Privacy Policy
Last updated: June 21, 2026
TEMPLATE / NOT LEGAL ADVICE. This Privacy Policy is a customizable template for pieceofstass.com. It is not legal advice. Complete all [PLACEHOLDERS] and have a licensed attorney (and, where required, a qualified data-protection adviser) review it before publishing. Privacy laws change; verify all references are current as of your launch date. If you process EU/UK personal data at scale you may need a Data Protection Officer and/or an EU/UK representative — confirm with counsel.
Privacy Policy
Effective Date: [EFFECTIVE DATE]
Last Updated: June 21, 2026
This Privacy Policy explains how Piece of Stass LLC ("Piece of Stass," "we," "us," or "our") collects, uses, discloses, and protects personal information when you visit pieceofstass.com (the "Site"), make a purchase, or otherwise interact with us. It also describes your privacy rights and how to exercise them.
For the purposes of the EU/UK General Data Protection Regulation (GDPR/UK GDPR), Piece of Stass is the data controller of your personal data. Our contact details are in Section 14.
1. Scope
This Policy applies to personal information we process about visitors, customers, and others who interact with the Site. It does not apply to third-party websites or services we link to, which have their own privacy policies.
2. Personal Information We Collect
We collect the following categories of personal information:
2.1 Information you provide directly
- Identity & contact data: name, email address, phone number, shipping and billing addresses.
- Order data: products purchased, order value, transaction history.
- Account data: username, password (stored hashed), preferences.
- Communications: messages you send us (support tickets, emails, chat), and reviews or other User Content.
- Marketing preferences: email and SMS opt-in status.
2.2 Payment information
- Payment card and billing details are collected and processed directly by our payment processor, Stripe, Inc. We do not store full card numbers on our servers. We receive limited transaction data (e.g., confirmation, last four digits, billing ZIP).
2.3 Information collected automatically
When you use the Site, we and our service providers automatically collect:
- Device & technical data: IP address, browser type, operating system, device identifiers, language.
- Usage data: pages viewed, referring/exit pages, clicks, time on page, search terms.
- Cookies & similar technologies: see our Cookie Policy.
2.4 Information from advertising & analytics partners
We use the following tools, which may set identifiers and receive event data (including hashed identifiers) about your interactions:
| Provider | Tool | Purpose |
| --- | --- | --- |
| Meta Platforms | Meta Pixel & Conversions API (CAPI) | Ad measurement, conversion tracking, audience building |
| TikTok | TikTok Pixel & Events API | Ad measurement, conversion tracking, audience building |
| Google | Google Analytics 4 (GA4) | Website analytics and measurement |
| Klaviyo | Klaviyo | Email/SMS marketing, automation, on-site tracking |
| Stripe | Stripe | Payment processing, fraud prevention |
| Cloudflare | Cloudflare | Security, bot mitigation, content delivery |
Server-side tools such as Meta CAPI and the TikTok Events API may transmit event data (including hashed email or phone, where you have provided it) directly from our servers to the platform to improve measurement. Where required, this occurs only with your consent (see Sections 6 and 9).
2.5 Sensitive information
We do not intentionally collect "sensitive" personal information (e.g., government IDs, precise geolocation, racial/ethnic data, health data). Please do not submit such information to us.
3. How We Use Personal Information (Purposes & Legal Bases)
We use personal information for the purposes below. Where GDPR/UK GDPR applies, the corresponding legal basis is indicated.
| Purpose | Examples | GDPR Legal Basis |
| --- | --- | --- |
| Fulfill orders | Process payments, ship products, send order/transactional emails, handle returns | Performance of a contract (Art. 6(1)(b)) |
| Customer service | Respond to inquiries, resolve disputes | Contract / Legitimate interests (Art. 6(1)(f)) |
| Account management | Maintain your account and order history | Contract |
| Marketing | Send promotional emails/SMS, run and measure ad campaigns (Meta, TikTok, Google) | Consent (Art. 6(1)(a)) where required; otherwise Legitimate interests |
| Analytics & improvement | Understand Site usage, improve products and UX | Consent (for non-essential cookies) / Legitimate interests |
| Security & fraud prevention | Detect and prevent fraud, abuse, and security incidents | Legitimate interests / Legal obligation |
| Legal compliance | Tax, accounting, regulatory, and recordkeeping | Legal obligation (Art. 6(1)(c)) |
We do not use personal information for automated decision-making that produces legal or similarly significant effects.
4. How We Share Personal Information
We share personal information only as described below. We do not sell your personal information for money. Certain advertising activities (e.g., use of Meta/TikTok pixels and CAPI for cross-context behavioral advertising) may be considered a "sale" or "sharing" under the CCPA/CPRA — see Section 9 for your opt-out rights.
We disclose personal information to:
- Service providers / processors who perform services on our behalf, including: payment processing (Stripe), email/SMS marketing (Klaviyo), analytics (Google), advertising/measurement (Meta, TikTok), hosting and security (Cloudflare and [hosting provider, e.g., Shopify]), and fulfillment/shipping partners and suppliers (including overseas dropship suppliers, who receive the shipping name and address needed to deliver your order).
- Advertising partners (Meta, TikTok, Google) for measurement and audience purposes, subject to consent where required.
- Professional advisers (lawyers, accountants, auditors) under confidentiality.
