CCPA/CPRA Privacy Policy (California Privacy Notice)
Our Privacy Policy was last updated on September 1, 2025.
This California Privacy Notice (“Notice”) supplements our main Privacy Policy and applies solely to California residents (“consumers”) under the California Consumer Privacy Act as amended by the California Privacy Rights Act (together, “CCPA”). Terms defined in the CCPA have the same meaning here.
Who We Are
GLITZ&GRAF AGENCY SRL (“GLITZ&GRAF”, “we”, “us”, “our”)
Calea Moșilor 88, District 3, Bucharest, Romania
We sell made-to-order (print-on-demand) goods via glitzandgraf.com and may use third-party fulfillment partners (including Printify network providers) and service providers (e.g., Shopify, payment processors, analytics/ads partners).
1) Notice at Collection
We collect, use, and retain personal information for business and commercial purposes described below. We may sell or share certain categories (as those terms are defined by the CCPA) for cross-context behavioral advertising unless you opt out (see §5 and Your Privacy Choices link in our footer).
|
Category (CCPA) |
Examples |
Sources |
Purposes |
Sold/Shared for Cross-Context Ads? |
Retention |
|
A. Identifiers |
name, email, IP, order ID, device IDs |
from you (checkout/forms); automatically (site/app); service providers |
fulfill orders; account communications; fraud/security; analytics; marketing |
May share email/IP/online identifiers with ads/analytics partners (unless you opt out) |
Orders up to 10 years (tax/accounting); marketing IDs until opt-out or 24 months inactivity |
|
B. Customer Records (Cal. Civ. Code §1798.80(e)) |
billing/shipping address; limited payment info (token/last 4; we do not receive full card numbers) |
from you; payment processor |
checkout & fulfillment; fraud prevention; accounting |
No |
Tax/accounting up to 10 years; otherwise as needed for service/legal |
|
D. Commercial Information |
products viewed/purchased; discounts used; order history |
from you; automatically; service providers |
customer service; personalization; analytics; marketing; fraud |
May share hashed/email-based signals with ads partners (unless you opt out) |
Same as A |
|
F. Internet/Network Activity |
device/browser info; pages viewed; clicks; cookie IDs; approximate location inferred from IP |
automatically; service providers |
site operations; security; analytics; marketing; debugging |
May share cookie/identifier data for cross-context ads (unless you opt out or decline marketing cookies) |
Up to 24 months (or shorter where possible) |
|
G. Geolocation (approximate) |
coarse location (city/region) inferred from IP |
automatically; service providers |
locale, tax settings; fraud/security; analytics |
May share with analytics/ads partners (unless you opt out) |
Up to 24 months |
|
Sensitive Personal Information (SPI) |
we do not intentionally collect SPI (e.g., SSN, precise geolocation, health, union, race). Payment card details are processed by our payment processor. |
n/a |
n/a |
No |
n/a |
⚠️ We do not use or disclose Sensitive Personal Information for inferring characteristics.
Financial incentive: We may offer discounts or promotions (e.g., first-purchase codes). See §7.
You can opt out of sale/share at any time via Do Not Sell or Share My Personal Information or by sending a Global Privacy Control (GPC) signal in your browser. We honor GPC for that browser/device.
2) How We Use Personal Information
We use personal information to: provide our site and services; process and deliver orders; support customers; detect and prevent fraud/security incidents; debug and improve functionality; measure and analyze performance; personalize content; provide marketing/advertising (including cross-context advertising, subject to opt-out); comply with legal obligations; and support internal operations (audit, accounting, governance).
We do not knowingly collect personal information from children under 13, and we do not knowingly sell/share personal information of consumers under 16.
3) Disclosures to Service Providers and Contractors
We disclose personal information to service providers/contractors under written agreements restricting use to the services we request (e.g., hosting/platform, payment processing, fulfillment/shipping, analytics, advertising partners acting at our direction, customer communications, security/fraud).
We may also disclose information in connection with a business transfer, or as required by law.
