Privacy policy

Private Pact

What data I touch, why, and how cookies work — in plain language.

Last Updated 02 June 2026

It's just me — Ron — back here. One person, one set of keys, one laptop. There's no "team," no data department, and nobody else with access to anything you send me.

I don't sell your information. I don't trade it. I don't hand it to anyone for their own use, and I don't feed it into cross-site advertising profiles.

I'm not in the data business; I'm in the ceramics-and-questionable-decisions business. The only data I touch is the small amount I actually need, and I use it for exactly three things:

  1. Getting your order to you — your name, address, email, what you bought, and (for custom work) anything you send me to make the thing.
  2. Keeping the site working and worth visiting — anonymized, non-identifying numbers about how pages perform and which designs are popular, collected through cookies and Google Analytics. This tells me a coaster is selling; it doesn't tell me who you are.
  3. Emailing the people who asked for it — order messages, plus product news and discounts for anyone who opted in. Opt out anytime (see Marketing & Your Inbox).

I don't collect SPII (sensitive personal information) like Social Security numbers, government IDs, or financial-account numbers — and I keep ordinary personal information to the minimum an order needs. Things I genuinely cannot see or store: your full card number, bank details, and payment credentials. Those run straight through the payment processor and never reach me.

The one genuinely sensitive thing I ever handle is photos you send for custom orders, which can be personal by nature. I treat those with extra care — see Custom-Order Photos for exactly how.

Now the honest part: your data passes through more systems than just mine. This store runs on Shopify, uses a few Shopify apps, sends email through Proton Mail and Judge.me, and measures traffic with Google. Each has its own settings, and frankly some of them are confusing, overlap, or quietly override each other. A few are enterprise-grade features built for giant retailers, switched on by default, and not something a one-person shop can fully turn off. I push back on every unnecessary setting I can find and turn off what I'm able to — but with that many moving parts, some collection may be inadvertent, unintended, or invisible to me. I periodically review my settings, apps, and integrations and fix what I catch.

If you ever think something here is off — a setting that contradicts this policy, data being collected that shouldn't be — I want to hear about it. I'm openly asking you to tell me so I can fix it fast: hello@wickedwicksandmore.com.

And about data integrity: unlike a faceless corporation that sits on a breach for six months, if I ever lose control of your data, I'll tell you as soon as I possibly can — including any delay a law-enforcement investigation legally forces on me — and I'll share whatever I'm allowed to. If I can't pin down exactly who was affected, I'll notify everyone who might have been. I can't control the other companies in the chain, but if any of them tell me your data was involved, I'll pass that on to you as fast as I get it.

What this covers

This Private Pact explains what personal information I collect through wickedwicksandmore.com, my Shopify store, and the channels connected to it — and what I do and don't do with it. It also covers cookies and tracking; there's no separate cookie policy, it's all right here.

What it doesn't cover: the independent privacy practices of the companies I rely on. I can tell you what I send them and link you to their policies, but I don't write or control how Shopify, Google, Judge.me, Proton, Meta/Instagram, or the payment processors handle data inside their own systems. Where their practices apply, their policies govern — I link them throughout, and I rank them head-to-head on security in DICKS, my security report card.

Custom-order photos, personalization & how I guard your data

Custom-order photos

If you order custom work, you may send me a photo. Here's the whole lifecycle:

  • How to send it: encrypted email to orders@wickedwicksandmore.com (routed through Proton Mail, end-to-end encrypted), or encrypted messaging like Signal or iMessage.
  • What I use it for: making the product you ordered. Nothing else.
  • How I store it: I save it to a single, password-protected, encrypted location and work from there.
  • How long I keep it: I delete my working copies within 3 business days after your delivery is confirmed. If delivery is disputed, that clock starts when the dispute is resolved. Honest caveat: if a photo passed through Shopify's order system or my email provider, a copy can persist there for as long as those services retain order and message data — which I don't control and can't force-delete on their servers. What's in my hands, I delete fast.
  • Marketing / portfolio: I will never use your photo for marketing, promotion, or a portfolio without your explicit say-so.
  • The content rules — who can appear, age and consent, what's prohibited, and what happens if a submission breaks them — live in Malevolent Mandates (Terms of Service). Read those before you send anything.
  • One hard line: if something sent to me appears to involve a minor, I will not quietly delete it. Federal law requires me to preserve it and report it to the National Center for Missing & Exploited Children, and I will. No exceptions, no looking away.

