Privacy policy

EXCLUSIVE FABRICS & FURNISHINGS, LLC

DBA HALF PRICE DRAPES

COMPREHENSIVE PRIVACY POLICY

Effective Date: April 20, 2026

Last Updated: April 20, 2026

Applies To: Halfpricedrapes.com, operated by Exclusive Fabrics & Furnishings, LLC DBA Half Price Drapes (“HPD,” “we,” “us,” or “our”)

Notice to U.S. Consumers

Residents of California, Virginia, Colorado, Connecticut, Texas, Oregon, Montana, Delaware, Iowa, New Hampshire, New Jersey, Nebraska, Minnesota, Maryland, Tennessee, Indiana, Kentucky, Rhode Island, and other states with comprehensive privacy laws have specific rights regarding their personal information. See Sections 11–12. Submit requests through our Privacy Rights Request Portal.

We honor Universal Opt-Out Mechanisms (including Global Privacy Control signals) from residents of all states that require recognition of such signals.

1. Scope of This Policy and Your Consent

This Privacy Policy describes how Exclusive Fabrics & Furnishings, LLC DBA Half Price Drapes collects, uses, discloses, and protects personal information when you visit or make a purchase from Halfpricedrapes.com (the “Site”), use our mobile applications, contact our customer service team, or otherwise interact with us. It does not apply to third-party websites linked from our Site.

1.1 How We Obtain Your Consent

We obtain your consent through clear, affirmative actions — not through passive browsing or implied agreement. Specifically:

        Cookie & Tracking Consent: When you first visit our Site, we present a cookie consent banner requiring you to make an active choice (accept, decline, or customize). Non-essential tracking technologies — including advertising pixels, analytics scripts, session replay tools, and third-party tags — are technically blocked and do not fire, load, or execute until you affirmatively accept the relevant cookie category through our consent banner. Merely visiting or browsing the Site does not constitute consent to non-essential tracking.

        Marketing Consent: Email and SMS marketing require separate, affirmative opt-in (e.g., checking an unchecked box, submitting a sign-up form, or texting a keyword). Pre-checked boxes are never used.

        Account Consent: Creating an account or completing a purchase requires you to affirmatively acknowledge this Privacy Policy and our Terms of Service via a clickthrough mechanism (not a browsewrap).

1.2 Consent Integrity — No Dark Patterns

We do not use deceptive user interface designs (“dark patterns”) to obtain, manipulate, or subvert your consent. Specifically: our consent banner gives equal visual prominence to “Accept” and “Decline” options; we do not use confusing double negatives, misleading button labels, or asymmetric design that steers you toward a particular choice; declining consent does not degrade your core shopping experience; and we do not repeatedly prompt you to reconsider after you have declined. These commitments are consistent with enforcement guidance from the FTC and the California Privacy Protection Agency (CPPA) regarding manipulative consent practices.

2. Information We Collect

Data Minimization Principle

We collect only the personal information that is reasonably necessary to fulfill the purposes described in this Policy. We do not collect personal information that is excessive, irrelevant, or disproportionate to the services we provide. We regularly review our data collection practices to ensure they remain aligned with this principle and with applicable data minimization requirements under state privacy laws.

2.1 Information You Provide Directly

        Contact Information: name, email address, mailing/shipping address, phone number

        Account Credentials: username, password, account number

        Billing Information: payment card number, billing address (processed by our PCI-DSS compliant payment processor; we do not store full card numbers)

        Order Information: products ordered, custom specifications (e.g., curtain measurements, fabric choices), order history

        Communications: messages sent via contact forms, email, live chat (Tidio), phone, or customer service channels (see Section 9 for communication privacy protections)

        Marketing Preferences: opt-in/opt-out choices, including records of when and how consent was obtained

        User-Generated Content: product reviews, ratings, photos, or testimonials you voluntarily submit

2.2 Information Collected Automatically (Subject to Consent)

Important: The categories below marked with an asterisk (*) are collected only after you provide affirmative consent through our cookie consent banner. We do not collect this data from users who decline non-essential cookies.

        Strictly Necessary Data (no consent required): Shopify session identifiers, cart contents, authentication tokens, and security-related data necessary for the Site to function

        *Analytics Data: pages visited, time spent, links clicked, referral URLs, search queries on the Site, navigation paths

        *Advertising Data: ad impression and click data, conversion events, hashed identifiers transmitted to ad platforms

        *Device & Browser Data: IP address, browser type and version, operating system, device identifiers, screen resolution

        Transaction Data: purchase history, cart contents, abandoned cart data, coupon usage (collected as part of order processing)

        Inferred Data: consumer profiles and segments derived from your behavior (generated only from data for which consent has been obtained)

2.3 Information from Third Parties

        Data from advertising and analytics partners (e.g., audience segments, attribution data)

        Data from marketplace platforms (e.g., Amazon)

        Publicly available information used to enhance our records

        Data from consent management and identity verification providers

2.4 Sources of Collection

We collect personal information: (a) directly from you — when you create an account, place an order, subscribe to marketing, use live chat, submit a form, or write a review; (b) automatically from your device — through cookies, pixels, and similar technologies, subject to your consent preferences as described in Section 7 (strictly necessary data is collected automatically; all other automated collection requires affirmative consent); and (c) from third-party sources — including advertising and analytics platforms (e.g., Google, Meta), marketplace platforms (e.g., Amazon), data enrichment providers, consent management platforms, and publicly available sources.

