Privacy policy

How we handle your information.

Effective date: May 26, 2026. Last updated: May 26, 2026.

TheSweetsTruck is a California-based importer and distributor of Swedish and Scandinavian candy serving customers in the United States, Canada, and Sweden. This policy explains what personal information we collect when you visit thesweetstruck.com, place an order, apply for a wholesale account, or sign up for our newsletter, and how we use, share, and protect it.

1. Who we are

“TheSweetsTruck,” “we,” “us,” and “our” refer to the business operating thesweetstruck.com from California, USA. Our primary point of contact for privacy matters is privacy@thesweetstruck.com. For everything else (orders, wholesale, general questions) reach us at hello@thesweetstruck.com.

For visitors located in the European Economic Area (EEA) or Sweden specifically, TheSweetsTruck acts as a data controller under the General Data Protection Regulation (GDPR) for personal data we collect through the website and our order, wholesale, and marketing flows.

2. Information we collect

2.1 Information you give us directly

  • Account and order information. Name, email, shipping and billing addresses, phone number (when provided), order history, the products you buy, and any notes you add to an order.
  • Wholesale application information. Business name, business address, role/title, business email and phone, estimated monthly volume, the brands or categories you're interested in, and any details you provide in the free-text field. Our wholesale application form posts to an internal review channel where our team triages new applications. Approved applicants get a Tier 1 wholesale account.
  • Newsletter signups. Email address and the source page of the signup, so we know which lead magnet brought you in.
  • Communications. The contents of emails, contact-form messages, support requests, and chat threads you start with us.

2.2 Information collected automatically

  • Device and connection data. IP address, approximate location derived from IP (country and region only), user agent, browser language, time zone, referring URL, and the pages you view on our site. We use Cloudflare as our CDN and edge platform, and Cloudflare may log this information for security, abuse prevention, and routing.
  • Analytics events. Pageviews, clicks on key UI elements, add-to-cart and checkout actions, search queries on our store, and similar interaction events. These are tagged in Cloudflare Zaraz and forwarded to the analytics destinations listed in section 5. Server-side events fire from our Workers runtime to the same destinations. We do not include direct identifiers (plaintext email or phone) in analytics payloads; pseudonymous user IDs may be included.
  • Cookies and storage. See section 12 for the full list. Key cookies include _medusa_country (your selected market), _medusa_cache_id (cache key for your session), and authentication cookies after you log in.

2.3 Information from third parties

  • Payment confirmations. Our payment processor (Stripe) confirms whether a payment succeeded and returns the last four digits and card brand for display. We do not store full card numbers; Stripe does.

3. How we use information

We use personal information to:

  • Process orders, calculate accurate region-specific pricing in USD, CAD, or SEK, charge payment, ship products, handle returns, and provide customer support.
  • Review wholesale applications and operate B2B account features (tier pricing, MOQ tracking, Net-30 terms once a first paid order has cleared).
  • Send transactional messages: order confirmations, shipping updates, delivery notifications, wholesale account status, password resets, and similar service emails.
  • Send marketing emails to people who have opted in, including launch announcements, restocks, and seasonal selections. Every marketing email contains a one-click unsubscribe.
  • Measure how the site performs: page speed, conversion funnels, search effectiveness, and aggregate behavioral patterns. We use this to improve the catalog, the checkout, and the buying experience.
  • Detect, prevent, and respond to fraud, abuse, account takeover, scraping, and security incidents.
  • Comply with legal obligations including tax reporting, FDA labeling and import compliance, customs filings (for cross-border shipments), and lawful requests from authorities.

If you are in the EEA or Sweden, our legal bases for processing your personal data are:

  • Contract. Processing necessary to fulfill an order, manage a wholesale account, or respond to a request you submitted.
  • Consent. Marketing emails and non-essential cookies and analytics. You can withdraw consent at any time.
  • Legitimate interests. Security, fraud prevention, basic site analytics in aggregate, and improving our product offering, where these interests are not overridden by your rights.
  • Legal obligation. Tax, accounting, food-labeling, and customs compliance.

