Privacy Policy
Last updated: 15 May 2026 · Effective: 1 June 2026
1. Who we are
Roast & Rise Coffee Co., LLC ("Roast & Rise", "we", "us") is the data controller of the personal information described in this policy. Our registered address is 2247 SE Salmon Street, Portland, OR 97214, United States.
For any question about this policy or your personal information, write to privacy@roastandrise.example.
2. Information we collect
2.1 Information you give us
- Account details: name, email address, password (stored hashed with bcrypt, not in plaintext).
- Order details: shipping and billing address, phone number, the products you ordered.
- Payment details: handled by Stripe, Inc. We receive only the last four digits, card brand, and expiry — never the full card number.
- Communications: the content of any email, contact form message, or support conversation you send us.
- Marketing preferences: whether you have opted in to our newsletter.
- User content: reviews, ratings, or photographs you submit.
2.2 Information collected automatically
- Device and browser data: IP address, browser type and version, operating system, screen size.
- Usage data: pages viewed, referring URL, time on site, links clicked.
- Cookies: see our Cookie Policy for the full list.
2.3 Information from third parties
- Payment processors: transaction confirmations and fraud signals from Stripe.
- Shipping carriers: tracking and delivery status from USPS and UPS.
- Social sign-in (if used): your public profile and email from Google.
3. How we use your information
We use personal information for the following purposes:
- to process, ship, and support your orders and subscriptions;
- to manage your account and authenticate you when you sign in;
- to send you order confirmations, shipping notifications, and other transactional messages;
- to send you marketing emails (only if you have opted in);
- to respond to your inquiries;
- to prevent, detect, and investigate fraud, abuse, and security incidents;
- to improve our website and products, including through anonymized analytics;
- to comply with our legal obligations (tax records, accounting, subpoenas).
4. Legal bases for processing (GDPR)
If you are in the European Economic Area or the United Kingdom, we rely on the following legal bases:
- Contract: to process your orders and provide your subscription.
- Consent: for marketing emails and non-essential cookies. You can withdraw consent at any time.
- Legal obligation: to keep tax and accounting records.
- Legitimate interests: to secure the site, prevent fraud, and improve our products, provided those interests are not overridden by your rights.
5. How we share your information
We do not sell your personal information. We share it only with the parties below and only for the purposes described:
- Stripe, Inc. — payment processing.
- Shopify Inc. — our e-commerce platform.
- Amazon Web Services (US-West-2) — hosting.
- USPS and UPS — shipping.
- Klaviyo, Inc. — transactional and marketing email.
- Plausible Analytics (EU) — anonymous, cookieless site analytics.
- Sentry, Inc. — error logging.
- Legal and regulatory bodies — where required by law, court order, or subpoena, and only after we have reviewed the legal basis.
- Successor entity — in the event of a merger, acquisition, or sale of assets, subject to reasonable confidentiality safeguards.
Each processor is bound by a written data-processing agreement that limits their use of your data to the service they provide us.
6. Cookies and tracking
See our Cookie Policy for the full list of cookies we use, their purpose, and how to control them.
7. Data retention
We keep your data only as long as we need it:
- Order records: 7 years, for tax and accounting compliance.
- Account details: until you close your account, then 30 days for backup recovery.
- Marketing consent records: 3 years after your last interaction.
- Support conversations: 2 years.
- Anonymous analytics: 12 months.
8. Data security
We protect your data with reasonable technical and organizational measures, including:
- TLS 1.2+ encryption for all traffic to and from our site;
- encryption at rest for account databases;
- bcrypt hashing of passwords;
- role-based access to our admin systems, limited to employees who need it;
- quarterly access reviews and mandatory two-factor authentication for all staff.
No system is perfectly secure. If a data breach occurs and affects your personal data, we will notify you and the relevant authorities within the timelines required by law (72 hours under GDPR).
9. Your rights
Depending on where you live, you may have some or all of the following rights:
- the right to access the personal data we hold about you;
- the right to correct inaccurate data;
- the right to delete your data, subject to our legal obligations;
- the right to restrict or object to certain processing;
- the right to portability — a machine-readable copy of your data;
- the right to withdraw consent at any time (this does not affect prior processing).
To exercise any of these rights, email privacy@roastandrise.example. We will respond within 30 days. If you are in the EEA or UK and believe we have not handled your data correctly, you can complain to your local supervisory authority.
10. Children's privacy
Our site is not directed to children under 16, and we do not knowingly collect personal information from them. If we learn we have collected data from a child under 16, we will delete it promptly.
11. International transfers
We are based in the United States, and our primary servers are in Oregon. If you access the site from outside the United States, your data will be transferred to and stored in the United States, which may have different data-protection laws than your country.
For transfers from the EEA and UK, we rely on Standard Contractual Clauses approved by the European Commission and take additional safeguards where required.
12. California privacy rights
If you are a California resident, the California Consumer Privacy Act (CCPA/CPRA) gives you the following rights, in addition to those in section 9:
- the right to know what categories of personal information we have collected, the purposes, and the categories of third parties we share it with;
- the right to opt out of the "sale" or "sharing" of personal information — we do not sell or share personal information in the CCPA sense;
- the right to limit use of sensitive personal information — we do not collect the categories of "sensitive personal information" defined in the CPRA;
- the right not to be discriminated against for exercising your rights.
To exercise these rights, contact us at privacy@roastandrise.example. We may need to verify your identity before responding.
13. Changes to this policy
We may update this policy from time to time. Material changes will be notified to registered users by email at least 14 days before they take effect. The "Last updated" date at the top of the page shows the current version.
14. Contact us
Roast & Rise Coffee Co., LLC
Attn: Privacy
2247 SE Salmon Street
Portland, OR 97214, USA
privacy@roastandrise.example