3. Legal Basis for Processing

We process your personal information only when we have a valid legal basis. Where the legal basis is consent, tracking technologies are not activated until that consent is received.

| Processing Purpose | Legal Basis | Explanation |
| --- | --- | --- |
| Order fulfillment | Contractual necessity | Processing your order, payment, shipping, and customer support requires your data to perform the contract of sale. |
| Account management | Contractual necessity | Maintaining your account, order history, and preferences. |
| Transactional comms | Contractual / Legal | Order confirmations, shipping updates, return notifications. |
| Marketing emails & SMS | Consent (opt-in) | Promotional content only where you have affirmatively opted in. Withdraw consent at any time. |
| Personalized advertising | Consent (cookie banner) | Ads via third-party platforms based on behavior. Tracking not activated until consent. |
| Analytics & improvement | Consent (cookie banner) | Analyzing traffic and behavior. Analytics scripts load only after you accept. |
| Fraud prevention | Legitimate interest / Legal | Detecting and preventing fraud. Uses only strictly necessary data. |
| Legal compliance | Legal obligation | Retaining records and responding to lawful government/regulatory requests. |
| DSAR fulfillment | Legal obligation | Verifying identity and fulfilling access, deletion, correction, and opt-out requests. |

Where we rely on consent, you may withdraw it at any time via our Your Privacy Choices page, by emailing legal@halfpricedrapes.com, or by adjusting your cookie preferences. Withdrawal does not affect processing conducted prior to withdrawal.

4. How We Use Your Information

        Process and fulfill orders, including custom curtain production, shipping, delivery, and returns

        Manage your account and provide customer support across all channels

        Send transactional communications (order confirmations, shipping notifications, return status)

        Send marketing emails and SMS messages (only where you have affirmatively opted in)

        Serve personalized advertising on third-party platforms (only where you have consented to advertising cookies)

        Analyze Site traffic and behavior to improve our website (only where you have consented to analytics cookies)

        Conduct A/B testing and optimize marketing campaigns (only with consented data)

        Detect, prevent, and investigate fraud and security incidents (using only strictly necessary data)

        Comply with legal obligations and enforce our Terms of Service

        Respond to data subject rights requests

        Conduct data protection assessments where required by applicable law

4.1 Sensitive Personal Information

We do not use sensitive personal information for advertising, profiling, or any purpose beyond what is strictly necessary to provide the goods or services you requested. Specifically:

        We do not collect or process sensitive personal information (as defined under the CCPA/CPRA, including Social Security numbers, driver’s license numbers, racial or ethnic origin, religious beliefs, biometric data, or precise geolocation) except as strictly necessary for business operations.

        Payment card data is processed exclusively by our PCI-DSS compliant payment processors and is never stored on our systems.

        We do not sell, share, or use sensitive personal information for cross-context behavioral advertising, profiling, or any secondary purpose under any circumstances.

        Where applicable law requires us to limit the use of sensitive personal information, we comply without requiring a consumer request.

No Sensitive Attribute Inference

We do not infer or derive sensitive personal characteristics — including but not limited to race, ethnicity, religion, sexual orientation, health conditions, disability status, immigration status, or precise income level — from your browsing behavior, purchase history, or any other data we collect. Our profiling and segmentation activities are limited to product and shopping preferences (e.g., curtain style, fabric type, room category).

4.2 Purpose Limitation

We do not use your personal information for purposes that are materially different from, incompatible with, or unrelated to the purposes disclosed in this Policy at the time of collection. If we wish to use your data for a new purpose, we will update this Policy and, where required by law, obtain your consent. We will never repurpose data collected for order fulfillment to train algorithms, build advertising models, or enrich third-party data sets.

4.3 Automated Decision-Making

We do not use automated decision-making technology (including algorithms or AI) to make decisions that produce legal or similarly significant effects concerning you — such as determining eligibility for credit, employment, housing, insurance, or other consequential outcomes.

Our use of technology is limited to: product recommendations based on browsing/purchase history; fraud detection scoring through payment processors (decisions flagged as potentially fraudulent are reviewed by a human before any order is cancelled); and email/SMS send-time optimization and audience segmentation (subject to opt-in consent).

4.4 Data Integrity Commitments

        No data brokerage or monetization: We do not license, rent, trade, or otherwise monetize personal information through data brokerage, cooperative databases, or any form of third-party data exchange.

        No shadow profiles or off-platform profiling: We do not create or maintain profiles about individuals based on data collected from third-party websites, data brokers, or external datasets. All profiling is limited to interactions on our Site where permitted by consent.

        No combining with external datasets: We do not combine personal information from our Site with external datasets obtained from data brokers or unrelated third parties for profiling, targeted advertising, or behavioral analysis.



