Policies
Privacy policy
Last updated June 25, 2026
I. Who we are
The Drydown is a fragrance boutique at 565 Grand Ave, Carlsbad, CA 92008. This policy covers drydownboutique.com (the site) and the services we run from it — the shop, sample credits, workshops, and events. When this policy says “we” or “us,” that's who we mean.
II. What we collect
When you place an order: your name, email, phone number, shipping address, and the items in your order. If you give us a separate billing address, we receive that too. Payment card details go directly to Square — we never see or store your card number, expiration date, or CVV.
When you redeem a sample credit: the email address tied to the credit, plus anything you add at checkout.
When you book a workshop or RSVP to an event: your name, email, and the ticket details.
When you ask us to notify you about a sold-out item: your email address, and which item you asked about. We use it once — to email you when that item is back — and then it's done.
When you sign up for Stylist’s Notes: your email address and where you signed up (online, at checkout, or by scanning the card in the shop). We confirm it's really you with a double opt-in — you're only added once you tap the confirmation link we email — and we use the address solely to send our Stylist’s Notes, about 4× a year. You can unsubscribe from any note with one tap.
When you create an account: the email address you sign in with, the short-lived one-time codes we email you (kept only as a salted hash, never in plain text), and — if you add a passkey — the public half of that passkey. There is no password, and we never store anything that could sign in as you.
When you sign in with Google: if you choose “Continue with Google,” Google tells us your email address, your name, and your Google account identifier so we can create or recognize your account. We never receive your Google password. We use this only to sign you in and link your scent wardrobe to your email.
When you visit the site: we run our own lightweight analytics on our server — not Google Analytics, not a tracking pixel. We record the pages you visit, UTM parameters in the URL, the referring site, the type of browser and device you use (for example, mobile or desktop — never the detailed device fingerprint), a hashed version of your IP address, and your approximate location (city, region, and country, derived from your IP address by our content-delivery network). We don't store your raw IP, and this location is city-level only — never a precise position. We don't build advertising profiles. We don't sell or share this data with marketers.
What we set in your browser: a session identifier (dd_sid) plus a one-byte first-touch dedup flag (dd_sft in localStorage) so we don't re-fire the same first-touch event on every page; a checkout-flow flag (drydown.checkout) that picks which checkout we route you to; a credit-session token and a small companion presence flag (__Host-dd_credit_token + __Host-dd_has_credit) when you arrive via a sample-credit link; a small cart-state hint (dd_cart_count) and the anonymous cart contents themselves (drydown.cart in your browser's localStorage) so the cart page renders quickly; and, if you sign in to an account, a session token and a small companion presence flag (__Host-dd_account_session + __Host-dd_account) that keep you signed in. All of these are first-party — set by our own site. We don't load third-party advertising or tracking cookies, and we don't use any of these to build a profile of you or target you elsewhere on the web.
How this maps to California categories: the data above corresponds to Identifiers (name, email, phone, session id, hashed IP), Customer records (shipping and billing address), Commercial information (order contents, sample-credit history), Internet or other electronic network activity (pages visited, UTM parameters, referring site, browser and device type), and Geolocation data (approximate, city-level location derived from your IP address). We don't collect biometric data, precise geolocation, audio or video, employment or education records, or inferences for profiling.
III. How we use it
To fulfill your order, send your receipt, deliver the sample-credit emails you've asked for, send the single back-in-stock alert you asked for, send the seasonal Stylist’s Notes you opted in to, run workshops you sign up for, answer your questions, and keep the site working and secure. We also use aggregated, non-identifying analytics to understand which scents people are looking at and where the checkout flow gets stuck — the same way a shopkeeper notices which shelves people linger at.
III-A. Your account and scent wardrobe
You can create a free account to see “Your Scent Wardrobe” — your purchase history in one place. We don't use passwords: you sign in with a one-time code we email you, a passkey you choose to add (Face ID, Touch ID, or your device's security key — we only ever store the public half, never anything that could sign in as you), or by continuing with your Google account.
Once you've proven you own an email address by entering that code, your wardrobe shows the purchases tied to it — both online and in our store. We match in-store purchases by looking them up in Square by your email at the moment you view the page; we never build a cross-customer profile. Because the match is by email, a shared inbox or a gift bought under your email may appear — only someone who can receive the sign-in code for that address can ever see it. If something in your history doesn't look like yours, tell us and we'll sort it out. You can sign out of any device, remove a passkey, or ask us to close your account at any time.
IV. Who we share it with
We share your information only with the service providers we need to run the boutique:
- Square — processes your payment and stores your card on their PCI-compliant infrastructure. We receive only a confirmation and the last four digits.
- Resend — delivers your order confirmation, sample-credit, back-in-stock alert, and Stylist’s Notes emails.
- Google — if you choose “Continue with Google,” verifies your identity and confirms your email address so we can sign you in. We only use it for sign-in; you can use a one-time email code or a passkey instead.
- Cloudflare — routes traffic to our site, blocks abusive requests, and serves images.
- Hetzner — hosts the site.
- Neon — hosts the database where your order is stored.
We don't sell your personal information, and we don't share it for cross-context behavioral advertising. We don't run advertising trackers on the site and we don't report your activity to any ad network. We'll release information only if required by a valid legal request or to protect someone's safety.
Our newsletter lives on Substack. If you subscribe there, Substack collects and processes your information under its own privacy policy — we don't hold the list.
V. How long we keep it
Order and tax records: at least seven years, as required by California tax law. Sample-credit tokens: until they're redeemed, voided, or two years past the issue date. Cart sessions: cleaned up automatically once they're inactive. Back-in-stock alert requests: deleted about thirty days after we send the alert (or you opt out), and within ninety days if the item never comes back. Stylist’s Notes subscribers: kept until you unsubscribe; if you start a sign-up but never confirm it, we delete the unconfirmed address after about thirty days. Analytics events: ninety days for detailed event-level data, longer for aggregated counts. Account sign-in codes and sessions: expired or revoked ones are cleared automatically (swept daily). Passkeys: kept until you remove them. Your account and scent-wardrobe records: kept until you ask us to close the account.
VI. Your choices and rights
Access, correction, deletion. You can ask us what we have on file for you, ask us to correct it, or ask us to delete it. Email hello@drydownboutique.com from the address we have on file. We respond within forty-five days. Order records we're required to keep for tax purposes we won't delete, but we'll tell you what stays and why.
California residents. Under the California Consumer Privacy Act (as amended by the CPRA), you have the right to know what we collect, the right to deletion, the right to correct inaccurate information, the right to opt out of any sale or share of your personal information for cross-context behavioral advertising, and the right not to be discriminated against for exercising these rights. The categories of personal information we collect are described in Section II.
We don't sell personal information, and we don't share it for cross-context behavioral advertising. We don't run advertising trackers on the site and we don't report your activity to any ad network, so there is no sale or share to opt out of — which is why we don't post a “Do Not Sell or Share My Personal Information” link.
Marketing email. Our order-confirmation and sample-credit emails are transactional — we send them because you bought something or have a credit waiting. Reply to any of them and we'll help.
Stylist’s Notes. Our seasonal notes are the one marketing email we send, and only to people who asked for it: you opt in, then confirm by tapping a link we email you, and we never add an address without that confirmation. Every note carries a one-tap unsubscribe link, and you can opt out any time — you'll stop hearing from us straight away.
VII. Security
We use HTTPS site-wide, store sample-credit and session tokens hashed, keep our software up to date, and limit who on our team can see customer records. No system is perfect — if we ever discover a breach affecting your information, we'll notify you as required by California Civil Code §1798.82.
VIII. Children
The site isn't designed for or directed at children under thirteen, and we don't knowingly collect their information. If you believe a child has given us information, email us and we'll delete it.
IX. Changes
We'll update this page when our practices change. The date at the top reflects the most recent revision. Material changes will get a notice on the site or in a transactional email.
X. Contact
Questions about this policy, or a request about your information: email hello@drydownboutique.com · (760) 283-6108 · or write to The Drydown, 565 Grand Ave, Carlsbad, CA 92008.
See also our terms of sale and shipping & returns.