4) Your CCPA Rights (California)
Subject to exceptions, California residents have the right to:
Ø Know/Access: request the categories and specific pieces of personal information we collected about you in the last 12 months, the sources, purposes, and recipients (including sale/share).
Ø Delete: request deletion of personal information we collected from you.
Ø Correct: request correction of inaccurate personal information.
Ø Opt-Out of Sale/Share: direct us not to sell or share your personal information for cross-context behavioral advertising.
Ø Limit Use/Disclosure of SPI: where SPI is collected, limit its use/disclosure to permitted purposes (not applicable here).
Ø Non-Discrimination: we will not discriminate against you for exercising CCPA rights.
How to exercise your rights
Submit requests at: /pages/your-privacy-choices or email ccpa@glitzandgraf.com or cpra@glitzandgraf.com.
For Do Not Sell or Share, use the same page or enable Global Privacy Control (GPC) in your browser.
Verification: we will reasonably verify your identity (e.g., email verification, order metadata). If you use an authorized agent, we may require proof of authorization and verification of your identity.
Timing: we respond within 45 days, extendable once by 45 days where reasonably necessary (with notice).
Scope: Access disclosures cover the 12-month look-back; we may honor requests beyond 12 months where required by law.
If we deny your request in whole or in part, we will explain the reasons. California law does not require us to provide a formal appeal process; however, you may re-submit with additional information for reconsideration.
5) Sale/Share Opt-Out & Global Privacy Control
Some of our use of cookies and similar technologies for advertising/analytics may be considered “sale” or “sharing” under CCPA. You can:
Ø Click Do Not Sell or Share My Personal Information and follow the instructions; and
Ø Enable the Global Privacy Control (GPC) in your browser.
We treat a valid GPC signal as a request to opt out of sale/share for that browser and device.
⚠️ If you clear cookies, switch browsers, or use a different device, you may need to opt out again (unless logged in and we can persist your preference).
6) Data Retention
We retain personal information only as long as necessary for the purposes described in this Notice or as required by law (e.g., tax/accounting).
Where we cannot delete due to legal obligations (e.g., fraud prevention, regulatory requirements), we retain only as long as necessary and delete or de-identify thereafter.
7) Notice of Financial Incentive
From time to time we may offer promotions, discounts, or benefits (e.g., first-purchase codes, newsletter perks) that could be considered a financial incentive under the CCPA.
Ø Participation: voluntary and requires opt-in (e.g., by redeeming the code or subscribing).
Ø Material terms: basic contact information (e.g., email) may be required; used for marketing and administration.
Ø Value of data: estimated in good faith based on collection/retention costs and marketing revenue generated (varies).
Ø Withdrawal: unsubscribe anytime or email ccpa@glitzandgraf.com / cpra@glitzandgraf.com. You may still use services without participating.
We do not offer loyalty pricing that is unjust, unreasonable, coercive, or usurious.
8) “Shine the Light” (Cal. Civ. Code §1798.83)
California residents may request a list of third parties to whom we disclosed personal information for their direct marketing in the preceding calendar year (if any), and the categories disclosed.
To request, email ccpa@glitzandgraf.com or cpra@glitzandgraf.com with subject line: “Shine the Light Request.”
9) Do Not Track
We do not respond to browser Do Not Track (DNT) signals.
We do honor Global Privacy Control (GPC) as described in §5.
10) Updates to this Notice
We may update this Notice to reflect changes in our practices or the law. We will post the updated version with a new Effective date. Material changes will be highlighted where appropriate.
11) Contact Us
Data Controller: GLITZ&GRAF AGENCY SRL
Email (privacy/CCPA/CPRA): ccpa@glitzandgraf.com / cpra@glitzandgraf.com
Postal address: Calea Moșilor 88, District 3, Bucharest, Romania
Website: https://glitzandgraf.com
For general inquiries: contact@glitzandgraf.com
For returns/issues: returns@glitzandgraf.com
