Contents
We are located at 23801 Calabasas Road, Calabasas, CA 91302, USA. Along with our affiliated companies (collectively, “Company Group”, or “we/our/us”), we own and operate a number of websites (the “Websites” or “Sites”) and mobile applications (the “Apps”).
This global Privacy Policy (“Privacy Policy”) applies to each Website and App that it appears on.
This Privacy Policy explains how we collect, use, process, share and store Data when you use our Services (both terms as defined below), explains rights that you may have under specific data privacy and protection laws, and provides instructions on how to exercise any rights that apply to you (collectively, “Data Laws”).
The rights discussed in the CCPA Notice are for residents of California. The rights discussed in the GDPR Notice are for persons located in the EU, EEA, UK or Switzerland. Depending on where you live or are located, these rights may not apply to you. Both the CCPA Notice and the GDPR Notice are provided as Addenda at the end of this Privacy Policy.
Our Websites, Apps and Services may include links to third-party websites, plug-ins, services, social networks or mobile applications. Clicking on those links, or enabling those connections, may allow the third-party to collect or share Data about you. We do not control these third parties, and you should read each of their privacy notices before you submit any information to them.
You should carefully read this document to understand our policies and practices for processing and storing Data. By interacting with our Services, you accept the policies and practices described in this Privacy Policy. This Privacy Policy may change from time to time (see Updates to This Privacy Policy), and your continued use of our Services after any change means you accept those changes. Please check the Privacy Policy frequently for any updates.
In addition to the terms already defined above, we provide these definitions:
“CCPA” means the California Consumer Privacy Act of 2018, as it may be amended from time to time.
“Data” is information about you that we collect, or that you provide to us, and may include PII.
“Device” means the computer, smart phone or other electronic device that you use to access the Services.
“Device Information” means information about a Device, including the IP address used to access the Services, associated cookies or cookie identifiers, and other information related to the formatting or presentation of the Services for your Device and includes information about the Device often stored in picture files, including Device type and the location you were in when you took the picture.
“EEA” means countries in the EU plus Iceland, Lichtenstein, and Norway.
“EU” means the countries which are currently members of the European Union.
“GDPR” means the General Data Protection Regulation of the European Union, and the equivalent Data laws of the EEA, United Kingdom and Switzerland.
“Personal Data” means any information about an identified or identifiable natural person who has rights under the GDPR (“Data Subject”). An “identifiable natural person” is one who can be identified, directly or indirectly, by a single piece of data such as a name, an ID number, IP address, location data, an online identifier or by other data that, when combined, makes it possible to determine the identity of that natural person.
“Personal Information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, household or Device.
“PII” means personally identifiable information, which is information that can be used to identify a specific individual, including Data that may be classified as Personal Information subject to the CCPA Notice or Personal Data subject to the GDPR Notice.
“Services” means the Sites, Apps, and other services available from us.
We use different methods to collect Data, including:
Direct Interactions. You may give us Data by filling in forms or contacting us by phone, e-mail or otherwise. This includes Data you provide when you create an account, subscribe to our Services, search for a product, place an order, upload a photo or other content, create a seller profile on our Services that offer seller capabilities, participate in discussion boards or other social media functions on our Services, enter a competition, promotion or survey, and when you report a problem with our Services. If you choose to make any seller profile that you create public, people may see your name, the country you designate in your profile, and your “About” details. You can adjust the privacy settings for your seller profile at any time.
Automated Technologies or Interactions. As you interact with our Services, we may automatically collect Data about your Device and your browsing actions and patterns, even if you do not create an account or place an order with us. We collect this Data by using cookies, server logs, and other similar technologies, as detailed in our Cookie Notice which may be available to you depending on your location. You can block cookies in your browser by activating the settings that allow you to refuse all or some cookies. IMPORTANT NOTE: if you use your browser settings to block all cookies (including essential cookies), the Services may not function properly or may not work at all.
