Privacy Policy
Last updated: March 25, 2026 · Effective for all users of threadsofmercy.com
Your privacy matters. This Privacy Policy explains what personal information Threads of Mercy collects, how we use it, who we share it with, and your rights as a consumer. We do not sell your personal information to third parties for monetary compensation.
Section 01
Introduction
This Privacy Policy ("Policy") applies to Threads of Mercy ("we," "us," or "our") and governs the collection, use, and disclosure of personal information obtained through our website at threadsofmercy.com (the "Site") and any related services, sales, or marketing activities.
By visiting the Site, creating an account, or placing an order, you acknowledge that you have read and understood this Policy. If you do not agree with this Policy, please do not use the Site.
This Policy applies to all residents of the United States. For residents of specific states with enhanced privacy rights (including California, Virginia, Colorado, Connecticut, Utah, Texas, and others), additional rights are described in Sections 11 and 12.
Section 02
Information We Collect
Information You Provide Directly
| Category | Examples | Purpose |
|---|---|---|
| Identity Data | First name, last name | Account creation, order fulfillment |
| Contact Data | Email address, phone number | Order confirmations, support, marketing (with consent) |
| Shipping Data | Delivery address, city, state, ZIP | Order fulfillment and shipping |
| Payment Data | Billing address, last 4 digits of card (tokenized via Stripe) | Payment processing — full card data handled by Stripe only |
| Account Data | Username, hashed password, order history | Account management |
| Design Content | Uploaded artwork, design files | Custom order production |
| Communications | Support emails, contact form messages | Customer service |
Information We Collect Automatically
| Category | Examples | Purpose |
|---|---|---|
| Device & Technical Data | IP address, browser type, OS, screen resolution | Security, fraud prevention, analytics |
| Usage Data | Pages viewed, click paths, time on site, referring URLs | Site optimization, analytics |
| Transaction Data | Purchase history, order amounts, cart activity | Order management, fraud prevention |
| Cookie & Tracking Data | Cookie IDs, session tokens, advertising identifiers | See Section 6 |
Information from Third Parties
We may receive information about you from third-party sources, including:
- Stripe — payment status, fraud risk signals, billing address verification;
- Google Analytics / Meta Pixel — aggregated demographic and interest data (only if you consent to analytics/marketing cookies);
- Google OAuth — if you log in via Google, we receive your name and email address only;
- Shipping Carriers — delivery confirmation and tracking events.
Section 03
How We Use Your Information
We use the information we collect for the following purposes:
| Purpose | Legal Basis |
|---|---|
| Process and fulfill your orders | Contract performance |
| Process payments securely via Stripe | Contract performance / legal obligation |
| Send order confirmations, shipping updates, and receipts | Contract performance |
| Respond to customer support inquiries | Legitimate interest / contract |
| Detect and prevent fraud and unauthorized access | Legitimate interest / legal obligation |
| Improve website functionality and user experience | Legitimate interest (with analytics consent) |
| Send marketing emails (with your opt-in consent) | Consent (CAN-SPAM / opt-in) |
| Comply with applicable laws and legal obligations | Legal obligation |
| Enforce our Terms & Conditions | Legitimate interest / contract |
We do not use your personal information to make automated decisions that produce legal or similarly significant effects about you without your knowledge.
Section 04
How We Share Your Information
We do not sell, rent, or trade your personal information for monetary consideration. We may share your information with the following categories of recipients:
| Recipient | What is Shared | Why |
|---|---|---|
| Stripe, Inc. | Billing address, order amount, customer email | Payment processing, fraud prevention |
| Shipping Carriers (USPS, FedEx, UPS) | Name, shipping address | Parcel delivery |
| Email Service Provider | Email address, order details | Transactional and marketing emails |
| Analytics Providers (Google Analytics 4) | Anonymized usage data (with consent) | Site performance analysis |
| Advertising Platforms (Meta, TikTok, Pinterest) | Hashed email, pixel data (with consent) | Retargeting and ad measurement |
| Law Enforcement / Legal Process | As legally required | Legal obligation, court order, subpoena |
| Business Transfers | All data in the event of merger/acquisition | Corporate transaction (with notice) |
All third-party service providers are contractually required to handle your data in compliance with applicable privacy laws and to use your data only for the specified purpose.
