Privacy policy
How Warm by Design collects, uses, and shares your personal information when you visit warmbydesign.com, place an order, or interact with our ads. Plain language, named partners, and your rights — written to comply with the GDPR (including as it applies in the UK), the California Consumer Privacy Act (as amended by the CPRA), and other applicable US state privacy laws.
1. Who we are
This policy is issued by Warm by Design ("we," "us," "our"), a sole proprietorship based in California. Registration as Warm by Design LLC is pending. We operate warmbydesign.com (the "Site") and any associated marketing, social, and advertising channels.
For the purposes of applicable data protection laws, Warm by Design is the data controller of the personal information described in this policy, except where this policy expressly identifies a joint controller arrangement (see Section 8).
Contact for any privacy question: support@warmbydesign.com.
2. Personal information we collect
We collect the following categories of personal information:
- Contact details — name, email address, phone number, shipping and billing address.
- Order and transaction information — items purchased, order amount, payment method (we do not store full card numbers; payments are processed by Shop Pay, Stripe, PayPal, and other PCI-DSS-compliant processors).
- Account information — login credentials and preferences for any account you create through Shopify on the Site.
- Communications — emails, SMS messages, and chat messages you exchange with us, including support tickets.
- Marketing preferences — your opt-in or opt-out status for email and SMS, and engagement signals (opens, clicks, unsubscribes).
- Device and usage information — IP address, browser type, operating system, referring URL, pages viewed on the Site, products viewed or added to cart, time spent, and identifiers stored in cookies, pixels, and similar technologies (see Section 6).
- Inferences — interests and audience segments derived from the above (for example, "customers who have viewed table lamps").
We do not knowingly collect special categories of personal data (race, religion, health, biometrics, precise geolocation, etc.). We do not sell personal information for monetary consideration.
3. Personal information sources
We receive personal information from:
- You — directly, when you place an order, create an account, contact us, sign up for marketing, or interact with the Site.
- Your device — automatically, through cookies, pixels, and similar technologies described in Section 6.
- Service providers and advertising platforms — including Shopify, Klaviyo, Google, Meta (Facebook/Instagram), Pinterest, and TikTok, as described in Section 5.
- Public sources — for fraud prevention and address verification, where lawful.
4. How we use your personal information
We use the categories above to:
- Fulfill orders, ship products, process refunds, and provide customer support.
- Operate, secure, and improve the Site.
- Send transactional messages (order confirmations, shipping updates, account notices).
- Send marketing email and SMS to people who have opted in, and suppress those messages where you have opted out.
- Measure, attribute, and improve the performance of our advertising on platforms including Pinterest, Meta, Google, and TikTok — including conversion tracking, retargeting, and lookalike-audience modeling, all as described in Section 5 and Section 8.
- Detect, prevent, and respond to fraud, abuse, and security incidents.
- Comply with legal obligations, enforce our Terms of Service, and protect our rights.
Where the GDPR or UK GDPR applies, our legal bases are: contract performance (orders, accounts), consent (marketing email/SMS, non-essential cookies and pixels including the Pinterest Tag), legitimate interests (fraud prevention, security, basic site analytics, attribution measurement), and legal obligation (tax, accounting, regulatory).
5. How we disclose your personal information — named partners
We share personal information with the following categories of recipients. Each recipient processes the data only for the purposes described and in accordance with its own privacy notice.
5.1 E-commerce platform and payments
- Shopify Inc. — hosts the Site and processes orders, accounts, checkout, and certain analytics on our behalf. Shopify Privacy Policy.
- Shop Pay, Stripe, PayPal, Apple Pay, Google Pay — payment processors that handle card and wallet transactions. We never receive or store full card numbers.
5.2 Email and SMS marketing
- Klaviyo, Inc. — email and SMS marketing platform. We share contact details, order history, and engagement events with Klaviyo to send you marketing messages you have opted in to and to suppress messages you have opted out of. Klaviyo Privacy Notice.
5.3 Advertising and measurement partners
We share certain device, event, and conversion information with the advertising platforms below in order to measure and improve our ads, retarget visitors who have not opted out, and build lookalike audiences. The data shared is typically hashed identifiers (such as hashed email or phone), event names (page view, add-to-cart, purchase), event values, and pseudonymous device identifiers.
- Pinterest, Inc. (and, for users in the European Economic Area or the United Kingdom, Pinterest Europe Limited) — we use or may use the Pinterest Tag and the Pinterest Conversions API to send activity data (page views, add-to-cart, purchases, lead events) to Pinterest for measurement, optimization, and audience-building. For users in the EEA and UK, Pinterest Europe Limited and Warm by Design are joint controllers for this activity data — see Section 8. Pinterest Privacy Policy.
