PRIVACY POLICY
Last Updated: May 7, 2026 · Effective: May 7, 2026
Xposed Designs LLC (“we,” “our,” or “us”) respects your privacy. This Privacy Policy explains what information we collect, how we use it, who we share it with, and the choices and rights you have. It applies to xposeddesigns.com, shop.xposeddesigns.com, and any related services we operate (the “Site”). By using the Site you agree to this Policy. If you do not agree, please do not use the Site.
1. Information We Collect
a. Information you give us
- Name, email address, phone number, and shipping/billing addresses.
- Order details, purchase history, and product preferences.
- Messages, support inquiries, and reviews you submit.
- Marketing preferences, including SMS and email opt-ins.
- Payment information is collected and processed by our payment processors (Shopify Payments, PayPal, and Stripe). We do not store full credit-card numbers on our systems.
b. Information we collect automatically
- Device and browser data: IP address, user agent, operating system, device type, language, and time zone.
- Usage data: pages viewed, products viewed and purchased, search queries, links clicked, referring URLs, session duration.
- Cookies, pixels, local storage, and similar technologies (see Section 5).
- Approximate location derived from IP address.
c. Information from third parties
- Order, fulfillment, and fraud-screening data from Shopify.
- Engagement data from email and SMS providers when you open or click our messages.
- Public profile information when you log in or sign up via a connected account (where offered).
2. How We Use Your Information
We use your information to:
- Process and fulfill your orders, including payment, shipping, returns, and customer service.
- Send transactional messages (order confirmations, shipping updates, refund notices).
- Send marketing emails or text messages when you opt in, and let you opt out at any time.
- Operate, secure, debug, and improve the Site, including analyzing performance and diagnosing errors.
- Personalize content, product recommendations, and offers.
- Detect, prevent, and respond to fraud and abuse.
- Comply with legal obligations and enforce our Terms of Service.
We rely on the following legal bases (where GDPR or similar laws apply): performance of a contract (orders), consent (marketing, non-essential cookies), legitimate interests (security, fraud prevention, basic analytics), and legal obligation.
3. Service Providers and Categories of Recipients
We share information with the service providers below to operate the Site. Each is contractually required to handle your information consistent with this Policy.
| Provider | Purpose | Data shared | Privacy policy |
|---|---|---|---|
| Shopify Inc. | Storefront hosting, checkout, order management, fraud screening | Identifiers, contact info, order data, device data | shopify.com |
| Vercel Inc. | Web hosting, edge delivery, performance metrics | IP, device data, request metadata | vercel.com |
| Google LLC (Google Analytics 4) | Site analytics | Pseudonymous identifiers, device data, page views; IP-anonymized | google.com |
| Meta Platforms, Inc. (Meta Pixel) | Advertising and conversion measurement | Pseudonymous identifiers, page views, add-to-cart and purchase events | facebook.com |
| Klaviyo, Inc. | Email and SMS marketing, behavioral profiles for marketing | Email, phone, name, browsing and purchase events | klaviyo.com |
| Functional Software, Inc. (Sentry) | Error monitoring and limited session-replay-on-error | Error metadata, sanitized DOM snapshots (text masked, media blocked), pseudonymous fingerprint | sentry.io |
| Judge.me Pty Ltd. | Product reviews | Name, email, review content, order verification | judge.me |
| Resend, Inc. | Transactional email delivery | Email, message content | resend.com |
| Shopify Payments / Stripe Inc. / PayPal, Inc. | Payment processing | Payment card details, billing address, transaction data | Shopify, Stripe, PayPal policies |
| Shipping carriers (USPS, UPS, FedEx, DHL) | Order delivery | Name, shipping address, contact info | Carrier policies |
We may also disclose information when required by law, to enforce our rights, to investigate fraud, or in connection with a corporate transaction.
4. Sharing for Cross-Context Behavioral Advertising (“Sale” / “Share”)
Some of the partners above — specifically Meta Pixel and, depending on your settings, Google Analytics 4 — may use information collected on the Site to serve advertising on other sites and apps. Under California, Colorado, Connecticut, Texas, Virginia, Oregon, and similar U.S. state privacy laws, this is treated as “sharing” for cross-context behavioral advertising and may be treated as a “sale” of personal information.
We do not sell your information for monetary consideration. We do, however, share limited information with advertising partners for the purposes described above. You can opt out at any time:
- Click “Your Privacy Choices” in the Site footer.
- Enable Global Privacy Control in your browser; we will treat that as an opt-out automatically.
- For California residents: see Section 9.
We do not knowingly share personal information of consumers we know to be under 16 for cross-context behavioral advertising.
5. Cookies and Tracking Technologies
We use the following categories of cookies and similar technologies:
- Strictly necessary — required for the Site to function (cart, checkout, login, security). These cannot be turned off.
- Functional — remember your preferences (theme, region, recently viewed).
- Analytics — help us understand how the Site is used (Google Analytics 4, Vercel Speed Insights). Loaded only with consent or in a privacy-preserving “consent-denied” mode that does not set advertising identifiers.
- Marketing / Advertising — measure ad effectiveness and enable personalized advertising (Meta Pixel, Klaviyo). Loaded only with consent.
You can manage these categories at any time via the “Your Privacy Choices” link in the footer. You can also block or delete cookies through your browser, though doing so may affect how the Site works. A current cookie list with names, purposes, and durations is available at /legal/cookies.