Section 05
Stripe & Payment Data
All payment processing is handled by Stripe, Inc., a PCI DSS Level 1 certified payment processor. We do not store, process, or transmit your full credit card number, CVV, or card expiration date on our servers.
When you enter payment information at checkout, it is transmitted directly to Stripe via an encrypted connection. Stripe returns a payment token to our system, which we use to complete your transaction. The only payment-related information we retain is your billing address (for tax and fraud purposes) and the last four digits of your card (for your reference).
Your use of Stripe's payment services is subject to Stripe's Privacy Policy. We encourage you to review it.
Section 06
Cookies & Tracking Technologies
We use cookies and similar tracking technologies (pixels, beacons, local storage) on our Site. The categories are:
| Type | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session, cart, CSRF token, Stripe session, consent preference | No — always active |
| Analytics | Google Analytics 4 (_ga, _gid, _ga_*) | Yes |
| Marketing | Meta Pixel (_fbp, _fbc), TikTok Pixel, Pinterest Tag | Yes |
| Functional | Saved preferences, recently viewed, chat widget | Yes |
You can manage your cookie preferences at any time using the Cookie Settings button at the bottom of every page, or by adjusting your browser settings. Note that disabling certain cookies may impact your experience on the Site.
We do not load analytics or marketing cookies until you have provided explicit consent via our cookie consent banner.
Section 07
Data Retention
We retain your personal information for as long as necessary to fulfill the purposes described in this Policy, comply with our legal obligations, resolve disputes, and enforce our agreements:
- Account data: Retained for the duration of your account plus 3 years after account closure, unless deletion is requested;
- Order & transaction records: Retained for 7 years for tax and accounting compliance;
- Payment records (Stripe tokens, billing address): Retained for 7 years;
- Marketing email lists: Retained until you unsubscribe or request deletion;
- Support communications: Retained for 3 years;
- Design upload files: Retained for 90 days post-order completion, then deleted.
When your data is no longer needed, we will securely delete or anonymize it in accordance with our data retention schedule.
Section 08
Data Security
We implement industry-standard technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These include:
- TLS/SSL encryption for all data transmitted to and from the Site (HTTPS enforced);
- Argon2id password hashing — passwords are never stored in plaintext;
- Time-based one-time password (TOTP) two-factor authentication support;
- PCI DSS-compliant payment processing via Stripe (we never handle raw card data);
- Access controls and role-based permissions for internal systems;
- Rate limiting and fraud detection on account and checkout endpoints;
- HTTP security headers including HSTS, CSP, X-Frame-Options, and X-Content-Type-Options.
Despite our best efforts, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security. In the event of a data breach that materially affects your rights, we will notify you as required by applicable state data breach notification laws.
Section 09
Children's Privacy (COPPA)
The Site is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information without consent, please contact us immediately at privacy@threadsofmercy.com and we will promptly delete that information.
Users between 13 and 17 may use the Site only with verifiable parental consent. We comply with the Children's Online Privacy Protection Act (COPPA) and will not knowingly retain data from children under 13.
Section 10
Your Rights (All US Residents)
Regardless of your state of residence, you have the following rights regarding your personal information:
- Right to Know: You can request a summary of the personal information we hold about you;
- Right to Correct: You can request correction of inaccurate information via your account settings or by contacting us;
- Right to Delete: You can request deletion of your personal information, subject to our legal retention obligations. Account deletion is available directly from your Account Settings;
- Right to Opt Out of Marketing: You can unsubscribe from marketing emails at any time via the unsubscribe link in any email;
- Right to Data Portability: You can request a copy of your personal data in a structured, machine-readable format;
- Right to Non-Discrimination: We will not deny you services, charge you different prices, or provide a lower quality of service because you exercised a privacy right.
To exercise any of these rights, submit a request to privacy@threadsofmercy.com with the subject line "Privacy Request." We will respond within 45 days (or sooner as required by state law). We may need to verify your identity before processing your request.