5. Disclosure of Your Information

We share personal information with the following categories of recipients:

| Recipient Category | Purpose | Examples |
| --- | --- | --- |
| Payment Processors | Billing & fraud prevention | Stripe, PayPal, Shopify Payments |
| Shipping & Fulfillment | Order delivery | FedEx, UPS, USPS |
| Email Marketing | Email campaigns, automation, flows | Klaviyo |
| SMS Marketing | Text message campaigns & automation | Klaviyo SMS or similar |
| Advertising Networks | Paid ads, retargeting, audience matching (activated only after consent) | Google Ads, Meta, TikTok, Pinterest Ads, Microsoft/Bing Ads, Criteo |
| Connected TV | CTV ad delivery and measurement | Vibe CTV and similar DSPs |
| Demand-Side Platforms (DSP) | Programmatic advertising, audience targeting, and cross-device attribution | Amazon DSP (Amazon Advertising Platform) |
| Ecommerce Platform | Site hosting, checkout, order management | Shopify |
| Customer Service / Chat | Support ticketing and live chat (see Section 9) | Freshdesk, Tidio Chat |
| Analytics Providers | Traffic/behavior analysis (activated only after consent) | Google Analytics, Polar Analytics |
| Consent Management | Cookie consent, privacy preference center | OneTrust |
| Affiliate & Review | Affiliate tracking, product reviews | Impact, ShareASale |
| Legal & Compliance | Regulatory compliance, litigation | Legal counsel, government authorities |
| Business Transferees | Merger, acquisition, or asset sale | Successor entities |

We do not sell your personal information to data brokers or unaffiliated third parties for their own independent marketing purposes.

Important Notice: Ad Platform Data Sharing

When we share data with advertising networks and demand-side platforms (e.g., uploading hashed customer email lists, transmitting conversion events via pixels or server-to-server integrations, or enabling audience matching), this may constitute “sharing,” “selling,” or “targeted advertising” under applicable state privacy laws.

This includes integrations with platforms such as Google, Meta, TikTok, Pinterest, Microsoft Advertising, Criteo, Connected TV providers (such as Vibe), and demand-side platforms such as Amazon DSP.

These data transmissions occur only after and to the extent that you have provided affirmative consent to advertising cookies and tracking technologies through our consent management platform. See Sections 11–12 for your opt-out rights.

5.1 Vendor Accountability and AI/Machine Learning Restrictions

All third-party service providers that process personal information on our behalf are bound by written data processing agreements requiring them to:

        Process personal information only on our documented instructions and solely for specified purposes

        Implement reasonable security measures to protect personal information

        Not use customer data for AI model training, machine learning development, algorithm improvement, or any form of automated learning — whether for their own products, for third parties, or for generalized model improvement. This applies to all vendors, including chat tools (Tidio), analytics providers, advertising platforms, and email/SMS platforms

        Not sell, share, or disclose personal information to any third party except as necessary to perform the contracted service or as required by law

        Delete or return all personal information upon termination of the service agreement, unless retention is required by law

        Cooperate with compliance audits and promptly notify us of any data breach or non-compliance

We conduct vendor security and privacy assessments prior to onboarding and periodically thereafter. Non-compliant vendors are subject to prompt remedial action, including termination.

5.2 Cross-Border Data Processing

Your personal information may be processed, stored, or transferred to locations outside of your state of residence, including other U.S. states or, in limited circumstances, other countries. For example:

        Our ecommerce platform (Shopify) and analytics tools may process data on servers in various U.S. states and Canada

        Our customer service platform and chat tools may process data in locations where their infrastructure is hosted

        Our creative production team at Take4 Media, based in Karachi, Pakistan, may access order-related data solely for product photography, creative production, and digital asset management purposes

Where personal information is transferred outside the United States, we ensure appropriate safeguards are in place, including contractual protections requiring the recipient to maintain security and confidentiality standards substantially equivalent to those described in this Policy.

5.3 Third-Party Platform Independence

We are not responsible for the independent data practices of third-party platforms you interact with directly, including advertising networks (Google, Meta, TikTok, Pinterest, Microsoft Advertising, Criteo), demand-side platforms (Amazon DSP), Connected TV providers (Vibe), social media platforms, payment processors, and external websites. These third parties operate under their own privacy policies. Our responsibility extends to data we share with them under our data processing agreements, not to their independent collection or use of data they obtain directly from you.

6. Your Choices and Rights

6.1 Email Communications

You may opt out of marketing emails by clicking the “Unsubscribe” link in any marketing email or by contacting us. We process unsubscribe requests within 10 business days. Opting out of marketing will not affect transactional emails.

6.2 SMS / Text Message Marketing

By providing your mobile number and affirmatively opting in, you expressly consent to receive recurring automated marketing texts from Half Price Drapes. Consent is not a condition of purchase.

SMS Program Terms

        Program Name: Half Price Drapes Alerts

        Message Frequency: Up to 8 marketing messages per month. Frequency varies by promotions and engagement.

        Message & Data Rates: Standard carrier rates may apply.

        Opt Out: Reply STOP to any message. You may also opt out by email, phone, our Privacy Rights Portal, or any other reasonable method. We process opt-outs within 10 business days.

        Help: Reply HELP or email legal@halfpricedrapes.com.

        Carriers: Major U.S. carriers supported. Carriers are not liable for delayed/undelivered messages.

