Privacy Policy

Effective Date: Last Modified:

This Privacy Policy describes how (the "Site", "Company", "we", "us", "our") collects, uses, and discloses your personal information when you visit, use our services, or make a purchase from the Company or otherwise communicate with us (collectively, the "Services"). For purposes of this Privacy Policy, "you" and "your" means you as the user of the Services, whether you are a customer, website visitor, or another individual whose information we have collected pursuant to this Privacy Policy.

Please read this Privacy Policy carefully. By using and accessing any of the Services, you agree to the collection, use, and disclosure of your information as described in this Privacy Policy. If you do not agree to this Privacy Policy, please do not use or access any of the Services.

1. Information We Process

We may collect or process the following types of information about you. The specific information we collect about you will vary depending on how you interact with us.

Contact information and personal identifiers, such as your name, address, email address, telephone number, and username or social media handle.
Device identifiers, such as information about your device like your MAC address, IP address, or other online identifiers.
Physical characteristics, such as your hair type and color, skin type, and eye color.
Biometric information, such as facial geometry if you use certain of our virtual try-on applications.
Commercial information, such as the products or services you have purchased, returned or considered, and your product preferences.
Payment information, such as your method of payment, digital currency wallet address, and payment card information.
Identity verification information, such as photo identification, loyalty member ID, and authentication information.
Online or network activity information, such as information regarding your interaction with our websites, mobile applications, digital properties, and advertisements.
Geolocation information, such as information that can help identify your physical location.
Audio and visual information, such as recordings of your voice when you call our customer service.
Professional or employment-related information, such as professional licenses or certifications.
User Content, such as your communications with us or any other content you provide.
Inferences drawn from or created based on any of the information identified above.

2. How We Collect Information

We may collect personal information about you from various sources. For example:

Directly from you, such as when you make a purchase on our website, contact us with a question or complaint, use one of our mobile applications, create an account, or register for one of our brand loyalty programs.
From your friends or family members, such as when your friend or family member sends you a gift or makes a referral.
When you interact with our website or emails — we may automatically collect information from your browser or device using technologies such as cookies, pixel tags, and similar technologies.
From our business partners and service providers, such as demographic companies, analytics providers, advertising companies and networks.
From social media platforms and networks, such as Facebook, Instagram, Twitter, Pinterest, and Google.

We keep the categories of personal data described in this Privacy Policy for as long as reasonably necessary to fulfill the purposes described or as otherwise legally permitted or required.

3. How We Use Information

We may use the information we have about you:

To provide products and services to you, such as fulfilling orders and processing payments, creating and maintaining your account or loyalty program membership.
To communicate with you, including to respond to your inquiries or complaints, and to help you place an order.
To administer your participation in special events, contests, sweepstakes, surveys or promotions.
For marketing and advertising, such as to send you postal mail, text messages, email, push notifications or other messages.
To operate and understand your use of our websites and mobile applications, such as to remember your information and evaluate and improve our services.
To operate and improve our business, including to conduct analytics, provide quality assurance, conduct research and development.
For legal and security purposes, such as to detect, prevent, and prosecute harmful, fraudulent, or illegal activity.

4. How We Share Information

We may share your personal information with:

Our Brands. When you interact with a Brand, we may share your personal information with other Brands for marketing, advertising and other purposes.
Our Subsidiaries and Affiliates on a need-to-know basis for the purposes identified in this Privacy Policy.
Service Providers who perform services on our behalf, such as entities that process credit card payments, fulfill orders, and provide hosting and analytics.
Parties to a corporate transaction in the event we sell or transfer all or a portion of our business or assets.
Advertising Companies, such as advertising networks, to serve advertisements on our behalf.
Other third parties if required by law, to law enforcement authorities, or when disclosure is necessary to prevent physical harm or financial loss.

5. How You Control Your Information

Data Subject Rights: Depending on local laws, you may have rights with respect to your personal information, including the right to request access, update, correct inaccuracies, or have the information deleted.
Marketing & Advertising Preferences: You can opt-out of receiving marketing communications by following the unsubscribe instructions or by contacting us.
Mobile Device & Browser Preferences: You can edit your location and push notification preferences using the settings on your device.
Cookie Preferences: You can set your browser to refuse all or some browser cookies or to alert you when these files are being sent.

6. How We Use Cookies

Like many websites, we use Cookies on our Site. Cookies are small text files that websites place on your Internet-connected device to uniquely identify your browser or to store information or settings in your browser which allows us to remember you when you come back to our websites and provide you with personalized experiences and advertisements.

We use different types of cookies on our websites, which may include strictly necessary cookies, performance cookies, functional cookies and targeting cookies. Most browsers automatically accept Cookies by default, but you can choose to set your browser to remove or reject Cookies through your browser controls.

