Privacy Policy
Last updated: August 3, 2025
Doretti Black (“we,” “us,” “our”) operates this store and website (the “Services”). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you visit or make a purchase through our Services, sign up for marketing communications (email, SMS), or otherwise interact with us.
1. Controller & Contact
Controller: Doretti Black LLC
Address: 2125 Biscayne Blvd, Ste 204 #22155, Miami, FL 33137, USA
Privacy & Support Email: hello@dorettiblack.com
2. Key Definitions
Personal Information (PI): Data that identifies or can reasonably be linked to you.
Processing: Collection, use, storage, disclosure, or deletion of personal information.
Service Providers / Contractors: Third parties performing services on our behalf under written contracts.
Sensitive Personal Information (SPI): Government identifiers, financial account details, precise geolocation, health information, etc.
Sale/Share: Disclosure of personal information for monetary or other valuable consideration, or for cross-context behavioral advertising.
Targeted Advertising: Displaying ads to you based on personal information obtained from your activities across non-affiliated websites, applications, or services (as defined by applicable state laws); this does not include contextual advertising, ad measurement limited to our own properties, or processing you have opted out of.
We do not collect or process “consumer health data” as defined by Washington’s My Health My Data Act or Nevada’s Consumer Health Data Law. If that changes, we will provide the required notices and consent mechanisms before processing.
3. Information We Collect
3.1 Information You Provide Directly
Context | Types of Data | Primary Purpose | Legal Basis |
---|---|---|---|
Account Registration | Name, email, password, preferences | Account management & personalization | Contract performance; Legitimate interests |
Order Processing | Name, billing/shipping address, phone (optional), payment details | Fulfillment & customer service | Contract performance |
Marketing Communications | Email, SMS number, preferences, demographics | Marketing & personalization | Consent; Legitimate interests |
Customer Support | Name, email, order details, inquiry content | Service & issue resolution | Contract performance; Legitimate interests |
Surveys & Feedback | Responses, ratings, comments | Product improvement & analytics | Consent; Legitimate interests |
Newsletter Signup | Email; name (optional) | Marketing communications | Consent |
3.2 Information Collected Automatically
Category | Examples | Purpose | Retention |
---|---|---|---|
Device Information | IP, browser, OS, device IDs | Security, analytics, personalization | 1 year |
Usage Data | Pages visited, time on site, clicks, referrer | Optimization & analytics | 2 years |
Location Data | IP-based location; GPS (with consent) | Personalization, fraud prevention | 6 months |
Transaction Data | Purchase history, cart actions, payment method (tokenized) | Processing & recommendations | 7 years |
Communication Data | Email interactions, chat logs | Service quality & marketing optimization | 3 years |
3.3 Information from Third Parties
Social platforms (if you connect accounts); marketing partners; data brokers (public/commercial data); analytics providers; payment processors (fraud signals/verification). For social sign-in, we receive only the information you authorize the platform to share, and you can revoke that sharing in your platform settings at any time.
4. How We Collect Information
4.1 Direct Collection
Account creation, checkout, support interactions, marketing signups, surveys.
4.2 Automatic Collection
Cookies and similar technologies, server logs, email pixels, mobile/app analytics, site interaction tracking. Session replay/UX tools are configured to mask payment fields and sensitive inputs, and they only run in accordance with your Consent/Preference Center choices.
4.3 Third-Party Sources (examples)
Shopify (commerce platform), Stripe/Shopify Payments (payments), Klaviyo (email), Meta/Facebook, Google Analytics, TikTok/Pinterest (ads), Hotjar (UX/heatmaps). If you choose “buy-now-pay-later” or similar installment options, the provider independently collects and processes your personal information under its own privacy policy and may share limited status/transaction data with us to complete your order and prevent fraud.
5. How We Use Your Information
5.1 Primary Purposes
Purpose | Data | Legal Basis | Retention |
---|---|---|---|
Order Processing | Contact, payment (token), shipping | Contract performance | 7 years |
Customer Support | Account, order, communications | Contract; Legitimate interests | 3 years |
Marketing Communications | Contact, preferences, behavioral | Consent; Legitimate interests | 2 years after last interaction |
Website Analytics | Usage, device, location | Legitimate interests (opt-out in US; consent in EEA/UK) | 2 years |
Personalization | Behavioral, preference, demographics | Legitimate interests; Consent | 2 years |
Fraud Prevention | Transaction, device, behavioral | Legal obligation; Legitimate interests | 7 years |
Legal Compliance | As required | Legal obligation | As required |
Legitimate interests include fraud prevention, network security, product improvement, and direct marketing where permitted.
