Legal
California Privacy Rights
California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)
Effective Date: May 1, 2026
Who This Page Is For
This page is for residents of California. The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives California residents specific rights regarding their personal information. This page explains those rights, what personal information we collect, how we use it, and how to submit a request.
If you are not a California resident, our Privacy Policy governs the collection and use of your personal information.
Do Not Sell or Share My Personal Information
We share personal information with third-party advertising platforms, including Meta (Facebook/Instagram) via the Meta Pixel, which may constitute “selling” or “sharing” under California law. You have the right to opt out.
Under the CCPA/CPRA, “sharing” includes disclosing personal information for cross-context behavioral advertising — meaning advertising that tracks your activity across different websites or apps to target you with ads. Our use of the Meta Pixel may meet this definition.
To opt out of the sale or sharing of your personal information for advertising purposes:
- Email us at attlux-questions@gmail.com with the subject line “CCPA Opt-Out — Do Not Sell or Share” and include the email address associated with your account (if any). We will process your request within 15 business days.
- Adjust your browser or device settings to send a Global Privacy Control (GPC) signal. We honor GPC signals as a valid opt-out under California law. GPC is a browser-level signal — learn more at globalprivacycontrol.org.
- Opt out of Meta's use of your data directly at facebook.com/adpreferences.
Once you opt out, we will not use your personal information for cross-context behavioral advertising unless you subsequently provide consent. Opting out does not affect our use of your information for order fulfillment, authentication, or transactional communications.
Personal Information We Collect
In the past 12 months, we have collected the following categories of personal information:
| Category | Examples Collected |
|---|---|
| Identifiers | Email address, name, IP address, session identifiers |
| Commercial Information | Items purchased, order history, Archive Credit balance, exchange requests |
| Internet / Network Activity | Pages visited, time on site, clicks, referring URLs, browser type, device information |
| Geolocation Data | Approximate location derived from IP address (city/region level only — not precise GPS) |
| Inferences | Inferences drawn from browsing and purchase behavior to understand preferences (via Google Analytics and PostHog) |
| Sensitive Personal Information | Payment card data (processed by Stripe; we do not store card numbers or CVVs) |
We do not collect Social Security numbers, government-issued ID numbers, biometric data, health information, or precise geolocation.
How We Collect Personal Information
We collect personal information:
- Directly from you — when you provide your email address for login, enter a shipping address at checkout, or contact us
- Automatically — through cookies, the Meta Pixel, Google Analytics, Google Tag Manager, and PostHog when you visit and interact with the Site
- From payment processors — Stripe provides a payment confirmation token; we do not receive raw card data
- From shipping carriers — Shippo provides tracking updates tied to your order
Purposes for Collecting Personal Information
We collect and use personal information for the following business purposes:
- Processing and fulfilling orders
- Authenticating your account via magic link or one-time passcode
- Sending transactional emails (order confirmations, shipping updates, login links)
- Managing exchanges and issuing Archive Credits
- Analyzing how visitors use the Site to improve the shopping experience
- Measuring the effectiveness of advertising campaigns
- Serving targeted advertisements on Meta platforms to users who have visited the Site (subject to your opt-out rights above)
- Complying with legal obligations
Third Parties We Share Personal Information With
In the past 12 months, we have shared personal information with the following categories of third parties:
| Third Party | What We Share / Why |
|---|---|
| Stripe | Email address and order amount for payment processing |
| Shippo | Name and shipping address for label generation and carrier handoff |
| Postmark | Email address and order details for transactional email delivery |
| Cloudinary | Product images (no personal information) |
| Supabase | All account and order data stored in our database |
| Google (Analytics + Tag Manager) | IP address, browsing behavior, and device data for analytics |
| PostHog | Session data, click events, and feature usage for product analytics |
| Meta (Facebook / Instagram) | Browsing behavior and purchase events via Meta Pixel for advertising measurement and retargeting |
We do not sell personal information to data brokers or unaffiliated third parties for their own marketing purposes.
Your California Privacy Rights
As a California resident, you have the following rights under the CCPA/CPRA:
| Your Right | What It Means | How to Exercise It |
|---|---|---|
| Right to Know | Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of that information, the purposes for collecting it, and the third parties we share it with. | Email attlux-questions@gmail.com |
| Right to Delete | Request deletion of personal information we hold about you. Certain exceptions apply — for example, we may retain information needed to complete a pending order, comply with a legal obligation, or detect fraud. | Email attlux-questions@gmail.com |
| Right to Correct | Request correction of inaccurate personal information we hold about you. | Email attlux-questions@gmail.com |
| Right to Opt Out | Opt out of the sale or sharing of your personal information for cross-context behavioral advertising. See the "Do Not Sell or Share" section above. | Email attlux-questions@gmail.com or use GPC signal |
| Right to Limit Use of Sensitive Information | Request that we limit our use of sensitive personal information (such as payment card data) to the purpose for which it was collected. We already limit such use — we do not use payment data beyond fulfilling your transaction. | Email attlux-questions@gmail.com |
| Right to Non-Discrimination | We will not deny you goods or services, charge different prices, or provide a different level of service because you exercised your CCPA/CPRA rights. | No action required |
How to Submit a Privacy Request
To exercise any of the rights above, email us at attlux-questions@gmail.com with:
- Subject line: "CCPA Privacy Request — [type of request]" (e.g., "CCPA Privacy Request — Right to Know")
- The email address associated with your Attic Luxury account, if any
- A description of the specific right you wish to exercise
We will acknowledge your request within 10 business days and respond within 45 calendar days. If we need additional time (up to 90 days total), we will notify you in writing with the reason for the extension.
Verification of Requests
To protect your privacy, we must verify your identity before processing a Right to Know or Right to Delete request. We will verify your identity by confirming the email address you provide matches an address associated with an account or order in our system.
If we cannot verify your identity, we may be unable to process your request. We will not ask for sensitive information such as your Social Security number or payment card number as part of the verification process.
You may designate an authorized agent to submit a request on your behalf. If you use an authorized agent, we will require written authorization signed by you, and we may contact you directly to verify the request.
California "Shine the Light" Law
California Civil Code Section 1798.83 (“Shine the Light”) permits California residents to request information about personal information disclosed to third parties for direct marketing purposes. We do not disclose personal information to third parties for their own direct marketing purposes. If you have questions, contact us at attlux-questions@gmail.com.
Minors Under 16
We do not sell or share the personal information of consumers we know to be under 16 years of age. The Site is not directed to individuals under 18.
Changes to This Page
We may update this California Privacy Rights page as our practices change or as required by law. The Effective Date at the top of this page reflects the date of the most recent update. We encourage you to review this page periodically.
Contact Us
For questions about this page or your California privacy rights:
Attic Luxury California Privacy Rights — Effective May 1, 2026