Our websites are not designed to respond to "do not track" signals from browsers.

7. User Generated Content

The Services may enable you to post product reviews and other user-generated content. If you choose to submit user generated content to any public area of the Services, this content will be public and accessible by anyone.

We do not control who will have access to the information that you choose to make available to others, and cannot ensure that parties who have access to such information will respect your privacy or keep it secure.

8. Third Party Websites and Links

We may use, disclose or otherwise process your personal information to advertise our products and services in different ways, including targeted advertising. We work with third party advertising companies to serve advertisements on our behalf.

We also work with third-party platforms, including platforms operated by social networks, to show you advertisements or measure the effectiveness of our advertisements.

9. International Data Transfers

We are headquartered in the United States and may share your information with service providers and other recipients in the United States and worldwide. If you are located in a region with laws governing data collection and use that may differ from U.S. law, please note that we may transfer personal data to a country and jurisdiction that does not have the same data protection laws as your jurisdiction. We use appropriate transfer mechanisms where required.

10. How We Protect Information

We maintain administrative, technical, and physical safeguards designed to protect the personal information you provide against accidental, unlawful or unauthorized destruction, loss, alteration, access, disclosure, or use. We restrict access to personal information on a need-to-know basis to employees and authorized service providers who require access to fulfil their job requirements.

11. How Long We Retain Information

There are many factors that we use to determine how long personal information is retained, such as:

The purposes for which the personal information was collected, including to provide our products and services.
Your marketing preferences and how you engage with our Brands.
Any legal or regulatory requirements that apply to the personal information.
Whether the personal information may be relevant to us in protecting our own rights (e.g. applicable limitation periods).

12. Children's Data

The Services are not intended to be used by children, and we do not knowingly collect any personal information about children. If you are the parent or guardian of a child who has provided us with their personal information, you may contact us using the contact details set out below to request that it be deleted.

As of the Effective Date of this Privacy Policy, we do not have actual knowledge that we "share" or "sell" personal information of individuals under 18 years of age.

13. Security and Retention of Your Information

Please be aware that no security measures are perfect or impenetrable, and we cannot guarantee "perfect security." In addition, any information you send to us may not be secure while in transit. We recommend that you do not use unsecure channels to communicate sensitive or confidential information to us.

How long we retain your personal information depends on different factors, such as whether we need the information to maintain your account, to provide the Services, comply with legal obligations, resolve disputes or enforce other applicable contracts and policies.

14. Your Rights and Choices

Depending on where you live, you may have some or all of the rights listed below in relation to your personal information. However, these rights are not absolute, may apply only in certain circumstances and, in certain cases, we may decline your request as permitted by law.

Right to Access / Know. You may have a right to request access to personal information that we hold about you, including details relating to the ways in which we use and share your information.
Right to Delete. You may have a right to request that we delete personal information we maintain about you.
Right to Correct. You may have a right to request that we correct inaccurate personal information we maintain about you.
Right of Portability. You may have a right to receive a copy of the personal information we hold about you and to request that we transfer it to a third party.
Restriction of Processing. You may have the right to ask us to stop or restrict our processing of personal information.
Withdrawal of Consent. Where we rely on consent to process your personal information, you may have the right to withdraw this consent.
Appeal. You may have a right to appeal our decision if we decline to process your request by replying directly to our denial.
Managing Communication Preferences. We may send you promotional emails, and you may opt out of receiving these at any time by using the unsubscribe option displayed in our emails.

15. Updates to Our Privacy Policy

We reserve the right to revise this Privacy Policy from time to time. We will post changes on this page and indicate the "Effective Date" at the top of this page. Your continued use of our Services after any change in this Privacy Policy will constitute your acceptance of such change.

16. Complaints

If you have complaints about how we process your personal information, please contact us using the contact details provided below. If you are not satisfied with our response to your complaint, depending on where you live you may have the right to appeal our decision or lodge your complaint with your local data protection authority.

17. State Specific Disclosures

California Residents

This section applies solely to California residents and supplements our Privacy Policy above.

Collection and Disclosure of Personal Information

We may collect and disclose or may have collected and disclosed your personal information to certain categories of third parties, as described below.

