Last Updated: August 27, 2025
This Privacy Policy explains how Xyluria (“Xyluria,” “we,” “us,” or “our”) collects, uses, discloses, and protects personal information when you visit xyluria.com or use our products and services (collectively, the “Services”).
If you do not agree with this Policy, please do not use the Services.
Controller. If you are located in the EEA/UK, Xyluria is the data controller of your personal information.
Contact: xyluria@gmail.com
1. Information We Collect
A. Information You Provide
- Order & Fulfillment Data. Name, shipping/billing address, email, phone, items purchased, order notes.
- Account Data. Name, email, password (hashed).
- Support & Communications. Content of emails/messages, attachments, return/repair information.
- UGC & Comments. Comments, reviews, ratings; IP address and browser user-agent for anti-spam.
- Marketing Preferences. Newsletter opt-ins, categories of interest.
We do not ask you to provide sensitive personal information. Please do not share health, biometric, or other sensitive data.
B. Information Collected Automatically
- Device/Usage Data. IP address, device identifiers, browser type/version, pages viewed, time stamps, referral/UTM, approximate location (city/country level).
- Cookies/Similar Technologies. Pixels, SDKs, local storage for core functionality (e.g., cart), analytics, and (where enabled) advertising. See Section 10 and our Cookie Policy.
C. Payment Information
We do not store full payment card numbers. Payments are processed by third-party providers (e.g., Stripe, PayPal). They receive your payment information subject to their own policies. We receive limited information to confirm payment and fulfill your order.
D. Information from Third Parties
- Carriers/Logistics Partners (shipping status, tracking).
- Fraud Prevention/Identity Verification services.
- Analytics and Advertising Partners (see Section 10), where enabled by your consent and applicable law.
2. Why We Use Personal Information (and Legal Bases)
We process your information for these purposes and, where GDPR/UK GDPR applies, under the following legal bases:
- Provide the Services (create/manage account, process payments, ship orders, returns/warranties) — Contract; Legal obligation (e.g., tax/records).
- Customer Support & Communications — Contract; Legitimate interests (service quality).
- Personalize & Improve the Site (content, features, diagnostics) — Legitimate interests; Consent where required (e.g., non-essential cookies).
- Security & Fraud Prevention (detect, investigate, prevent fraudulent or illegal activity) — Legitimate interests; Legal obligation.
- Marketing (email/SMS, on-site, or ads where permitted) — Consent (where required); otherwise Legitimate interests.
- Compliance with laws, regulatory requests, and dispute resolution — Legal obligation; Legitimate interests.
You may withdraw consent at any time where consent is the legal basis.
3. Sharing Your Information
We do not sell personal information. We share limited data with:
- Service Providers/Processors. Payment processors (Stripe/PayPal), ecommerce and hosting platforms, email/SMS providers, customer support tools, fulfillment and carriers (UPS/FedEx/DHL), anti-spam and security tools, analytics/advertising vendors (see Section 10).
- Legal/Compliance. Law enforcement or regulators when required by law.
- Business Transfers. As part of a merger, acquisition, financing, or sale of assets.
Where required, we sign data processing agreements and implement appropriate safeguards.
4. International Data Transfers
We may transfer, store, and process information outside your country (including the United States and other jurisdictions). For EEA/UK users, where your data is transferred to countries without an adequacy decision, we rely on Standard Contractual Clauses (SCCs) and, where applicable, the UK IDTA/Addendum, plus supplementary measures.
5. Retention
We keep personal information only as long as necessary for the purposes described or as required by law (e.g., tax and accounting records). Illustratively:
- Orders & invoices: retained for the applicable statutory period (often 7 years or as required under local law).
- Account data: retained while your account is active and for a reasonable period after closure.
- Marketing: retained until you opt out or your consent expires or is withdrawn.
- Comments/UGC: retained to preserve context/history unless you request deletion and no legal basis requires retention.
6. Security
We use administrative, technical, and physical safeguards appropriate to the nature of the data (e.g., HTTPS/TLS encryption in transit, access controls, password hashing, limited access on a need-to-know basis). No method is 100% secure. We maintain procedures to assess and notify (where required) in the event of a data breach.
7. Your Rights & Choices
Depending on your location, you may have the right to access, correct, delete/erase, restrict processing, object to processing (including profiling for direct marketing), and data portability. You may also withdraw consent at any time.
- How to submit a request: Email xyluria@gmail.com with your request and sufficient information to verify your identity. We will respond within the time required by law (typically 30–45 days).
- Marketing Opt-Out: Use the “unsubscribe” link in marketing emails or contact us.
- Cookies/Analytics/Ads: See Section 10 for cookie preferences and opt-out tools.
You also have the right to lodge a complaint with your local supervisory authority (EEA/UK).
8. Children’s Privacy
Our Services are not directed to children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact us to remove it.
For California residents, we do not sell or share personal information of consumers under 16 without affirmative authorization.
9. State-Specific Disclosures (United States)
A. California (CPRA) – Notice at Collection
We collect the following categories of personal information, for the purposes and retention periods described above: Identifiers (e.g., name, email, address), Commercial information (purchases), Internet activity (usage/cookie data), Geolocation (approximate), Inferences (limited personalization). We do not collect sensitive personal information for purposes of inferring characteristics.
- Sell/Share. We do not sell personal information. We do not share personal information for cross-context behavioral advertising unless explicitly stated in our Cookie/Consent banner. If sharing is enabled, you can opt out via the “Do Not Sell or Share My Personal Information” link and we honor Global Privacy Control (GPC) signals.
- Your CPRA rights: Know/Access, Delete, Correct, Opt-out of Sale/Share, Limit use of sensitive PI (not applicable here), Non-discrimination. Submit requests per Section 7.
- Shine the Light: We do not disclose personal information to third parties for their own direct marketing.
B. Other U.S. State Laws (VA/CO/CT/UT, etc.)
Where these laws apply, you may have rights similar to those listed in Section 7, including the right to opt out of targeted advertising and certain profiling. Use our cookie preferences or contact us.
10. Cookies, Analytics & Advertising
We use cookies and similar technologies for:
- Essential (e.g., keeping items in cart, account login),
- Performance/Analytics (e.g., understanding site usage),
- Functional (preferences),
- Advertising/Retargeting (where enabled and permitted).
Consent & Preferences. On your first visit (and periodically), we present a cookie banner. You can accept, reject non-essential, or manage categories at any time via Cookie Settings (link in footer). If you withdraw consent, it will not affect prior lawful processing.
Analytics. If we use Google Analytics, we configure IP anonymization where available. Opt-out options include browser add-ons and cookie preferences.
Advertising. If we use Meta Pixel/Google Ads or similar, they may collect or receive info from our Site to provide measurement and (where enabled) targeted ads. You can opt out through our Cookie Settings, ad-platform settings, and industry tools (e.g., NAI/DAA).
11. Do Not Track & Global Privacy Control
Some browsers offer Do Not Track (DNT) signals; there is no common standard. We currently respond to GPC (Global Privacy Control) where legally required. Use our Cookie Settings to manage preferences.
12. Automated Decision-Making
We do not use automated decision-making that produces legal or similarly significant effects on you. We may use limited profiling to personalize content/ads where permitted by law and with your consent.
13. Changes to This Policy
We may update this Policy from time to time. Material changes will be posted on this page with an updated “Last Updated” date. In certain cases, we may provide additional notice (e.g., email or banner).
14. Contact Us
- Email: xyluria@gmail.com