5.2 Secondary Purposes
Product development, security, internal analytics/operations, research using de-identified/aggregated data.
5.3 Data Minimization & Purpose Limitation
We collect and process only the personal information that is reasonably necessary and proportionate to the purposes disclosed in this Policy. We will not use personal information for incompatible purposes without your consent or another applicable legal basis.
5.4 De-identified data
When we use de-identified data, we (i) take reasonable measures to ensure the data cannot be associated with a consumer or household; (ii) publicly commit to maintain and use it in de-identified form and not to attempt to re-identify it except to test our de-identification processes; and (iii) require recipients to do the same.
6. How We Share Information
6.1 Categories of Recipients
Recipient | Data Shared | Purpose | Safeguards |
---|---|---|---|
E-commerce Platform | Account, order, payment tokens | Store operations | DPA; access controls |
Payment Processors | Payment, billing, fraud data | Payment/fraud | PCI-DSS; SCC/DPF where applicable |
Marketing Platforms | Contact, behavioral, preferences | Email/SMS marketing | Contractual limits |
Analytics Providers | Usage, device | Optimization | Pseudonymization/anonymization |
Advertising Networks | Identifiers, interests, behavioral | Targeted advertising | Opt-out controls |
Customer Service Tools | Contact, order, communications | Support ops | Security certifications |
Legal/Compliance | As required by law | Compliance | Court orders/subpoenas |
Service provider/contractor restrictions: we contractually prohibit our providers from retaining, using, or disclosing PI for any purpose other than performing services for us; require appropriate safeguards; require deletion/return at end of services; and restrict sub-processing without our authorization.
6.2 Business Transfers
In a merger, acquisition, or asset sale, your information may transfer; we’ll notify you before it becomes subject to a different policy.
6.3 Sale/Share for Advertising & Opt-Out Signals
We may “sell” or “share” PI with advertising partners for cross-context behavioral advertising as defined by certain laws. You can opt out via our Privacy Choices/Preference Center or by submitting a request (see Section 8).
We honor browser-based opt-out preference signals recognized by law, including Global Privacy Control (GPC) in California and Colorado and global opt-out technology in Texas, and will extend recognition to any additional state-recognized UOOMs. These choices generally apply to the browser/device that sends the signal; if you are signed in, you can also persist preferences to your account in the Preference Center. After you opt out or we receive a recognized UOOM, we will serve only contextual advertising that does not rely on cross-context behavioral tracking. We maintain records of opt-out preference signals (including GPC) sufficient to demonstrate compliance. We process sale/share opt-out requests and recognized opt-out preference signals (including GPC) within 15 business days, as required by applicable law. We treat recognized opt-out preference signals as an opt-out of both “sale/share” and “targeted advertising,” where required by law. We honor your opt-out choices and recognized signals for both client- and server-side tracking.
7. Cookies & Tracking Technologies
7.1 Types of Cookies We Use
Essential (cannot be disabled)
Cookie | Provider | Purpose | Duration |
---|---|---|---|
_secure_session_id | Shopify | Cart/checkout session | Session |
cart | Shopify | Cart contents | 2 weeks |
checkout_token | Shopify | Secure checkout | 1 hour |
Functional
Cookie | Provider | Purpose | Duration |
---|---|---|---|
customer_preferences | Doretti Black | Preferences | 1 year |
language_preference | Doretti Black | Locale | 1 year |
Analytics
Cookie | Provider | Purpose | Duration |
---|---|---|---|
_ga | Google Analytics | User analytics | 2 years |
_gid | Google Analytics | Session analytics | 24 hours |
hjSessionUser{site_id} | Hotjar | Persistent site user ID for session analytics | 1 year |
hjSession{site_id} | Hotjar | Holds current session data | 30 minutes |
_hjIncludedInSessionSample | Hotjar | Indicates inclusion in current session sampling | 2 minutes |
Advertising
Cookie | Provider | Purpose | Duration |
---|---|---|---|
_fbp | Meta | Ads/measurement | 3 months |
_ttp | TikTok | Ads optimization/attribution | up to ~13 months (region/settings dependent) |
_pin_unauth | Pinterest | Targeting | 1 year |
Cookie names, categories, and durations may change as providers update their services. The Preference Center is the authoritative source for the current list and legal bases by region.
