When you place an order, we collect what's required to fulfill it: your name, shipping address, email, phone number, and payment details.

Payment information is handled directly by our payment processor — we never see, store, or have access to your full card number.

When you browse the site, we collect what your browser sends us automatically: IP address, device type, pages visited, and similar non-identifying signals used to keep the site working and improve it over time.

The list is short. We use your information to:

• Process and ship your order
• Send shipping updates and the occasional letter (only if you've subscribed)
• Answer your questions when you write to support
• Detect fraud and prevent abuse of the site
• Improve the site through aggregated, anonymized analytics

We share what's necessary with a small number of trusted service providers who help us run the business:

• Shopify — storefront and checkout
• Stripe — payment processing
• Shipping carriers — to deliver your order
• Klaviyo — to send the letter you subscribed to
• One Tree Planted — to plant your tree

Each is contractually obligated to protect your data and to use it only for the specific service we hired them for. We disclose information to authorities only when legally required to — a court order, valid subpoena, or similar.

We use a deliberately small set of cookies:

• Essential cookies that keep your cart working and remember your preferences
• Privacy-respecting analytics through Plausible, which doesn't track you across the web or build advertising profiles

You can decline non-essential cookies through the banner on your first visit, and change your mind anytime in your browser settings.

Diatmous is intended for adults. We do not knowingly collect personal information from anyone under the age of 16.

If you believe a minor has provided us with personal data, please write to us and we'll delete it within 48 hours, no questions asked.

Your data is encrypted in transit using TLS and at rest by our infrastructure providers. Payments are handled by PCI-DSS compliant processors.

Access to customer records is limited to the small handful of people who genuinely need it to do their work, and every access is logged and audited.

No system is perfect — but we treat your data as if it were our own, because in many cases, it is.

You can ask us at any time to:

• Show you what data we hold about you
• Correct anything that's wrong
• Delete your account and associated data
• Unsubscribe from marketing emails (every email has a one-click link at the bottom)
• Opt out of non-essential cookies and analytics

Just write to privacy@diatmous.com from the email address on your account and we'll act within 30 days — usually within three.

Diatmous operates from Karachi, Pakistan, and our service providers are based in various jurisdictions around the world. By using our site, you understand your data may be transferred to and processed in countries that may have different privacy laws than your own.

We take steps to ensure the same standard of protection wherever your data travels — including standard contractual clauses where required.

If we materially change this policy, we'll email anyone with an account and post a clear notice on the site at least 30 days before the new policy takes effect.

The effective date at the top of this page always reflects the version currently in force.

Questions about your data, this policy, or anything else? We answer all privacy emails personally.