Privacy Policy

Last updated: October 28, 2025
Applies to: https://milkytallow.com and any sub‑pages, checkout, customer accounts, email/SMS sign‑ups, and in‑person market sign‑ups operated by Milky Tallow (the “Site”).

We are based in British Columbia, Canada. This Privacy Policy explains how we collect, use, disclose, and protect personal information under BC’s Personal Information Protection Act (PIPA). Where applicable, we also outline additional rights for residents of the EU/EEA/UK (GDPR/UK GDPR) and California, USA (CCPA/CPRA).

1) Who we are & how to contact us

Controller/Business: Milky Tallow
Privacy contact (position): Privacy Officer
Email: privacy@milkytallow.com
Mailing address: PO BOX 99900 RZ 515 746, RPO CAMERON, BURNABY BC V3J 0C8, Canada

If you have questions or want to exercise your privacy rights, email us (see §13/§17/§18).

2) Scope

This policy covers personal information we collect:

  • On the Site (including checkout and customer accounts)
  • Via email or SMS sign‑ups and our social media lead forms
  • At local markets/pop‑ups when you provide information to us
  • Through customer service channels (email, chat, contact forms)
  • Via cookies and similar technologies on the Site

This policy does not cover websites, apps, or services we do not control. When you follow external links (e.g., Instagram, TikTok, Etsy), their privacy policies apply.

3) What we collect

A) Information you provide directly

  • Identity & contact: name, email, shipping/billing addresses.
  • Account data: username, password, order history, saved addresses, preferences.
  • Order details: items purchased, payment method (tokenized references only), delivery notes, transaction totals and taxes.
  • Marketing choices: your consent/opt‑in status and unsubscribe/opt‑out actions.
  • Support messages: enquiries you send us (including photos for damage/returns claims).

B) Information collected automatically (cookies/SDKs)

  • Technical data: IP address, device/browser type, OS, time zone, pages viewed, referring/exit URLs, page interactions.
  • Shopping session data: cart contents, session ID, CSRF tokens, sign‑in state.
  • Basic analytics: aggregated activity to understand Site use (we do not run third‑party advertising cookies at this time; see §6).

C) Information from third parties

  • Payment processors: confirmation of payment status (we do not receive or store full card numbers).
  • Shipping partners: tracking events and delivery confirmations.
  • Marketing/analytics partners (if enabled later): campaign performance and attribution data.

We do not intentionally collect sensitive personal information (e.g., government IDs, health data) and we do not knowingly collect data from children (see §14).

4) Why we use your information (purposes)

We use personal information to:

  1. Sell and deliver products: process orders, take payment, ship, and handle returns.
  2. Operate & secure the Site: maintain accounts, authenticate users, prevent fraud/abuse, troubleshoot.
  3. Customer support: answer questions, process warranty/recall notices, and send order updates.
  4. Marketing with consent: send email/SMS newsletters and offers; measure campaign performance. You can opt out at any time.
  5. Analytics & improvement: understand how the Site is used and improve products/content.
  6. Legal & compliance: keep tax/transaction records, comply with lawful requests, and enforce our terms.

5) Legal bases we rely on

  • BC/Canada (PIPA): consent (express or implied), reasonable purposes, and other grounds permitted by law. You may withdraw consent at any time (see §13), subject to legal/contractual limits.
  • EU/EEA/UK (if you purchase from the EU/UK): contract (to fulfil your order), consent (for marketing/cookies where required), and legitimate interests (fraud prevention, Site security, basic analytics). You may object where we rely on legitimate interests.
  • California (if you reside there): we process personal information as a “business.” See §17 for your rights and opt‑out choices.

6) Cookies & similar technologies

We use first‑party cookies necessary for security, session management, and checkout. Typical WooCommerce/WordPress cookies include cart and session identifiers and sign‑in state cookies. We may use basic analytics to understand performance and improve the Site.
Advertising cookies: we do not use third‑party advertising cookies or cross‑site tracking pixels at this time. If we enable them later, we will update this policy and provide any required opt‑outs.

Managing cookies: You can manage cookies via your browser settings and (where available) our cookie banner. Disabling certain cookies may impact Site features like checkout and login.

7) Do we sell or share your information?

We do not sell personal information. We also do not share personal information for cross‑context behavioural advertising as defined by some laws (e.g., CPRA). If this changes, we will provide a “Do Not Sell or Share My Personal Information” link and honour applicable opt‑out signals.

8) Retention

We keep personal information only as long as needed for the purposes in §4 and to satisfy legal, accounting, or tax requirements. Examples:

  • Orders & invoices: at least 7 years (tax record‑keeping).
  • Customer accounts: until you request deletion or after prolonged inactivity per our internal schedule.
  • Marketing consent records: while you subscribe plus a reasonable period to prove compliance.
  • Support tickets/claims: as long as needed to resolve the matter and for legal purposes.
    When data is no longer needed, we securely delete or anonymize it.

