Privacy policy
Last updated May 27, 2026
I. Who we are
The Drydown is a fragrance boutique at 565 Grand Ave, Carlsbad, CA 92008. This policy covers drydownboutique.com (the site) and the services we run from it — the shop, sample credits, workshops, and events. When this policy says “we” or “us,” that's who we mean.
II. What we collect
When you place an order: your name, email, phone number, shipping address, and the items in your order. If you give us a separate billing address, we receive that too. Payment card details go directly to Square — we never see or store your card number, expiration date, or CVV.
When you redeem a sample credit: the email address tied to the credit, plus anything you add at checkout.
When you book a workshop or RSVP to an event: your name, email, and the ticket details.
When you visit the site: we run our own lightweight analytics on our server — not Google Analytics, not a tracking pixel. We record the pages you visit, UTM parameters in the URL, the referring site, and a hashed version of your IP address. We don't store your raw IP. We don't build advertising profiles. We don't sell or share this data with marketers.
When you arrive from a Google ad: Google appends a short click identifier (gclid, or gbraid / wbraid on iOS) to the URL. We store that identifier in a first-party cookie (dd_gclid) for up to ninety days. When you complete a purchase, we send Google the click identifier, the order total, and the time of the order so Google can credit the ad that brought you. We don't send your name, email, address, or what you bought. We don't load any Google tracking pixel or script on the site. If your browser sends a Global Privacy Control signal, we skip this entirely — no cookie, no report.
What we set in your browser: a session identifier (dd_sid) plus a one-byte first-touch dedup flag (dd_sft in localStorage) so we don't re-fire the same first-touch event on every page; a checkout-flow flag (drydown.checkout) that picks which checkout we route you to; a credit-session token and a small companion presence flag (dd_credit_token + dd_has_credit) when you arrive via a sample-credit link; a small cart-state hint (dd_cart_count) and the anonymous cart contents themselves (drydown.cart in your browser's localStorage) so the cart page renders quickly; and — only when you arrive from a Google ad — an ad-click identifier pair (dd_gclid + dd_gclid_kind, see above). All of these are first-party — set by our own site. We don't load third-party advertising or tracking cookies. The ad-click cookies' only job is measuring which Google ad brought you to us — we don't use them to build a profile of you or target you elsewhere on the web.
How this maps to California categories: the data above corresponds to Identifiers (name, email, phone, session id, hashed IP, ad-click id), Customer records (shipping and billing address), Commercial information (order contents, sample-credit history), and Internet or other electronic network activity (pages visited, UTM parameters, referring site). We don't collect biometric data, precise geolocation, audio or video, employment or education records, or inferences for profiling.
III. How we use it
To fulfill your order, send your receipt, deliver the sample-credit emails you've asked for, run workshops you sign up for, answer your questions, and keep the site working and secure. We also use aggregated, non-identifying analytics to understand which scents people are looking at and where the checkout flow gets stuck — the same way a shopkeeper notices which shelves people linger at. If you arrived from a Google ad, we also use the click identifier and order total to measure which ads led to sales, so we can spend our small ad budget on what works.
IV. Who we share it with
We share your information only with the service providers we need to run the boutique:
- Square — processes your payment and stores your card on their PCI-compliant infrastructure. We receive only a confirmation and the last four digits.
- Resend — delivers your order confirmation and sample-credit emails.
- Google — when you complete an order after arriving from a Google ad, we send Google the ad-click identifier and the order total so the ad can be credited (CCPA categories: internet or other electronic network activity and commercial information). We don't send your name, email, address, or order contents. We don't load any Google script on our site; this is a server-to-server report. Google receives this information as our service provider for ad measurement, contractually limited to that use.
- Cloudflare — routes traffic to our site, blocks abusive requests, and serves images.
- Hetzner — hosts the site.
- Neon — hosts the database where your order is stored.
We don't sell your personal information, and we don't share it for cross-context behavioral advertising. The Google ad-conversion report (above) is limited to measuring our own ads — Google receives the data as our service provider and can't use it to target you elsewhere on the web on Google's or another advertiser's behalf. We'll release information only if required by a valid legal request or to protect someone's safety.
Our newsletter lives on Substack. If you subscribe there, Substack collects and processes your information under its own privacy policy — we don't hold the list.
V. How long we keep it
Order and tax records: at least seven years, as required by California tax law. Sample-credit tokens: until they're redeemed, voided, or two years past the issue date. Cart sessions: cleaned up automatically once they're inactive. Analytics events: ninety days for detailed event-level data, longer for aggregated counts.
VI. Your choices and rights
Access, correction, deletion. You can ask us what we have on file for you, ask us to correct it, or ask us to delete it. Email [email protected] from the address we have on file. We respond within forty-five days. Order records we're required to keep for tax purposes we won't delete, but we'll tell you what stays and why.
California residents. Under the California Consumer Privacy Act (as amended by the CPRA), you have the right to know what we collect, the right to deletion, the right to correct inaccurate information, the right to opt out of any sale or share of your personal information for cross-context behavioral advertising, and the right not to be discriminated against for exercising these rights. The categories of personal information we collect are described in Section II.
We don't sell personal information, and we don't share it for cross-context behavioral advertising. One transfer worth naming explicitly: when you arrive from a Google ad and later buy something, we send Google the ad-click identifier and order total so the ad can be credited. Google receives that information as our service provider for measurement of our own campaigns — contractually limited to that purpose, not used to target you elsewhere on the web.
If you'd prefer we exclude your purchase from that report: set a Global Privacy Control signal in your browser and we'll skip storing the identifier automatically, or email [email protected] and we'll suppress it. Because this disclosure isn't a sale or a share, we don't post a “Do Not Sell or Share My Personal Information” link, but we'll honor the request either way.
Marketing email. Our order-confirmation and sample-credit emails are transactional — we send them because you bought something or have a credit waiting. Reply to any of them and we'll help.
VII. Security
We use HTTPS site-wide, store sample-credit and session tokens hashed, keep our software up to date, and limit who on our team can see customer records. No system is perfect — if we ever discover a breach affecting your information, we'll notify you as required by California Civil Code §1798.82.
VIII. Children
The site isn't designed for or directed at children under thirteen, and we don't knowingly collect their information. If you believe a child has given us information, email us and we'll delete it.
IX. Changes
We'll update this page when our practices change. The date at the top reflects the most recent revision. Material changes will get a notice on the site or in a transactional email.
X. Contact
Questions about this policy, or a request about your information: email [email protected] · 760-283-6108 · or write to The Drydown, 565 Grand Ave, Carlsbad, CA 92008.
See also our terms of sale and shipping & returns.