This Privacy Policy explains how Caroline Winters Beauty (“we,” “us,” “our”) collects, uses, and discloses personal information when you visit or buy from carolinewinters.com (the “Site”), and the choices you have.

Who we are and how to contact us

We are Caroline Winters Beauty, the business responsible for your personal information. For any privacy request or question, contact us at [email protected] or by mail at Caroline Winters Beauty, c/o Salesflex, 4250 Concorde Road, Suite 2, Memphis, TN 38118, USA.

Information we collect

• Identifiers — name, email, phone, billing and shipping address, order number, IP address, and device or account identifiers.

• Commercial information — products viewed and purchased, subscriptions, returns, and payment confirmation (we do not store full payment card numbers; payments are handled by our payment providers).

• Internet and device activity — pages viewed, links clicked, referring pages, and similar analytics collected through cookies and pixels.

• Approximate location — derived from your IP address.

• Sensitive information — if you use our Adverse Event Reporting form, the health-related details you choose to share about a reaction to a product.

• Inferences — preferences drawn from the above to improve your experience.

We collect this information when you provide it, automatically as you use the Site, and from service providers (such as our payment, shipping, analytics, and advertising partners).

How we use personal information

• To process, fulfill, and deliver your orders and subscriptions, and to handle returns and refunds.

• To provide customer support and respond to your messages and adverse-event reports.

• To send marketing you have requested and transactional messages about your orders.

• To operate, secure, analyze, and improve the Site, including fraud prevention.

• To advertise and measure advertising, including through cookies and pixels.

• To meet legal obligations, including cosmetics safety reporting and recordkeeping.

How we disclose personal information, and to whom

We do not sell your personal information for money, but our use of advertising and analytics cookies and pixels is treated as a "sale" and "sharing" under California law (see "Your privacy choices"). We disclose personal information to service providers and partners who perform functions for us, in these categories:

• Payment processing — Shopify Payments / Shop Pay and PayPal.

• Order fulfillment and shipping — our U.S. warehouse and carriers (e.g., UPS, FedEx, USPS).

• Subscription billing — our subscription provider (Recharge).

• Email/SMS marketing and analytics — our messaging provider (Klaviyo).

• Customer support and help center — our support provider (Gorgias).

• Security and bot prevention — Google reCAPTCHA.

• Advertising, measurement, and analytics partners — including Meta (Facebook/Instagram) and Google, which may receive information through cookies and pixels on the Site.

• Legal and safety — regulators (including the U.S. Food and Drug Administration for cosmetic adverse events) and others where required by law or to protect rights and safety.

We disclose the categories of information described above (such as identifiers, commercial information, and internet activity) to the recipient categories listed here. Some advertising-related disclosures are considered a "sale" or "sharing" of personal information for cross-context behavioral advertising under California law. See "Your privacy choices" below.

Cookies, tracking, and your choices

We and our partners use cookies and similar technologies for functionality, analytics, and advertising. You can manage cookies through our cookie banner and your browser settings. We honor recognized opt-out preference signals, including Global Privacy Control (GPC): when we detect a GPC signal from your browser, we treat it as a request to opt out of sale and sharing for that browser.

Your privacy choices (including California rights)

Depending on where you live, you may have the right to: know what personal information we hold; access or receive a copy; correct it; delete it; opt out of the sale or sharing of personal information for cross-context behavioral advertising; and limit the use of sensitive information. We will not discriminate against you for exercising these rights.

To opt out of sale or sharing, use the "Do Not Sell or Share My Personal Information" link in our footer. We also automatically honor Global Privacy Control (GPC): if your browser sends a GPC signal, you do not need to use the link, and posting the link does not replace our duty to honor the signal. For any other request, contact us at [email protected]. You may use an authorized agent (we may require written authorization) and we may need to verify your identity before acting.

Sensitive information

The health details you provide on the Adverse Event Reporting form are used to handle your report and to meet our safety obligations, including reporting serious adverse events to the FDA and keeping required records. We do not use this information to build advertising profiles.

Data retention

We keep personal information for as long as needed to provide the Site and our products, comply with our legal obligations (including cosmetics safety recordkeeping), resolve disputes, and enforce our agreements.

Security

We use reasonable administrative, technical, and physical safeguards designed to protect your information. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

Children

The Site is intended for adults. We do not knowingly collect personal information from children under 13, and we do not knowingly sell or share the personal information of consumers under 16. If we learn we have collected information from a child under 13, we will delete it.

Changes to this policy

We may update this policy from time to time. We will post the updated version here and revise the effective date above. Material changes take effect when posted.