Section 11
California Residents — CCPA / CPRA Rights
California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)
If you are a California resident, you have the following additional rights under the CCPA/CPRA:
- Right to Know (Categories & Specific Pieces): The right to request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months;
- Right to Delete: The right to request deletion of your personal information, subject to certain exceptions;
- Right to Correct: The right to request correction of inaccurate personal information;
- Right to Opt Out of Sale or Sharing: The right to opt out of the "sale" or "sharing" of your personal information for cross-context behavioral advertising;
- Right to Limit Use of Sensitive Personal Information: The right to limit the use of sensitive personal information to necessary purposes;
- Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA right.
Do Not Sell or Share My Personal Information: We do not sell personal information for monetary compensation. We may "share" (as defined under CPRA) certain identifiers with advertising platforms (Meta, TikTok, Pinterest) if you have consented to marketing cookies. You can opt out at any time by adjusting your Cookie Settings at the bottom of any page, or by emailing privacy@threadsofmercy.com.
To submit a verifiable California consumer request, contact us at privacy@threadsofmercy.com. We will respond within 45 days, with one 45-day extension available if necessary. You may also designate an authorized agent to submit requests on your behalf, subject to identity verification.
Section 12
Other State Privacy Rights
The following state privacy laws may grant additional rights to residents of those states. We honor these rights for all qualifying residents:
| State | Law | Key Rights |
|---|---|---|
| Virginia | VCDPA | Know, correct, delete, portability, opt out of sale / targeted advertising / profiling |
| Colorado | CPA | Know, correct, delete, portability, opt out of sale / targeted advertising / profiling |
| Connecticut | CTDPA | Know, correct, delete, portability, opt out of sale / targeted advertising |
| Utah | UCPA | Know, delete, portability, opt out of sale / targeted advertising |
| Texas | TDPSA | Know, correct, delete, portability, opt out of sale / targeted advertising / profiling |
| Montana | MCDPA | Know, correct, delete, portability, opt out of sale / targeted advertising |
| Nevada | NRS 603A | Opt out of sale of covered information |
| Oregon | OCPA | Know, correct, delete, portability, opt out of sale / targeted advertising / profiling |
| All other states | Varies | We honor reasonable requests under applicable state law |
To exercise rights under any of the above laws, contact privacy@threadsofmercy.com with your state of residence and the right you are exercising. We will respond within the timeframe required by your state's law (typically 45–60 days).
Section 13
Marketing Communications & CAN-SPAM
If you opt in to marketing communications, we may send you promotional emails about new products, sales, and updates. All marketing emails comply with the CAN-SPAM Act:
- Every marketing email clearly identifies Threads of Mercy as the sender;
- Every marketing email includes our contact address for legal correspondence;
- Every marketing email contains a clear, one-click unsubscribe link;
- We honor opt-out requests within 10 business days;
- We do not use deceptive subject lines or false header information.
You can unsubscribe at any time by clicking the "Unsubscribe" link in any marketing email or by emailing unsubscribe@threadsofmercy.com. Transactional emails (order confirmations, shipping updates) will continue to be sent regardless of marketing opt-out status, as they are necessary to fulfill your order.
Section 14
Third-Party Links
Our Site may contain links to third-party websites or services that are not operated by us. We have no control over the content, privacy policies, or practices of any third-party site and encourage you to review the privacy policy of every site you visit.
Our inclusion of any link does not imply our endorsement of that site or any association with its operators. We are not responsible for the privacy practices of third-party sites.
Section 15
Changes to This Privacy Policy
We reserve the right to update this Privacy Policy at any time. We will notify you of material changes by updating the "Last updated" date at the top of this Policy and, where required by applicable law, by sending an email notice to the address associated with your account or by displaying a prominent notice on the Site.
Your continued use of the Site after the effective date of any changes constitutes your acceptance of the revised Policy. If you do not agree to the updated Policy, please discontinue use of the Site and contact us to request account deletion.
Section 16
Contact & Privacy Requests
Privacy Officer — Threads of Mercy
Email: privacy@threadsofmercy.com
General inquiries: support@threadsofmercy.com
Unsubscribe requests: unsubscribe@threadsofmercy.com
For data deletion, access requests, CCPA requests, or opt-out of sale requests, email us with the subject line "Privacy Request — [Your Right]". We respond within 45 days.
You can also delete your account directly from your Account Settings page.
This Privacy Policy was prepared for informational purposes. Nothing herein constitutes legal advice. Threads of Mercy recommends consulting a licensed attorney familiar with US privacy law for advice specific to your situation.