        Consent Records: We retain records of opt-in consent (date, time, method, disclosure language) for program duration plus 5 years.

We do not sell, rent, or share your mobile number with third parties for their marketing. Our SMS program complies with the TCPA and CTIA guidelines.

6.3 Cookie Preferences

You may manage your cookie preferences through the cookie consent banner displayed on our Site, by clicking the “Cookie Settings” link in our footer, or by adjusting your browser settings. See Section 7 for details.

6.4 Updating Your Information

You may update certain personal information by logging into your account on our Site. For other changes, contact us at legal@halfpricedrapes.com.



7. Cookies, Tracking Technologies, and Consent Controls

7.1 Our Consent-Before-Tracking Commitment

        No pre-consent tracking: Non-essential cookies, pixels, tags, and scripts (including all analytics and advertising technologies) are technically blocked from loading, executing, or transmitting data until you affirmatively accept the relevant category through our cookie consent banner.

        Consent signals enforced at the technical layer: Our consent management platform (OneTrust) controls script execution. When you decline or have not yet interacted with the consent banner, advertising and analytics tags are suppressed at the code level.

        Regular technical audits: We conduct regular audits of our Site to verify that non-essential tracking technologies do not activate prior to consent, including automated scanning for pre-consent pixel fires.

        GPC / UOOM: When we detect a GPC signal or other recognized Universal Opt-Out Mechanism, we treat it as a valid opt-out of sale/sharing/targeted advertising. Advertising and analytics tags are suppressed without requiring further action.

        No behavioral fingerprinting: We do not use device fingerprinting, canvas fingerprinting, probabilistic identifiers, or other covert tracking techniques to identify or track users without their knowledge and consent.

        No identity resolution or de-anonymization: We do not deploy any tool or process that attempts to identify an otherwise anonymous Site visitor by matching device signals, browser characteristics, or behavioral data against external databases, social media profiles, or third-party identity graphs.

        No covert tracking technologies: We do not deploy hidden, obfuscated, or covert tracking technologies designed to bypass user consent mechanisms, browser privacy controls, or ad-blocking tools.

While we implement robust technical and organizational controls, no system is entirely free from error. In the event of any unintended data transmission occurring outside the scope of user consent, we will take prompt corrective action, investigate the root cause, and implement measures to prevent recurrence. We maintain internal incident logs and will notify affected users and applicable regulatory authorities where required by law.

7.2 Types of Cookies and Activation Status

| Cookie Type | Purpose | Activation | Examples |
| --- | --- | --- | --- |
| Strictly Necessary | Core site functions (login, cart, checkout) | Active on page load; cannot be disabled | Shopify session cookies |
| Functionality | Preferences (currency, language) | Active on page load | Preference cookies |
| Analytics / Performance | Traffic, page performance, user journeys | Blocked until user accepts analytics cookies | Google Analytics, Shopify Analytics, Polar |
| Advertising / Targeting | Ad campaign tracking, retargeting, audience building | Blocked until user accepts advertising cookies | Meta Pixel, Google Ads Tag, TikTok Pixel, Pinterest Tag, Bing UET |
| Email / SMS Tracking | Email open and click behavior | Active only within opted-in emails/SMS | Klaviyo tracking pixels |

7.3 Consent Categories and Associated Technologies

| Category | Examples of Technologies |
| --- | --- |
| Strictly Necessary | Shopify core functionality cookies |
| Functional | Preference and localization cookies |
| Analytics | Google Analytics, Shopify Analytics, Polar Analytics |
| Advertising / Targeting | Meta Pixel, Google Ads Tag, TikTok Pixel, Pinterest Tag, Microsoft UET, Criteo |
| CTV / DSP | Vibe (CTV), Amazon DSP |

7.4 Server-Side and Event-Based Tracking

In addition to browser-based cookies and pixels, we may use server-to-server (“S2S”) or event-based integrations with certain advertising and analytics platforms. These integrations allow us to transmit conversion events (such as purchases or site interactions) directly from our systems to those platforms for measurement and attribution purposes.

These technologies may not rely on traditional browser cookies and may operate using pseudonymized identifiers, aggregated data, or hashed information.

Where required by applicable law, these integrations are subject to the same consent controls described in this Policy and are not activated unless you have provided affirmative consent to the relevant tracking category. To be clear: we do not use server-side or event-based integrations to circumvent, bypass, or operate outside of the consent preferences you have expressed through our cookie consent banner or through a Universal Opt-Out Mechanism such as Global Privacy Control.

7.5 Connected TV (CTV) and Cross-Device Tracking

We may work with Connected TV (“CTV”) and programmatic advertising platforms (such as Vibe and Amazon DSP) that deliver advertisements on streaming devices, including smart TVs and similar platforms.

These platforms may use device identifiers, IP-based signals, or household-level data to: measure advertisement exposure; associate ad impressions with website visits; and perform cross-device attribution (for example, linking ad exposure on a television to activity on a mobile or desktop device).

These technologies may not rely on traditional cookies but are considered forms of cross-context behavioral advertising under applicable privacy laws. Where required by law, such tracking is governed by your consent preferences.