Category	Disclosed to Third Parties
Contact information and personal identifiers	Our Brands, Our Subsidiaries and Affiliates, Service Providers, fraud detection providers, law enforcement authorities or other government officials where required or permitted by law.
Device Identifiers	Our Brands, Our Subsidiaries and Affiliates, Service Providers, fraud detection providers, law enforcement authorities or other government officials where required or permitted by law.
Demographic information	Our Brands, Our Subsidiaries and Affiliates, Service Providers, law enforcement authorities or other government officials where required or permitted by law.
Physical characteristics	Our Brands, Our Subsidiaries and Affiliates, Service Providers, law enforcement authorities or other government officials where required or permitted by law.
Biometric information	Service Providers.
Commercial information	Our Brands, Our Subsidiaries and Affiliates, Service Providers, fraud detection providers, law enforcement authorities or other government officials where required or permitted by law.
Payment information	Our Brands, Our Subsidiaries and Affiliates, Service Providers, fraud detection providers, law enforcement authorities or other government officials where required or permitted by law.
Identity verification information	Our Brands, Our Subsidiaries and Affiliates, Service Providers, fraud detection providers, law enforcement authorities or other government officials where required or permitted by law.
Online or network activity information	Our Brands, Our Subsidiaries and Affiliates, Service Providers, fraud detection providers, law enforcement authorities or other government officials where required or permitted by law.
Geolocation information	Our Brands, Our Subsidiaries and Affiliates, Service Providers, fraud detection providers, law enforcement authorities or other government officials where required or permitted by law.
Audio and visual information	Our Brands, Our Subsidiaries and Affiliates, Service Providers, law enforcement authorities or other government officials where required or permitted by law.
Professional or employment related information	Our Brands, Our Subsidiaries and Affiliates, Service Providers, law enforcement authorities or other government officials where required or permitted by law.
Health and medical information	Our Brands, Our Subsidiaries and Affiliates, Service Providers, law enforcement authorities or other government officials where required or permitted by law.
User Content	Our Brands, Our Subsidiaries and Affiliates, Service Providers, law enforcement authorities or other government officials where required or permitted by law.
Inferences	Our Brands, Our Subsidiaries and Affiliates, Service Providers, law enforcement authorities or other government officials where required or permitted by law.

Sale or Sharing of Personal Information

We do not sell or share your personal information for monetary consideration. Certain advertising practices may be considered a "sale" under California law. You have the right to opt out of these types of disclosures of your information.

Category	Sold to or Shared with Third Parties
Contact Information and personal Identifiers, Device identifiers, Online or network activity information, Commercial information, Inferences	Advertising companies, Our Brands.

Your Rights (California)

If you are a California resident, you have the right to:

Request, twice in a 12-month period, access to the personal information we have collected, used, disclosed, and sold or shared about you.
Deletion of the personal information we have collected from you (subject to certain exceptions).
Correction of the personal information we maintain about you, if that information is inaccurate.
Limitation of our use and disclosure of sensitive personal information used for inferring characteristics about you.
Opt-out of the sale of your personal information or sharing of your personal information for cross-context behavioral advertising purposes.

You can exercise your rights by contacting us at privacy@demtoes.com.

Colorado, Connecticut and Virginia Residents

This section applies solely to Colorado, Connecticut, and Virginia residents and supplements our Privacy Policy above.

If you are a Colorado, Connecticut, or Virginia resident, you have the right to request access to, or correction or deletion of, your personal information, or opt out of the processing of your personal information for targeted advertising purposes or the sale of your personal information.

You can exercise your rights by contacting us at privacy@demtoes.com.

Illinois Residents

This section applies solely to Illinois residents and supplements our Privacy Policy above. We may collect biometric information such as facial geometry if you use certain of our virtual try-on applications. We will retain biometric information only until the occurrence of the first of the following:

The initial purpose for collecting or obtaining such biometric information has been satisfied.
Three years following your last interaction with us.

Utah Residents

If you are a Utah resident, you have the right to request access to your personal information, request the deletion of personal information you have provided to us, opt-out of the processing of your sensitive information, or opt out of the processing of your personal information for targeted advertising purposes.

You can exercise your rights by contacting privacy@demtoes.com.

Florida Residents

Florida Civil Code Section § 1798.83 permits users of our Website that are Florida residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please send an email to privacy@demtoes.com.

18. Your Data Protection Rights Under the GDPR

Harborstone Strategic Holdings, Inc. is based in the United States. We make no claims that the Site or any of its content is accessible or appropriate outside of the United States. If you access the Site from outside the United States, you do so on your own initiative and are responsible for compliance with local laws. However, as a courtesy to the Users of our Website that are residents of the European Economic Area (EEA), we make sure to be compliant with the requirements thereof.

In certain circumstances, you have the following data protection rights:

The right to access, update or delete your information. You can access, update or request deletion of your Personal Information directly within your account settings. If you are unable to perform these actions yourself, please contact us to assist you.
The right of rectification. You have the right to have your information rectified if that information is inaccurate or incomplete.
The right to object. You have the right to object to our processing of your Personal Information.
The right of restriction. You have the right to request that we restrict the processing of your personal information.
The right to data portability. You have the right to be provided with a copy of the information we have on you in a structured, machine-readable and commonly used format.
The right to withdraw consent. You also have the right to withdraw your consent at any time where we previously relied on your consent to process your personal information.

