1. Introduction and Scope
This Privacy Policy describes how FORTISGROWTHGY INC ("we") collects, uses, stores, and protects the personal information of data subjects located in the European Union, with particular regard to the personal data protection measures for children under the age of 16. This policy adheres strictly to the General Data Protection Regulation (GDPR) and its May 2025 amendments, and applies to all personal data collected through our website (growfortis.com), our offline stores, and other business channels.
As the data controller, we are committed to protecting your personal data rights. While we are exempt from the Record-Keeping Agreement (RoPA) as a small and medium-sized enterprise (SME) under the 2025 GDPR amendments, we will still adhere to strict record-keeping requirements when processing high-risk data or special category data.
2. Types of Personal Data Collected
2.1 Basic Personal Data
The basic data we may collect includes, but is not limited to, name, contact information (email, phone number), address, payment information, order history, and browsing history. This data is primarily used for contract fulfillment purposes such as order processing, customer service, and product delivery. 2.2 Children's Personal Data
Due to the nature of our products, we may collect personal data (such as age and size preferences) from children under the age of 16. Pursuant to Article 8 of the GDPR, the processing of such data requires the explicit consent of a parent or legal guardian. We recognize that the age of consent varies across EU Member States (e.g., 16 in Germany and 13 in the UK), and we will process this data in accordance with the specific requirements of the Member State where the data subject resides.
3. Legal Basis and Purpose of Data Processing
Our legal bases for processing personal data include:
Performing contractual obligations with you (e.g., processing orders);
Obtaining the explicit consent of the data subject (particularly for children's data);
Complying with legal obligations;
Protecting the vital interests of the data subject
The primary purposes of data processing are:
Fulfilling product sales and delivery
Providing customer service and after-sales support
Improving product design and user experience
Ensuring the secure operation of our website and services
With respect to children's data, we strictly adhere to the "minimum necessary" principle, collecting only information directly related to product customization and size recommendations, and not using it for marketing purposes. 4. Data Subject Rights
Under the GDPR, you have the following rights:
Right of Access: Request access to the personal data we collect about you
Right of Correction: Request correction of inaccurate personal data
Right of Erasure: Request erasure of personal data under certain conditions (e.g., when the data is no longer necessary). Child data subjects may request erasure of personal information from their minor years even after they reach adulthood
Right to Restriction of Processing: Request restriction of processing under certain circumstances
Right to Data Portability: Request receipt of your personal data in a structured format
Right to Object: Object to data processing based on our legitimate interests
To exercise these rights, please contact us at [email protected]. For children's data, a parent or guardian may exercise all rights on their behalf and may request verification of the lawfulness of our processing of their data.
5. Data Retention and Security
We determine the retention period based on the purpose of the data and legal requirements. Generally, order data will be retained for seven years after the completion of the contract. Children's data will be deleted immediately upon termination of service, unless a longer retention period is required by law. We implement multi-layered security measures to protect personal data:
Use encryption technology to store sensitive data
Implement access control and adhere to the principle of least privilege
Perform regular security audits and employee training
6. Data Breach Notification
In the event of a personal data breach, we will notify the relevant regulatory authority within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to the rights of data subjects. This notification will include the nature of the breach, the categories of data affected, the potential consequences, and the remedial measures taken. If notification exceeds 72 hours, we will provide a reason for the delay and may provide additional information in stages.
7. Cookies and Tracking Technologies
In accordance with the EU e-Privacy Directive, our website uses cookies and similar technologies:
Necessary cookies: These are used for basic website functionality (such as shopping carts) and do not require consent.
Non-essential cookies: These are used for analyzing user behavior and are enabled with your active consent.
You can manage or disable cookies through your browser settings, but this may affect the functionality of the website. 8. Third-Party Data Sharing
We share data with the following third parties only when necessary:
Logistics service providers (for order fulfillment)
Payment processors (for transaction completion)
Compliance auditors (to ensure lawful data processing)
All third parties are required to sign data processing agreements to ensure the level of protection required by the GDPR. We do not sell any personal data to third parties, and specifically prohibit the use of children's data for commercial marketing purposes.
9. Cross-Border Data Transfers
If your personal data is transferred to countries outside the European Economic Area (EEA), we will ensure compliance through the following methods:
Transfer to countries recognized by the EU as providing an adequate level of protection
Using standard contractual clauses approved by the European Commission
Ensuring that the recipient implements appropriate data protection measures
10. Policy Updates
We will update this policy based on regulatory changes and business needs. Significant changes will be notified via website announcements and emails (if you have provided contact information). We will maintain historical versions of the updated policy on our website for easy reference.
11. Contact Information
If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact:
Email: [email protected]
Website: growfortis.com
If you have any objection to our processing of your data, you have the right to lodge a complaint with the relevant EU data protection supervisory authority.