7.6 Dynamic Technology Environment

The specific cookies, pixels, tags, scripts, and tracking technologies used on our Site may change over time due to updates in our platform, integrations with third-party service providers, or changes in our marketing and analytics tools.

We maintain ongoing monitoring and auditing processes to ensure that any such technologies remain consistent with the disclosures in this Policy and are subject to our consent controls.

7.7 Managing Your Preferences

        Cookie Consent Banner: Manage preferences through the banner displayed on first visit and accessible anytime via the “Cookie Settings” link in our Site footer.

        Privacy Preference Center: Visit our Your Privacy Choices page to update preferences at any time.

        Browser Settings: Adjust cookie settings in your browser. Disabling strictly necessary cookies may impair Site functionality.

        GPC / UOOM: Enable Global Privacy Control in your browser. We honor this signal automatically.

Disabling advertising cookies will not remove all ads — you will still see ads, but they will be generic rather than personalized.

7.8 Do Not Track (DNT) and Global Privacy Control (GPC)

Browser DNT Signals: Because there is no universally accepted standard for how businesses should respond to DNT signals, we do not currently alter our data collection in response to browser-based DNT signals. However, we strongly support and honor the more technically robust Global Privacy Control (GPC) standard.

GPC Signals: When we detect a GPC signal from your browser, we treat it as a legally valid opt-out of the sale and sharing of your personal information and suppress all non-essential advertising and analytics tracking for that browser session and device. No further action is required. This applies to residents of all states that require UOOM recognition.

Additional industry opt-out tools:

        Google Ads Settings: adssettings.google.com

        Meta Ad Preferences: facebook.com/adpreferences

        DAA Opt-Out: optout.aboutads.info

        NAI Opt-Out: optout.networkadvertising.org

7.9 Consent Logging and Audit Trail

We maintain detailed records of user consent for compliance, auditing, and legal defense purposes. These records include: timestamp of consent granted/modified/withdrawn; specific categories selected; version of consent banner presented; method of consent; and subsequent changes. Consent records are retained for the duration of your relationship plus 5 years, or as required by law. Records are available for regulatory inspection upon lawful request.

7.10 Granular Cookie Information

For additional transparency, we maintain a detailed and regularly updated inventory of cookies and tracking technologies used on our Site, including their names, purposes, and retention periods. This information may be provided through our Cookie Policy or made available upon request.

7.11 Good Faith Compliance

We implement industry-standard and commercially reasonable technical and organizational measures to ensure that tracking technologies operate in accordance with user consent preferences. We continuously monitor, test, and audit our systems to verify compliance and to identify and remediate any unintended data collection.

The following is a high-level summary of the tracking technologies currently in use on our Site. For a comprehensive and regularly updated description — including specific cookie names, providers, purposes, and durations — please refer to our separate Cookie Policy, accessible via the “Cookie Policy” link in our Site footer.

| Technology Type | Providers | Consent Required? | Typical Retention |
| --- | --- | --- | --- |
| Strictly Necessary Cookies | Shopify | No (required for Site function) | Session to 2 years |
| Analytics Cookies | Google Analytics, Polar, Shopify Analytics | Yes | Up to 24 months |
| Advertising Pixels | Meta, Google Ads, TikTok, Pinterest, Microsoft UET, Criteo | Yes | Varies by provider |
| CTV / DSP Tags | Vibe, Amazon DSP | Yes | Per provider policy |
| Server-Side / S2S | Google, Meta (CAPI), Amazon | Yes | Per provider policy |
| Email / SMS Tracking | Klaviyo | Opt-in required | Per marketing consent |

8. Direct Marketing and Behavioral Advertising

We participate in interest-based advertising through digital marketing networks and ad exchanges, using cookies, pixels, ad tags, and mobile identifiers to deliver personalized advertising. These activities may involve tracking your interactions across different websites, devices, and platforms over time in order to deliver personalized advertising and measure campaign effectiveness. To the extent this activity constitutes the “sale” or “sharing” of personal information under California law or “targeted advertising” under other state privacy laws, you may exercise your opt-out rights as described in Sections 11–12.

You may opt out of marketing messages at any time by following the unsubscribe instructions in the message or by contacting us. Please allow up to 48 hours for processing. Opting out does not affect transactional or service-related communications.

9. Communication Privacy and Recording Practices

We are committed to respecting the privacy of your communications with us.

9.1 Our Communication Privacy Commitments

        No unauthorized interception: We do not intercept, record, or monitor the contents of your private communications without your knowledge and consent, nor do we permit third parties to do so through tools deployed on our Site.

        Chat tools (Tidio): Tidio processes chat messages solely to provide customer service and does not use your chat data for its own marketing, advertising, or AI training purposes. Chat transcripts are stored by Tidio as our contracted service provider under our data processing agreement. Chat functionality loads only after you initiate a chat interaction.

        No session replay or keystroke capture: We do not use session replay tools that record mouse movements, keystrokes, scrolling behavior, or form field inputs.

        Search queries: On-site search queries are processed by Shopify to return results and are not transmitted to third-party analytics or advertising vendors prior to consent.

        Phone and email support: If we record customer service phone calls, we will provide clear notice and obtain your consent at the beginning of the call.