Cross-Device Tracking: Some of our Services use data analytics companies, advertising networks, and/or social media companies to engage in “cross-Device tracking,” which occurs when platforms, publishers, and advertising technology companies try to connect a consumer’s activity across smartphones, tablets, desktop computers, and other connected devices. The goal of cross-Device tracking is to enable us to link your behavior with our Services across Devices.
Third parties or Publicly Available Sources. We receive Data from third parties such as business partners and sub-contractors who provide us with a variety of business services like shipping and payment processing, advertising, analytics, search information, etc.
User Contributions. You may also provide us with Data to post on the Services or to transmit to third parties (collectively, "User Contributions"). User Contributions are submitted at your own risk. We limit access to certain pages, and you can also adjust privacy settings for User Contributions by logging into your account profile. However, we cannot and do not guarantee that unauthorized persons will not be able to view your User Contributions.
PII We Collect
We collect PII including your name, postal address, e-mail address, telephone number, IP address, credit/debit card numbers and other financial information needed to complete your transactions with us, photos and other content you upload, date of birth, any profile image you provide, user IDs and/or passwords used to access the Services, your Services browsing history, and any phone number used to call our customer service number. If you sell products through our Services, in addition to the information above we collect information necessary to pay you and comply with tax reporting laws, such as your PayPal account, and social security or Tax ID number, and your birthdate for verification of your identity.
Device Information
We collect information relating to the Device(s) you use to access the Services, including the Device model, operating system, browser type, IP address, and event information from use of the Services.
Mobile App
Depending on your permissions, if you download and use our Apps, we may collect or access certain information from your mobile Device including:
Community Postings
You can post information on our blogs, forums, or other public posting areas. Any information you disclose is available to anyone with internet access. You do not have to use these features, but if you do, please use common sense and good judgment when posting in these community spaces or sharing your personal information with others through the Services.
Other Data We Collect
In addition to PII, we collect other Data from you when you use the Services, including:
Data About Children
We do not knowingly collect, use, process, share or store PII from children under the age of 18. The Services are not intended for use by children under the age of 18. If you believe that we have unknowingly collected or processed PII from a child under the age of 18, contact us as soon possible at [email protected]
Use and Processing of PII
In accordance with data laws, we may use and process PII for the following purposes:
Use and Processing of Other Data
We may use Data that is not PII for any business purpose.
You can manage your preferences about how your Data is used by following the instructions in each form or communication you receive from us. For more information, see Your Choices About Our Use of Data.
Sharing of PII
Subject to Data laws and any rights you exercise under this Policy, we may share Data within our Company Group to comply with internal, contractual and legal obligations, and for marketing activities.
We may also share Data with third parties as follows:
Sharing of Other Data
We may share other Data without restriction.
Transactional Emails: We occasionally send transactional emails notifying you about your orders, account information, changes to the Services, updates to our online documents, and other matters. You may not opt out of transactional emails.
Promotional Offers: You can stop receiving promotional offers by following opt-out links in each promotional message, or contacting us at [email protected] and requesting your removal from our promotional offers list.
Push Notifications on Mobile App: Depending on your Device, push notifications may be turned on by default. You can opt out of push notifications at any time by adjusting your Device settings.
Tracking Technologies and Advertising: You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you refuse all cookies, you will be unable to use the Services. If you disable or refuse some cookies, parts of our Services will be inaccessible or not function properly. For more information about tracking technologies, please see Automated Technologies or Interactions above.
Updating PII. You may contact us via the Contact Us link in the App or the Contact Us page on the Website you are using, or at [email protected] and we will update or correct any account information at your request.
We use and store PII only as long as we need it to maintain our relationship with you or to meet contractual and legal obligations, i.e., reporting under tax laws. We store PII from the time of collection as follows, unless contractual or legal obligations require us to store it for a longer period:
If you neither create an account nor buy anything (even as a guest) we will delete PII about you at the earlier of your revocation of consent or in accordance with our Cookie Notice.
