Privacy Policy

How we collect, use, and protect your information

Draft โ€” Attorney Review Required. This document was prepared as a starting point and must be reviewed by a licensed attorney before publication. Placeholders marked in highlighted text require client-specific information.

Privacy Policy

Effective Date: [EFFECTIVE DATE]  |  Last Updated: [LAST UPDATED DATE]

Contents

  1. Information We Collect
  2. How We Use Your Information
  3. How We Share Your Information
  4. Cookies & Analytics
  5. Data Retention
  6. Security
  7. California Residents (CCPA/CPRA)
  8. EU & UK Residents (GDPR)
  9. Canadian Residents (PIPEDA & Quebec Law 25)
  10. Children's Privacy
  11. Changes to This Policy
  12. Contact Us

Ritual Custom Woodworks ("we," "us," or "our"), operated by [OWNER FULL NAME], a [STATE] limited liability company, operates the website located at ritual-customs.com (the "Site"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit or make a purchase through the Site.

By using the Site, you agree to the practices described in this policy. If you do not agree, please do not use the Site.

1. Information We Collect

Information You Provide Directly

  • Purchase information: When you purchase through PayPal, PayPal collects your name, billing address, email address, and payment details. We receive from PayPal: your name, email address, shipping address, and transaction details necessary to fulfill your order.
  • Waitlist entries: If you join a product waitlist, we collect your name, email address, phone number (optional), Instagram handle (optional), preferred contact method, and any message you include.
  • Communications: If you contact us via email or Instagram, we retain the content of those communications and your contact details.

Information Collected Automatically

  • Log data: Our web server automatically records your IP address, browser type and version, operating system, referring URLs, pages visited, and the date and time of your visit.
  • Analytics data: If you consent (where required), we use Google Analytics 4 (GA4) to collect information about how you interact with our Site, including pages viewed, time on page, and general geographic location (city/region level). GA4 uses cookies and may process your IP address. See Section 4 for details.
  • Session data: We use a session cookie to maintain your browsing session (e.g., theme preference). This cookie is strictly necessary and does not track you across other websites.

Information We Do Not Collect

We do not collect or store credit card numbers, bank account details, or full payment card data. All payment processing is handled exclusively by PayPal. We do not knowingly collect personal information from children under 13.

2. How We Use Your Information

We use the personal information we collect for the following purposes:

  • Order fulfillment: To process and ship your purchase, send order confirmation, and handle returns or disputes.
  • Waitlist management: To contact you when a waitlisted product becomes available or when a similar piece is created.
  • Customer service: To respond to your inquiries and resolve issues.
  • Site improvement: To understand how visitors use the Site and improve its content, navigation, and performance (via analytics, with consent where required).
  • Legal compliance: To comply with applicable laws, respond to legal process, and enforce our Terms of Service.
  • Marketing communications: With your consent (where required by law), to send you updates about new pieces, promotions, or announcements. You may opt out at any time.

3. How We Share Your Information

We do not sell, rent, or trade your personal information to third parties for their own marketing purposes. We share information only as follows:

  • PayPal: Payment processing. PayPal's privacy policy governs their use of your data: paypal.com/us/legalhub/privacy-full.
  • Shipping carriers: We share your name and shipping address with the carrier (e.g., USPS, UPS, FedEx) solely to deliver your order.
  • Google Analytics: If you consent, anonymized usage data is shared with Google under Google's data processing terms. See Section 4.
  • Legal requirements: We may disclose your information if required by law, court order, or government authority, or to protect the rights, safety, or property of Ritual Custom Woodworks, our customers, or the public.
  • Business transfer: If the business is sold or transferred, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Site before such a transfer occurs.

4. Cookies & Analytics

Strictly Necessary Cookies

We use one session cookie to remember your theme preference during your visit. This cookie expires when you close your browser and is required for the Site to function properly. No consent is required for this cookie.

Analytics Cookies (Google Analytics 4)

With your consent (required for EU/UK and Quebec visitors; opt-out available for California residents), we use Google Analytics 4, which sets analytics cookies to help us understand how visitors use the Site. GA4 may process your IP address and assigns an anonymized identifier to your browser.

GA4 cookies set by this Site:

  • _ga โ€” Distinguishes unique users. Expires: 2 years.
  • _ga_XXXXXXXXXX โ€” Persists session state. Expires: 2 years.

You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on or by adjusting your browser's cookie settings. For more information on how Google uses data, see Google's Privacy Policy.

