1. Who we are

WebHead Workshop ("we", "us", "our") is a small business operating from South Florida, USA. We design and sell 3D-printed products, including functional web shooters and custom pole vault tips, through our website at webheadworkshop.com and through marketplace listings on Etsy, eBay, and Cults3D.

For purposes of this policy, WebHead Workshop is the entity responsible for deciding how and why your personal information is processed (the "data controller" under EU/UK law, or the "business" under California law).

2. Information we collect

Information you provide directly

• Customer accounts: when you create an account, we collect your name, email address, password (stored hashed, never in plain text), and your marketing email preferences.
• Orders: name, email address, shipping and billing addresses, phone number (optional), order details, personalization choices (colors, custom text, uploaded images), and order notes. Payment card information goes directly to Square — we do not see or store your card number.
• Custom request form (homepage): name, email, phone (optional), request type, and the message you write.
• Pay Later requests (schools and organizations): organization name, contact name, email, phone, optional purchase order number, requested payment terms, plus the IP address and timestamp of terms acceptance for our audit record.
• Support messages: the content of any messages you send us through the order support chat or by email.
• Personalization uploads: any image files you upload for custom orders (logos, artwork). Used only to fulfill the specific order.

Information collected automatically

• Analytics: Google Analytics (GA4) collects information about how you use the site — pages viewed, time on page, approximate location from IP, device type, browser, referring site, and similar interaction data.
• Advertising pixels: Google Ads, Meta Pixel (Facebook/Instagram), and Pinterest Pixel collect information about pages you visit, items you view, items added to cart, and purchases completed, so we can measure ad campaign effectiveness and show you relevant ads on those platforms. See Section 6.
• Server logs: our host (Hostinger) maintains standard web logs including IP address, user agent, requested URLs, and timestamps for security, debugging, and abuse prevention.
• Local storage: your shopping cart, promo code, and certain UI preferences are stored in your browser's local storage so the site works smoothly across visits. This data stays on your device until you clear it.
• Cookies: see Section 7 for the full cookie list.

Information we receive from others

• Etsy orders: when someone buys from our Etsy shop, Etsy passes us the customer's name, shipping address, order contents, and order number. Etsy is the seller of record for those transactions and applies its own privacy policy to buyer data.
• Square (payments): after you pay, Square returns a payment confirmation, last 4 digits of card, and a receipt URL — but never your full card number.

3. Categories of personal information (CCPA)

The California Consumer Privacy Act (CCPA/CPRA) defines specific categories of personal information. In the past 12 months we have collected the following categories:

Category	Examples we collect	Sources
Identifiers	Name, email address, postal address, phone number, IP address, account ID	You, marketplace order data, server logs
Customer records	Name, address, phone, payment information (last 4 only)	You, Square
Commercial information	Products viewed, products purchased, order history, returns, support history, marketing preferences, promo codes used	You, your activity on the site
Internet activity	Browsing behavior on our site, pages viewed, links clicked, time on page, search terms	Google Analytics, advertising pixels, server logs
Geolocation (approximate)	Approximate city/state derived from IP address (we don't collect precise GPS location)	Server logs, analytics
Inferences	Inferred interests based on browsing (e.g., interested in cosplay, pole vault, etc.) — used by advertising partners to determine ad relevance	Advertising partners (Google, Meta, Pinterest)
Audio/visual	Images you upload for personalization	You (only when you upload)

We do not collect: biometric information, precise geolocation, health information, government IDs, financial account numbers (beyond what Square processes), or sensitive demographic data.

4. How we use your information

• Order fulfillment: to produce, package, ship, and track your order; to contact you about order status; to process returns or warranty claims.
• Customer accounts: to provide order history, downloads library, address book, support messaging, and account management features.
• Marketing emails (with consent): if you opt in, we send you periodic emails about new products, blog posts, sales, and promotions. You can unsubscribe at any time using the one-click link in every email, or by toggling the preference in your account.
• Promo codes: when you use a promo code, we record the redemption (code, email, customer ID if applicable, and discount amount) to enforce usage limits and to detect abuse.
• Advertising and measurement: we work with advertising partners (Google Ads, Meta, Pinterest) to measure the effectiveness of ad campaigns and show our products to people who have shown interest. See Section 6.
• Analytics and improvement: to understand how people find and use the site, which pages convert, and where we can improve.
• Custom request response: to reply to inquiries you submit through the contact form.
• Payment processing: via Square; we also issue invoices for Pay Later requests.
• Pay Later audit: the IP address and terms-acceptance timestamp are stored so we have a verifiable record of agreement, protecting both parties in a dispute.
• Business records and tax: to keep accurate records of sales, expenses, and customer transactions as required by U.S. tax law.
• Security and fraud prevention: to detect, prevent, and respond to abuse, fraud, or technical problems.

5. Who we share it with

We share personal information only with the service providers we use to run the business, and with advertising partners as described in Section 6. Each provider has its own privacy policy.

