Privacy policy

PRIVACY POLICY

Last updated: July 9, 2025

INTRODUCTION This Privacy Policy explains how Carbs Sourdough Bakery Inc. ("Carbs Bakery", "we", "us" or "our"), operating the online store at https://www.carbsbakery.com (the "Site"), collects, uses, discloses and protects your personal information when you visit, browse or make a purchase from the Site or otherwise interact with us (collectively, the "Services").

  1. CONTACT US If you have any questions about this Privacy Policy, wish to exercise your privacy rights or make a complaint, please contact us. Email: info@carbsbakery.com Mailing address: Carbs Sourdough Bakery Inc. (10611549 Canada Inc.) 8567 Chemin Dalton Mont‑Royal, QC H4T 1V5 Canada

We will respond to all privacy‑related inquiries within 30 days.

  1. PERSONAL INFORMATION WE COLLECT We collect the following categories of personal information.

A. Device & Usage Data • What we collect: IP address; browser and device type; operating system; referring URLs; time zone; cookies and similar technologies; pages viewed; items added to cart; on‑site actions. • Purpose: load the Site correctly; monitor performance and security; improve content and user experience. • Source: collected automatically via cookies, log files, pixels and tags. • Disclosed to: Shopify (hosting), Google Analytics, Meta (Facebook/Instagram) Pixel.

B. Order Information • What we collect: name; shipping and billing addresses; email; phone; products purchased; payment method (last four digits of card, card type, expiration date); delivery preference. • Purpose: process and ship orders; provide order updates and invoices; detect fraud or abuse. • Source: provided by you at checkout. • Disclosed to: Shopify Payments, PayPal, Canada Post, Trexity (local delivery), ShipStation (fulfilment), Klaviyo (email).

C. Payment Information • What we collect: encrypted payment token (we do not store full card numbers). • Purpose: accept payment. • Source: provided by you at checkout. • Disclosed to: Shopify Payments, PayPal.

D. Customer Support • What we collect: email, phone or social‑media messages, photos or other information you send us about product issues. • Purpose: respond to enquiries and complaints; provide replacements or refunds. • Source: provided by you. • Disclosed to: Gorgias (help desk), Gmail.

E. Marketing Preferences • What we collect: email‑marketing opt‑in status; marketing‑campaign interactions. • Purpose: send newsletters, product launches and promotions you may find interesting. • Source: provided by you or inferred from interactions. • Disclosed to: Klaviyo (email), Meta and Google (ads).

We do not intentionally collect sensitive personal information (e.g., health or biometric data).

  1. COOKIES AND SIMILAR TECHNOLOGIES We use cookies, pixels and local‑storage files to run the storefront, keep you signed in, remember your cart and analyse traffic. Persistent cookies remain on your device for between 30 minutes and two years. You can disable cookies in your browser; doing so may affect Site functionality. For a full, live list of cookies, visit our Cookie Settings page or email us.

  2. HOW WE USE PERSONAL INFORMATION • Provide the Services: display products, process orders, arrange shipping and handle payments. • Communicate: send order confirmations, shipping updates, password resets and responses to enquiries. • Improve and personalise: analyse Site traffic, fix bugs, test new features and show relevant products. • Marketing (with consent): send newsletters, promotions and targeted ads. • Security and fraud prevention. • Legal compliance (tax, bookkeeping and consumer‑protection obligations).

  3. LEGAL BASES FOR PROCESSING (EEA/UK VISITORS) We process personal information under the following lawful bases: • Contract (to perform the contract when you place an order). • Consent (for marketing emails and non‑essential cookies). • Legitimate interests (to improve Services, prevent fraud and secure the Site) balanced against your rights. • Legal obligation (to comply with laws).

  4. SHARING PERSONAL INFORMATION We share personal information only with trusted service providers that need the data to deliver the Services and are bound by confidentiality obligations. These include: Shopify Inc.; Shopify Payments; PayPal; Canada Post; Trexity; ShipStation; Klaviyo; Google Analytics; Meta (Facebook/Instagram) Pixel; and Gorgias. We may also disclose information if required by law or to protect our rights or customers. We do not sell or rent personal information.

  5. BEHAVIOURAL ADVERTISING AND ANALYTICS With your consent, we and our advertising partners use cookies and pixels to show ads based on your browsing activity. You can opt out of targeted advertising at: Google Ads: https://www.google.com/settings/ads/anonymous Facebook/Instagram: https://www.facebook.com/settings/?tab=ads Digital Advertising Alliance: https://optout.aboutads.info/

  6. RETENTION We retain order records for at least seven years to comply with Canadian tax law. Other personal information is kept only as long as necessary for the purposes outlined in this Policy or until you request deletion, subject to legal obligations.

  7. AUTOMATED DECISION‑MAKING We do not engage in fully automated decision‑making that produces legal or similarly significant effects. Shopify may run automated fraud checks (temporary IP or credit‑card blacklists) to protect the platform.

  8. YOUR RIGHTS Depending on where you live, you may have the right to access, correct, delete, restrict or port your personal information, and to withdraw consent for marketing at any time. To exercise these rights, email privacy@carbsbakery.com. We may ask you to verify your identity.

California residents: We do not “sell” or “share” personal information as defined under the California Consumer Privacy Act and its amendments, but you may still exercise the rights described above.

EEA/UK residents: You may lodge a complaint with your local data‑protection authority or with the Office of the Privacy Commissioner of Canada (OPC).

  1. SECURITY We follow industry best practices, including TLS encryption, regular security audits and least‑privilege access controls, to protect personal information. No method of transmission or storage is completely secure.

  2. CHILDREN’S PRIVACY The Site is not directed to children under 13 years of age, and we do not knowingly collect personal information from them. If you believe a child has provided us with personal information, contact us and we will delete it.

  3. CHANGES TO THIS POLICY We may update this Policy from time to time. The revised version will be posted on the Site with a new “Last updated” date. Please review it periodically.

Thank you for trusting Carbs Bakery with your information – we are committed to protecting it while bringing you the best sourdough on the Internet!