If you either create an account, or buy as a guest, we will delete PII about you at the first of the following:
The Services have physical, electronic, and administrative security measures in place designed to protect against the loss, misuse, and unauthorized access, use, alteration, or disclosure of Data under our control. When you submit credit card information through the Services, we create a nonce so your credit card information is never stored by us. While no transmission over the internet can be guaranteed as 100% secure, and we strive to protect PII during transmission, we cannot ensure or warrant the security of any Data that you transmit to or receive from us. We urge you to take steps to keep Data safe (including your account password), log out of your account after use, and close your web browser.
You confirm that your command and knowledge of the language in which this Privacy Policy is written is sufficient to understand the terms and conditions in this Privacy Policy. If you live in the European Union, EEA, UK or Switzerland, or are located outside the United States: (i) you agree that by using the Services, personal data about you may be transferred to our servers located in the United States in connection with the purposes stated in this Privacy Policy, and (ii) you understand that the laws with respect to the protection of Data in the United States may not be as stringent as those in your home jurisdiction. If you live in or are located in the European Union, EEA, UK or Switzerland, the Addendum for Persons Located in the European Union, UK, EEA and Switzerland EU below describes additional rights you might have.
If you have any concern about the privacy practices of the Services, please contact us at following address with a detailed description, and we will try to resolve it:
Privacy Program
Attn: Legal Department
23801 Calabasas Road
Calabasas, CA 91302
USA
If you are located in Europe
We have appointed ITG EU & GRCI Law to act as our EU and UK Representatives. If you wish to exercise your rights under EU GDPR or the UK GDPR or have any queries in relation to your rights or privacy matters generally please email from Europe [email protected], or from UK, [email protected].
Please check this Privacy Policy periodically to inform yourself of any changes. We reserve the right to modify this Privacy Policy at any time, so you should review it frequently. If we make material changes to this Privacy Policy, we will post notice of the changes on the Services homepage and/or as required by law notify you by email using the current email address for your account.
Effective Date: June 1, 2021
Last Revised on: June 1, 2021
This Addendum for Persons Residing in California (this “CCPA Notice”) supplements the Privacy Policy and applies only to residents of the State of California. This CCPA Notice is provided in compliance with the CCPA, and any terms defined in the CCPA have the same meaning when used in this CCPA Addendum.
How We Collect Personal Information
We collect “Personal Information” as defined in the CCPA. We collect Personal Information from the following categories of sources:
How We Share Personal Information
We disclose Personal Information to other companies for business purposes and enter into a contract with the recipient describing the purpose and requiring the recipient to both keep that Personal Information confidential and not use it for any purpose except performing the activities in the contract. These recipients are “Service Providers” under the CCPA.
Summary of Categories of Personal Information Collected, Sources, and Categories of Third Parties Shared With
The table below summarizes the Personal Information collected, used and shared by us or our Service Providers and Third Parties within the last twelve (12) months.
| Category of Personal Information Collected | Categories of Sources | Examples of Uses | Categories of Third Parties We Share Personal Information With |
| Identifiers, such as your name, address, phone number, Internet Protocol (IP) address, email address, social media handles, and account name. If you choose to sell products and receive a royalty or commission, we also collect your social security number and/or tax identification number. |
You, if you choose to provide it to us. You, when you use the Services. We and our Service Providers collect this info automatically. Our Service Providers that collect your IP address automatically |
To respond to your requests for information. To provide the Services to you. |
Our Service Providers, such as our Website host, payment processors, social networks, order fulfilment processors, and analytics providers. Our affiliates and subsidiaries. Third Parties and government authorities relating to (i) legal requests, if required by law, or (ii) if we believe in good faith that it is necessary. Third Parties for a Reorganization Use. Service Providers for purposes of advertising our products to you and tracking your response to our ads. |
|
Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)), such as your name, address, phone number, credit or debit card number. Only if you are a seller on the CafePress Website, your Social Security Number so that we may report tax information as required by law. Some personal information included in this category may overlap with other categories. |
You, if you choose to provide it to us. | To fulfill your orders. To comply with tax laws. |
Our Service Providers such as delivery companies, payment processors, order fulfillment providers, printers, product distributors, advertising, social network and data analytics providers. Our affiliates and subsidiaries. Tax authorities. Fraud prevention Service Providers. Third Parties and government authorities relating to (i) legal requests, if required by law, or (ii) if we believe in good faith that it is necessary. Third Parties for a Reorganization Use. |