- Meta Platforms, Inc. (Facebook, Instagram) — we use or may use the Meta Pixel and Conversions API for the same purposes. Meta Privacy Policy.
- Google LLC — Google Analytics, Google Ads, and Google Tag for site analytics, conversion tracking, and remarketing. Google Privacy Policy.
- TikTok Inc. — TikTok Pixel and Events API for measurement and advertising on TikTok, where applicable. TikTok Privacy Policy.
You can opt out of advertising cookies and pixels at any time using the cookie banner on the Site, by adjusting your browser settings, or as described in Section 9. Opting out does not affect transactional emails or your ability to place an order.
5.4 Operational and legal recipients
- Shipping carriers — UPS, USPS, FedEx, and similar, to deliver your order.
- Customer support tooling — Gmail, helpdesk software, and similar, to respond to your inquiries.
- Professional advisers — accountants, auditors, and legal counsel, where reasonably necessary.
- Authorities — when required by law, court order, or to protect our rights, your safety, or the safety of others.
- In a corporate transaction — to a buyer or successor entity in the event of a merger, acquisition, financing, reorganization, or sale of assets, in which case we will require the recipient to honor this policy.
6. Cookies, pixels, and similar tracking technologies
The Site uses cookies, pixels, and SDKs (collectively "tracking technologies"). They fall into four buckets:
- Strictly necessary — required to operate the Site, the cart, and checkout. These cannot be disabled.
- Functional — remember your preferences (such as language or saved cart).
- Analytics — Shopify analytics and Google Analytics, used to understand how the Site is used in aggregate.
- Advertising and measurement — including the Pinterest Tag, Meta Pixel, Google Ads tag, and TikTok Pixel. These are used to measure ad effectiveness, attribute conversions, retarget visitors, and build lookalike audiences. They are loaded only with your consent where consent is required by law (EEA, UK, and applicable US states).
You can manage your preferences at any time through the cookie banner, your browser, or your device settings. Disabling advertising cookies will not block you from buying — it will only stop the corresponding measurement and retargeting.
7. Pinterest-specific disclosures
Because Pinterest applies a specific joint-controller framework to advertiser data, we disclose the following separately:
- What is shared with Pinterest. When the Pinterest Tag or Pinterest Conversions API is enabled, your interactions on the Site (page views, add-to-cart, checkout, purchase, and similar events) and pseudonymous identifiers (such as hashed email and IP address) may be transmitted to Pinterest.
- Why it is shared. To measure the performance of our Pinterest ads, attribute conversions, optimize bidding, and build audiences (including lookalike audiences) for future Pinterest campaigns.
- How you can opt out. Decline advertising cookies in our cookie banner, set your browser to block third-party cookies, or use Pinterest's own privacy controls at pinterest.com/settings/privacy.
- Pinterest Developer Platform. Warm by Design is a registered Pinterest developer and uses the Pinterest API in compliance with the Pinterest Developer Guidelines and the Pinterest Developer Terms of Service. We use the API only for our own first-party advertising, catalog, and content operations on our own Pinterest business account; we do not provide a tool, app, or service to third parties through the Pinterest API.
8. Joint controller arrangement (EEA and UK)
If you are located in the European Economic Area or the United Kingdom and we collect personal data about you through a Pinterest Ad Service feature (including the Pinterest Tag or the Pinterest Conversions API), Pinterest Europe Limited and Warm by Design are joint controllers of that personal data, as defined in the Joint Controller Addendum to the Pinterest Advertising Services Agreement.
Reasons for joint processing. The joint processing exists so that we can (a) measure how our Pinterest ads perform, (b) attribute conversions on the Site to Pinterest campaigns, (c) optimize bidding, and (d) build and refine audiences (including lookalike audiences) for future campaigns. Without joint processing, advertising on Pinterest would not be measurable in any meaningful way.
Allocation of responsibility. Under the Joint Controller Addendum, Warm by Design is responsible for obtaining any required consent from you before the Pinterest Tag or Conversions API collects data on the Site, providing this notice, and honoring your data-subject requests. Pinterest is responsible for the security of the data once it has been transmitted to Pinterest, for honoring data-subject requests directed to Pinterest, and for the lawfulness of any further processing it undertakes as a controller in its own right.
How to exercise your rights. You may exercise your data-subject rights (access, deletion, correction, objection, restriction, and portability) against either joint controller. Contact support@warmbydesign.com for requests directed at Warm by Design, or use Pinterest's privacy controls at pinterest.com/settings/privacy for requests directed at Pinterest.
An equivalent joint-controller arrangement applies to Meta Platforms Ireland Limited for Meta Pixel and Conversions API events transmitted from the Site, under Meta's Controller Addendum.