6. Marketing Communications
We send marketing email only after you opt in. Every marketing email includes an unsubscribe link. You can also email support@xposeddesigns.com to be removed.
SMS
We send SMS marketing only after you provide your mobile number and explicitly check the SMS consent box. Standard message and data rates apply. Message frequency varies. Reply STOP to cancel; reply HELP for help. SMS consent is not a condition of purchase. Our SMS practices are governed by the Telephone Consumer Protection Act (TCPA) and Klaviyo's SMS terms.
7. Data Retention
We keep personal information only as long as necessary for the purposes described in this Policy. Typical retention periods:
- Order and transaction records — 7 years (U.S. tax and accounting requirements).
- Customer accounts — until you request deletion or until 3 years of inactivity have passed, whichever comes first.
- Marketing data (Klaviyo profiles) — until you opt out, then up to 30 days for suppression-list purposes.
- Analytics data (Google Analytics 4) — 14 months at the user-and-event level (GA4 default), longer at aggregated level.
- Support tickets and email logs — 3 years.
- Error logs and Sentry data — 90 days.
When data is no longer needed we delete or de-identify it.
8. Your Rights
Depending on where you live you may have the following rights with respect to your personal information:
- Access — request a copy of the information we hold about you.
- Correction — ask us to correct inaccurate or incomplete information.
- Deletion — ask us to delete your information, subject to legal exceptions.
- Portability — receive your information in a portable format.
- Opt-out of marketing — at any time, via the unsubscribe link or contact below.
- Opt-out of “sale” / “sharing” for cross-context behavioral advertising — see Section 9.
- Limit use of sensitive personal information (California).
- Withdraw consent where we rely on consent (EEA / UK / Quebec).
- Lodge a complaint with your data-protection authority.
To exercise these rights, email privacy@xposeddesigns.com or use our contact page. We will respond within 45 days for U.S. requests and within 30 days for GDPR/UK requests, with extensions where the law allows.
We may need to verify your identity before fulfilling a request — typically by confirming control of the email address on file, or by matching information against a recent order. You may use an authorized agent in California; we will require written authorization and identity verification.
9. California Residents (CCPA / CPRA)
In addition to the rights in Section 8, California residents have the following:
- Right to know the specific pieces and categories of personal information collected, the sources, the business purposes, and the categories of recipients.
- Right to opt out of the sale or sharing of personal information. Use the “Your Privacy Choices” link in the footer or enable Global Privacy Control.
- Right to limit use of sensitive personal information. We do not use sensitive personal information for purposes that would trigger this right.
- Right to non-discrimination — we will not deny service, charge a different price, or provide a different quality of service because you exercised a privacy right.
Categories collected (CCPA §1798.140): identifiers, customer records, commercial information, internet activity, geolocation (approximate), and inferences drawn from these categories. We do not knowingly collect biometric or precise geolocation data.
Sources: you, your device, our service providers, and our advertising partners.
Business purposes: order fulfillment, security and fraud prevention, analytics, advertising, and legal compliance (CCPA §1798.140(e)).
Sold/shared categories (last 12 months): identifiers and internet activity, with Meta and Google for cross-context behavioral advertising. Not sold: sensitive personal information, government IDs, health or financial account data.
To submit a verifiable consumer request, email privacy@xposeddesigns.com. We do not charge a fee unless your request is manifestly unfounded or excessive.
10. EEA / UK / Switzerland Residents
If you are in the European Economic Area, the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) and corresponding laws apply.
- Controller: Xposed Designs LLC, Orlando, Florida, USA.
- Legal bases: see Section 2.
- International transfers: when we transfer your information from your jurisdiction to the United States or other countries, we rely on the European Commission's Standard Contractual Clauses (SCCs) with our service providers and, where required, supplementary measures.
- Right to lodge a complaint: with your local supervisory authority. A list is available at edpb.europa.eu.
11. Children's Privacy
The Site is not directed to children under 13, and we do not knowingly collect personal information from children under 13 in the United States or under 16 in the EEA/UK. If you believe a child has provided us with personal information, please contact us and we will delete it.
12. Data Security
We use commercially reasonable administrative, technical, and physical safeguards to protect personal information. These include encryption in transit (TLS), encryption at rest with our hosted providers, access controls, authentication requirements for staff, and regular review of vendor security practices. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.
13. Third-Party Links and Plugins
The Site may link to third-party sites or embed third-party content (e.g., social-media share buttons, embedded videos). Those third parties operate under their own privacy policies. We are not responsible for their practices.
14. Changes to This Policy
We may update this Policy from time to time. When we make material changes we will revise the “Last Updated” date and, where required, notify you by email or a banner on the Site. Continued use of the Site after a change indicates acceptance. A change log is maintained at the bottom of this page.
15. Contact
Xposed Designs LLC
Orlando, Florida, USA
Email: privacy@xposeddesigns.com
General contact: xposeddesigns.com/contact
Change Log
- 2026-05-07. Revision. Disclosed individual processors (GA4, Meta Pixel, Klaviyo, Sentry, Judge.me, Resend, Vercel). Added CCPA/CPRA “Your Privacy Choices” mechanism and GPC honoring. Added concrete retention periods. Added GDPR section with SCCs reference. Clarified SMS / TCPA. Added CPRA-accurate “share” language for advertising partners.
- 2025-11-25. Initial policy.