| Protected Classifications, such as age (40 years or older), gender, etc. | You, directly. Derived from your orders. |
To analyze the demographics of our customer base. | Service Providers such as data analytics providers. Our affiliates and subsidiaries. |
| Commercial information, such as products or services purchased, obtained, or considered. | You, when you use the Services. We and our service providers collect this info automatically. |
To fulfill your orders and provide current and future Services to you. | Service Providers who help us determine our product mix and analyze our customer’s shopping and purchase preferences. Our Service Providers such as delivery companies, payment processors, order fulfillment providers, printers, product distributors, advertising, social network and data analytics providers. Our affiliates and subsidiaries. Tax authorities. Fraud prevention Service Providers. Third Parties and government authorities relating to (i) legal requests, if required by law, or (ii) if we believe in good faith that it is necessary. Third Parties for a Reorganization Use. |
| Financial data, such as credit or debit card number, verification number, and expiration date. We do not store your full credit card number or verification number. | You, if you choose to provide it to us. | To fulfill your orders and investigate and prevent fraud. | Payment processors. Third Parties and government authorities relating to (i) legal requests, if required by law, or (ii) if we believe in good faith that it is necessary. |
| Device information and identifiers, such as IP address; browser type and language; operating system; platform type; device type; software; and App identifiers. | You, when you use the Services. We and our service providers collect this info automatically. |
Providing you with a good experience when you visit the Services, such as the ability to serve content in your preferred language, provide pricing in local currency, store your user ID and/or password for your convenience, or pre-populate fields in your use of the Services. | Service providers, such as analytics providers. Third Parties, such as analytics providers. Third Parties and government authorities relating to (i) legal requests, if required by law, or (ii) if we believe in good faith that it is necessary. Third Parties for a Reorganization Use. |
| Internet network and electronic device activity, such as browsing history, search history, and information on your interaction with a search result. | You, through your Device when you use the Services. We and our service providers collect this information automatically. Analytics providers Advertising providers. Cookies and tracking technologies. |
Providing you with a good experience when you use the Services, such as the ability to serve content in your preferred language, provide pricing in local currency, store your user ID and/or password for your convenience, or pre-populate fields in your use of the Services. Marketing and advertising our products, specifically understanding which of our marketing campaigns resulted in your visit to the Services. |
Our Service Providers such as data analytics providers. Advertising networks. Data analytics providers. Social networks. Our affiliates and subsidiaries. Third Parties and government authorities relating to (i) legal requests, if required by law, or (ii) if we believe in good faith that it is necessary. Third Parties for a Reorganization Use. |
| Geolocation data, such as your postal address and your IP address. We infer your general location from your IP address. | You, if you choose to provide it to us. You, through your Device, when you use the Services. We and our service providers collect this info automatically. |
Responding to your requests for information.
Shipping your products to you. Providing you with a good experience when you visit the Services, such as the ability to serve content in your preferred language, provide pricing in local currency, store your user ID and/or password for your convenience, or pre-populate fields in your use of the Services. |
Our Service Providers such as delivery companies. Our affiliates and subsidiaries. Tax authorities. Fraud prevention Service Providers. Third Parties and government authorities relating to (i) legal requests, if required by law, or (ii) if we believe in good faith that it is necessary. Third Parties for a Reorganization Use. |
| Inferences drawn from personal information, such as a person’s preferences, characteristics, trends, predispositions, behavior, and attitudes. | Advertising networks, data analytics providers, and special occasions based on our review of product orders. | Targeted advertising, marketing analytics, reminders of special occasions. | Advertising networks. Data analytics providers |
| Visual information, such as photographic or other images. | You, if you choose to provide it to us, or another customer provides it to us. | Incorporating the image into your products. Storing the image for the customer for future use on other products. |
Service Providers, such as printers. Third Parties and government authorities relating to (i) legal requests, if required by law, or (ii) if we believe in good faith that it is necessary. |
| Sensory Information, including audio recordings when you call our customer service telephone number. | You, if you call customer service. | Responding to your customer service requests. | Our affiliates and subsidiaries. Third Parties and government authorities relating to (i) legal requests, if required by law, or (ii) if we believe in good faith that it is necessary. |
Sales of Personal Information
We use cookies and third-party applications that qualify as a sale of information under the CCPA.