9. Your rights and choices
Subject to applicable law, you have the right to:
- Know and access the personal information we hold about you.
- Correct inaccurate personal information.
- Delete your personal information.
- Receive a portable copy of personal information you have provided.
- Opt out of marketing email (unsubscribe link in any email) and SMS (reply STOP).
- Opt out of "sharing" of personal information for cross-context behavioral advertising and of the use of advertising cookies and pixels — through the cookie banner or by emailing support@warmbydesign.com.
- Withdraw consent where processing is based on consent (this does not affect the lawfulness of processing prior to withdrawal).
- Object to processing based on legitimate interests, where applicable.
- Have an authorized agent submit requests on your behalf, with proof of authorization.
- Non-discrimination — we will not deny you goods or services, charge a different price, or provide a different level of quality because you exercised any of these rights.
To exercise any of these rights, email support@warmbydesign.com with the subject line "Privacy request." We will verify your identity (typically by matching your email to an order on file) and respond within the time required by applicable law (45 days for CCPA/CPRA requests, one month for GDPR/UK GDPR requests).
California "Shine the Light." California residents may request information about disclosures of personal information for direct marketing purposes. Send the request to the email above with the subject line "Shine the Light request."
Global Privacy Control (GPC). We honor the Global Privacy Control browser signal as a valid opt-out of "sharing" of personal information under the CPRA.
10. Security
We implement appropriate technical and organizational measures designed to protect personal information against unauthorized access, alteration, disclosure, and destruction. These include encryption in transit (TLS), access controls, principle-of-least-privilege account permissions, and reliance on PCI-DSS-compliant payment processors so that we never store full card numbers.
No method of transmission or storage is perfectly secure. We cannot guarantee absolute security, but we work to keep risk low.
11. Data breach notification
If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will:
- Notify the competent supervisory authority (the relevant EU/EEA Data Protection Authority or the UK Information Commissioner's Office) within 72 hours of becoming aware of the breach, where required by Article 33 of the GDPR or its UK equivalent.
- Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Article 34 GDPR), and provide a description of the breach, its likely consequences, and the measures we are taking.
- Notify state attorneys general and affected residents in accordance with applicable US state breach-notification laws (including California Civil Code §1798.82).
- Where a breach involves data jointly processed with Pinterest (or another joint-controller advertising partner), cooperate with that partner under the relevant Joint Controller Addendum, including reciprocal notification within the timelines that addendum requires.
12. Data retention
We retain personal information for as long as needed to provide the Site and our products, comply with our legal obligations (including tax, accounting, and consumer-protection record-keeping), resolve disputes, and enforce our agreements. Specifically:
- Order and transaction records: seven years (US tax retention).
- Marketing contacts: until you unsubscribe, plus a suppression record kept indefinitely so we do not contact you again.
- Site analytics and advertising-event data: per the retention schedules of Shopify, Google Analytics, Pinterest, Meta, and TikTok (typically 14–26 months).
- Support correspondence: three years after the most recent message.
13. International transfers
We are based in the United States, and most of our service providers (including Shopify, Klaviyo, Pinterest, Meta, Google, and TikTok) process data in the United States and other countries outside the EEA and UK. Where personal data is transferred from the EEA or UK to a country that has not received an adequacy decision, we and our processors rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and the EU–US Data Privacy Framework where the recipient is certified.
14. Children's data
The Site is intended for adults. We do not knowingly collect personal information from anyone under 16, and we do not direct marketing to children. If you believe a child has provided us with personal information, contact support@warmbydesign.com and we will delete it.
15. Third-party websites and links
The Site may link to third-party websites and platforms (including our profiles on Pinterest, Instagram, TikTok, and YouTube). We are not responsible for the privacy practices of those third parties. Their privacy notices govern data they collect from you when you visit them.
16. Complaints
If you are not satisfied with our response to a privacy request, you may lodge a complaint with the data-protection authority in your jurisdiction:
- EEA — your local Data Protection Authority. A list is available at edpb.europa.eu/about-edpb/about-edpb/members.
- United Kingdom — the Information Commissioner's Office at ico.org.uk/make-a-complaint.
- California — the California Privacy Protection Agency at cppa.ca.gov.
17. Changes to this privacy policy
We may update this policy from time to time. The "Last updated" date at the bottom reflects the current version. Material changes — including changes that broaden how we share data with advertising partners or change the legal basis for processing — will be communicated through a notice on the Site, and where practicable, by email to recent customers.
18. Contact
Privacy questions, requests, and complaints can be sent to support@warmbydesign.com or by mail to:
Warm by Design
Attn: Privacy
145 S Glenoaks Blvd, Suite [TBD]
Burbank, CA 91502
United States
Last updated 2026-05-01.