Service provider	What they receive	Why
Hostinger (hosting + email)	All site traffic, server logs, order data stored in our database, and outgoing email	Runs the website, database, and business email infrastructure.
Square, Inc. (payment processing)	Card information, billing address, order total, email	Processes payments. We never see or store your card number.
Google Analytics (Google LLC)	Site usage data, approximate location, device info, cookies	Aggregate analytics for site improvement.
Google Ads (Google LLC)	Conversion events (orders placed after ad clicks), retargeting cookies, hashed email for customer match (where applicable)	Measure ad effectiveness, show ads on Google and partner sites. This counts as "sharing" under CCPA — see Section 8.
Meta Platforms, Inc. (Facebook/Instagram Pixel)	Page views, products viewed, items added to cart, purchases completed, hashed email for customer match	Measure ad effectiveness, build audiences, show ads on Facebook and Instagram. Sharing under CCPA — see Section 8.
Pinterest, Inc. (Pinterest Pixel)	Page views, products viewed, purchases completed	Measure ad effectiveness, show ads on Pinterest. Sharing under CCPA — see Section 8.
Google Fonts & Font Awesome	IP address and browser data when fonts/icons load	Provides typography and icons.
Formspree (contact form)	Everything you enter into the custom request form	Receives form submissions and forwards them to us.
Etsy	N/A (Etsy sends data to us for fulfillment)	Etsy is the seller of record for marketplace transactions.
YouTube (embedded videos)	IP and browser data when a video loads	Hosts our tutorial videos.
USPS & other shipping carriers	Recipient name and address	Required to deliver your order.

We may also disclose information if legally required (valid subpoena or court order) or if necessary to protect the rights, property, or safety of our customers, ourselves, or others.

We do not sell personal information for monetary consideration. However, the use of advertising pixels described above constitutes "sharing" under California law and similar laws. See Section 8 for opt-out options.

6. Advertising & cross-context tracking

We use the following advertising and measurement tools:

Google Ads & Google Analytics

Google's tracking tag (gtag.js) measures conversions from Google Ads campaigns and may set cookies for remarketing. When you visit our site after clicking a Google ad, or when you complete an order, that information is sent to Google. We may also upload hashed customer emails to Google Ads for customer match audiences.

• Opt out of Google's personalized advertising: adssettings.google.com
• Opt out of Google Analytics: Google Analytics Opt-out Browser Add-on
• Google's privacy policy: policies.google.com/privacy

Meta Pixel (Facebook / Instagram)

The Meta Pixel tracks page views, content views, add-to-cart events, and purchases. This lets us measure how Facebook/Instagram ads perform and build retargeting audiences. We may also share hashed customer emails through Meta's Conversions API.

• Manage your Meta ad preferences: facebook.com/adpreferences
• Opt out of off-Facebook activity: facebook.com/off_facebook_activity
• Meta's privacy policy: facebook.com/privacy/policy

Pinterest Pixel

The Pinterest Pixel tracks page views, content views, and conversions to measure Pinterest ad performance.

• Manage Pinterest ad preferences: pinterest.com/settings/privacy
• Pinterest's privacy policy: policy.pinterest.com/en/privacy-policy

Network-wide opt-outs

You can also opt out of interest-based advertising across many networks at once:

• Digital Advertising Alliance (DAA): optout.aboutads.info
• Network Advertising Initiative (NAI): optout.networkadvertising.org
• European users: youronlinechoices.eu

7. Cookies and similar technologies

Functional storage

• Shopping cart (local storage, key: whw_cart): your in-progress cart contents. Stays on your device until you clear it or complete checkout.
• Promo code (local storage, key: whw_promo_code): any promo code you've entered, so it persists across cart/checkout navigation. Cleared on successful order.
• Account session (cookie): if you sign in, a PHP session cookie keeps you logged in. Expires when you sign out or after extended inactivity.

Analytics cookies

• Google Analytics (GA4): sets _ga and _ga_* cookies to distinguish visitors and sessions. Default expiry: 24 months.

Advertising cookies

• Google Ads / DoubleClick: _gcl_au, IDE, and related cookies for conversion tracking and remarketing.
• Meta Pixel: _fbp and related cookies for tracking page views and conversions for Facebook/Instagram ads.
• Pinterest Pixel: _pinterest_ct, _pinterest_sess, and related cookies.

Third-party embed cookies

• YouTube videos: when a page contains an embedded YouTube video and you play it, Google may set cookies for that video player.

Your browser controls

Most browsers let you view, manage, and delete cookies and local storage on a per-site basis. Blocking third-party cookies is increasingly the default in modern browsers (Safari, Firefox, Brave) and will not break essential functions of our site.

