Rose + Thyme

Privacy Policy

Last updated: May 23, 2026

At Rose + Thyme, we make clean, small-batch skincare — and we take the same approach to data. We collect only what we need to deliver your orders, send you the newsletters you ask for, and keep the site secure. This policy explains, in plain language, what we collect, why we collect it, who we share it with, and how you can control your information.

If you have questions about anything in this policy, email us at admin@therosethyme.com.

Who we are

Rose + Thyme ("we", "us", "our") operates the website at therosethyme.com. We are the data controller for the personal information described in this policy. For data-protection questions reach us at admin@therosethyme.com.

What we collect

The categories of information we collect depend on how you interact with us:

  • When you place an order: your name, email address, phone number (optional), shipping address, the items you bought, and the order total. Payment card details are entered directly into PayPal's secure iframe and never touch our servers — we receive only a transaction confirmation and, for billing verification, the billing address you provide.
  • When you subscribe to our newsletter: your email address and the source of the signup (e.g. footer form vs. homepage popup). We also store the date you joined and, if you unsubscribe, the date you opted out.
  • When we ship your order: the tracking number and carrier we entered when fulfilling the package.
  • When you browse: standard server logs (IP address, browser type, pages visited, referring URL, timestamps), short-lived cookies that keep your cart and login session working, and a Pinterest tag that records page views and checkout events for advertising attribution (see "Cookies and tracking" below).
  • When you email us: the content of your message and your email address so we can reply.

We do not collect government IDs, financial account numbers, biometric data, precise geolocation, or health information.

How we use your information

  • Fulfill your orders: process payment, pack and ship your items, send confirmation and tracking emails, handle returns or refunds.
  • Provide customer support: respond to your questions and resolve issues with orders.
  • Send newsletters and promotional emails (only after you opt in): new launches, restocks, brand stories, and the welcome discount code we promised when you signed up. Every email has a one-click unsubscribe link.
  • Run and improve the site: server logs and aggregate analytics help us debug errors, prevent fraud, and understand which pages people find useful.
  • Marketing measurement: we use the Pinterest tag to measure how ads on Pinterest drive visits and purchases to our site. This lets us decide where to spend our marketing budget without you needing to opt in to anything extra.
  • Comply with the law: tax reporting, fraud investigation, and responding to lawful requests.

Legal bases (for visitors in the UK, EU, and Switzerland)

If you are in the UK, European Union, or Switzerland, we rely on the following legal bases under the GDPR to process your personal data:

  • Contract: processing your order and sending order-related emails.
  • Consent: sending you marketing newsletters and dropping non-essential cookies (where required by your jurisdiction).
  • Legitimate interest: keeping the site secure, preventing fraud, measuring how well our marketing works.
  • Legal obligation: retaining tax records and responding to lawful requests.

Who we share information with

We do not sell your personal information. We share data only with the service providers who help us run the business, and only the minimum they need to do their job. Our current processors are:

  • PayPal — processes payments and stores card details on our behalf. We never see or store your card number.
  • Resend — sends transactional emails (order confirmations, shipping notifications, welcome emails) and our newsletter.
  • Render — hosts the website and our database (United States data centers).
  • Pinterest — receives anonymous page-view and checkout signals via the Pinterest tag for advertising measurement.
  • Shipping carriers (USPS, UPS, FedEx, DHL) — receive your shipping address to deliver your package.

We may also disclose information when legally required to do so (e.g. court order, tax authority request) or to protect our rights or the safety of others.

Cookies and tracking

The site uses three categories of cookies and similar technology:

  • Strictly necessary — small HTTP cookies that keep your shopping cart working between page loads (rt_cart) and keep the admin signed in (rt_admin). The site cannot function without these.
  • Functional — browser localStorage entries that remember whether you dismissed the welcome popup (rt_newsletter_popup) and whether we've already fired a conversion event for your order (rt_pinterest_checkout_fired).
  • Marketing measurement — the Pinterest tag sets cookies on ct.pinterest.com to attribute visits and purchases to Pinterest ads. You can opt out of Pinterest's ad personalization at pinterest.com/settings/privacy.

Most browsers let you block or delete cookies in their settings. Blocking strictly necessary cookies will break the shopping cart.

How long we keep your information

  • Order records: seven years, to comply with tax and accounting obligations.
  • Newsletter subscribers: until you unsubscribe, then we keep your email on a suppression list so we don't accidentally email you again.
  • Discount codes: until they expire or are redeemed, plus a short window afterwards for support purposes.
  • Server logs: 90 days, then rotated and discarded.
  • Support emails: as long as needed to resolve your issue, and up to two years afterward for reference.

Your rights

Depending on where you live, you may have the right to:

  • Ask us what personal information we hold about you.
  • Correct information that's inaccurate.
  • Delete your information (subject to legal retention requirements).
  • Export your information in a portable format.
  • Withdraw consent to marketing at any time.
  • Object to processing based on legitimate interest.
  • Lodge a complaint with your local data-protection authority (e.g. the ICO in the UK, your state attorney general in the US).

To exercise any of these rights, email admin@therosethyme.com with the request. We'll verify your identity and respond within 30 days.

California residents: under the CCPA/CPRA you also have the right to know what categories of personal information we have collected and disclosed in the past 12 months. We do not sell personal information as defined by California law, and we do not knowingly process personal information of anyone under 16.

Security

We use TLS (HTTPS) for all traffic, hash and salt the admin password using bcrypt (or compare in constant time), store data in a managed Postgres database with access restricted to the production application, and use a signed session token for admin authentication. Card data is processed entirely inside PayPal's PCI-compliant infrastructure — we never see or store it.

No system is perfectly secure. If you suspect your account or information has been compromised, email admin@therosethyme.com and we'll investigate.

Children's privacy

Our products are intended for adults. We do not knowingly collect personal information from anyone under 13 years of age (or 16 in the EU/UK). If you believe a child has provided us with personal information, contact us and we will delete it.

International transfers

Our servers and most of our service providers are located in the United States. If you access the site from outside the US, your information will be transferred to and processed in the US, which may have different data-protection rules than your home country. By using the site or providing us with your information you consent to this transfer.

Changes to this policy

We may update this policy from time to time as the business or the law changes. When we make material changes we'll update the "Last updated" date at the top and, where required, notify subscribers by email. Continued use of the site after a change means you accept the updated policy.

Contact

For any privacy question, request, or complaint, email admin@therosethyme.com. We'll respond within 30 days.