Sweet Aurora Privacy Policy
Effective Date: December 26th 2025
Last Updated: December 26th 2025
Welcome to Sweet Aurora. Protecting your privacy is fundamental to our operations — this policy details every aspect of how we handle your information, with strict compliance to global privacy laws (including the EU General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA/CPRA), and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)). By interacting with our website or communicating with us, you acknowledge and consent to the practices below.
1. Information We Collect: Zero Unnecessary Data (Minimization Principle)
We collect only the minimum information required to fulfill your requests — we do NOT collect or store sensitive personal information (e.g., financial data, health data, government-issued IDs, biometrics).
1.1 Personal Information (Voluntary Only)
Collected only when you initiate contact (e.g., “Contact Us” inquiries):
- Full name (if you provide it)
- Email address (required to respond to your message)
- Any additional details you voluntarily include in your inquiry (e.g., product questions)
1.2 Non-Personal/Anonymous Information
Collected only to improve site functionality (cannot be linked to your identity):
- Browser type/version
- Device type (e.g., smartphone, laptop)
- Pages visited on our site (and time spent on each)
- Referral source (e.g., how you found our site)
- IP address (anonymized immediately — we do not store full IP addresses)
2. How We Use Your Information: Strict Purpose Limitation
We use your information only for the specific purpose you provided it for — we never use it for unrelated or secondary purposes without your explicit consent.
2.1 Permitted Uses
- Responding to inquiries: Using your email/name to reply to your questions, provide product information, or address your requests.
- Site improvement: Using anonymous usage data to fix technical issues, optimize page layout, or add content relevant to visitors.
- Legal compliance: Using/storing information only as required by law (e.g., retaining email records to comply with tax/regulatory obligations — we will notify you if this applies).
2.2 Prohibited Uses (Explicitly Ruled Out)
We will never use your information for:
- Marketing, advertising, or promotional communications (even if you provide contact details)
- Selling, renting, or trading to third parties (for any purpose)
- Profiling or targeting you with personalized content
- Sharing with affiliates, partners, or other businesses (except as required by law)
3. Data Storage: Limited Retention & Secure Systems
We minimize how long we keep your information — and store it only in secure environments.
3.1 Retention Periods
- Personal information (e.g., email inquiries): Retained for 90 days after we resolve your request. After 90 days, we permanently delete your name, email, and message content from our systems.
- Anonymous usage data: Retained for 12 months (then aggregated into non-identifiable statistics and deleted).
- Legal exceptions: If required by law to retain information longer, we will:
  - Notify you in writing (via email) of the legal obligation
  - Limit retention to the shortest period required by law
  - Delete the information immediately once the obligation ends
3.2 Storage Security
Your information is stored:
- On encrypted servers (AES-256 encryption) hosted by a GDPR/CCPA-compliant provider (e.g., AWS, Google Cloud)
- Accessible only to authorized Sweet Aurora staff (who sign confidentiality agreements)
- Protected by multi-factor authentication (MFA) and regular security audits
- Backed up only to encrypted storage (with backup files deleted in line with retention periods)
4. Third-Party Services: Strict Vendor Oversight
We use only two types of third-party tools — and only if they meet our strict privacy standards.
4.1 Permitted Third Parties
- Analytics tools (e.g., Google Analytics): Configured to collect only anonymous data (no personal information is shared). These tools are contractually required to:
  - Not use your data for their own purposes
  - Comply with all applicable privacy laws
  - Delete data in line with our retention periods
- Email providers (e.g., Gmail, Outlook): Used only to send/receive your inquiries. These providers are required to:
  - Encrypt all email communications (TLS 1.3)
  - Not scan your messages for advertising or data mining
  - Comply with our retention/deletion policies
4.2 Vendor Accountability
We:
- Conduct annual privacy audits of all third-party vendors
- Terminate vendors immediately if they violate privacy requirements
- Notify you within 72 hours if a vendor experiences a data breach that affects your information
5. Cookies & Tracking Technologies: No Tracking, Only Essentials
We use only essential, non-tracking cookies — no marketing, targeting, or third-party cookies.
5.1 Cookie Details
- Essential cookies: Used only to enable basic site functionality (e.g., remembering if you’ve dismissed a notice). These cookies:
  - Expire when you close your browser
  - Do not collect personal information
  - Cannot be used to track you across sites
- No other cookies: We do NOT use performance, marketing, or social media cookies. You can disable even essential cookies in your browser settings (this will not break site functionality).
6. Data Breach Response: Transparent & Fast
We have a documented breach response plan to protect you if your information is compromised.
6.1 Breach Notification
If a breach affects your personal information:
- We will notify you via email within 72 hours of discovering the breach
- We will provide details (e.g., what information was exposed, steps we’re taking to fix it)
- We will offer free credit monitoring (if applicable, e.g., in the US/Canada)
- We will report the breach to relevant regulators (as required by law)
6.2 Breach Mitigation
We will:
- Immediately secure the affected system to prevent further exposure
- Conduct a full investigation to identify the cause
- Implement fixes to prevent future breaches
- Update this policy to reflect any changes to our security practices
7. Your Rights: Comprehensive & Easy to Exercise
You have extensive rights over your information — we make it free and simple to exercise them.
7.1 Global Rights (Applicable to All Users)
- Access: Request a complete copy of all personal information we hold about you (we will provide it in a readable format, e.g., PDF).
- Correction: Request correction of inaccurate, incomplete, or outdated information.
- Deletion: Request permanent deletion of your personal information (we will confirm deletion in writing).
- Restriction: Request that we stop using your information (e.g., if you dispute its accuracy).
- Data portability: Request a copy of your information in a machine-readable format (e.g., CSV) (if applicable).
7.2 Regional Rights (e.g., EU/California)
- Opt-out of data collection: Request that we stop collecting any information about you (we will disable analytics for your visits).
- Non-discrimination: We will not treat you differently (e.g., deny access to our site) if you exercise your privacy rights.
7.3 How to Exercise Rights
Email lighttreat@sweetaurorathera.com with:
- Your full name (if you provided it)
- The right you wish to exercise
- Any details to help us locate your information (e.g., the subject line of your inquiry)
We will respond within 10 business days (faster than legal requirements) — and will not charge you for any request.
8. Changes to This Policy: Full Transparency
We will update this policy only if required by law or to improve privacy protections.
- Notification of changes: If we make significant changes (e.g., expanding data collection), we will:
  - Post the updated policy on this page (with a new “Last Updated” date)
  - Email all users whose information we hold to notify them of the changes
- Archive of old policies: We will keep a copy of all previous policy versions on our site for 3 years.
9. Contact Us
For questions, concerns, or to exercise your privacy rights:
- Email: lighttreat@sweetaurorathera.com
- Response time: 10 business days (or faster for urgent requests)
