Our website address is: https://carlacookiebox.com/. We are a Canadian, family-run bakery shipping desserts across Canada and the United States.

This Privacy Policy explains how we collect, use, and protect your information when you browse, place an order, or interact with our site.

By using our website, you agree to this Privacy Policy as well as our Terms & Conditions and Return & Refund Policy.

When visitors leave comments on the site, we collect the data shown in the comments form, plus the visitor’s IP address and browser user agent string to help with spam detection and security.

An anonymized string (hash) created from your email address may be sent to the Gravatar service to see if you are using it. Their privacy policy is here: https://automattic.com/privacy/. After your comment is approved, your profile picture may be visible to the public in the context of your comment.

We use third-party processors WooPayments/Stripe and PayPal to securely handle payments. We do not store full credit card numbers on our servers.

These payment providers may collect and process your name, email, billing and shipping addresses, IP address, device information, and order details to:

• process transactions
• verify your identity
• prevent fraud and abuse
• comply with financial and legal regulations

Data may be processed outside Canada (for example, in the United States or the EU) depending on the provider. For more details, please review their privacy policies directly.

If you upload images to the website (for example, in forms or reviews), you should avoid uploading images with embedded location (EXIF GPS) data. Visitors to the website may download and extract any location data from images on the site.

We use cookies to improve your experience, keep your cart intact, and understand how our website is used.

• Essential cookies – needed for login, checkout, and remembering your cart.
• Preference cookies – remember your settings and choices.
• Analytics cookies – help us understand traffic, popular pages, and improve our site.
• Marketing cookies – used (if you opt in) for email/SMS campaigns and social media ads.

Some cookies are set by WordPress and WooCommerce (e.g., login and screen options). You can manage cookies in your browser settings, but disabling them may affect checkout or account features.

For more details, see our dedicated Cookies Policy.

Articles and pages on this site may include embedded content (for example, videos, images, Instagram feeds, or product reviews). Embedded content from other websites behaves in the exact same way as if you visited the other website directly.

These websites may collect data about you, use cookies, embed third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction if you have an account and are logged in to that website.

If you request a password reset, your IP address may be included in the reset email to help with security and abuse prevention.

For more detail on third-party tools, see the “Third-Party Data Sharing” section below.

If you leave a comment, the comment and its metadata are retained indefinitely so we can recognize and approve follow-up comments automatically instead of holding them in a moderation queue.

For customers who create an account, we store the personal information they provide in their profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

Order-related information is retained as long as needed for tax, legal, fraud-prevention, and product-safety reasons.

If you have an account on this site, or have left comments or placed orders, you can request an exported file of the personal data we hold about you, including any data you have provided to us.

You can also request that we erase any personal data we hold about you, except data we are obliged to keep for administrative, legal, or security purposes (for example, order records for tax compliance).

To make a request, please contact us at support@carlacookiebox.com.

Visitor comments and some form submissions may be checked through automated spam and security detection services. Data may be processed on servers outside of Canada depending on the tools we use (for example, hosting, analytics, or email providers).

By providing your phone number during checkout or any SMS opt-in form, you consent to receive text messages from Carla’s Cookie Box, including order updates, customer support messages, promotional offers, and abandoned cart reminders.

Message frequency varies. Message & data rates may apply, depending on your mobile carrier.

You can opt out at any time by replying STOP to any SMS message. For help, reply HELP or contact us at support@carlacookiebox.com.

Abandoned cart messages may be sent if you begin checkout, provide your phone number, and do not complete your purchase. You can opt out of these reminders at any time using the same STOP command.

We work with trusted third-party providers who help us run our business. They receive only the information needed to perform their services, such as:

• WooCommerce, WooPayments/Stripe, PayPal – payment processing and fraud prevention
• Shipping & logistics – platforms like ClickShip, Stallion Express, Canada Post, UPS and other couriers to label, ship, and track orders
• Marketing & analytics – tools such as Klaviyo, Google Analytics, Meta (Facebook/Instagram) to send emails, measure traffic, and run ads
• Customer support – platforms like Re:amaze for customer service and ticketing
• Hosting & security – providers such as Rocket.net, Cloudflare, and WordPress-related services

These providers may process data outside of Canada (including in the U.S. or EU). We aim to work only with services using industry-standard security and privacy practices.

We may use your approximate location to:

• estimate shipping timelines and costs
• apply the correct taxes and currency
• prevent fraud and suspicious orders
• send relevant messages about shipping or availability

Location may be inferred from your IP address, device settings, or shipping/billing address. We do not access precise GPS location unless you explicitly allow it in your device or browser settings, which you can change at any time.

We do not sell your personal information.

If you are covered under GDPR, CCPA, or similar privacy laws, you may have rights to:

• access the personal data we hold about you
• request correction or deletion
• limit or object to certain processing
• opt out of specific types of targeted advertising or sharing

To submit a privacy request, email us at support@carlacookiebox.com with the subject “Privacy Request.” We may ask for verification to protect your account.

We ship desserts across Canada and to parts of the United States. Our email and SMS tools may use approximate location (for example, region or province) to:

• confirm that shipping is available to your area
• send region-specific promos or notices
• communicate weather or courier-related delays that could affect delivery

This helps us keep messages more accurate, relevant, and honest about your expected delivery experience.

For shipping issues, please see our Shipping Issue / Claims Form and Return & Refund Policy.

By using our website, creating an account, placing an order, or opting into email/SMS marketing, you consent to the data practices described in this Privacy Policy.

If we make material changes to this policy, we will update the “Last updated” date at the top of this page.

If you have questions about your data or this Privacy Policy, please contact us at support@carlacookiebox.com or use our Contact Page.