Users who are residents of the European Economic Area (EEA) have the right to object to the Company processing their Personal Information based on legitimate interests, direct marketing (including profiling), and processing for scientific and/or historical research and statistics purposes.

19. Subject Access Requests as per the GDPR

Harborstone Strategic Holdings, Inc. is based in the United States. However, as a courtesy to the Users of our Website that are residents of the European Economic Area (EEA), we make sure to be compliant with the requirements thereof.

Users who are residents of the European Economic Area (EEA) may make subject access requests ("SARs") at any time to find out more about the Personal Information which the Company holds about them, what it is doing with that Personal Information, and why.

SARs should be addressed to us using the Contact Us Section of this Policy.
Responses to SARs shall normally be made within one month of receipt, however this may be extended by up to two months if the SAR is complex and/or numerous requests are made.
The Company does not charge a fee for the handling of normal SARs.
The Company reserves the right to charge reasonable fees for additional copies of information that has already been supplied, and for requests that are manifestly unfounded or excessive.

20. Data Breach Notification as per the GDPR

All Personal Information breaches must be reported immediately to the Company using the Contact Us Section. If a Personal Information breach occurs and that breach is likely to result in a risk to the rights and freedoms of Users, the Company must ensure that the Information Commissioner's Office is informed of the breach without delay, and in any event, within 72 hours after having become aware of it.

Data breach notifications shall include the following information:

The categories and approximate number of Users concerned.
The categories and approximate number of Personal Information records concerned.
The name and contact details of the Company's authorized representative.
The likely consequences of the breach.
Details of the measures taken, or proposed to be taken, by the Company to address the breach including measures to mitigate its possible adverse effects.

21. Lawful, Fair, and Transparent Data Processing as per the GDPR

The GDPR seeks to ensure that Personal Information is processed lawfully, fairly, and transparently, without adversely affecting the rights of the User. The GDPR states that processing of Personal Information shall be lawful if at least one of the following applies:

The User has given consent to the processing of their Personal Information for one or more specific purposes.
The processing is necessary for the performance of a contract to which the User is a party.
The processing is necessary for compliance with a legal obligation to which the data controller is subject.
The processing is necessary to protect the vital interests of the User or of another natural person.
The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.
The processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the fundamental rights and freedoms of the User.

If the Personal Information in question is "special category data" (also known as "sensitive Personal Information"), at least one of the following conditions must be met:

The User has given their explicit consent to the processing of such data for one or more specified purposes.
The processing is necessary for the purpose of carrying out the obligations and exercising specific rights of the data controller or of the User in the field of employment, social security, and social protection law.
The processing is necessary to protect the vital interests of the User or of another natural person where the User is physically or legally incapable of giving consent.
The processing relates to Personal Information which is clearly made public by the User.
The processing is necessary for the conduct of legal claims or whenever courts are acting in their judicial capacity.
The processing is necessary for substantial public interest reasons, on the basis of EU or EU Member State law.
The processing is necessary for the purposes of preventative or occupational medicine, medical diagnosis, or the provision of health or social care.
The processing is necessary for public interest reasons in the area of public health.
The processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes.

22. Erasure of Users' Personal Information as per the GDPR

If you are a resident of the European Economic Area (EEA), you have the right to request that the Company erases the Personal Information it holds about you in the following circumstances:

It is no longer necessary for the Company to hold that Personal Information with respect to the purpose(s) for which it was originally collected or processed.
The User wishes to withdraw their consent to the Company holding and processing their Personal Information.
The User objects to the Company holding and processing their Personal Information and there is no overriding legitimate interest to allow the Company to continue doing so.
The Personal Information has been processed unlawfully.
The Personal Information needs to be erased in order for the Company to comply with a particular legal obligation.

Unless the Company has reasonable grounds to refuse to erase Personal Information, all requests for erasure shall be complied with, and the User informed of the erasure, within one month of receipt of the User's request.

23. Rectification of Users' Data as per the GDPR

If you are a resident of the European Economic Area (EEA), you have the right to request that the Company rectify the Personal Information it holds about you in the following circumstances:

Users have the right to require the Company to rectify any of their Personal Information that is inaccurate or incomplete.
The Company shall rectify the Personal Information in question, and inform the User of that rectification, within one month of the User informing the Company of the issue.
In the event that any affected Personal Information has been disclosed to third parties, those parties shall be informed of any rectification that must be made.

24. Contact Us

Please contact us with any questions or comments about this Privacy Policy at:

Harborstone Strategic Holdings, Inc.

8 The Green, Suite A, Dover, DE 19901

privacy@demtoes.com