Your CCPA Rights and Choices
The CCPA provides California residents with specific rights regarding Personal Information. This section describes your CCPA rights and explains how to exercise those rights.
We may deny your deletion request if retaining the Personal Information is necessary for us or our service provider(s) to:
Only you, or someone legally authorized to act on your behalf, may make a verifiable CCPA request related to Personal Information about you. You may also make a verifiable CCPA request on behalf of your minor child. To designate someone legally authorized to act on your behalf, you may upload proof of the authorization to [email protected].
You may make a verifiable CCPA request for access or data portability only twice within any 12-month period. The verifiable CCPA request must:
We will use Personal Information provided in a verifiable CCPA request only to verify the requestor’s identity or authority to make the request.
Any CCPA disclosures we provide will only cover the 12-month period preceding our receipt of your verifiable CCPA request. Our response will also explain the reasons we are not complying with your CCPA request, if applicable.
For CCPA data portability requests, we will select a format to provide your Personal Information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
We do not charge a fee to process or respond to your verifiable CCPA request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the CCPA request warrants a fee, we will tell you why and provide you with a cost estimate before completing your request.
Other California Privacy Rights
In addition to your rights under the CCPA, California’s “Shine the Light” law (Civil Code Section § 1798.83) permits users of the Services that are California residents to request certain information regarding our disclosure of Personal Information to third parties for their direct marketing purposes. We do not disclose Personal Information to third parties for their direct marketing purposes. If you would like more information about our compliance with California’s “Shine the Light” law, please send an email to [email protected] or write us at:
Privacy Program
Attn: Legal Department
23801 Calabasas Road
Calabasas, CA 91302
USA
Changes to this CCPA Notice
We reserve the right to amend this CCPA Notice at our discretion and at any time. When we make changes to this Notice, we will post the updated Notice on the Services and update the Notice’s effective date. Your continued use of the Services following the posting of any changes to this Notice constitutes your acceptance of those changes.
CCPA Contact Information
If you have questions or comments about this Notice, the ways in which we collect and use Personal Information, your choices and rights regarding such use, or you wish to exercise your rights under California law, please contact us at:
Email: [email protected]
Postal Address: Privacy Program, Attention: Legal Department, 23801 Calabasas Road, Calabasas, California 91302-1547
This Addendum for Persons Located in the European Union, UK, EEA and Switzerland (this “GDPR Notice”) supplements the information contained in the Privacy Policy and applies solely to persons located in the EU, UK, EEA and Switzerland. We adopt this GDPR Notice to comply with GDPR, and any terms defined in GDPR (including Personal Data) have the same meaning when used in this GDPR Notice.
In General
We do not collect, use, process, share or store special categories of Personal Data.
Who is Responsible for Personal Data About You?
We are responsible for Personal Data about you. Specifically Personal Data is controlled by:
Privacy Program,
Attention: Legal Department
Gateway House, Tollgate, Chandler’s Ford,
Eastleigh, Southampton, S053 3TG,
United Kingdom
We have appointed ITG EU & GRCI Law to act as our EU and UK Representatives. If you wish to exercise your rights under EU GDPR or the UK GDPR or have any queries in relation to your rights or privacy matters generally please email from Europe [email protected], or from UK [email protected].
We may need to request additional information from you in order to confirm your identity before responding to your request or question.
On Which EU Legal Basis Do We Process Personal Data About You?
Depending on the specific purpose or purposes for the processing of the Personal Data, we rely on the following legal grounds:
Legitimate interests include, for example, developing and improving our internal administration or business and service processes, marketing and reputation activities, keeping our records up to date, handling and managing our legal and contractual duties and obligations, and compliance with internal and legal policies and regulations that apply to us.
