Privacy Policy

1. Introduction

Tarivoxa Mushroom Farm ("Tarivoxa", "we", "us", or "our") is committed to protecting your personal data and respecting your privacy. This Privacy Policy describes our practices regarding the collection, use, storage, sharing, and protection of personal information obtained through our website at www.tarivoxa.ie and through any direct interactions you may have with our business, including orders, enquiries, farm tour bookings, and newsletter subscriptions.

Tarivoxa Mushroom Farm is the data controller responsible for your personal data. We are a registered business operating from Drumacon, Clones, Co. Monaghan, H23 YK62, Ireland. Our data processing activities are governed by the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Irish Data Protection Act 2018, and the ePrivacy Regulations (S.I. No. 336 of 2011).

By using our website or providing us with your personal data, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any aspect of this policy, please refrain from using our website or submitting personal information to us. We encourage you to read this document carefully and contact us if you have any questions.

2. What Data We Collect

We may collect and process the following categories of personal data, depending on how you interact with us:

2.1 Information You Provide Directly

• Contact information: your full name, email address, phone number, and postal address when you submit a contact form, place an order, or book a farm tour.
• Order details: products ordered, delivery preferences, payment method (we do not store full payment card details; these are processed securely by our payment provider).
• Communication content: the text of messages you send us via our contact form, email, or phone.
• Newsletter subscription data: your email address when you subscribe to our mailing list.
• Farm tour booking data: names, group size, preferred dates, and any dietary requirements or accessibility needs you share with us.

2.2 Information Collected Automatically

• Device and browser information: device type, operating system, browser type and version, screen resolution.
• IP address: your Internet Protocol address, which may indicate your approximate geographic location.
• Usage data: pages visited, time spent on pages, click patterns, referring URLs, and navigation paths through our website.
• Cookies and similar technologies: small data files placed on your device that help us understand site usage and improve your experience. See Section 10 for full details on cookies.
• Server logs: standard web server log data including request timestamps, HTTP status codes, and data transfer volumes.

3. How We Collect Data

We collect personal data through the following methods:

• Website forms: when you complete our contact form, newsletter sign-up form, or any order form on our website.
• Email and phone: when you correspond with us directly by email at [email protected] or by telephone at +353 47 51234.
• In-person interactions: when you visit our farm shop or attend a farm tour and provide your details verbally or in writing.
• Cookies and analytics tools: through Google Analytics, which collects anonymised usage statistics about website visitors. We have configured Google Analytics to anonymise IP addresses before storage.
• Server logs: our web hosting infrastructure automatically records standard access logs for security and performance monitoring.

We do not collect personal data through hidden or deceptive means. Every data collection point on our website is clearly identifiable, and you are never required to provide personal data to browse our informational pages.

4. Legal Basis for Processing (GDPR Article 6)

We process your personal data only when we have a lawful basis to do so under GDPR Article 6. The legal bases we rely upon include:

• Consent (Article 6(1)(a)): When you subscribe to our newsletter, you provide explicit consent for us to send you marketing emails. You may withdraw this consent at any time by clicking the unsubscribe link in any email or by contacting us directly. We also rely on consent for the placement of non-essential cookies on your device.
• Contract performance (Article 6(1)(b)): When you place an order or book a farm tour, we process your personal data as necessary to fulfil that contract, including processing your order, arranging delivery, and communicating with you about your booking.
• Legitimate interests (Article 6(1)(f)): We process certain data based on our legitimate business interests, provided these do not override your fundamental rights. This includes website analytics to improve our services, responding to general enquiries submitted through our contact form, preventing fraud, and maintaining the security of our website. We have carried out a legitimate interest assessment for each of these processing activities.
• Legal obligation (Article 6(1)(c)): We may process personal data when required by Irish or EU law, for example to comply with tax and accounting obligations or to respond to lawful requests from regulatory authorities.

5. How We Use Your Data

We use the personal data we collect for the following specific purposes:

• Service delivery: to process and fulfil your mushroom orders, arrange deliveries, confirm farm tour bookings, and provide customer support.
• Communication: to respond to enquiries you submit through our contact form or by email, and to send order confirmations and delivery updates.
• Marketing (with consent only): to send you our monthly newsletter containing seasonal updates, new variety announcements, recipes, and farm event invitations. We will only send marketing communications if you have explicitly opted in.
• Website improvement: to analyse aggregated, anonymised website usage data through Google Analytics, helping us understand which pages are most useful and how visitors navigate our site.
• Legal and regulatory compliance: to maintain financial records as required by Irish Revenue, to comply with food safety regulations, and to respond to any lawful requests from authorities.
• Security: to protect our website, our customers, and our business from fraud, abuse, and unauthorised access.

We will never use your personal data for automated decision-making or profiling that produces legal effects or similarly significant effects on you.

6. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our specific retention periods are as follows:

• Contact form submissions: retained for 2 years from the date of submission, then permanently deleted.
• Order records: retained for 6 years after the date of the transaction, in accordance with Irish tax and accounting requirements (Taxes Consolidation Act 1997).
• Newsletter subscriber data: retained for as long as you remain subscribed. Upon unsubscribing, your email address is removed from our active mailing list within 30 days. A hashed record may be kept on a suppression list to ensure we do not re-add you without your consent.
• Farm tour booking data: retained for 2 years after the tour date for operational and safety records.
• Website analytics data: Google Analytics data is retained for 14 months, after which it is automatically deleted by Google.
• Server logs: retained for 90 days for security monitoring, then automatically purged.
• Cookies: essential cookies expire at the end of your browser session. Analytics cookies expire after 13 months. See Section 10 for full details.