5. Data Retention

  • Transaction records: Retained for 7 years to comply with US tax recordkeeping requirements (IRS) and applicable Canadian requirements (CRA: 6 years minimum).
  • Waitlist entries: Retained until the associated product sells and a reasonable follow-up period (90 days) has passed, or until you request deletion.
  • Email communications: Retained for 3 years or until you request deletion.
  • Analytics data: Controlled by Google. Default GA4 retention is 14 months. We do not retain raw analytics data on our servers.
  • Marketing consent records: Retained for 3 years after the consent relationship ends, as required by Canadian anti-spam law (CASL).

When data is no longer needed for its stated purpose and no legal retention obligation applies, we delete or anonymize it.

6. Security

We implement reasonable technical and organizational measures to protect your personal information, including HTTPS encryption, password hashing, rate-limited login attempts, and parameterized database queries. However, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security and encourage you to use strong, unique passwords and to contact us immediately if you suspect unauthorized access to your information.

7. California Residents โ€” CCPA/CPRA Rights

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) give you specific rights regarding your personal information:

  • Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the sources, the business purpose, and the categories of third parties with whom it is shared.
  • Right to Delete: You have the right to request that we delete personal information we have collected from you, subject to certain exceptions (e.g., completing a transaction, legal obligations).
  • Right to Correct: You have the right to request correction of inaccurate personal information.
  • Right to Opt Out of Sale/Sharing: We do not sell or share personal information for cross-context behavioral advertising in the traditional sense. GA4 data sharing with Google may qualify as "sharing" under CPRA. You may opt out of this by using the Google Analytics opt-out tool or contacting us.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.

To exercise these rights, contact us using the information in Section 12. We will respond within 45 days. We may need to verify your identity before processing your request.

8. EU & UK Residents โ€” GDPR Rights

If you are located in the European Union or United Kingdom, the General Data Protection Regulation (GDPR) and UK GDPR give you the following rights:

  • Right of Access (Art. 15): Request a copy of the personal data we hold about you.
  • Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to Erasure (Art. 17): Request deletion of your data where it is no longer necessary for the purpose it was collected, or where you withdraw consent.
  • Right to Restriction of Processing (Art. 18): Request that we restrict processing of your data in certain circumstances.
  • Right to Data Portability (Art. 20): Request your data in a structured, machine-readable format.
  • Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing purposes.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

Lawful basis for processing: We process your personal data under the following bases: (a) performance of a contract (order fulfillment); (b) legitimate interests (fraud prevention, Site security); (c) consent (analytics, marketing communications); and (d) legal obligation (tax recordkeeping).

International transfers: Your data may be transferred to and processed in the United States. We rely on standard contractual clauses and adequacy decisions where applicable. By using the Site, you acknowledge this transfer.

To exercise your GDPR rights, contact our privacy officer at [CONTACT EMAIL]">[CONTACT EMAIL]. You also have the right to lodge a complaint with your local supervisory authority (e.g., your national Data Protection Authority).

9. Canadian Residents โ€” PIPEDA & Quebec Law 25

If you are located in Canada, your personal information is collected, used, and disclosed in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and, for Quebec residents, the Act Respecting the Protection of Personal Information in the Private Sector (Law 25 / LPRPSP).

  • Consent: We collect your personal information with your knowledge and consent, or where permitted by law.
  • Right to Access: You may request access to your personal information and ask us to correct any inaccuracies.
  • Right to Withdrawal: You may withdraw consent to non-essential uses of your personal information at any time, subject to legal or contractual restrictions.
  • Privacy Officer: Our designated privacy officer can be reached at [CONTACT EMAIL]">[CONTACT EMAIL].
  • Breach Notification: In the event of a privacy breach that poses a real risk of significant harm, we will notify affected individuals and the relevant authority (Office of the Privacy Commissioner of Canada; Commission d'accรจs ร  l'information du Quรฉbec) as required by law.

Quebec residents have additional rights under Law 25, including the right to have automated decisions explained and the right to data portability for digital information you have provided to us.

10. Children's Privacy

The Site is not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected information from a child under 13, please contact us immediately and we will delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date at the top of this page and, where appropriate, notify you by email or by a prominent notice on the Site. Your continued use of the Site after changes are posted constitutes your acceptance of the updated policy.

12. Contact Us

Ritual Custom Woodworks

[OWNER FULL NAME]

[BUSINESS ADDRESS]

[CITY, STATE, ZIP]

Email: [CONTACT EMAIL]">[CONTACT EMAIL]

Instagram: @ritual_custom_woodworks