GDPR Privacy Notice
Last updated: May 2026
This notice is addressed to individuals in the European Union (EU), European Economic Area (EEA), and United Kingdom (UK) and supplements our Privacy Policy. It is provided in compliance with the EU General Data Protection Regulation (GDPR) and the UK GDPR.
1. Data Controller
The data controller responsible for your personal data is:
American Fire Safety Supply LLC
United States
Email: [email protected]
American Fire Safety Supply LLC (AMFSS) does not have a formal EU/UK representative appointed under Article 27 GDPR at this time. For all data protection queries, contact us directly at the email above.
2. What Personal Data We Process
When you purchase from or interact with our site, we may process the following categories of personal data:
- Identification data: name, company name;
- Contact data: email address, telephone number;
- Address data: billing and shipping addresses;
- Transaction data: order contents, amounts, payment method type (not full card numbers), order history;
- Technical data: IP address, browser type, cookies, pages visited;
- Communications: support requests and correspondence.
We do not intentionally collect special categories of data (health, political opinions, biometric data, etc.).
3. Lawful Basis for Processing
We rely on the following lawful bases under Article 6 GDPR:
- Article 6(1)(b) — Contract: processing necessary to fulfill your order, manage your account, handle returns, and provide customer support;
- Article 6(1)(c) — Legal obligation: retaining records for tax, accounting, and regulatory compliance;
- Article 6(1)(f) — Legitimate interests: fraud prevention, site security, analytics, and communicating with existing customers about relevant products — where our interests are not overridden by your rights;
- Article 6(1)(a) — Consent: for marketing emails and non-essential cookies, where required.
4. International Data Transfers
AMFSS is based in the United States, which is not considered a country with an adequate level of data protection under EU/UK standards. When we transfer your personal data to the US, we rely on one or more of the following safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our agreements with US-based processors (e.g., Shopify, Google) where applicable;
- The UK International Data Transfer Addendum where applicable to UK data;
- Your explicit consent where obtained at the time of collection.
You may request a copy of the transfer mechanism we rely upon by contacting [email protected].
5. Your Rights Under GDPR
As an EU or UK data subject, you have the following rights:
- Right of access (Art. 15): obtain a copy of the personal data we hold about you and information about how it is processed;
- Right to rectification (Art. 16): correct inaccurate or incomplete data;
- Right to erasure (Art. 17): request deletion of your data where we no longer have a lawful basis to retain it;
- Right to restriction of processing (Art. 18): ask us to limit how we use your data while a dispute is resolved;
- Right to data portability (Art. 20): receive your data in a machine-readable format or have it transferred to another controller, where technically feasible;
- Right to object (Art. 21): object to processing based on legitimate interests, including direct marketing;
- Right to withdraw consent (Art. 7(3)): where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. In complex cases we may extend this to 90 days and will notify you of the extension.
We will not charge a fee for reasonable requests. We may ask you to verify your identity before processing your request.
6. Automated Decision-Making and Profiling
We do not use fully automated decision-making (including profiling) that produces legal effects or similarly significant effects on you within the meaning of Article 22 GDPR.
7. Data Retention
We retain transaction and order records for a minimum of 7 years to comply with US tax and accounting regulations. Inactive customer account data may be deleted upon request after this retention period. Marketing consent records are retained for as long as you remain opted in, plus a reasonable period for compliance purposes.
8. Right to Lodge a Complaint
If you believe we have handled your data in violation of GDPR, you have the right to lodge a complaint with the supervisory authority in your country of residence or establishment. For example:
- EU: your national Data Protection Authority (DPA) — a list is available at edpb.europa.eu;
- UK: the Information Commissioner's Office (ICO) at ico.org.uk.
We would appreciate the opportunity to address your concerns directly before you escalate to a regulator. Please contact us first at [email protected].
9. Contact
Data protection queries:
[email protected]
American Fire Safety Supply LLC
United States