Privacy Policy

Effective Date: 2025-05-19 (supersedes the version dated 2025-04-21)

At The Crafty Can (“we,” “us,” or “our”) your privacy is extremely important. This Privacy Policy explains how we collect, use, disclose, retain, and protect your personal information in accordance with Canadian privacy law, including the Personal Information Protection and Electronic Documents Act (PIPEDA), and—in limited circumstances—the EU General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA/CPRA).

By using https://thecraftycan.ca (the “Site”) or any of our services, you agree to the practices described below.

1 Scope

This Policy applies to personal information we collect when you:

  • browse or shop on the Site;

  • purchase or pre-order products;

  • subscribe to our newsletters or marketing lists;

  • interact with us on social media, email, chat, or support tickets; or

  • otherwise provide information to us.

2 Information We Collect

2.1 Information You Provide Directly

Category Examples Typical Purpose
Identification Name, billing & shipping address, province/state, country Order processing, tax calculation
Contact Email, phone number Receipts, shipping notifications, support
Payment Card or account details (handled by PayPal, Square, WooPayments) Complete transactions
Order & Preference Data Products ordered, variation choices, “pre-order” dates, instructions provided via Advanced Product Fields Fulfilment, warranty
Marketing Consents Newsletter opt-in, cookie banner choices CASL-compliant marketing

2.2 Information We Collect Automatically

  • IP address, browser & device type, referrer URL, date/time stamps

  • On-site actions (pages viewed, items added to cart, search terms)

  • Abandoned-cart and purchase history

This data is collected via cookies, pixels, and similar technologies provided by WooCommerce, Google Analytics (GA4), SmartCrawl Pro, Hummingbird Pro, Smush Pro, and Jetpack.

2.3 Cookies & Tracking Technologies

We use:

  • Essential cookies – keep the cart working, maintain session security.

  • Analytics cookies (_ga, _gid, _hjSession*) – measure traffic and improve usability.

  • Marketing cookies (mailpoet_*, paypal.com cookies) – send or suppress promotional emails, prevent fraud.

You can manage non-essential cookies at any time via our Cookie Settings banner (click the “⏿ Cookie Settings” link in the footer) or through your browser.

3 How We Use Your Information

We process personal information to:

  1. Take and fulfil orders (WooCommerce).

  2. Collect payments (PayPal, Square, WooPayments).

  3. Manage pre-orders (YITH Pre-Order for WooCommerce).

  4. Send transactional and marketing emails (MailPoet – double opt-in, unsubscribe any time in one click).

  5. Provide customer support and prevent fraud.

  6. Improve performance, SEO, and accessibility (Hummingbird Pro, SmartCrawl Pro, Smush Pro).

  7. Secure the Site (Defender Pro, WPMU DEV Dashboard).

  8. Comply with legal obligations (tax, bookkeeping, consumer protection).

  9. Perform limited automated analysis—e.g., abandoned-cart reminders or product recommendations (no decisions with legal or similar significant effects are taken solely by automated means).

4 Legal Basis (for international visitors)

Where GDPR applies, our primary legal bases are:

  • Contract (Art. 6 (1)(b)) – to supply goods you purchase;

  • Consent (Art. 6 (1)(a)) – newsletters, non-essential cookies;

  • Legal obligation (Art. 6 (1)(c)) – tax records;

  • Legitimate interests (Art. 6 (1)(f)) – fraud prevention, service improvement.

5 Third-Party Service Providers & International Transfers

We share data only with vendors that enable us to operate the Site. They may store or process information outside Canada (primarily in the United States):

Vendor Purpose Location
PayPal, Square, WooPayments Payment processing USA / global
WPMU DEV (Defender, Hummingbird, Smush, SmartCrawl) Performance & security USA
MailPoet (email infrastructure) Newsletters EU / USA
Google (Analytics) Usage statistics USA / global

Where data leave Canada, they may be subject to foreign laws and accessible to foreign courts or law-enforcement. We use contractual and technical safeguards (TLS encryption in transit, key-restricted access) to mitigate these risks.

6 Security and Breach Notification

We employ industry-standard safeguards including HTTPS, firewalls, malware scanning, and role-based access controls. If we identify a breach of security safeguards that poses a real risk of significant harm, we will:

  1. Notify affected individuals as soon as feasible;

  2. Report the incident to the Office of the Privacy Commissioner of Canada; and

  3. Maintain a breach log for at least 24 months, as required by PIPEDA §10.1.

We never sell or rent personal data.

7 Data Retention

Data Category Typical Retention Period Reason / Legal Basis
Completed orders & invoices 7 years Tax & accounting records
Abandoned carts 30 days Customer convenience & fraud analysis
Support tickets 2 years Service quality & dispute resolution
Marketing email logs Until you unsubscribe + 30 days Compliance with CASL/GDPR
Security & error logs 365 days Site integrity & incident analysis

We delete or anonymize data once the retention period expires, unless a legal obligation requires longer storage.

8 Marketing Communications (CASL Compliance)

We send promotional emails only with express consent (double opt-in). Every marketing email contains an unsubscribe link that immediately removes you from the list, or you can email us at the address below.

9 Your Rights & Choices

Subject to limited exemptions, you may:

  • Access the personal information we hold.

  • Correct inaccurate or incomplete data.

  • Withdraw consent for marketing or cookies.

  • Request deletion (erasure) of data that are no longer required.

  • Port your order history in a machine-readable format (GDPR/CPRA).

  • Complain to the Office of the Privacy Commissioner of Canada if you believe we have mishandled your information.

To exercise any right, email us at privacy@thecraftycan.ca. We will respond within 30 days.

10 Children’s Privacy

The Site is not directed to children under 13. We do not knowingly collect personal information from children. If you believe a child has provided data, please contact us so we can delete it.

11 Automated Decision-Making & Profiling

We use basic automation (e.g., abandoned-cart reminders, product suggestions) but no automated decision produces legal or similarly significant effects on individuals.

12 Changes to this Policy

We may update this Policy periodically. Material changes will be announced via a banner on the Site or, for registered customers, by email. The “Effective Date” above indicates the latest revision.

13 How to Contact Us

Privacy Officer
The Crafty Can
Email: create@tcoops.ca (please add Subject: “Attn: Privacy Officer”)