5. Who we share information with

We do not sell personal information. We share information only with service providers acting on our instructions, and with authorities when legally required. The processors below receive the minimum data needed for their function.

Processor | Purpose | Region
Stripe, Inc. | Payment processing, fraud detection | USA
Resend, Inc. | Transactional and marketing email delivery | USA (us-east-1)
Cloudflare, Inc. | CDN, DNS, edge compute (Workers), object storage (R2), DDoS and bot protection, server-side tag management (Zaraz) | Global edge, USA HQ
Hetzner Online GmbH | Server hosting for our backend | Germany (EU)
PostHog, Inc. (EU Cloud) | Product analytics, error tracking | Germany (EU)
Cloudflare Zaraz destinations: Google Analytics 4, Meta Pixel, TikTok Pixel | Aggregate analytics and conversion measurement when you have consented to marketing/analytics cookies | Various

We may add or remove processors as our stack evolves. Material changes will be reflected here and the “Last updated” date at the top of this page will move.

We may also disclose information:

  • To comply with a valid legal request, subpoena, court order, or applicable law.
  • To enforce our Terms of Service or protect the rights, property, or safety of TheSweetsTruck, our customers, or the public.
  • In connection with a merger, acquisition, financing, reorganization, sale of business assets, or insolvency, where the information remains subject to substantially similar protections.

6. International data transfers

We operate from California, our backend is hosted on EU servers (Hetzner, Germany), our object storage is in the EU (Cloudflare R2, EEUR location), our transactional email runs through Resend in the United States (us-east-1, Virginia), and we serve customers in the US, Canada, and Sweden. Personal information will therefore travel between the United States, the European Union, and Canada in the normal course of operating the service.

When we transfer personal data of EEA, UK, or Swiss data subjects outside the EEA, we rely on appropriate safeguards including the European Commission's Standard Contractual Clauses with the receiving party, supplementary measures where required, and adequacy decisions where they apply. For more information about a specific transfer, contact us at privacy@thesweetstruck.com.

7. How long we keep information

We keep personal information only as long as we need it for the purposes described in this policy, then we delete or anonymize it. Specific retention windows:

  • Order records: retained for the longer of (a) seven years, to satisfy US and Canadian tax and accounting obligations, or (b) the period required by California, federal, and import/export law.
  • Account data: retained for as long as your account is active, plus 24 months of inactivity before we close and purge it.
  • Wholesale applications that were not approved: retained for 24 months to prevent duplicate submissions and resolve disputes, then deleted.
  • Marketing list: retained until you unsubscribe, then removed from active sends within a few days. We may keep a suppression record (your email and the fact that you unsubscribed) so we don't accidentally re-add you.
  • Support correspondence: retained for 36 months from the last message.
  • Analytics events (PostHog and Zaraz destinations): retained per each tool's default. PostHog event data is retained for up to 12 months in our EU project unless we shorten it.
  • Server and security logs: retained 30 to 90 days for operational and security purposes, then rotated out.

8. Security

We use a combination of technical and organizational measures to protect personal information, including:

  • TLS 1.2 or higher (HSTS preload-enabled) for every public endpoint.
  • Encryption at rest for our object storage and database backups.
  • Cloudflare Access in front of administrative endpoints, with service tokens used for automation and short-lived sessions for human access.
  • Strong content security headers (CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy, X-Content-Type-Options) applied at the edge.
  • Least-privilege scoping for storage tokens and API credentials.
  • Routine encrypted database backups with retention and integrity checks.
  • Code review and least-deployable-blast-radius for changes that touch personal data flows.

No system can be 100% secure. If you suspect a vulnerability, please email security@thesweetstruck.com or see our security contact at /.well-known/security.txt for coordinated disclosure.

