Privacy Policy

Last updated May 8, 2026

We try to keep this short and human. Rice Cracker Club is a small coffee roastery, not an ad network — we only collect what we actually need to ship you fresh coffee, run your subscription, and answer your email. This policy explains what we hold, why, and how to take it back.

The short version

  • We sell coffee. We don't sell your personal information — to anyone, ever.
  • We collect the minimum needed: your email, your shipping address, what you ordered, and a few preferences.
  • We share data with vendors that help us run the business (payments, shipping, email) — never with advertisers or data brokers.
  • You can download everything we have on you, change any of it, or delete your account from Account → Privacy. No phone calls, no email tickets.
  • We honor the Global Privacy Control (Sec-GPC) browser signal automatically.

What we collect

The categories of personal information we collect, and where each piece comes from:

Category | What it includes | Source
Account | Email, name (optional), magic-link sign-in tokens | You, when you sign up
Order history | Items ordered, prices, billing & shipping address, tracking number | You at checkout, Stripe, Shippo
Payments | Stripe customer ID, last-4 of card, invoice history | Stripe (we never see your full card)
Subscription preferences | Tier, frequency, quiz answers, gift recipient | You
Loyalty & referrals | Coffee Cash balance, referral code, who you referred | You + automatic accruals
Communication preferences | Marketing opt-in, analytics opt-in | You (default: opted in to product updates only)
Technical | IP address, browser/user agent, anonymous device ID | Your browser, captured by our app and PostHog

Why we use it

  • Run your account and ship your coffee. Take payment, print shipping labels, send order confirmations and tracking updates.
  • Personalize the product. Use your quiz answers and order history to recommend roasts and lots.
  • Customer support. Look up your account when you write in.
  • Marketing — only if you opted in. Lot-drop announcements, occasional discounts, brewing tips. Unsubscribe in every message.
  • Product analytics. Understand how the site is used so we can fix the slow pages and broken funnels. Off if you send the Global Privacy Control signal or toggle it off in your Privacy Center.
  • Fraud, abuse, and security. Rate-limit suspicious activity, keep an internal audit trail of admin actions.
  • Legal & accounting. Keep order and tax records as long as U.S. law requires us to (typically seven years for financial records).

Who we share it with

We use a small set of vendors to run the business. They only get the data needed to do their job, and they're contractually bound not to use it for anything else.

Vendor | What they do | Data shared
Stripe | Payments, subscription billing | Email, billing address, card token
Shippo | Shipping label generation | Name, shipping address, package weight, email
Resend | Transactional email (order confirmations, magic links) | Email, order details
Klaviyo | Marketing email — only if you opted in | Email, name, marketing preferences, lifecycle events
PostHog | Product analytics, feature flags, session replay | Anonymous device ID, page views, events; user ID once signed in
Vercel & Neon | Hosting and database | Everything we store, encrypted in transit and at rest

We will share information when legally compelled (subpoena, valid court order) or to protect against fraud and abuse. We'll tell you about it if we're allowed to.

What we don't do

  • We don't sell your personal information.
  • We don't share data with advertising networks or data brokers for targeted advertising.
  • We don't use your information to train AI models.
  • We don't knowingly collect data from anyone under 16.

Your rights

U.S. state privacy laws (CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, and the newer 2024–25 wave) give you a set of rights over your data. We extend all of them to every customer regardless of state.

  • Know what we have. Download a complete copy from Account → Privacy → Download my data.
  • Correct it. Update name and preferences in Account → Settings; for shipping address use your active subscription page.
  • Delete it. One click in your Privacy Center wipes your personal information. We keep order records anonymized for tax and accounting (legally required) but the rows can no longer be linked back to you.
  • Opt out of analytics. Toggle it off in the Privacy Center, or send the Sec-GPC: 1 header (browsers like Brave and Firefox can do this automatically) and we'll honor it on every visit.
  • Opt out of marketing. Toggle off in Privacy Center, or click unsubscribe in any marketing email.
  • Non-discrimination. We won't charge you more or give you worse service for exercising any of these rights.

To submit a request as a parent, guardian, or authorized agent on behalf of a customer — or if anything in your Privacy Center isn't working — email [email protected]. We respond within 45 days.

How long we keep things

  • Account profile — until you delete it.
  • Order and invoice records — at least seven years to satisfy U.S. tax and accounting law. After deletion these rows are anonymized.
  • Sessions, magic-link tokens — sessions last 30 days; magic links expire in minutes.
  • Quiz answers — kept for personalization until you delete your account.
  • Marketing & analytics events — typically 12–24 months at our vendors (Klaviyo, PostHog), longer if needed for cohort analysis.

Security

We host on Vercel and Neon (Postgres), both of which encrypt data in transit and at rest. Magic-link sign-in means we never store your password — there isn't one. Admin actions on customer accounts are written to an append-only audit log. We run an external security review on a quarterly cadence. No system is perfect; if you find something, write us at [email protected].

Cookies and similar tech

A short list of every cookie we set, plus how to opt out of analytics, lives at /cookies.

Where we operate

Rice Cracker Club is operated by Rice Cracker Club LLC in California, and we ship within the United States. Our vendors are U.S.-based or process U.S. customer data under standard U.S. agreements. We do not intentionally market to or accept orders from EU/UK residents.

Changes to this policy

If we make a material change we'll update the "last updated" date and email signed-in customers. Older revisions are available on request.

Contact

Privacy questions, requests, or complaints — [email protected].

Rice Cracker Club LLC · Oakland, California, USA