8. Do Not Sell or Share My Personal Information

Opting out of sharing for advertising does not affect:

• Your ability to place orders or use your account
• Order confirmation emails, shipping notifications, and other transactional messages required to fulfill your purchase
• Marketing emails you've separately opted into (those have their own unsubscribe link in every email)
• Basic site analytics in aggregate (these don't identify you individually)

9. How long we keep it

• Order records: at least 7 years (U.S. tax/business record requirements).
• Customer account data: as long as the account is active. If you delete your account, we anonymize the account record and detach it from order history (which is retained per the above).
• Promo code usage records: retained as long as the promo code exists for audit purposes; soft-deleted with the code if it had redemptions.
• Marketing email subscription: until you unsubscribe; unsubscribe records are retained indefinitely so we don't accidentally re-email you.
• Contact form submissions: up to 24 months in Formspree, longer if part of an ongoing project.
• Pay Later records: life of the invoice plus 7 years.
• Analytics data: Google Analytics retention configured to 14 months for user-level data; aggregate reports retained longer.
• Advertising pixel data: retention is governed by the advertising partner (Google, Meta, Pinterest). Typically 60–180 days for cookies, longer for hashed audiences.
• Server logs: per Hostinger's standard retention (typically weeks to a few months).
• Support messages: retained for the life of the thread plus a reasonable archival period.

10. Your rights and choices

Depending on where you live, you may have the right to:

• Access the personal information we hold about you.
• Correct information that is inaccurate or incomplete.
• Delete your information (subject to legal record-keeping obligations).
• Port your information in a portable, readable format.
• Opt out of sharing for cross-context behavioral advertising (see Section 8).
• Opt out of marketing emails (one-click unsubscribe link in every email).
• Withdraw consent for processing where we rely on consent.
• Non-discrimination: we will not deny goods or services, charge different prices, or provide a different level of service because you exercised a privacy right.

To make any of these requests, email [email protected]. We will respond within the timeframe required by applicable law (typically 45 days for CCPA, 30 days for GDPR). We may ask you to verify your identity before acting on the request.

11. State-specific rights

California (CCPA / CPRA)

California residents have all the rights listed in Section 10, plus the right to know what categories of personal information we have collected, sold, or shared in the past 12 months (see Section 3) and the right to limit the use of "sensitive personal information." We do not collect sensitive personal information as defined by CPRA.

We do not sell personal information for monetary consideration. We do "share" personal information for cross-context behavioral advertising — see Section 8 for opt-out.

In the past 12 months, the categories of personal information we have shared for cross-context behavioral advertising are: identifiers (hashed email), internet activity, commercial information (products viewed and purchased), and inferences. We did this with the categories of third parties listed in Section 5 (Google, Meta, Pinterest).

Colorado (CPA), Connecticut (CTDPA), Virginia (VCDPA), Utah (UCPA), Texas (TDPSA)

Residents of these states have substantially similar rights to access, correct, delete, and port their personal information, plus the right to opt out of targeted advertising and sales. See Section 8 for opt-out. Some states (Colorado, Connecticut, Texas, Virginia) require us to honor the GPC browser signal — we do.

Appeals (Colorado, Connecticut, Virginia)

If we deny a privacy request, you have the right to appeal. Reply to the denial email or send a new email to [email protected] with subject line "Privacy Request Appeal." We will respond within 60 days.

12. EU / UK visitors (GDPR / UK GDPR)

If you are in the EU, EEA, or UK, you have rights under GDPR including: access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, objection to processing (including to profiling for direct marketing), and the right not to be subject to solely automated decision-making.

Our legal bases for processing:

• Performance of a contract: processing order data to fulfill your purchase.
• Consent: marketing emails, advertising pixels (where consent is required — we recognize "Do Not Track" / GPC signals and require explicit opt-in for marketing).
• Legitimate interests: security, fraud prevention, aggregate analytics, transactional emails.
• Legal obligation: tax and business records retention.

To exercise any GDPR right, email [email protected]. You also have the right to complain to your local data protection authority.

13. Children's privacy

Our website is a general-audience site and is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has submitted information to us, contact [email protected] and we will delete it.

Consistent with the CCPA, we do not knowingly sell or share the personal information of consumers under 16 years of age without affirmative authorization. Buyers under 18 should have parent or guardian permission before placing an order.

14. Security

We take reasonable steps to protect the information we collect. Our site uses HTTPS for all traffic, payment data is handled by a PCI-compliant processor (Square) and never touches our servers, passwords are stored hashed, and access to internal dashboards is restricted to authenticated team members. No system is perfectly secure, but we work to reduce risk where we can. In the event of a data breach affecting your personal information, we will notify you in accordance with applicable law.

15. International visitors

WebHead Workshop operates from the United States. If you are visiting from outside the U.S., your information will be transferred to and processed in the U.S. by us and our service providers. By using our site, you consent to this transfer. The U.S. may have different data protection standards than your country.

16. Changes to this policy

We may update this policy from time to time. The date at the top will be updated when that happens. If we make material changes affecting how we use information we already hold about you, we will take reasonable steps to notify you — for example, by posting a banner on the site or emailing customers directly.

17. Contact us

Questions about this policy, or requests to exercise your rights, should go to:

WebHead Workshop
Email: [email protected]
Location: South Florida, USA