7.2 Consent Management
We provide a Consent/Preference Center where you can accept or reject non-essential cookies, modify choices anytime, view details, and withdraw consent. In the EEA/UK, we seek prior consent for non-essential cookies/trackers. Non-essential cookies/trackers are off by default and activate only after your consent. You can change your choices at any time in the Preference Center. In the US, we rely on legitimate interests (with opt-out) unless a state requires opt-in or recognition of a UOOM (see 6.3/7.3).
7.3 Managing Cookies & Signals
Use the Preference Center (footer link “Privacy Choices”), browser settings, and industry tools (e.g., NAI/DAA). We do not respond to “Do Not Track” signals, but we honor recognized UOOMs, including Global Privacy Control (GPC) in California and Colorado and global opt-out technology in Texas, and will extend recognition to additional state-recognized UOOMs. Choices via signals apply to the browser/device that sends the signal; signed-in users can persist preferences to their account.
8. Your Rights & Choices
8.1 Universal Rights
- Access/Know (information we collected, sources, purposes, sharing).
- Correction (inaccurate/incomplete data).
- Deletion (subject to legal exceptions: complete transactions, legal duties, security, free speech, fraud, debugging).
- Portability (machine-readable copy).
8.2 Specific Rights by Jurisdiction
California (CCPA/CPRA). Right to Know; Delete; Opt-Out of Sale/Share; Limit Use of SPI; Non-Discrimination. We currently use SPI only for permitted purposes (e.g., payments, security, fraud prevention) and do not use SPI to infer characteristics. The “Limit the Use of My SPI” control applies if and when we process SPI beyond permitted purposes. Where a law requires separate consent to process SPI (e.g., CO/CT/OR), we will obtain that consent, and you may withdraw it at any time. “Do Not Sell or Share…” and “Limit SPI” links are in our footer and Preference Center.
Non-Discrimination. We will not discriminate against you for exercising your rights (e.g., by denying goods/services, charging different prices/rates, providing a different level or quality of services, or offering discounts only if you waive rights). This does not prohibit permitted financial incentive programs or price/service differences that are reasonably related to the value of your data, as disclosed in our Notice of Financial Incentive.
Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA). Access, Correct, Delete, Portability; opt-out of targeted advertising and sale (and profiling in CO for decisions with legal or similarly significant effects). Appeal rights available (see 8.3).
Additional States (e.g., Texas, Oregon, Delaware, New Jersey, Montana, Tennessee, Iowa, Utah, Indiana). These laws provide similar rights (access, correction, deletion, portability, and opt-out of targeted advertising/sale/profiling). We provide these rights where applicable and honor required universal opt-out signals. Where a state law provides an appeal right for denied privacy requests, we offer an appeal process consistent with that law (see Section 8.3).
Nevada (NRS 603A): Residents may submit a “sale” opt-out request at hello@dorettiblack.com; we do not sell “covered information” as defined by NRS 603A.
Canada (PIPEDA/CASL). You have rights to access and correct personal information we hold about you. You may submit requests via hello@dorettiblack.com. Marketing to Canadian residents complies with CASL (consent required; clear unsubscribe; withdraw at any time). Cross-border transfers are made under contractual safeguards and appropriate measures. You may file complaints with the Office of the Privacy Commissioner of Canada (OPC) (see 15.2).
EEA/UK (GDPR/UK GDPR). Access; Rectification; Erasure; Restriction; Objection (including to direct marketing); Portability; Withdraw consent; Lodge a complaint with a supervisory authority.
Minors (CPRA + other state laws). We do not sell or share PI of consumers we know are under 16 without an opt-in. For teens ages 13–17, where required by law, we will not process personal data for targeted advertising or sell/share such data without prior opt-in consent (teen or parent/guardian, as applicable). Consent may be withdrawn at any time via the same channel.
Profiling/Automated Decisions. Where required by law, you may request information about automated decision-making that produces legal or similarly significant effects, and you may seek human review. You can exercise these rights via our Privacy Choices portal or by emailing hello@dorettiblack.com.
8.3 Exercising Your Rights
Submit requests via (a) our Privacy Choices portal (footer link), (b) hello@dorettiblack.com (subject: “Privacy Request”), or (c) mail: Doretti Black LLC, Attn: Privacy Rights, 2125 Biscayne Blvd, Ste 204 #22155, Miami, FL 33137.
