California Privacy Notice
This California Privacy Notice ("California Notice”) supplements the Privacy Notice and applies to you only if you are a resident of the State of California and in accordance with the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”).
I. NOTICE OF COLLECTION AND USE OF PERSONAL DATA
We collect certain information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with you ("Personal Data”), as further described below. In addition, we may collect data that is not identifiable to you or otherwise associated with you, such as aggregated data, and is not Personal Data. To the extent this data is stored or associated with Personal Data, it will be treated as Personal Data; otherwise, the data is not subject to this notice.
Categories of Personal Data
In the last twelve (12) months, we have collected the following categories of Personal Data:
- Identifiers, such as a real name, alias, billing and shipping address, unique personal identifier, online identifier, internet protocol address, or email address.
- Personal Data categories listed in the California Customer Records statute (Cal. Civ. Code 1798.80(e)), such as name, contact information, and last four digits of your credit or debit card.
- Protected classifications under California or federal law, such as gender.
- Commercial information, such as products or services purchased, transaction information and transaction history.
- Internet or other electronic network activity information, including, browsing history, search history, and information regarding a consumer’s interaction with our website.
- Geolocation data, such as device location.
- Audio, electronic, visual, or similar information, such as CCTV and video recordings for security purposes in our stores.
- Inferences drawn from any of the information above to create a profile about an individual reflecting an individual’s preferences and characteristics.
We will not collect additional categories of Personal Data other than those categories listed above. If we intend to collect additional categories of Personal Data, we will provide you with a new notice at or before the time of collection.
Retention of Personal Data
We retain Personal Data for no longer than necessary to provide the Services and to carry out the processing activities described in our Privacy Notices. This includes, but is not limited to, compliance with applicable laws, regulations, rules, and requests of relevant law enforcement and/or other governmental agencies, and to the extent we reasonably deem necessary to protect our and our partners’ rights, property, or safety, and the rights, property, and safety of users and other third persons.
Your Personal Data will not be kept in a form that allows you to be identified for any longer than we reasonably consider necessary to accomplish the purposes for which it was collected or processed, or as permitted or required by applicable laws related to data retention. Thereafter, as a general matter, your Personal Data will be archived and stored to be used and otherwise processed in the event of legal or regulatory requirements, statutes of limitations, disputes, or actions, and will be stored and if applicable, used and otherwise processed until reasonably after the end of any such requirement, limitation, dispute, or action. Following the end of the relevant retention period, we will delete or anonymize your Personal Data, or archived as permitted by applicable law.
How We Safeguard Your Personal Data
We use reasonable and appropriate physical, technical, and organizational safeguards designed to promote the security of our systems and protect the confidentiality, integrity, availability, and resilience of Personal Data. Those safeguards include: (i) the pseudonymization and encryption of Personal Data where we deem appropriate; (ii) taking steps to ensure Personal Data is backed up and remains available in the event of a security incident; and (iii) periodic testing, assessment, and evaluation of the effectiveness of our safeguards.
However, no method of safeguarding information is completely secure. While we use measures designed to protect Personal Data, we cannot guarantee that our safeguards will be effective or sufficient. In addition, you should be aware that Internet data transmission is not always secure, and we cannot warrant that information you transmit utilizing the Services is or will be secure.
Use of Personal Data
We collect and process your Personal Data for the following business and commercial purposes:
- Providing, predicting, or performing, including maintaining or servicing accounts, providing customer service, processing, or fulfilling orders and transactions, verifying customer information, and processing payments.
- Marketing our products and services to you, including sending you messages about the products and services we offer, which may include special offers for products and services.
- Communicating with you by email, text message (SMS, MMS), telephone, and other methods of communication, about products, services, order status, and information tailored to your requests or inquiries.
- Auditing related to a current interaction with the consumer and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.
- Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.
- Debugging to identify and repair errors that impair existing intended functionality.
- Short-term, transient use, including, but not limited to, the contextual customization of ads shown as part of the same interaction.
- Undertaking internal research for technological development and demonstration.
- Undertaking activities to verify or maintain the quality or safety of the services or devices owned, manufactured, manufactured for, or controlled by us, and to improve, upgrade, or enhance the services or devices owned, manufactured, manufactured for, or controlled by us.
- Complying with applicable laws, regulations, rules, and requests of relevant law enforcement and/or other governmental agencies, or for other purposes, as permitted or required by law.
- As necessary or appropriate to protect the rights, property, and safety of our users, us, and other third parties.
