Privacy Policy

1. Introduction & Scope

Welcome to SwaddleShawls ("we," "our," "us"). We respect your privacy and are committed to protecting your personal data. This privacy policy will inform you as to how we look after your personal data when you visit our website (regardless of where you visit it from) and tell you about your privacy rights and how the law protects you.

This policy is designed to comply with stringent global data protection regulations, including the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and the General Data Protection Regulation (GDPR) for our European customers.

2. The Data We Collect About You

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

• Identity Data: includes first name, last name, username or similar identifier, title, and date of birth.
• Contact Data: includes billing address, delivery address, email address, and telephone numbers.
• Financial Data: includes payment card details (processed securely via our PCI-DSS compliant third-party payment gateways, Stripe and BasaltSurge. We do not store full credit card numbers).
• Transaction Data: includes details about payments to and from you and other details of products you have purchased from us.
• Technical Data: includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform.
• Usage Data: includes information about how you use our website and products, tracked via first and third-party analytics cookies.

3. How We Use Your Personal Data

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

• Where we need to perform the contract we are about to enter into or have entered into with you (e.g., processing and delivering your order).
• Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
• Where we need to comply with a legal obligation (e.g., tax and accounting records).

4. Disclosures of Your Personal Data (Third-Party Processing)

We do not sell your personal data. We may share your personal data with trusted third parties set out below for the purposes set out in Section 3:

• Payment Processors: Stripe Inc. and BasaltSurge for secure financial transaction processing.
• Logistics Partners: Couriers and fulfillment centers necessary to deliver your physical goods.
• Analytics & Marketing Providers: Google Analytics, Meta Platforms (Facebook Pixel), Microsoft Clarity, and Pinterest to analyze website traffic, optimize your user experience, and deliver relevant advertisements.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

5. Data Security & Retention

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorized way, altered, or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors, and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We will only retain your personal data for as long as reasonably necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting, or reporting requirements. By law, we have to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for six years after they cease being customers for tax purposes.

6. Your Legal Rights

Under certain circumstances, you have rights under data protection laws in relation to your personal data, including the right to:

• Request access: to your personal data (commonly known as a "data subject access request").
• Request correction: of the personal data that we hold about you.
• Request erasure: of your personal data ("Right to be Forgotten"). You may ask us to delete or remove personal data where there is no good reason for us continuing to process it.
• Object to processing: of your personal data where we are relying on a legitimate interest.

If you wish to exercise any of the rights set out above, please Contact Us. You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive.

7. CCPA & CPRA Notice for California Residents

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with specific rights regarding your personal information. You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months. We do not sell your personal information.