for your account/orders
• Specific request (access / correct / delete / etc.)
• Sufficient detail to identify the data in question

We will respond within 30 days of receiving a verified request. We may need to verify your identity before processing the request to protect against unauthorized disclosure.

10.3 Right to Lodge a Complaint

If you are unhappy with how we handle your privacy request, you have the right to lodge a complaint with your local data protection authority. For EU residents, this is your national DPA; for UK residents, this is the Information Commissioner's Office (ICO).

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

11.1 Categories of Personal Information We Collect

In the past 12 months, we have collected the following CCPA categories from California consumers:

• Identifiers (name, email, IP address, account ID)
• Customer records (billing/shipping address, phone)
• Commercial information (products purchased, transaction history)
• Internet activity (browsing on our site, interactions with email)
• Geolocation (approximate from IP)

11.2 California Rights

• Right to Know: what personal information we collect, use, disclose, or sell
• Right to Delete: request deletion of personal information we have about you
• Right to Correct: ask us to correct inaccurate information
• Right to Limit Use of Sensitive Personal Information: we currently do not use sensitive personal information beyond what is required to provide services
• Right to Non-Discrimination: we will not discriminate against you for exercising any of these rights

11.3 "Do Not Sell or Share My Personal Information"

Rowsfire does not sell your personal information for monetary consideration. However, the use of certain third-party advertising cookies (such as Meta Pixel) may be considered "sharing" under CPRA. To opt out:

• Reject marketing cookies in our cookie banner
• Email privacy@rowsfire.com with subject "Do Not Sell or Share My Information"
• Use the Global Privacy Control (GPC) browser signal — we honor it as an opt-out request

11.4 Authorized Agents

You may designate an authorized agent to make a privacy request on your behalf. We will request verification of the agent's authority before responding.

Our website and products are not intended for children under 16 years of age (or the applicable age of digital consent in your country). We do not knowingly collect personal information from children under 16.

If you believe a child has provided us with personal information, please contact us at service@rowsfire.com, and we will take steps to delete the information promptly.

Parents and guardians: if you discover that your child has created an account or made a purchase without your authorization, contact us with proof of relationship and we will assist with cancellation, refund, or data deletion.

In the unlikely event of a data breach affecting your personal information, we commit to:

• Investigate the breach immediately and contain its impact
• Notify affected users by email within 72 hours of confirmation, where required by GDPR or other applicable law
• Notify relevant supervisory authorities within the legally required timeframe
• Provide clear information about: what happened, what data was affected, what we're doing to fix it, what you can do to protect yourself
• Offer reasonable remediation, which may include identity protection guidance

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. The "Effective" date at the top of this page indicates the latest version.

For material changes that significantly affect how we process your personal data, we will provide additional notice (such as a prominent banner on the site or an email to registered customers) at least 30 days before the changes take effect.

Continued use of our site after the effective date of revised Privacy Policy constitutes acceptance of the changes. If you disagree with material changes, you may discontinue use and request deletion of your data per Section 10.

For questions, concerns, or requests related to this Privacy Policy or your personal data:

• General Privacy Inquiries: service@rowsfire.com
• Data Protection Officer: privacy@rowsfire.com
• Mailing Address: [Rowsfire registered business address — pending confirmation]
• EU Representative: [If applicable — pending confirmation per GDPR Article 27]
• UK Representative: [If applicable — pending confirmation]

We aim to respond to all privacy inquiries within 30 days. For urgent matters (e.g., suspected account compromise), please use WhatsApp Live Support: +86 190 3218 0624.