We will not use the Personal Data we collected for materially different, unrelated, or incompatible purposes without providing you with notice.
Sources of Personal Data
We may collect Personal Data:
- Directly from you. When you provide it to us directly whether online, by email, phone, or in-person, for example, when you sign-up to receive emails from us or contact us.
- Automatically or indirectly from you. For example, through analytics tools, cookies, pixel tags (such as GA4, Retentionx, Retently, Klaviyo, Black Crow, 42, and Shopify, or through your interactions with us on social media websites (such as Google, Facebook, and TikTok).
- Operating Systems and Platforms. For example, we automatically collect information relating to the device used to access our Services, such as IP address, device identifiers, and browser information.
- From Third Parties such as Advertising Networks. For example, ad networks (Bing/Microsoft, Criteo, and RTB House) to serve advertisements across the Internet. These advertisers use cookies, pixel tags, and other tracking technologies to collect information about your online activity and provide online behavioral advertising.
- From Third Parties such as Social Networks. For example, from social media networks (such as Facebook, Instagram, YouTube, LinkedIn and X), including if you contact us for customer service support through our social media pages.
- From Third Parties such as Data Analytics Providers. For example, through technology and analytics providers (such as GA4, Retentionx, Retently, Klaviyo, Black Crow, 42, and Shopify). These providers use cookies, pixel tags, and other tracking technologies to collect information about your online activity to allow us to personalize your online experience, including sending you messages about the products and services we offer.
- From our Service Providers For example commercial email providers, security consultants, payment processors and other Service Providers we engage, such as, Shopify, Shop Pay, Amazon Pay, PayPal, Google Pay, Apple Pay, Global-E, Klarna, Loop, UPS, Goods Delivery, Bergen Logistics and ShipStation.
II. Disclosing OF PERSONAL DATA
Within the last twelve (12) months, we have shared the following categories of Personal Data for a business purpose with the following categories of third parties:
- Category 1 (Identifiers): Service Providers and Third Parties.
- Category 2 (California Customer Records): Service Providers.
- Category 3 (Protected Classifications): Service Providers.
- Category 4 (Commercial Information): Service Providers and Third Parties.
- Category 5 (Internet or Network Activity): Service Providers and Third Parties.
- Category 6 (Geolocation Data): Service Providers and Third Parties.
- Category 7 (Audio, Visual or Similar Information): Service Providers.
- Category 8 (Inferences): Service Providers and Third Parties.
We also share Personal Data with third parties (i) when we obtain your prior approval or consent; (ii) when required by laws or regulations; (iii) when it is necessary to protect the rights or property of the Company, you or other third parties, and it is difficult to obtain your consent; (iv) when it is necessary for advanced public health or children's healthy development, and it is difficult to obtain your consent; (v) when it is necessary to cooperate with statutory work required by laws and regulations performed by any national or local government office, or their subcontractors, and it is difficult to obtain your consent; or (vi) due to a merger, restructuring or other similar strategic transactions.
Finally, we may also share Personal Data with government agencies or regulators when permitted or required to do so by law; in response to a request from a law enforcement agency or authority or any regulatory authority; and/or to protect the integrity of the Services or our interests, rights, property, health, or safety, and/or that of our users, visitors, and others.
Do Not Track
We may use analytics systems and providers and participate in advertising networks that process Personal Data about your online activities over time and across third-party websites or online services, and these systems and providers may provide some of this information to us. To prevent Google Analytics from using your information for analytics generally, you may install the Google Analytics Opt-out Browser Add-on by clicking here. However, we do not currently recognize or respond to any web browser’s "do not track” signal or similar mechanisms.
III. Sale or Sharing of Personal Data under the CCPA
We do not “sell” Personal Data. However, we may “share” your Personal Data to Third Parties in order to provide you with personalized content, sales and marketing communications from us and our Partners (e.g., our clients that purchase our member contact information through lead generation, content syndication, branding, and other similar products and services) that are relevant to your purchasing tendencies as demonstrated by your interaction with our Services.
We do not knowingly sell or share information of consumers who are under 16.
IV. YOUR CCPA RIGHTS
The CCPA provides California residents with the below rights. For more information about how to exercise your CCPA rights, see the section “Submitting a Verified Consumer Request” below.
- Right to Access: You have the right to request, twice in a 12-month period, that we disclose to you the Personal Data we have collected, used, disclosed, and sold about you during the past 12 months.
- Right to Correct: You have the right to request that we correct the Personal Data we maintain about you if that information is inaccurate.