9) Sharing with service providers (processors)

We use service providers who process personal information on our behalf and under contract, including:

  • E‑commerce platform & hosting: WordPress + WooCommerce; web hosting and backups (currently a Canadian‑operated or international provider).
  • Payment processing: PCI‑DSS compliant providers process card transactions; we do not store full card numbers.
  • Email/SMS (if enabled): platforms that send newsletters/alerts on our behalf.
  • Analytics (if enabled): privacy‑respecting analytics to understand Site performance.
  • Shipping & logistics: carriers and fulfilment partners (e.g., Canada Post; international carriers when needed).
    We restrict access to personal information to personnel and vendors with a need to know. Processors must implement appropriate safeguards and may not use personal information for their own purposes.

10) International transfers

Some service providers are located outside Canada (e.g., in the United States or EU). Personal information may therefore be processed and stored in other jurisdictions, where it may be available to foreign courts, law enforcement, and national security authorities. Where required, we use appropriate safeguards (e.g., contractual commitments) for cross‑border transfers.

11) Security

We employ administrative, technical, and physical safeguards appropriate to the sensitivity of the information, including encrypted transport (HTTPS), role‑based access, strong passwords/MFA for admin accounts, least‑privilege access, and regular updates. No method of transmission or storage is 100% secure; risks remain online. Use unique, strong passwords and keep devices updated.

12) Your choices

  • Marketing opt‑out: unsubscribe links in emails; reply STOP for SMS (where available).
  • Cookies: adjust browser settings or, where available, use our cookie banner.
  • Account: sign in to update your profile and saved addresses.
  • Tracking & advertising: as noted, we do not run third‑party ad cookies/pixels at this time.

13) Your rights (BC/Canada)

Subject to legal limits, you may request to access and correct your personal information and withdraw consent to our use/disclosure of your personal information. We may require reasonable verification of your identity and may refuse requests where permitted by law (we will explain why). To exercise rights, contact us (see §1).

14) Children’s privacy

Our Site and products are intended for adults and are not directed to children under 13. We do not knowingly collect personal information from children. If you believe a child under 13 has provided personal information, please contact us so we can delete it. For EU/UK residents, our Site is not directed to children under 16.

15) Automated decision‑making / profiling

We do not engage in automated decision‑making that produces legal or similarly significant effects. If this changes, we will update this policy and describe the logic and consequences and the rights available to you.

16) Changes to this Policy

We may update this policy from time to time. The “Last updated” date will change, and material changes will be highlighted for at least 30 days. If changes materially affect existing consents, we will ask you to re‑consent where required by law.

17) Regional addenda

A) EU/EEA & UK residents

If you are in the EU/EEA or UK and purchase from us, you have rights under GDPR/UK GDPR, including: access, rectification, erasure, restriction, portability, objection, and the right not to be subject to certain automated decisions. Our main legal bases are contract, consent, and legitimate interests (fraud prevention, Site security, basic analytics).
Controller: Milky Tallow (see §1).
Transfers: We may transfer personal information outside the EEA/UK; where required, we use appropriate safeguards (e.g., standard contractual clauses).
Complaints: EU residents may complain to their local supervisory authority; UK residents to the ICO.

B) California residents (CCPA/CPRA)

We do not sell or share personal information for cross‑context behavioural advertising. If we enable advertising cookies/pixels in the future, we will provide a “Do Not Sell or Share My Personal Information” link and honour opt‑out preference signals (such as Global Privacy Control) as required.
Your rights include: to know (categories and specific pieces), to delete, to correct, to opt‑out of sale/share, to limit use of sensitive personal information (we do not collect SPI), and non‑discrimination for exercising rights. To exercise: see §1.

18) Complaints

If you are not satisfied, you may contact:

  • Milky Tallow Privacy Officer: privacy@milkytallow.com.
  • British Columbia OIPC: Office of the Information and Privacy Commissioner for BC, PO Box 9038 Stn. Prov. Govt., Victoria BC V8W 9A4, Phone: (250) 387‑5629, Email: info@oipc.bc.ca.
  • Office of the Privacy Commissioner of Canada (federal matters): https://www.priv.gc.ca/

19) Identity verification & authorized agents

For privacy requests, we will verify your identity using information already on file (e.g., email verification and order ID). Authorized agents may submit requests with proof of authorization and identity. We do not disclose full payment card numbers at any time.

20) Short‑form privacy notice (for checkout/sign‑ups)

Privacy at a glance — We collect your information to fulfil orders, support you, and—only with your consent—send marketing. We don’t sell your information. Unsubscribe anytime. Read the full policy at milkytallow.com/privacy‑policy.

Version history

  • v1.0 — October 28, 2025 — Initial comprehensive policy for BC/Canada with EU/UK and California addenda; role‑based contact, no phone number, PO Box mailing address.