Personalization details

For custom and personalized pieces you might give me a name, a date, an inside joke, a birthday or an anniversary. I use it to make your thing and to talk to you about your order — that's it. I don't build profiles, and I don't feed it to advertising.

How I actually guard your data

I'm not going to hand you a blueprint of my setup, but here's enough to show this isn't a shoebox of sticky notes. The shop is run with deliberate, layered protection — choices I made, not whatever shipped switched-on out of the box:

  • My network runs WPA3-encrypted Wi-Fi and is segmented, so the store side is walled off from everything else on it.
  • My router does active, built-in threat filtering at the edge, blocking known-bad traffic before it reaches a device.
  • My work happens on Mac hardware with full-disk encryption and its built-in security protections switched on and locked down.
  • My traffic is almost always routed through a VPN — almost, because if a VPN ever drops I'd rather it fail safe than have something break silently.
  • I use multi-factor authentication and least-privilege access everywhere they're offered. The fewer open doors, the better.

No setup is bulletproof, and I won't pretend otherwise. But this is meaningfully more than the average online shop bothers with. For how the bigger systems holding your data measure up, see DICKS.

What I collect

Depending on how you interact with the store, I may collect:

  • Contact details — name, shipping and billing address, email, phone number.
  • Order & transaction info — what you view, add to cart, buy, return, or exchange, and your order history.
  • Account info — if you create an account, your login email and saved preferences.
  • Communications — whatever you include when you message me.
  • Custom-order materials — photos and personalization details (see above).
  • Device & usage data — IP address, browser and device type, and how you move through the site, collected through cookies and analytics.
  • Payment info — handled by the payment processor. I receive a confirmation and limited details (like the last digits or card type); I never receive or store your full card number.

Where it comes from

  • Directly from you — when you order, create an account, send a photo, or message me.
  • Automatically — from your device and the site, through cookies and analytics (only the non-essential ones after you consent).
  • From my service providers — Shopify and the payment processors, when they handle a transaction on my behalf.
  • From platforms you arrive through — like Instagram or Google, subject to their own policies.

Why I use it — and my legal basis for it

For shoppers in the EEA and UK, here's the lawful basis for each use (and it's just good plain sense for everyone else):

  • Fulfilling your order and managing your account — to perform my contract with you.
  • Site security, fraud prevention, and improving the store — my legitimate interests in running a safe, working shop.
  • Marketing emails and non-essential cookies — your consent, which you can withdraw anytime.
  • Tax, accounting, and legal compliance — my legal obligations.

Who else touches your data

A short list of companies process limited data on my behalf or to complete something you asked for. None of them buy it from me, and I don't sell or share it for their own independent use or for cross-context behavioral advertising.

| Who | What they do | Their terms |
|---|---|---|
| Shopify | Hosts and powers the store; handles checkout, fraud screening, and analytics | Privacy · DPA · Network Intelligence |
| Shopify Inbox | Store chat / messaging | Inbox Terms |
| Shopify AI / agentic shopping | If you reach the store through an AI shopping assistant | Agentic Storefront Terms |
| Judge.me | Product reviews and review-request / marketing emails | Privacy · Security · DPA |
| Google Analytics | Anonymized traffic measurement. I keep its advertising and remarketing features (including Google Signals) turned off, so your visit isn't fed into cross-site ad profiles | Privacy · Opt-out add-on |
| Proton Mail | Hosts my email (end-to-end encrypted) | Privacy |
| Payment processors | Shopify Payments, PayPal, Amazon Pay, Apple Pay, Google Pay — process your payment. I never see your card number | See Payments |
| Shipping carriers | USPS and UPS, to deliver your order | |
| Meta / Instagram | If you message me or arrive via Instagram. Where I control advertising pixels, I keep cross-site ad-profiling features off | Privacy |
| Square | In-person sales at markets and pop-ups | POS Terms |

I'll also disclose your information when the law genuinely compels it — a valid subpoena, court order, or warrant — or to protect the store, enforce my Terms, or in the unlikely event of a business sale. I'll only give up what's actually required.

