Privacy Policy
Last Updated: February 9, 2026
Remy Sales ("we," "us," or "our") operates the website remysales.com (the "Site") and a physical retail location in Toronto, Ontario, Canada. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you visit our Site, place an order, or interact with us in any way.
We are committed to protecting your privacy in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA, S.C. 2000, c. 5), Canada's Anti-Spam Legislation (CASL, S.C. 2010, c. 23), the Ontario Consumer Protection Act, 2002 (S.O. 2002, c. 30), the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), and the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA, Cal. Civ. Code 1798.100-1798.199.100).
Remy Sales is the data controller for the purposes of the GDPR.
1. Information We Collect
1.1 Information You Provide Directly
- Account Registration: name, email address, and password (stored as a one-way cryptographic hash; we never store your password in plain text).
- Orders & Checkout: billing and shipping address, phone number, email address.
- Payment Information: credit or debit card details are collected and processed exclusively by our PCI DSS Level 1 certified payment processor, Stripe, Inc. Remy Sales never receives, stores, or has access to your full card number, CVV, or expiration date.
- Customer Communications: any information you provide when contacting us, including through email or our contact form.
- Product Reviews: rating, review text, and associated account information.
1.2 Information Collected Automatically
- Session Data: encrypted authentication tokens stored in secure, HttpOnly cookies to maintain your login session.
- Analytics Data: pages visited, referral source, device and browser type, screen resolution, approximate geographic location, session duration, and interaction events. Collected via Google Analytics and Vercel Analytics.
- Error and Performance Data: browser type, operating system, device information, URL where an error occurred, and diagnostic stack traces. Collected via Sentry for the purpose of debugging and improving Site reliability.
- Server Logs: IP address, timestamps, request URLs, and HTTP status codes.
1.3 Information from Third Parties
We receive payment confirmation data from Stripe (transaction ID, payment status, and last four digits of your card) to update your order status.
2. How We Use Your Information
We use your personal information for the following purposes:
- Order Fulfillment: processing, shipping, and delivering your orders; sending transactional emails (order confirmations, shipping updates, delivery notifications).
- Account Management: creating and maintaining your account, authenticating your identity, managing your preferences.
- Payment Processing: facilitating secure payment transactions through Stripe.
- Customer Support: responding to your inquiries, resolving disputes, and providing assistance.
- Site Improvement: analyzing usage patterns, monitoring performance, and debugging errors to improve your experience.
- Fraud Prevention: detecting and preventing fraudulent transactions and unauthorized access.
- Legal Compliance: maintaining records required by tax laws, responding to lawful requests from authorities, and enforcing our Terms of Service.
- Marketing Communications: sending promotional emails only with your express opt-in consent, in compliance with CASL.
GDPR Legal Bases
For individuals in the EU/EEA, we process your personal data on the following legal bases under Article 6(1) of the GDPR:
- Contractual Necessity (Art. 6(1)(b)): order processing, account management, payment processing, transactional emails.
- Legitimate Interests (Art. 6(1)(f)): analytics, error tracking, fraud prevention, website security.
- Consent (Art. 6(1)(a)): marketing emails, non-essential analytics cookies.
- Legal Obligation (Art. 6(1)(c)): tax record retention, responding to lawful government requests.
3. Your Privacy Rights
3.1 All Customers (PIPEDA)
Under PIPEDA, you have the right to:
- Access your personal information held by us.
- Request correction of inaccurate or incomplete information.
- Withdraw consent for the collection, use, or disclosure of your information (subject to legal or contractual restrictions).
- File a complaint with the Office of the Privacy Commissioner of Canada.
3.2 European Economic Area Residents (GDPR)
Under the GDPR, you additionally have the right to:
- Request erasure of your personal data ("right to be forgotten").
- Request restriction of processing.
- Receive your data in a portable, machine-readable format.
- Object to processing based on legitimate interests, including direct marketing.
- Withdraw consent at any time without affecting the lawfulness of prior processing.
- Not be subject to decisions based solely on automated processing.
- Lodge a complaint with your local data protection supervisory authority.
3.3 California Residents (CCPA/CPRA)
Under the CCPA/CPRA, California residents have the right to:
- Know what personal information is collected, used, and disclosed.
- Request deletion of personal information.
- Request correction of inaccurate personal information.
- Opt out of the sale or sharing of personal information. Remy Sales does not sell or share your personal information as defined under the CCPA/CPRA.
- Not be discriminated against for exercising your privacy rights.
We honor Global Privacy Control (GPC) browser signals as a valid opt-out request.
3.4 How to Exercise Your Rights
To exercise any of your privacy rights, contact us at privacy@remysales.com. We will respond within the timeframes required by applicable law: 30 days (PIPEDA), one month (GDPR), or 45 days (CCPA/CPRA). We may need to verify your identity before processing your request.
4. Marketing Communications & CASL
We only send marketing or promotional emails with your express opt-in consent, in full compliance with Canada's Anti-Spam Legislation (CASL). Every marketing email includes our name, physical address, and a functional unsubscribe link. Unsubscribe requests are processed within 10 business days. Transactional emails (order confirmations, shipping updates, password resets, security alerts) are sent without separate consent as they are necessary for the performance of our contract with you.
5. Data Security
We implement appropriate technical and organizational measures to protect your personal information, including:
- TLS/HTTPS encryption for all data in transit.
- Encryption at rest for stored data.
- Passwords stored using bcrypt cryptographic hashing with salt.
- Secure, HttpOnly, SameSite cookies for session management.
- Rate limiting to prevent brute-force and abuse attacks.
- Role-based access controls for administrative functions.
- PCI DSS compliance achieved through full delegation of card processing to Stripe (SAQ-A).
No method of electronic transmission or storage is 100% secure. While we strive to protect your personal information, we cannot guarantee its absolute security.
6. Children's Privacy
Our Site is not directed at individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal data from a child under 16, we will take immediate steps to delete such information. If you believe a child has provided us with personal information, please contact us at privacy@remysales.com.
7. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. Material changes will be communicated by posting a prominent notice on our Site and, where we have your email address, by sending you a notification. We encourage you to review this page periodically. Your continued use of the Site after changes become effective constitutes your acknowledgment of the updated Policy.
8. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Regulatory Complaints: If you are unsatisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada, your local EU data protection authority, or the California Attorney General, as applicable.
This Privacy Policy is effective as of February 9, 2026.