- Right to Delete: You have the right to request that we delete certain Personal Data we have collected from you.
- Right to Opt-Out of Sale or Sharing: You have the right to opt-out of the sale of your Personal Data or the sharing of your Personal Data for cross-context behavioral advertising purposes.
- Right to Opt-In to or Out-Of Financial Incentives: You have the right to opt-in to financial incentives. You also have the right to opt-out at any time. Please see the “Notice of Loyalty/Financial Incentive” section below for more information about the financial incentive(s) and/or price or service difference(s) that we may offer.
- Right to Non-Discrimination: You have the right not to receive discriminatory treatment by us for the exercise of your CCPA privacy rights.
Some of our products and services, however, may require your Personal Data. If you choose not to provide your Personal Data that is necessary to provide any aspect of our products or services, you may not be able to use those products or services.
Some of our Services, however, may require your Personal Data. If you choose not to provide your Personal Data that is necessary to provide any aspect of our products or services, you may not be able to use those products or services. In addition, as described in the section captioned “Your Choices” in the Privacy Notice, it is possible to change your browser settings to block the automatic collection of certain information.
V. NOTICE OF FINANCIAL INCENTIVE
From time to time, we may offer a financial incentive and/or price or service difference to our customers related to the collection of Personal Data. This Notice of Financial Incentive(s) explains the financial incentives or price or service differences that we may offer, so that you can make an informed decision on whether you would like to participate.
We offer various financial incentives to customers in certain situations. For example, we may provide discounts, coupons and other benefits (such as free shipping, expedited returns processing and/or VIP customer service) for customers who spend a certain dollar amount. In addition, we may offer financial incentives to customers who sign up to receive our marketing SMS messages or emails. When you participate in a financial incentive, we collect Personal Data from you, such as identifiers (like your name and email address) and commercial information (like your purchase history). You can choose to opt-in to a financial incentive by following the sign-up or participation instructions provided, and you have the ability to opt-out of the financial incentive, or our subsequent use of your Personal Data in connection with a financial incentive, at any time by contacting us at privacy@nililotan.com. The value of your Personal Data is reasonably related to the value of the offer or discount presented to you.
VI. SUBMITTING A VERIFIED CONSUMER REQUEST
To exercise your rights, you must provide us with sufficient information to allow us to verify your identity and describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it. Once we receive the information you provide to us, we will review it and determine if more information is necessary to verify your identity as required by law, and we may request additional information in order to do so.
If you would like further information regarding your legal rights under California law or would like to exercise any of them, please contact us by:
- Calling us at: 1.888.415.1045
- Emailing us at: privacy@nililotan.com
Consumer Request by an Authorized Agent
If any authorized agent submits a consumer request on your behalf, in order to confirm that person or entity’s authority to act on your behalf and verify the authorized agent’s identity, please contact us through the above described methods.
- To verify your authorization to request on behalf of a California resident, provide one or more of the following: (1) California Secretary of State authorization, (2) written permission from the California resident, or (3) power of attorney.
- Sufficient information to verify the authorized agent’s identity, depending on the nature of the request.
-
To verify the identity of the California resident for whom the request is being made, provide two or more (three or more when requesting a copy of the resident’s Personal Information) of the following:
- Valid Government Issued ID (not expired); or
- Email Address
We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you. We will only use Personal Information provided in a verifiable consumer request to verify the request’s identity or authority to make the request.
We will acknowledge receipt of the request within ten (10) days of its receipt. We will respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. Any disclosures we provide will only cover the 12-month period preceding the receipt of the verifiable consumer request. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For Data Portability requests, we will provide the responsive information in a portable and, to the extent technically feasible, in a readily useable format that allows you to transmit the information to another entity without hindrance.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
VII. MODIFICATIONS AND UPDATES TO THIS CALIFORNIA NOTICE
This California Notice replaces all previous disclosures we may have provided to you about our information practices with respect to the Services. We reserve the right, at any time, to modify, alter, and/or update this California Notice, and any such modifications, alterations, or updates will be effective upon our posting of the revised California Notice. We will use reasonable efforts to notify you in the event material changes are made to our processing activities and/or this California Notice, such as by posting a notice on the Services or sending you an email. Your continued use of the Services following our posting of any revised California Notice will constitute your acknowledgement of the amended California Notice.
If you have any questions or concerns about this California Notice and/or how we process Personal Data, please contact us.
For more information about how users with disabilities can access this Privacy Notice in an alternative format, please refer here.
Last Updated April 25, 2024