9.2 California Residents — CIPA Notice

The California Invasion of Privacy Act (Cal. Penal Code § 630 et seq.) prohibits the interception or recording of private communications without the consent of all parties. We are committed to compliance with CIPA and all applicable federal and state wiretapping and electronic surveillance laws. We do not aid, authorize, or permit any third party to intercept, eavesdrop on, or record your communications with our Site without your prior consent. We do not install or use trap and trace devices or pen register processes (as defined under Cal. Penal Code § 638.50) on our Site without a court order or your prior affirmative consent. No third-party pixel, tag, or script deployed on our Site is authorized to capture incoming electronic impulses for the purpose of identifying or de-anonymizing Site visitors without consent.

10. Data Retention

We retain personal information as follows:

| Data Category | Retention Period | Reason |
| --- | --- | --- |
| Account Data | Duration of account + 2 years after closure or last activity | Account management, legal compliance |
| Order / Transaction Records | 7 years from transaction date | Tax, accounting, audit obligations |
| Marketing Consent Records | Duration of consent + 5 years | Demonstrate compliance (TCPA, CCPA) |
| Marketing Engagement Data | Until opt-out; suppression list retained indefinitely | Honor communication preferences |
| Customer Service Records | 3 years from last interaction | Dispute resolution, quality assurance |
| Chat Transcripts | 2 years from date of interaction, then deleted | Customer service, compliance |
| Log / Technical Data | Up to 13 months | Security, debugging |
| Analytics Data | Up to 24 months, then deleted or anonymized | Site improvement |
| Cookie / Tracking Data | Varies by type and provider. First-party analytics cookies typically expire within 24 months. Third-party advertising, DSP, and CTV tracking technologies are governed by the retention policies of the respective providers | Subject to consent preferences |
| Employment Application Data | 2 years from submission | Recruitment, legal compliance |

 

After retention periods expire, we securely delete or anonymize data. Where immediate deletion is not feasible (e.g., backup archives), we isolate the data until deletion is possible.


 

11. California Privacy Rights (CCPA / CPRA)

This section applies to California residents and supplements the rest of this Policy.

11.1 Categories of Personal Information Collected

In the preceding 12 months, we have collected:

| Category (CCPA) | Data Elements | Business Purpose |
| --- | --- | --- |
| Identifiers | Name, email, IP address, account ID, phone number, device IDs | Order processing, marketing, analytics |
| Cal. Civ. Code § 1798.80(e) | Name, address, telephone number, credit card number | Payment, order processing |
| Commercial Information | Purchase history, browsing/shopping history, cart data, returns | Order fulfillment, personalized advertising (with consent) |
| Internet / Electronic Activity | Cookies, pixel data, page visits, click behavior, search queries | Analytics (with consent), ad targeting (with consent) |
| Geolocation Data | Derived from IP address or shipping address | Shipping, localized content, fraud prevention |
| Audio, Electronic, Visual | Customer service call recordings, photos/videos submitted | Service quality, product content |
| Professional / Employment | Reseller certification, business details | Trade program verification |
| Inferences | Consumer profiles from browsing, purchase, engagement | Personalized marketing (with consent) |
| Sensitive Personal Information | Payment card data (processed by third party; not stored by HPD); account login credentials; precise geolocation (if enabled) | Payment processing, account security only |

 

11.2 Sale and Sharing of Personal Information

        No monetary sale: We have never sold, and do not sell, personal information to any third party in exchange for monetary compensation. We do not provide personal information to data brokers, list resellers, or any entity that pays us money for consumer data.

        “Sharing” under California law: Under the CCPA/CPRA, certain data-sharing arrangements for cross-context behavioral advertising legally qualify as “sharing” (and potentially “selling”), even without monetary compensation. We engage in cross-context behavioral advertising when we transmit hashed email addresses, advertising identifiers, or conversion data to advertising partners — including Google, Meta, TikTok, Pinterest, Microsoft Advertising, Criteo, Connected TV providers (such as Vibe), and demand-side platforms such as Amazon DSP — for Custom Audience matching, lookalike audience creation, conversion measurement, and cross-device attribution. This sharing occurs only after and to the extent you have consented to advertising cookies.

        Categories shared: Identifiers (hashed email, advertising IDs), Internet/electronic activity (page visits, conversion events), Commercial information (purchase data), and Inferences (shopping preference segments). No sensitive personal information is ever shared.

        Your control: You may opt out of this sharing at any time. When you opt out, we cease all data transmissions to advertising partners for behavioral advertising purposes.

We do not knowingly sell or share the personal information of consumers under the age of 16.

11.3 Your California Privacy Rights

        Right to Know: Request disclosure of categories and specific data collected, sources, purposes, and third-party recipients (up to twice in a 12-month period).

        Right to Delete: Request deletion of your personal information, subject to legal exceptions.

        Right to Correct: Request correction of inaccurate personal information.

        Right to Opt Out of Sale/Sharing: Direct us to stop selling or sharing your personal information. Exercise through cookie consent banner, the “Your Privacy Choices” / “Do Not Sell or Share My Personal Information” footer link, or by enabling GPC.

        Right to Limit Sensitive Data Use: Direct us to limit use of sensitive personal information to purposes necessary to provide the Service. We do not use sensitive PI beyond what is necessary.

