JUSTINJARCANDLES ("we," "us," or "our") operates the website at www.justinjarcandles.com (the "Site"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit our Site, create an account, or make a purchase. We are based in Pittsburgh, Pennsylvania.
1. Information We Collect
Information You Provide Directly
- Contact information: name, email address, phone number
- Shipping and billing addresses
- Account credentials (email and password, or Google OAuth profile)
- Order details and product preferences
- Communications you send us (contact form messages, support requests)
- Subscription preferences (Candle Club plan selection)
Information Collected Automatically
- IP address and approximate geolocation
- Browser type, operating system, and device information
- Pages visited, time spent, and referring URLs
- Cookies and similar tracking technologies (see Section 5)
Information from Third Parties
- Google OAuth: name and email if you sign in with Google
- Stripe: payment confirmation status (we never receive or store full card numbers)
- Cloudflare Turnstile: bot detection signals used to prevent spam (no personal data is shared with Cloudflare beyond your IP address)
2. How We Use Your Information
- Process, fulfill, and ship your orders
- Send transactional emails: order confirmations, shipping updates, delivery notifications
- Manage your account and provide customer support
- Process payments and prevent fraud
- Administer subscriptions (Candle Club billing and renewals)
- Issue and track gift cards, discounts, and loyalty points
- Improve our website, products, and services through analytics
- Comply with legal obligations, including tax reporting
- Protect the security and integrity of our Site
3. How We Share Your Information
We do not sell your personal information. We share data only with service providers necessary to operate our business:
- Stripe — Payment processing. Your payment data is handled directly by Stripe on its PCI-DSS-compliant infrastructure.
- Shippo — Shipping label generation. Your name and shipping address are shared to create USPS/UPS labels.
- Resend — Transactional email delivery (order confirmations, shipping notifications).
- Cloudinary — Product image hosting and optimization.
- Cloudflare — Bot protection (Turnstile) and DNS/CDN services.
- Vercel — Website hosting infrastructure.
- Railway — Database hosting.
- Google — OAuth authentication (only if you choose to sign in with Google).
We may also disclose information when required by law, court order, or to protect our rights, property, or safety.
4. Payment Information
All payment processing is handled by Stripe. Your credit card number, CVV, and expiration date are transmitted directly to Stripe's PCI-DSS Level 1 certified servers and are never stored on or transmitted through our systems. We only receive confirmation of payment status and a card fingerprint used to recognize returning customers at our point-of-sale terminal.
5. Cookies and Tracking Technologies
We use cookies and similar technologies for the following purposes:
- Essential cookies: Shopping cart persistence, authentication session, CSRF protection
- Functional cookies: Remembering your preferences and recently viewed products
- Security cookies: Cloudflare Turnstile bot detection tokens
You can control cookies through your browser settings. Disabling essential cookies may prevent you from completing purchases.
6. Data Security
We implement industry-standard security measures to protect your information:
- TLS/HTTPS encryption for all data in transit
- Passwords hashed with bcrypt (never stored in plaintext)
- Rate limiting and bot protection on all public endpoints
- Admin access protected by authenticated sessions with JWT verification
- Database hosted on encrypted infrastructure with restricted access
No method of transmission over the Internet is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
7. Data Retention
- Order data: Retained for 7 years to comply with tax and accounting obligations under Pennsylvania and federal law.
- Account data: Retained until you request deletion.
- Session data: Authentication sessions expire after 30 days of inactivity.
- Communication logs: Contact form submissions retained for 2 years.
8. Your Rights
Depending on your location, you may have the following rights regarding your personal information:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your account and associated data (subject to legal retention requirements).
- Opt-out: Unsubscribe from marketing emails at any time via the link in every email.
- Data portability: Request your data in a machine-readable format.
To exercise any of these rights, email us at orders@justinjarcandles.com. We will respond within 30 days.
9. California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (as amended by the CPRA):
- Right to know what personal information we collect and how it is used
- Right to delete personal information (with certain exceptions)
- Right to opt out of the sale or sharing of personal information — we do not sell or share your data for cross-context behavioral advertising
- Right to non-discrimination for exercising your privacy rights
To submit a request, email orders@justinjarcandles.com with the subject line "CCPA Request."
10. Pennsylvania Residents
Pennsylvania does not currently have a comprehensive consumer data privacy law. However, we comply with the Pennsylvania Breach of Personal Information Notification Act (73 P.S. § 2301 et seq.). In the event of a data breach affecting your personal information, we will notify you and the Pennsylvania Attorney General as required by law.
11. Children's Privacy
Our Site is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.
12. International Visitors
Our Site is operated from the United States. If you access the Site from outside the US, your information will be transferred to and processed in the United States. By using the Site, you consent to this transfer.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be posted on this page with an updated effective date. Your continued use of the Site after changes are posted constitutes acceptance of the revised policy.
14. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices:
- Email: orders@justinjarcandles.com
- Address: JUSTINJARCANDLES, Pittsburgh, PA