Verification:
• Account holders: login + account details.
• Non-account: email verification + relevant info.
• Sensitive/high-risk: additional steps; authorized agents must provide proof of authority and verification.
Timelines:
• Standard: 30 days (GDPR) / 45 days (CCPA).
• Extensions: up to 60 (GDPR) / 90 (CCPA) with notice.
• Where a state law specifies different timelines, we follow that law.
Appeals (e.g., VA/CO/CT and other states that provide appeal rights): Email hello@dorettiblack.com with subject “Privacy Appeal.” We respond within 45 days. If denied, we will provide how to contact your state AG/authority.
Opt-Out Signals: We honor GPC/UOOM as described in Sections 6.3 and 7.3. If your browser sends a UOOM (for example, GPC in California or Colorado or a global opt-out in Texas), we will apply your choice automatically without additional verification.
Metrics: Where we meet thresholds that require public request metrics reporting under applicable law, we will publish those metrics annually in this Policy or a linked page.
9. Data Security
9.1 Technical Safeguards
SSL/TLS in transit; role-based access & MFA; firewalls/IDS; minimization; regular patching. However, no method of transmission or storage is 100% secure.
9.2 Organizational Safeguards
Employee training; background checks for privileged access; incident response procedures; vendor security reviews; periodic audits.
9.3 Payment Security
PCI DSS; tokenization; real-time fraud monitoring; we do not store full card PANs.
9.4 Breach Notification
We will notify affected individuals and regulators as required by applicable law and without undue delay where legally mandated, with information on the incident and protective measures.
10. Data Retention
10.1 Retention Schedule
Data Category | Retention | Legal Basis |
---|---|---|
Account Info | 3 years after account closure | Service needs; compliance |
Orders & Transactions | 7 years after purchase | Tax & legal compliance |
Marketing Data | 2 years after last interaction | Consent; legitimate interests |
Website Analytics | 2 years from collection | Analytics |
Customer Support | 3 years after case closure | Service quality; legal protection |
Security Logs | 1 year (longer if needed for investigations) | Security & incident response |
Financial Records | 7 years | Tax & legal compliance |
Consent/Unsubscribe & UOOM/GPC Logs | 3 years from last message/signal (or longer if required by law) | Legal compliance; audit defense |
10.2 Retention Factors
Legal/regulatory duties; operational needs; dispute/time-bar periods; service commitments; security/fraud risks.
10.3 Secure Deletion
At end of period, we delete or anonymize data using industry-standard methods.
11. International Data Transfers
11.1 Transfer Mechanisms
For transfers outside your country:
• EEA/UK: EU Standard Contractual Clauses; EU-U.S. Data Privacy Framework (and UK Extension/Swiss-U.S. DPF) where the provider is certified; and supplementary measures as appropriate.
• Other jurisdictions: Contractual safeguards and recognized certification frameworks where applicable.
11.2 Examples of Transfer Recipients
Provider | Location | Safeguards | Data |
---|---|---|---|
Shopify | Canada/USA | Adequacy (CA)/SCCs | Account, order |
Stripe | USA/Ireland | SCCs; DPF where certified | Payments |
Klaviyo | USA | SCCs | Email marketing |
Google Analytics | Global | SCCs; DPF where certified | Analytics |
Meta | USA/Ireland | SCCs; DPF where certified | Advertising |
11.3 Your Rights Regarding Transfers
Request info about transfers; object in certain cases; receive copies of safeguards; lodge complaints with authorities.
Data Protection Assessments. Where required by law (e.g., CT/CO/OR), we conduct data protection assessments for high-risk processing such as targeted advertising, sale/share, and certain profiling.
11.4 EU/UK Representative (GDPR Art. 27) — Future Appointment
We do not currently offer delivery in the EEA/UK and do not target those markets. If we later offer goods/services to individuals in the EEA/UK, we will appoint an EU/UK Representative as required and update this Policy with their contact details. Where we detect EEA/UK traffic, non-essential trackers are disabled until consent is obtained via our CMP.
12. Children’s & Teens’ Privacy
12.1 Age Restrictions
Our Services are not directed to children under 13, and we do not knowingly collect their data.
12.2 Parental Rights
If we learn we collected data from a child under 13, we will delete it promptly and cease processing/disclosure.