When data reaches the end of its retention period, it is securely deleted or anonymised so that it can no longer be linked to you.

7. Data Sharing

We do not sell, rent, or trade your personal data to any third party. We may share your data with the following categories of service providers, strictly for the purposes described in this policy:

• Hosting provider: our website is hosted on servers located within the European Economic Area (EEA). Our hosting provider processes data on our behalf under a data processing agreement.
• Email service provider: we use a GDPR-compliant email platform to manage our newsletter mailing list and send transactional emails such as order confirmations.
• Payment processor: when you make a purchase, your payment is processed by a PCI DSS-compliant payment gateway. We do not have access to your full card details at any point.
• Delivery partners: we share your name, delivery address, and phone number with our courier partner to fulfil product deliveries.
• Analytics provider: Google Analytics receives anonymised usage data from our website. Google processes this data under its own terms of service and privacy policy.
• Professional advisors: our accountants and legal advisors may access data as necessary for tax compliance or legal proceedings.
• Law enforcement or regulatory bodies: we may disclose data if required by law, court order, or a binding request from a competent authority.

All third-party service providers are bound by contractual obligations to process your data securely and only for the specified purposes. We conduct due diligence on our providers to ensure they meet appropriate data protection standards.

8. International Data Transfers

We primarily store and process your personal data within Ireland and the European Economic Area (EEA). However, some of our service providers, particularly Google (for analytics), may transfer data to servers located outside the EEA, including the United States.

Where data is transferred outside the EEA, we ensure that adequate safeguards are in place as required by GDPR Chapter V. These safeguards include:

• European Commission adequacy decisions: transfers to countries that the European Commission has determined provide an adequate level of data protection.
• Standard Contractual Clauses (SCCs): approved contractual frameworks that bind the data importer to GDPR-equivalent protections.
• EU-U.S. Data Privacy Framework: for transfers to certified US organisations under the EU-U.S. Data Privacy Framework, where applicable.

You may request a copy of the safeguards we have put in place for international transfers by contacting us using the details provided in Section 13.

9. Your Rights Under GDPR

Under the General Data Protection Regulation, you have the following rights in relation to your personal data. These rights are not absolute and may be subject to certain conditions and exceptions as provided by law:

• Right of access (Article 15): You have the right to request a copy of the personal data we hold about you, along with information about how it is processed. We will respond to your request within 30 days.
• Right to rectification (Article 16): You have the right to request that we correct any inaccurate personal data or complete any incomplete data we hold about you.
• Right to erasure (Article 17): You have the right to request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purpose it was collected, or when you withdraw consent.
• Right to restriction of processing (Article 18): You have the right to request that we restrict the processing of your data in certain circumstances, for example while we verify the accuracy of data you have contested.
• Right to data portability (Article 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format, and to transmit that data to another controller.
• Right to object (Article 21): You have the right to object to processing based on legitimate interests or for direct marketing purposes. Where you object to direct marketing, we will stop processing your data for that purpose immediately.
• Right to withdraw consent (Article 7(3)): Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
• Right to lodge a complaint: You have the right to lodge a complaint with the Data Protection Commission (DPC), the Irish supervisory authority for data protection. The DPC can be contacted at 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland, or via their website at www.dataprotection.ie.

To exercise any of these rights, please contact us at [email protected] or by post at the address listed in Section 13. We may need to verify your identity before processing your request. We will respond to all valid requests within 30 days, and will inform you if an extension is needed.

10. Cookies

Our website uses cookies, which are small text files placed on your device by your web browser. Cookies allow us to recognise your device, remember your preferences, and understand how you use our site. Below is a detailed breakdown of the cookies we use:

10.1 Essential Cookies

These cookies are strictly necessary for the website to function properly. They enable core features such as remembering your cookie consent preference and maintaining security. Essential cookies do not require your consent under ePrivacy regulations.

• tarivoxa_cookie_consent: Stores your cookie acceptance or rejection preference. Duration: 12 months. Type: Persistent.

10.2 Analytics Cookies

These cookies help us understand how visitors interact with our website by collecting and reporting information anonymously. We use Google Analytics with IP anonymisation enabled. Analytics cookies are only placed if you accept cookies via our consent banner.

• _ga: Distinguishes unique users. Duration: 13 months. Set by Google Analytics.
• _ga_[ID]: Maintains session state. Duration: 13 months. Set by Google Analytics.

10.3 Marketing Cookies

At present, we do not use marketing or advertising cookies on our website. If we introduce them in the future, this policy will be updated and you will be asked for explicit consent before any such cookies are placed.

10.4 Managing Cookies

When you first visit our website, a cookie consent banner will appear, giving you the option to accept or reject non-essential cookies. You can change your preference at any time by clearing your browser cookies and revisiting the site. You may also manage cookies through your browser settings. Please note that disabling essential cookies may impair the functionality of certain features on our website.

11. Children's Privacy

Our website and services are not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16 years of age. If we become aware that we have inadvertently collected personal data from a child under 16, we will take prompt steps to delete that data from our systems. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately at [email protected].

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or operational needs. When we make material changes, we will update the "Last Updated" date at the top of this page. For significant changes that affect how we process your data, we will make reasonable efforts to notify you, such as by posting a prominent notice on our website or, where appropriate, sending an email to newsletter subscribers.

We encourage you to review this policy periodically to stay informed about how we protect your personal data. Your continued use of our website after any changes are posted constitutes your acknowledgement of the updated policy.

13. Contact Details

If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about how we handle your personal data, please contact us using the following details:

If you are unsatisfied with our response, you have the right to lodge a complaint with the Data Protection Commission: