Policies

Privacy policy

Last updated May 13, 2026

I. Who we are

The Drydown is a fragrance boutique at 565 Grand Ave, Carlsbad, CA 92008. This policy covers drydownboutique.com (the site) and the services we run from it — the shop, sample credits, workshops, and events. When this policy says “we” or “us,” that's who we mean.

II. What we collect

When you place an order: your name, email, phone number, shipping address, and the items in your order. If you give us a separate billing address, we receive that too. Payment card details go directly to Square — we never see or store your card number, expiration date, or CVV.

When you redeem a sample credit: the email address tied to the credit, plus anything you add at checkout.

When you book a workshop or RSVP to an event: your name, email, and the ticket details.

When you visit the site: we run our own lightweight analytics on our server — not Google Analytics, not a tracking pixel. We record the pages you visit, UTM parameters in the URL, the referring site, and a hashed version of your IP address. We don't store your raw IP. We don't build advertising profiles. We don't sell or share this data with marketers.

Cookies we set: a session identifier (dd_sid), a checkout flow flag (drydown.checkout), a credit-token cookie when you arrive via a sample-credit link, and short-lived cart state. These are first-party cookies used to make the site work — no advertising cookies, no cross-site trackers.

III. How we use it

To fulfill your order, send your receipt, deliver the sample-credit emails you've asked for, run workshops you sign up for, answer your questions, and keep the site working and secure. We also use aggregated, non-identifying analytics to understand which scents people are looking at and where the checkout flow gets stuck — the same way a shopkeeper notices which shelves people linger at.

IV. Who we share it with

We share your information only with the service providers we need to run the boutique:

  • Square — processes your payment and stores your card on their PCI-compliant infrastructure. We receive only a confirmation and the last four digits.
  • Resend — delivers your order confirmation and sample-credit emails.
  • Cloudflare — routes traffic to our site, blocks abusive requests, and serves images.
  • Hetzner — hosts the site.
  • Neon — hosts the database where your order is stored.

We don't sell your personal information, and we don't share it for cross-context behavioral advertising. We'll release information only if required by a valid legal request or to protect someone's safety.

Our newsletter lives on Substack. If you subscribe there, Substack collects and processes your information under its own privacy policy — we don't hold the list.

V. How long we keep it

Order and tax records: at least seven years, as required by California tax law. Sample-credit tokens: until they're redeemed, voided, or two years past the issue date. Cart sessions: cleaned up automatically once they're inactive. Analytics events: ninety days for detailed event-level data, longer for aggregated counts.

VI. Your choices and rights

Access, correction, deletion. You can ask us what we have on file for you, ask us to correct it, or ask us to delete it. Email [email protected] from the address we have on file. We respond within forty-five days. Order records we're required to keep for tax purposes we won't delete, but we'll tell you what stays and why.

California residents. Under the California Consumer Privacy Act, you have the right to know what we collect, the right to deletion, the right to correct inaccurate information, and the right not to be discriminated against for exercising these rights. The categories of personal information we collect are described in Section II. We don't sell or share personal information for cross-context behavioral advertising, so there's no opt-out link to provide.

Marketing email. Our order-confirmation and sample-credit emails are transactional — we send them because you bought something or have a credit waiting. Reply to any of them and we'll help.

VII. Security

We use HTTPS site-wide, store sample-credit and session tokens hashed, keep our software up to date, and limit who on our team can see customer records. No system is perfect — if we ever discover a breach affecting your information, we'll notify you as required by California Civil Code §1798.82.

VIII. Children

The site isn't designed for or directed at children under thirteen, and we don't knowingly collect their information. If you believe a child has given us information, email us and we'll delete it.

IX. Changes

We'll update this page when our practices change. The date at the top reflects the most recent revision. Material changes will get a notice on the site or in a transactional email.

X. Contact

Questions about this policy, or a request about your information: email [email protected] · 760-283-6108 · or write to The Drydown, 565 Grand Ave, Carlsbad, CA 92008.

See also our terms of sale and shipping & returns.