In addition, we process Personal Data to let you know about updates to products and services you have purchased from us or expressed interest in before. We also process Personal Data on the basis of your consent, where you have expressly given that to us for certain purposes such as direct marketing.
Will Personal Data About You be Transferred Outside the EU/EEA?
Our headquarters and operations are in the United States, UK and Ireland. We strive to store and process EU, UK, EEA and Swiss Personal Data in Ireland, on the servers located in the EU. With the exception of Personal Creations and Café Press, all EU/EEA customer Personal Data is processed and stored on Amazon Web Services (AWS) servers located in Ireland (see more information below). Personal Creations and Café Press customer Personal Data is processed and stored on AWS Servers in the U.S.
Notice Re: EU-U.S. and Swiss-U.S. Privacy Shield, CJEU Schrems II Ruling and EU Standard Contract Clauses (SCC)
We have withdrawn from the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States as further described below.
On July 16, 2020, the European Court of Justice (CJEU) determined that the EU-U.S. Privacy Shield framework is no longer valid for the transfer of Personal Data from the European Economic Area (EEA) to the U.S. (known as the Schrems II decision). The Schrems II decision also placed additional compliance requirements on the use of EU Standard Contract Clauses (SCC) for the transfer of EU/EEA Personal Data to the U.S. by companies subject to Section 702 of the U.S. Foreign Intelligence Surveillance Act (FISA) and/or Executive Order 12333 (E.O. 12333).
We know our customers, website visitors, and business partners care deeply about privacy and data security, and we optimize our work to get these issues right. We’d like to confirm that you can continue to use our Services with regard to EU and EEA Personal Data in compliance with EU law.
First, please know that it is our good-faith belief that the types of EU/EEA Personal Data we collect, use, process, share and/or store in the U.S. are not of the types of Personal Data that would generally be subject to requests from U.S. government authorities pursuant to FISA Section 702 and/or E.O. 12333.
Second, please note that as part of our good-faith efforts to comply with applicable data protection laws, we strive to continue to store and process EU, EEA, UK and Swiss Personal Data in Ireland, on servers located in the EU. In compliance with the GDPR and other applicable laws we also implement data encryption, data minimization, data pseudonymization, and need to know access to Personal Data.
Third, although we have withdrawn from Privacy Shield, we are retaining the data collected during our participation, and are providing adequate protection for such data by another authorized means.
Fourth, when international transfer of Personal Data is necessary to perform a contract with you, or in individual cases for the purposes of our compelling legitimate business interests and in order to comply with our internal policies, contractual and legal obligations.
If you represent one of our service providers or business partners and your organization is a party to an agreement with us that includes EU Standard Contract Clauses (SCC) for compliance with EU/EEA data protection laws, please contact us at [email protected] to discuss whether any updates to our agreement are needed resulting from the Schrems II decision.
Trust is a top priority for us, and we will continue to work vigilantly to ensure that our customers, website visitors, and business partners are able to continue to enjoy the benefits of our Services securely, compliantly, and without disruption.
Your Consent to Transfer of Personal Data
In addition to the above, we may also process, store, and/or transfer Personal Data we collect about you, in and to a country outside the EU including the United States. Those other countries may have different privacy laws that may or may not be as comprehensive as your own.
By submitting Personal Data or interacting with our Services, you consent to this transfer, storing, and/or processing including in the United States.
You may send us an email from Europe at [email protected] or from UK to [email protected] to request access to, correction, or deletion of Personal Data that you have provided to us. In some situations, we cannot delete Personal Data about you except by also deleting your user account. Please note that deletion of your account will cause you to lose your stored photos, completed and in-process projects, and all content you have uploaded for sale through any of our Services with Shops or Marketplaces. If this Data is deleted by us at your request, we will not be able get it back for you if you change your mind in the future. We may not be able to grant a request to change or delete Personal Data about you if we believe the change or deletion would violate any law or legal requirement or negatively affect the accuracy of the Data.
If you delete your User Contributions from our Services, copies may still be viewable in cached and archived pages or where other users have copied or stored them. Our terms of use govern proper access and use of information provided on our Services, including User Contributions.