        Right to Non-Discrimination: No denial of goods, price differences, or service quality differences for exercising rights.

11.4 How to Exercise Your Rights

        Online: Privacy Rights Request Portal (link in Site footer)

        Email: legal@halfpricedrapes.com — Subject: “California Privacy Rights Request”

        Phone: 1-866-413-7273

        Mail: Exclusive Fabrics & Furnishings, LLC DBA Half Price Drapes, 440 Boulder Court, Suite 100, Pleasanton, CA 94566, Attn: Legal / Privacy

We verify identity using information on file. Response within 45 days (extendable by 45 days with notice). Authorized agents require written authorization and identity verification of both parties.

11.5 Identity Verification Process

        Email Confirmation: We send a verification email to the address on file. You must click the verification link.

        Order Validation: For requests involving transaction data, we may ask you to confirm recent order numbers, shipping addresses, or payment methods.

        Account Matching: We match information in your request against our records.

        Escalated Verification: If we cannot verify through the above methods, we may request a government-issued ID. Any ID collected solely for verification is deleted promptly after resolution.

If we cannot reasonably verify your identity, we will inform you and explain why. We will never deny a request solely to avoid fulfilling it.

11.6 Notice of Right to Opt Out of Sale/Sharing

You may opt out of sharing for behavioral advertising by:

        Using the cookie consent controls on our Site (“Cookies Settings” in the banner or the persistent cookie settings icon)

        Clicking the “Your Privacy Choices” / “Do Not Sell or Share My Personal Information” link in our Site footer

        Enabling the Global Privacy Control (GPC) signal in your browser

        Submitting a request via our Privacy Rights Request Portal or emailing legal@halfpricedrapes.com with subject “CCPA Opt-Out”

        Visiting the DAA (optout.aboutads.info) or NAI (optout.networkadvertising.org) opt-out pages

11.7 Notice of Financial Incentives

We may offer promotions, discounts, or other incentives in exchange for providing personal information such as your email address (e.g., newsletter sign-up discounts, sweepstakes, giveaways). Participation is voluntary. You may opt in on our Site and withdraw at any time by contacting legal@halfpricedrapes.com.

The value of the incentive is reasonably related to the value of your personal information, calculated based on the approximate additional spending per promotion participant compared to non-participants.

11.8 Shine the Light (California Civil Code § 1798.83)

We do not disclose personal information to third parties for their own direct marketing purposes. If you have questions, contact us at legal@halfpricedrapes.com.

11.9 California Metrics Disclosure

In accordance with CCPA regulations, we will publish annual metrics regarding the number and type of consumer rights requests received, processed, and denied. These metrics will be made available on our Site.


 

12. Privacy Rights for Residents of Other U.S. States

This section applies to residents of states with comprehensive privacy laws currently in effect: Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Kentucky, Rhode Island, Tennessee, Montana, Oregon, Texas, Delaware, New Hampshire, New Jersey, Nebraska, Minnesota, Maryland, and any additional states enacting comprehensive privacy legislation.

12.1 Common Rights Across State Privacy Laws

        Access: Confirm whether we process your data and obtain a copy.

        Delete: Request deletion, subject to legal exceptions.

        Correct: Request correction of inaccurate data.

        Opt Out of Targeted Advertising: Opt out of processing for targeted advertising.

        Opt Out of Sale: Opt out of sale of personal data.

        Opt Out of Profiling: Opt out of profiling that produces legal or significant effects.

        Data Portability: Receive data in a portable format.

        Non-Discrimination: Exercise rights without discriminatory treatment.

12.2 Universal Opt-Out Mechanisms

We honor GPC and other recognized UOOMs as valid opt-outs of sale/sharing/targeted advertising for all states requiring such recognition. When detected, advertising and analytics tags are suppressed automatically.

12.3 How to Exercise Your Rights

        Online: Privacy Rights Request Portal

        Email: legal@halfpricedrapes.com

        Preferences: Your Privacy Choices page

        Mail: Exclusive Fabrics & Furnishings, LLC DBA Half Price Drapes, 440 Boulder Court, Suite 100, Pleasanton, CA 94566, Attn: Legal / Privacy

Response within timeframes required by your state (generally 45 days). Identity verification follows the same process described in Section 11.5.

12.4 Your Right to Appeal

If we decline or are unable to fulfill your privacy rights request (in whole or in part), you have the right to appeal. Submit an appeal via email (legal@halfpricedrapes.com, subject: “Privacy Rights Appeal”), our Privacy Rights Request Portal, or by mail. Your appeal must reference the original request and your reasoning. We will respond within 60 days with a written explanation. If denied, we will provide information on how to contact your state’s Attorney General or applicable regulatory authority.

12.5 Data Protection Assessments

Where required by state law, we conduct data protection assessments for processing activities presenting heightened risk, evaluating benefits, risks, and safeguards.

13. Employee and Applicant Privacy Notice (California)

This section applies to employees, contractors, job applicants, and prospective employees of Half Price Drapes who are California residents.