12.3 Teens (13–17)
Parental consent may be required for certain activities; enhanced protections apply. For ages 13–15 under CPRA, sale/share requires prior opt-in. For teens ages 13–17, where required by applicable law (e.g., certain state privacy laws), we do not process personal data for targeted advertising or sell/share such data without prior opt-in consent (teen or parent/guardian, as applicable). You may withdraw consent at any time via the same channel.
13. State-Specific Disclosures
13.1 California (CPRA) — Notice at Collection
We collect the categories of PI listed below for the purposes indicated, from the sources indicated, retain them for the periods indicated (see Sections 3/5/10), and may sell/share certain identifiers/online activity for advertising unless you opt out.
Category of PI | Examples | Sources | Primary Purposes | Sold/Shared? |
---|---|---|---|---|
Identifiers | Name, email, IP, device IDs, hashed contact identifiers (e.g., hashed email/phone), mobile advertising IDs (MAIDs) | You; devices; service providers | Account, orders, support, security | Advertising identifiers/online activity and hashed contact identifiers/MAIDs used to create or measure advertising audiences may be sold/shared for ads (opt-out available). |
Commercial Info | Purchase history, cart | You; transactions | Orders, recommendations, support | Not sold; may inform ads as aggregated/first-party |
Internet/Network Activity | Pages viewed, clicks | Devices; analytics/ads partners | Analytics, personalization, ads | May be sold/shared for ads (opt-out available). |
Geolocation (approx.) | IP-based location | Devices | Personalization, fraud | Not sold/shared |
Inferences | Preferences | Analytics/your interactions | Personalization, marketing | Not sold; used internally |
Sensitive PI (SPI) | Payment tokens; precise location (only with consent) | You; payment providers | Payments, security, fraud | Not sold/shared; not used to infer characteristics. |
“Identifiers” include hashed contact information (e.g., hashed email/phone) and mobile advertising IDs used to create or measure advertising audiences; such uses may constitute a “sale” or “share” under applicable law unless you opt out.
A detailed, current Notice at Collection mapping categories to purposes, sources, retention, and sale/share status is available in our Privacy Choices center and linked at points of collection.
Shine the Light. You may request details about disclosures to third parties for their direct marketing. Submit “Shine the Light” requests to hello@dorettiblack.com with subject “Shine the Light Request.”
Notice of Financial Incentive. We may offer discounts/rewards/loyalty benefits in exchange for PI (e.g., email/phone, purchase history, engagement metrics). Participation is voluntary, and you can withdraw anytime via the program page or Privacy Choices, without penalty or impact on baseline services. We reasonably estimate PI value using incremental revenue from participants, pro-rata marketing cost savings, and the average value of benefits. Program-specific terms are provided at enrollment.
13.2 Virginia (VCDPA)
Rights to access, correct, delete, obtain a copy, and opt out of targeted advertising and sale; appeal rights (see 8.3).
13.3 Colorado (CPA)
Rights similar to Virginia plus opt-out of profiling for decisions producing legal or similarly significant effects; appeal rights (see 8.3).
13.4 Connecticut (CTDPA)
Rights broadly aligned with Virginia/Colorado; appeal rights (see 8.3).
Other States (e.g., TX, OR, DE, NJ, MT, TN, IA, UT, IN). We extend comparable mechanisms where those laws apply and honor required UOOM signals (see 6.3/7.3).
14. Changes to This Policy
14.1 Updates
We may update this Policy for changes in practices, legal requirements, or new features.
14.2 Notification
For material changes, we will provide prominent notice (e.g., email to registered users and/or website banner) for 30 days. Changes expanding your rights or minor clarifications may take effect immediately.
14.3 Effective Date
See the “Last updated” date at the top.
15. Contact Us & Accessibility
15.1 Privacy Contacts & Requests
Email: hello@dorettiblack.com
Mail: Doretti Black LLC, Attn: Privacy, 2125 Biscayne Blvd, Ste 204 #22155, Miami, FL 33137, USA
Support hours: Monday–Friday, 9am–6pm ET.
15.2 Supervisory Authority Complaints
EEA: Contact your local Data Protection Authority (see EDPB website).
UK: Information Commissioner’s Office (ICO).
Canada: Office of the Privacy Commissioner of Canada (OPC).
Accessibility Statement
We are committed to making this Policy accessible. To request it in an alternative format or report accessibility concerns, email hello@dorettiblack.com.
Effective Date: August 3, 2025