Privacy Policy

1. Information We Collect

We collect the following categories of information:

a) Information you provide directly:

• Account details: name, email address, password (stored as a one-way hash — we never see your plaintext password).
• Order details: billing address, shipping address(es), gift recipient information, phone number (if provided), gift messages, and order history.
• Payment details: payment card information is collected and processed directly by our third-party payment processor (Square). We do not store full card numbers; we retain only the last 4 digits and a token reference for refund and reconciliation purposes.
• Communications: emails or messages you send to us (e.g., support requests).

b) Information collected automatically:

• Technical data: IP address, browser type and version, device type, operating system, referring URL, and pages visited.
• Cookies and similar technologies: session cookies (to keep you logged in and to associate items with your cart), security cookies (for CSRF protection and rate-limiting), and analytics cookies (if Google Analytics or Google Tag Manager is enabled).

c) Information from third parties:

• Address validation results from USPS when you enter a shipping address.
• Tax-rate lookups based on the ZIP code you enter at checkout.
• Shipping and tracking updates from our shipping providers (ShipEngine, USPS, UPS, etc.).

2. How We Use Your Information

We use the information we collect to:

• Process and fulfill your orders, including arranging shipping and calculating tax;
• Communicate with you about your account, orders, shipments, returns, and refunds;
• Send you transactional emails (order confirmations, shipping notifications, password resets, abandoned-cart reminders, etc.);
• Send you marketing emails or promotions about Grebe's products, where permitted by law and only until you opt out;
• Maintain the security of the Site, including detecting and preventing fraud, abuse, and unauthorized access;
• Analyze how the Site is used so we can improve it (page views, product popularity, checkout funnel performance);
• Comply with legal obligations, respond to lawful requests, and enforce our Terms of Use.

3. How We Share Your Information

We do not sell your personal information. We share information only with service providers who help us run the Site and only to the extent necessary for them to provide their service. These include:

• Payment processor: Square (for card processing and refunds).
• Shipping providers: ShipEngine, USPS, UPS, and other carriers selected for your order (for label creation, shipment, and tracking).
• Address validation: USPS Address Verification.
• Tax lookup: ZipTax (for sales-tax rate determination).
• Email delivery: Our SMTP / transactional email provider (for sending the emails described above).
• Analytics: Google Analytics / Google Tag Manager, if enabled in our site settings (see Section 5 below for cookie opt-out details).
• Hosting and backups: Our hosting provider and Amazon Web Services (Amazon S3 for encrypted backup storage).

We may also disclose information when required by law, to cooperate with law enforcement, to protect our rights or those of third parties, or in connection with a business transfer (e.g., a sale or reorganization). Any such successor will be bound to respect this Policy.

4. How Long We Keep Information

We keep personal information for as long as it is needed to provide the services you request, comply with legal and tax obligations, resolve disputes, and enforce our agreements. Inactive guest carts are deleted after 30 days; inactive customer carts after 90 days. Order records are retained for the periods required by tax and accounting law. Marketing email lists are kept until you unsubscribe.

5. Cookies and Tracking Technologies

Cookies are small text files stored on your device. We use:

• Strictly necessary cookies to operate the Site, keep you signed in, hold your cart, and protect against abuse. These cannot be disabled without breaking site functionality.
• Analytics cookies (Google Analytics / GTM) to understand how the Site is used. You can opt out site-wide using browser settings, by enabling “Do Not Track,” by installing the Google Analytics Opt-Out Browser Add-on, or by clearing cookies for shop.grebesbakery.com.

Most browsers let you refuse new cookies or alert you when cookies are sent. Refer to your browser's help section for instructions.

6. Your Choices

• Account information: You can review and update your name, email, password, shipping addresses, and saved recipients at any time from your account page.
• Marketing emails: Every marketing email contains an unsubscribe link. You will continue to receive transactional emails (order confirmations, shipping updates, etc.) for active orders even after unsubscribing.
• Closing your account: Contact us at the email below to request closure. We may retain certain records (e.g., order history) as required by law.

7. Your Rights (Including California Residents)

Depending on where you live, you may have rights regarding your personal information, including:

• The right to know what personal information we hold about you and how we use it;
• The right to access or request a copy of your personal information;
• The right to correct inaccurate information;
• The right to delete your information, subject to legal retention requirements;
• The right to opt out of the sale or sharing of personal information — Grebe's does not sell your personal information;
• The right to be free from discrimination for exercising these rights.

To exercise any of these rights, email us at [email protected] with the subject line “Privacy Request” and a description of your request. We will respond within the timeframe required by applicable law (typically 45 days for California residents under the CCPA / CPRA). We may need to verify your identity before fulfilling the request.

8. Children's Privacy

The Site is intended for users 18 years of age or older. Grebe's does not knowingly collect personal information from children under 13. If you believe a child under 13 has provided personal information to us, please contact us at the email below and we will delete it.

9. Security

We use commercially reasonable administrative, technical, and physical safeguards to protect your information. Passwords are stored as one-way hashes (bcrypt). Payment card details are handled by Square and are not stored on our servers. Backups are encrypted in transit and at rest. No security system is impenetrable, however, and we cannot guarantee absolute security. If we become aware of a breach affecting your personal information, we will notify you in accordance with applicable law.

10. Third-Party Links

The Site may link to third-party websites we do not control. We are not responsible for those sites' content or privacy practices. Review their policies before submitting personal information.

11. International Users

Grebe's Bakery is based in West Allis, Wisconsin, USA, and the Site is intended for customers in the United States. If you access the Site from outside the United States, you do so on your own initiative and consent to your information being processed in the United States, which may have different data-protection laws than your country.

12. Changes to This Policy

We may update this Policy from time to time. The “Last updated” date at the top of this page shows when the Policy was last revised. Material changes will be effective when posted on the Site. Your continued use of the Site after the effective date of any changes constitutes your acceptance of the revised Policy.

13. Contact Us

Questions about this Policy or your information? Contact us at: