Privacy
Policy

This policy explains what data Chaos & Mischief collects, why, and how it is handled. We collect only what we need. We do not sell data. We do not share it without reason.

Who We Are

Chaos & Mischief is operated by Chris Hallett, Krakauer Strasse 27, 1020 Vienna, Austria. Tax number (STN): 123172850. GISA: 39410115. Contact: theboss@chaosandmischief.com

Chris Hallett is the data controller responsible for your personal data under the General Data Protection Regulation (GDPR).

What We Collect and Why

Email address — pre-launch interest list. When you register interest on our website, we collect your email address. We use this to send you information about our first drop and future releases. Legal basis: consent (GDPR Article 6(1)(a)). You may withdraw consent at any time by emailing us or clicking unsubscribe in any email we send.

Order data — when you purchase. When the store opens, we will collect name, delivery address, email address, and payment information to fulfil your order. Payment data is processed by our payment provider (Shopify Payments / Stripe) and is not stored by us directly. Legal basis: contract performance (GDPR Article 6(1)(b)).

Artifact registry data. When a shirt is sold, the following information is entered into our public artifact registry: shirt ID, design code, tier, and month/year of creation. No personal data — no name, no email, no order ID — is included in the public registry. Internally, we maintain a record linking each order to its registry entry for operational and audit purposes. This internal linkage is held securely and is covered by the order data retention period below. Legal basis: legitimate interest (GDPR Article 6(1)(f)) — maintaining the integrity of the artifact record system.

Website analytics. We may collect anonymised data about how visitors use this website (pages visited, time on site, referral source) to improve the experience. No personal data is associated with this. Legal basis: legitimate interest.

Who Sees Your Data

We use a small number of third-party services to operate the business:

• Brevo — our email platform, which stores your email address and sends communications on our behalf.
• Shopify — our store platform, which processes orders and stores order data.
• Printful — our fulfilment partner, who receives your name and delivery address to print and ship your order.
• Cloudflare — hosts this website and processes traffic data.

All third parties are required to handle your data in compliance with GDPR. We do not sell, rent, or share your data with anyone outside of operational necessity.

International Data Transfers

Some of our processors are based outside the European Union or European Economic Area — including Printful (United States) and Shopify (Canada). Where personal data is transferred internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the European Commission. You may request further information about these safeguards by contacting us.

How Long We Keep Your Data

• Email list — until you unsubscribe or request deletion.
• Order data — for as long as required by Austrian tax and accounting law (typically 7 years).
• Artifact registry entries — permanently, as this is the core record of the brand’s artifact history. Registry entries contain no personal data.

Your Rights

Under GDPR, you have the right to access the data we hold about you, correct it, request its deletion, object to processing, and request data portability. To exercise any of these rights, contact us at theboss@chaosandmischief.com. We will respond within 30 days.

Please note that artifact registry entries do not contain personal data and are permanent records of the brand’s artifact history. They form a core part of the product’s integrity system and are not subject to erasure requests.

You also have the right to lodge a complaint with the Austrian Data Protection Authority (Datenschutzbehörde): dsb.gv.at

Cookies

This website currently uses no tracking cookies. If this changes, this policy will be updated and consent will be requested before any tracking cookies are set.

Changes to This Policy

If we make material changes to how we handle your data, we will update the effective date above and notify email subscribers. Where changes affect consent-based processing, we will notify you and request fresh consent where required by law.

Contact