13.1 Personal Information We Collect

        Identifiers: name, address, email, phone, employee ID, Social Security number, driver’s license, passport, government-issued IDs, emergency contacts

        Professional/Employment Information: employment history, education, position applied for, compensation, performance evaluations, background check results

        Financial Information: bank account details, payroll information, expense reimbursement data

        Internet/Network Activity: email logs, device and browser information, web browsing sessions

        Geolocation Data: GPS data, IP-based location, cell network data

        Sensory Data: audio recordings of calls, video surveillance

        Protected Classifications: age, gender, nationality, race/ethnicity, marital status

        California Customer Records: health insurance, workers’ compensation data, signature, physical description

        Sensitive Personal Information: Social Security number, driver’s license number, financial account credentials, racial/ethnic origin, health information

13.2 How We Use Employee/Applicant Information

We use this information for: processing applications and background checks, administering payroll and benefits, workforce management, training, IT systems security, legal compliance, and protecting the rights and safety of employees and our business.

13.3 Employee/Applicant Rights

California employees and applicants have the same rights described in Section 11.3, including the right to know, delete, correct, and limit use of sensitive personal information. To exercise these rights, contact legal@halfpricedrapes.com.

14. Children’s and Minors’ Privacy

Our Site is intended for adults 18 and older. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, contact us immediately at legal@halfpricedrapes.com and we will promptly delete such information.

Absolute Prohibition: Minors Under 16

We maintain a zero-tolerance policy regarding the sale, sharing, or targeted advertising use of personal information belonging to any consumer we know or have reason to believe is under the age of 16. This means:

        No sale: We will not sell the personal information of known minors under 16 under any circumstances.

        No sharing for advertising: We will not share personal information of known minors under 16 with advertising networks or any third party for cross-context behavioral advertising.

        No targeted advertising: We will not process personal information of known minors under 16 for displaying targeted or personalized advertising.

        No profiling: We will not create consumer profiles, inferences, or behavioral segments based on personal information of known minors under 16.

        Affirmative consent required: Where applicable state law requires opt-in consent from the consumer (ages 13–15) or parent/guardian (under 13), we will obtain it before any applicable processing.

        Immediate remediation: If we become aware of a violation, we will immediately cease non-essential processing, delete or de-identify the data, and notify the affected individual or parent/guardian where required by law.

If you are under 18 years of age, reside in California, and have a registered account, you may request removal of content you have publicly posted on the Service by contacting us.

15. Data Security

We implement reasonable administrative, technical, and physical safeguards:

        SSL/TLS encryption on all data in transit

        Encryption of sensitive data at rest where feasible

        Role-based access controls on a need-to-know basis

        Payment card data handled exclusively by PCI-DSS Level 1 compliant processors

        Regular security reviews, vulnerability assessments, and employee training

        Vendor security assessments and data processing agreements with all third-party processors

        Incident response procedures for detection, investigation, and notification

No method of transmission over the internet is 100% secure. While we strive to use commercially reasonable means to protect your information, we cannot guarantee absolute security.

15.1 Data Breach Response

In the event of a data breach, we will: promptly investigate the nature and scope; take reasonable steps to contain the breach and mitigate harm; notify affected individuals as required by applicable federal and state breach notification laws (including California Civil Code § 1798.82); notify applicable state Attorneys General and regulatory authorities within required timeframes; and provide affected individuals with information about the breach and protective steps.

We contractually require all vendors to notify us promptly of any breach involving our customers’ data.

16. Blogs, Reviews, and Forums

Our Service may offer publicly accessible blogs, reviews, or forums. Any information you provide in these areas may be read, collected, and used by others. To request removal, contact marketing@halfpricedrapes.com. In some cases, removal may not be possible.

17. Links to Third-Party Sites

Our Site may link to third-party websites and platforms. This Policy does not apply to those sites. We are not responsible for their privacy practices. We encourage you to review their privacy policies.

18. Visitors from Outside the United States

The Service is hosted in the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States. Data protection laws in the United States may differ from those in your jurisdiction. By using the Service, you consent to the transfer of your information to the United States.

19. Changes to This Privacy Policy

When we make material changes, we will: post the revised Policy with an updated “Last Updated” date; email registered account holders; and display a prominent Site notice for at least 30 days. Material changes are effective 30 days after posting for existing users, immediately for new users. Where required by law, we will obtain consent before applying material changes. Prior versions are available upon request.

20. Contact Us

For privacy questions, data subject requests, or concerns:

        Privacy & Legal Email: legal@halfpricedrapes.com (primary contact for all privacy rights requests, CCPA/CPRA inquiries, and CIPA concerns)

        General Support: support@halfpricedrapes.com (privacy requests received here will be forwarded to our legal/privacy team)

        Phone: 1-866-413-7273

        Online: Privacy Rights Request Portal (link in Site footer)

        Preferences: Your Privacy Choices page (link in Site footer)

 

Exclusive Fabrics & Furnishings, LLC DBA Half Price Drapes

440 Boulder Court, Suite 100

Pleasanton, CA 94566

Attn: Legal / Privacy

 

Response: Acknowledgment within 5 business days; substantive response within 10 business days. Formal DSARs processed per applicable law timelines.

 

© 2026 Exclusive Fabrics & Furnishings, LLC DBA Half Price Drapes. All rights reserved.