- Authorities and others where required by law, to enforce our Terms, to protect rights and safety, or in connection with a merger, acquisition, financing, or sale of assets.
We require service providers to process personal information only for the purposes we specify and under appropriate contractual safeguards (including GDPR Article 28 data processing terms where applicable).
5. Cookies & Similar Technologies
We use cookies, pixels, SDKs, and local storage to operate the Site, remember preferences, analyze usage, and deliver advertising. For detailed information and your choices, see our Cookie Policy. Where required (EU/UK), non-essential cookies are set only after you provide consent via our consent management platform (CMP).
6. Marketing Communications
6.1. Email. With your consent or as otherwise permitted, we may send promotional emails via Klaviyo. You can unsubscribe at any time using the link in each email or by contacting us. Transactional messages (e.g., order confirmations) are not marketing and may still be sent.
6.2. SMS. If you opt in to SMS marketing, message and data rates may apply. Reply STOP to unsubscribe and HELP for help. We comply with the U.S. Telephone Consumer Protection Act (TCPA) and the CAN-SPAM Act.
6.3. Targeted advertising. We use Meta, TikTok, and Google tools to deliver and measure ads. You can manage these through our cookie consent tool and through the platforms' own settings (Section 9).
7. Children's Privacy (COPPA)
The Site is intended for adults and is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us personal information, contact us at [PRIVACY EMAIL] and we will delete it. Where the GDPR applies, the minimum age for consent may be higher (13–16 depending on the country); we do not knowingly process such data without appropriate consent.
8. Data Retention
We retain personal information only as long as necessary for the purposes described, including to fulfill orders, comply with legal, tax, and accounting obligations (typically up to [7] years for transaction records under applicable law), resolve disputes, and enforce agreements. When no longer needed, we delete or anonymize it. Marketing data is retained until you opt out or after a period of inactivity ([e.g., 24–36 months]).
9. Your Privacy Rights
Your rights depend on where you live. We honor verified requests as required by law and will not discriminate against you for exercising your rights.
9.1 EU/EEA & UK residents (GDPR / UK GDPR)
You have the right to: access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, objection to processing (including direct marketing), and withdrawal of consent at any time. You may also lodge a complaint with your local supervisory authority (e.g., your national Data Protection Authority, or the UK ICO). We respond within 30 days (extendable by up to 60 days for complex requests, with notice).
9.2 California residents (CCPA/CPRA)
You have the right to: know/access the categories and specific pieces of personal information we collect; delete personal information; correct inaccurate information; opt out of the "sale" or "sharing" of personal information (including cross-context behavioral advertising); and limit the use of sensitive personal information (we do not use sensitive PI for purposes requiring this option). We respond within 45 days (extendable by another 45 days with notice). To opt out, use the "Do Not Sell or Share My Personal Information" link/control on the Site or your cookie settings. We honor Global Privacy Control (GPC) browser signals as a valid opt-out.
9.3 Other U.S. state residents
Residents of states with comprehensive privacy laws now in effect (including, as of 2026, California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and additional states such as Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Indiana, Tennessee, Minnesota, Maryland, Kentucky, and Rhode Island, among others) may have similar rights to access, correct, delete, obtain a copy of, and opt out of targeted advertising, "sale," and certain profiling. Tennessee residents have rights under the Tennessee Information Protection Act (TIPA). To exercise rights, see Section 9.4.
9.4 How to exercise your rights (DSARs)
Submit a data subject access/rights request ("DSAR") by:
- Email: [PRIVACY/DSAR EMAIL]
- Web form: [DSAR FORM URL]
- Mail: [Registered Business Address], Tennessee, USA
We will verify your identity before fulfilling a request. An authorized agent may submit a request on your behalf with proof of authorization. There is no fee unless requests are excessive or unfounded.
10. International Data Transfers
We are based in the United States, and our service providers may process personal information in the U.S. and other countries. When we transfer personal data from the EEA, UK, or Switzerland to countries that do not provide an "adequate" level of protection, we rely on appropriate safeguards, including the EU Standard Contractual Clauses (2021 SCCs) and the UK International Data Transfer Addendum, together with supplementary measures where appropriate. You may request a copy of the relevant safeguards by contacting us.
11. Security
We implement reasonable administrative, technical, and physical safeguards designed to protect personal information (including TLS encryption in transit, access controls, and use of PCI-DSS-compliant payment processing via Stripe). No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
12. Data Breach Notification
If a personal data breach occurs, we will notify affected individuals and relevant authorities as required by applicable law (e.g., GDPR's 72-hour authority-notification requirement and applicable U.S. state breach-notification laws).
13. Changes to This Policy
We may update this Policy from time to time. The "Last Updated" date reflects the latest revision. Material changes will be communicated through the Site or by other appropriate means.
14. Contact Us & Data Protection Representatives
Piece of Stass LLC — Data Controller
[Registered Business Address], Tennessee, USA
Privacy/DSAR Email: [PRIVACY EMAIL]
General Support: [SUPPORT EMAIL]
- EU Representative (GDPR Art. 27): [Appoint and list if you target/monitor EU data subjects]
- UK Representative (UK GDPR Art. 27): [Appoint and list if you target/monitor UK data subjects]
- Data Protection Officer (if appointed): [Name/contact]
This Privacy Policy is a template and must be reviewed by a licensed attorney before use.