Cookies & tracking

Two kinds of cookies are in play:

  • Essential cookies — cart, session, and security/fraud. These keep the site working and are always on; the store literally can't function without them.
  • Non-essential cookies — analytics and performance, through Google. These do not fire until you say yes.

Consent is opt-in. You'll see a cookie banner, and non-essential cookies and analytics stay switched off by default until you allow them (managed through Google Consent Mode v2). You can change your choice anytime using the Cookie preferences link in the site footer.

Global Privacy Control / Do Not Track: I honor the Global Privacy Control signal and treat it as an opt-out. Because I keep things opt-in to begin with, there isn't much to opt out of — but I respect the signal where it applies. I don't separately act on legacy "Do Not Track" browser headers beyond this. You can also manage or erase what Google holds through Google's own opt-out add-on and account controls (more on each system in DICKS).

Payments

I accept Shop Pay, Shop Pay Installments, major cards (Visa, Mastercard, American Express, Diners Club, Discover), and wallets (Apple Pay, Google Pay, Amazon Pay, PayPal). Everything runs through Shopify and the processor or wallet you choose. I never see, receive, or store your full card number or payment credentials — that data goes directly to the processor.

Marketing & your inbox

I only send marketing to people who opted in. Two systems handle email: order and account messages go through Proton Mail; review requests and marketing go through Judge.me.

  • Every marketing email has a one-click unsubscribe. Use it and you're off the marketing list promptly — and in no case longer than the 10 business days the law allows.
  • You'll still get necessary messages about your order or account.
  • Marketing emails include my mailing address, because the law requires it.

Your rights & choices

Depending on where you live — including US state privacy laws and, for EEA/UK shoppers, the GDPR and UK GDPR — you may have the right to:

  • Access / know what personal information I hold about you.
  • Correct inaccurate information.
  • Delete information I hold about you.
  • Portability — get a copy, or have it sent onward, where the law provides.
  • Opt out of sale, sharing, or targeted advertising. I don't do any of those, so there's nothing to opt out of — but the right stands.
  • Object to or restrict certain processing, and withdraw consent anytime.
  • Complain to your local data protection authority (EEA/UK).

These rights aren't absolute, and some legal exceptions apply. To use them, email orders@wickedwicksandmore.com. I may need to verify it's really you, and an authorized agent can act for you with proof. I'll respond within the timeframe the law requires, and I'll never discriminate against you for asking. For data Shopify processes as its own controller, you can also use the Shopify Privacy Portal.

How long I keep things

I keep personal information only as long as I actually need it: order and transaction records for as long as the order, taxes, disputes, and legal duties require; account info while your account is active; custom-order photos per the 3-business-day rule above; and analytics for the limited windows set in Google Analytics. When I no longer need something, I delete it or strip it of anything that could identify you.

Kids

This store is 18+ (see Malevolent Mandates). It isn't directed to children, and I don't knowingly collect personal information from anyone under 13, or under the higher age of majority where you live. If you're a parent or guardian and believe a minor sent me information, contact me and I'll delete it. I have no actual knowledge that I sell or share the personal information of anyone under 16 — and to be clear, I don't sell or share it for anyone, at any age.

International transfers

I'm based in the United States, so your information is processed here. For shoppers in the EEA and UK, any transfer relies on recognized safeguards such as the EU Standard Contractual Clauses, which Shopify provides through its Data Processing Addendum.

If something goes wrong

If a breach ever affects your information, I'll notify you without unreasonable delay and consistent with the law — including any pause a law-enforcement investigation requires — and I'll share what I'm legally able to as the picture comes clear. Where the District of Columbia or your state requires it, I'll also notify the relevant Attorney General, and where the law calls for extra steps like identity-theft protection, I'll provide them. If I can't determine exactly who was affected, I'll err toward telling everyone who might have been.

Changes

I may update this Private Pact from time to time — to reflect how the store actually works, or for legal or operational reasons. The "Last Updated" date at the top shows the latest revision, and I'll give notice of material changes where the law requires it.

Contact

Privacy questions, or want to exercise a right? Email orders@wickedwicksandmore.com. Anything else, hello@wickedwicksandmore.com. By mail: Wicked Wicks and More, 116 V St NW, Washington, DC 20001. For anything sensitive, encrypted email is best — it's end-to-end encrypted through Proton Mail.

Wicked Wicks and More · Handmade in Washington, DC · Stay Wicked