9. Your rights and choices

Depending on where you live, you may have some or all of the following rights:

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Ask us to fix information that is inaccurate or incomplete.
  • Deletion: Ask us to delete your personal information, subject to legal retention obligations (such as keeping order records for tax purposes).
  • Portability: Receive a copy of your information in a portable format (CSV or JSON).
  • Restriction or objection: Ask us to limit or stop certain uses, including objecting to processing based on legitimate interests.
  • Withdrawal of consent: Where we rely on consent (marketing emails, optional analytics cookies), you can withdraw it at any time without affecting the lawfulness of past processing.
  • Complaint: If you're in the EEA, file a complaint with your local data protection authority. In Sweden that's the Integritetsskyddsmyndigheten (IMY).

To exercise any of these, email privacy@thesweetstruck.com from the address associated with your account. We may ask for additional information to verify your identity. We respond within 30 days (45 days where the law allows an extension for complex requests, with notice to you).

You can unsubscribe from marketing emails at any time using the link at the bottom of any marketing message, or by replying with the word “unsubscribe.”

10. California residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) gives you the rights to know, access, correct, delete, and limit certain uses of your personal information, plus the right to opt out of “sale” or “sharing” for cross-context behavioral advertising, and the right not to receive discriminatory treatment for exercising these rights.

  • Sale of personal information: We do not sell personal information for money.
  • Sharing for cross-context behavioral advertising: When you consent to marketing/analytics cookies and we forward analytics events to Meta Pixel, TikTok Pixel, or Google Analytics 4 through Cloudflare Zaraz, this can qualify as “sharing” under CPRA. You can opt out at any time by declining or revoking analytics consent on our site, or by emailing privacy@thesweetstruck.com with “CCPA opt-out” in the subject. We also honor the Global Privacy Control (GPC) signal sent by your browser as a valid opt-out for sharing.
  • Categories of personal information collected in the past 12 months, per CCPA definitions: identifiers (name, email, IP, device ID), customer records (shipping/billing addresses, order history), commercial information (purchase history, wholesale activity), internet activity (pages viewed, interactions), geolocation (region/country, not precise), and inferences drawn from the above (audience segments).
  • Sensitive personal information. We do not knowingly collect sensitive personal information as that term is defined under CPRA, and we do not use it to infer characteristics about you.
  • Authorized agents. You may designate an authorized agent to act on your behalf. We will verify the agent's authority and may request that you confirm directly.
  • Shine the Light. California Civil Code §1798.83 permits California residents to request information about disclosures of personal information to third parties for direct marketing purposes. We do not currently disclose personal information to third parties for their own direct marketing.

11. Canadian residents (PIPEDA, Quebec Law 25)

If you are in Canada, we handle personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA), and, if you reside in Quebec, in accordance with Law 25. You have the rights of access, correction, withdrawal of consent, and (in Quebec) data portability and the right to be informed of automated decision-making. Direct requests to privacy@thesweetstruck.com. If we have not resolved your concern, you may contact the Office of the Privacy Commissioner of Canada, or the Commission d'accès à l'information in Quebec.

12. Cookies and similar technologies

We use first-party cookies and local storage for essential site features and, with your consent, for analytics and marketing measurement. Key items:

  • Essential (no consent required): _medusa_country (region selection, 30 days), _medusa_cache_id (per-session cache key, 1 day), authentication cookies after you log in, CSRF cookies, and Cloudflare's __cf_bm bot-management cookie.
  • Analytics and marketing (consent required): cookies and storage set by Cloudflare Zaraz on behalf of Google Analytics 4, Meta Pixel, and TikTok Pixel to measure conversion and aggregate audience behavior. You can revoke consent at any time from the cookie banner.

Your browser also lets you block or delete cookies. Doing so may break parts of the site (region selection, login persistence, cart contents).

13. Children

TheSweetsTruck is not directed to children under 13, and we do not knowingly collect personal information from anyone under 13. If you believe a child has provided us personal information, contact privacy@thesweetstruck.com and we will delete it promptly. Wholesale accounts require the applicant to be 18 or older and acting on behalf of a registered business.

14. Changes to this policy

We may update this policy as our services and the law evolve. The “Last updated” date at the top reflects the most recent change. Material changes will be notified by email to registered customers and posted prominently on the site at least 14 days before they take effect.

15. Contact us

Privacy questions, rights requests, and complaints: