Privacy policy

PRIVACY POLICY

of
Made and Co, Inc. dba PopFestCo

Website: https://www.popfestcoshop.com/
Company Name: Made and Co, Inc. dba PopFestCo (“PopFestCo”)
Jurisdiction (Principal Place of Business): California, United States
Effective Date:5th December 2025

1. Introduction and Scope

1.1 This Privacy Policy (“Policy”) explains how PopFestCo (“PopFestCo,” “we,” “us,” or “our”) collects, uses, discloses, and protects personal information when you visit or use our website at www.popfestcoshop.com, purchase our balloon arch kits and accessories, engage with our marketing, or otherwise interact with us (collectively, the “Services”).

1.2 This Policy applies to visitors and customers located in the United States and internationally (“you” or “your”), subject to any local laws that provide you with additional rights.

1.3 Our separate Cookie Policy describes in more detail how we use cookies, pixels, and similar technologies. Please read this Policy together with our Cookie Policy and our Terms and Conditions.

1.4 Compliance with U.S. Federal & State Privacy Laws.
Where applicable, we comply with United States privacy laws, including:

·        California Consumer Privacy Act (CCPA) as amended by the CPRA,

·        California Online Privacy Protection Act (CalOPPA),

·        Children’s Online Privacy Protection Act (COPPA),

·        CAN-SPAM Act,

·        other U.S. state privacy laws (Colorado, Virginia, Connecticut, Utah), and

·        any other federal or state laws governing marketing, consumer privacy, and electronic communications.

1.5 By Using the Services. By accessing or using the Services, you acknowledge that you have read and understood this Policy. If you do not agree, you must discontinue use of the Services.

2. Who We Are and Role as Controller

2.1 Data Controller. Made and Co, Inc. dba PopFestCo, established in California, is generally the “controller” of personal information collected through the Services. This means we determine how and why your personal information is processed.

2.2 Service Providers / Processors. We engage third parties (for example, Shopify, payment processors, analytics providers, and shipping carriers) who process personal information on our behalf and under our instructions, subject to contractual safeguards.

2.3 Local Applicability. Depending on where you are located, your local data protection laws may provide specific rights or obligations that supplement this Policy. Where those laws apply and cannot be limited, we will comply with them.

3. Personal Information We Collect

We may collect the following categories of personal information, depending on how you interact with us:

3.1 Information You Provide Directly:

  • Identifiers and contact details: name, email address, phone number, billing and shipping address.
  • Order and transaction details: products purchased, order dates, order value, chosen shipping method.
  • Payment-related details: payment method type (e.g., card, wallet). Full payment card data is typically handled by our payment processors, not stored by us.
  • Account information: username, password, order history, saved addresses (if you create an account).
  • Communications: messages or content you send us via email, contact forms, or social media (e.g., questions about balloon kits, support requests).

3.2 Information Collected Automatically:

  • Device and technical data: IP address, browser type and version, device type and identifiers, operating system.
  • Usage data: pages visited, time and date of visits, click paths, time on page, referring URLs, and interactions with content.
  • Approximate location data: derived from your IP address (e.g., city, region, country).

3.3 Information From Third Parties:

  • E-commerce and payment platforms (e.g., Shopify, payment gateways): to complete transactions and detect fraud.
  • Shipping carriers and logistics providers: delivery status updates, tracking events.
  • Analytics and marketing partners: aggregated or pseudonymised information about how users interact with our website and ads (for example, via Google Analytics, Meta/Facebook Pixel, Pinterest Tag).

3.4 Sensitive Information. We do not intentionally seek to collect sensitive personal information (e.g., health data, government IDs, precise GPS location). If you choose to provide such information in free text fields or communications, you do so voluntarily and we handle it only as necessary for the relevant purpose or as required by law.

4. How We Use Your Personal Information

We use personal information for the following purposes, to the extent permitted by applicable law:

4.1 To Provide and Operate the Services.
Processing and fulfilling orders, managing payments, shipping Products, handling returns where legally required, and providing order confirmations and updates.

4.2 Customer Support.
Responding to inquiries, providing assistance with balloon kit selection or assembly questions, resolving complaints, and handling any service-related issues.

4.3 Improving Our Website and Products.
Analyzing how our site is used, understanding which balloon themes are most popular, testing new layouts and features, and improving our Products and Services.

4.4 Marketing and Promotions.
Sending you marketing communications (where permitted) about new themes, promotions, and special offers; personalizing content and offers based on your interests and previous interactions.

4.5 Analytics and Performance.
Using analytics tools (such as Google Analytics) and pixels/tags (such as Meta/Facebook Pixel and Pinterest Tag) to understand traffic patterns, measure campaign effectiveness, and optimize our marketing strategy.

4.6 Security and Fraud Prevention.
Detecting and preventing fraudulent orders, abuse of discount codes, unauthorized account access, or other suspicious activity.

4.7 Legal and Compliance.
Complying with legal obligations (for example, tax and accounting rules), responding to lawful requests from public authorities, and establishing, exercising, or defending legal claims.

4.8 With Your Consent.
For any other purpose that we clearly explain at the time of collection and for which we ask and obtain your consent, where required.

4.9 CAN-SPAM Compliance for Email Communications.
We send promotional emails in accordance with the CAN-SPAM Act, including clear identification of promotional content where required, providing a valid physical mailing address, and offering a functional opt-out mechanism in every commercial email.

5. Legal Bases for Processing (EEA/UK and Similar Jurisdictions)

Where European, UK, or similar data protection laws apply, we process personal information on the following legal bases:

5.1 Performance of a Contract.
To process your orders, provide the Services, manage your account, and fulfill our contractual obligations to you.

5.2 Legitimate Interests.
To operate, secure, and improve our business; prevent fraud; understand how our customers use our Services; and market to existing customers, provided those interests are not overridden by your rights and interests.

5.3 Consent.
For certain uses of cookies, analytics, and marketing where required by law. You may withdraw your consent at any time, without affecting the lawfulness of processing before withdrawal.

5.4 Legal Obligations.
To comply with legal requirements, such as tax, accounting, and consumer protection laws, or to respond to lawful requests from authorities.

6. Cookies, Pixels, and Similar Technologies

6.1 We use cookies, pixels, tags, scripts, and similar technologies (“Cookies”) on the Site to:

  • Enable core site functions and secure checkout (including Shopify cookies).
  • Remember your preferences and improve user experience.
  • Analyze site usage and performance (e.g., via Google Analytics).
  • Measure and optimize advertising campaigns (e.g., via Meta/Facebook Pixel and Pinterest Tag).

6.2 Our separate Cookie Policy provides detailed information about the types of Cookies we use, the partners involved, and the options you have to control or disable Cookies. In certain jurisdictions, we will request your consent for non-essential Cookies via a banner or consent tool.

6.3 Cross-Context Behavioral Advertising (CPRA).
Certain Cookies and advertising tools may constitute “cross-context behavioral advertising” or “sharing” of personal information under the CPRA. Your opt-out rights are described in Section 11 and our Cookie Policy.

7. How We Share Personal Information

We may share personal information with the following categories of recipients, in each case only to the extent reasonably necessary for the purposes described in this Policy:

7.1 Service Providers (Processors).
Third-party vendors who provide services on our behalf, such as:

  • E-commerce and hosting (including Shopify).
  • Payment processors and financial institutions.
  • Shipping and logistics providers.
  • IT and security providers.
  • Email and marketing platforms.
  • Analytics and advertising partners.

7.2 Business Partners.
Limited sharing with advertising or social media partners to measure and improve our marketing, where permitted by law and subject to your choices.

7.3 Legal, Regulatory, and Safety Recipients.
Law enforcement, regulators, courts, or other third parties where required by law or reasonably necessary to protect our rights, property, or safety, or the rights, property, or safety of others.

7.4 Corporate Transactions.
In connection with a potential or actual merger, acquisition, reorganization, sale of assets, or similar corporate transaction, in which personal information may be transferred as part of the business assets, subject to appropriate protections.

7.5 With Your Consent.
Any other sharing where you have expressly consented.

7.6 CPRA “Selling” and “Sharing.”
Under the CPRA, certain data uses—particularly those involving advertising identifiers and analytics tools—may be classified as a “sale” or “sharing” of personal information, even if no money is exchanged. Your opt-out rights regarding such uses are described in Section 11 and our Cookie Policy.

We do not sell your personal information in the ordinary sense. If certain uses of Cookies or advertising identifiers are deemed a “sale” or “sharing” under applicable law (e.g., California), your rights and choices are described in Section 11 and our Cookie Policy.

8. International Transfers

8.1 The Services are operated from the United States, and your personal information may be processed in the United States or other countries where our service providers operate.

8.2 Where data protection laws require specific safeguards for international transfers, we implement appropriate measures (such as standard contractual clauses or comparable mechanisms) to protect your personal information.

8.3 If you would like more information about these safeguards, you may contact us using the details in Section 18.

9. Data Retention

9.1 We retain personal information only for as long as reasonably necessary to fulfill the purposes described in this Policy, including to:

  • Complete your transactions.
  • Provide customer support.
  • Comply with legal, tax, and accounting obligations.
  • Resolve disputes and enforce our agreements.

9.2 The precise retention period depends on the type of information and the context in which it was collected. For example:

  • Order and transaction data is generally retained for the period required by tax and accounting laws.
  • Marketing-related data is kept until you opt out or until it is no longer useful, subject to reasonable technical and organizational limits.

9.3 We may anonymise or aggregate information so that it no longer identifies you and may retain such information for longer periods for analytics, business, or statistical purposes.

10. Security of Personal Information

10.1 We use reasonable technical, organizational, and administrative measures designed to protect personal information under our control against unauthorized access, destruction, loss, alteration, or misuse.

10.2 While we strive to protect your information, no system or transmission method is completely secure. You are responsible for keeping your account credentials confidential and for notifying us promptly if you suspect any unauthorized access or misuse of your account.

11. Your Privacy Rights – California and U.S. Residents

If you are a resident of California or another U.S. state with similar privacy laws, you may have some or all of the rights described below, subject to legal conditions and limitations:

11.1 Right to Know / Access.
To request information about the categories and specific pieces of personal information we have collected about you, the sources, purposes of collection, and categories of third parties to whom personal information is disclosed.

11.2 Right to Delete.
To request deletion of personal information we hold about you, subject to certain exceptions (for example, where we must retain information to complete a transaction, comply with legal obligations, detect fraud, or for other permitted reasons).

11.3 Right to Correct.
To request correction of inaccurate personal information we maintain about you.

11.4 Right to Opt Out of Certain Data Uses.
Where use of Cookies or advertising identifiers constitutes a “sale” or “sharing” of personal information, you may have the right to opt out. You can exercise this right through the tools described in our Cookie Policy and any “Do Not Sell or Share My Personal Information” mechanism we make available.

11.5 Right to Non-Discrimination.
We will not discriminate against you for exercising your privacy rights, though we may offer different prices or benefits if reasonably related to the value of your data, where allowed by law.

11.6 Exercising Your Rights.
You may exercise your rights by contacting us using the details in Section 18 and specifying that you are a resident of California (or another relevant state) making a privacy rights request. We may need to verify your identity and may ask for additional information to do so. You may also designate an authorized agent, subject to verification requirements.

11.7 Additional California Rights (CalOPPA).
California residents have the right to know how we respond to “Do Not Track” signals (see Section 14), to view the effective date of this Policy, and to understand how categories of personal information and third-party disclosures apply to them, which are detailed throughout this Policy.

11.8 California “Shine the Light” Law.
Under California Civil Code § 1798.83, California residents may request information about whether we share personal information with third parties for their direct marketing purposes. At this time, we do not share personal information with third parties for their independent direct marketing.

11.9 Other U.S. State Laws.
Residents of states such as Colorado, Virginia, Connecticut, and Utah may also have rights relating to access, deletion, correction, opt-out of targeted advertising, and limits on profiling. We honor such rights to the extent required by each applicable law.

12. Your Privacy Rights – EEA, UK, and Similar Jurisdictions

If you are located in the European Economic Area (EEA), the United Kingdom, or another jurisdiction with similar data protection laws, you may have the following rights, subject to conditions and exceptions:

12.1 Right of Access.
To obtain confirmation of whether we process personal information about you and to request a copy.

12.2 Right to Rectification.
To correct inaccurate or incomplete personal information.

12.3 Right to Erasure.
To request that we delete personal information in certain circumstances (e.g., when it is no longer necessary for the purposes for which it was collected, or you withdraw consent and there is no other legal basis).

12.4 Right to Restriction.
To restrict our processing of your personal information in certain situations.

12.5 Right to Data Portability.
To receive personal information you provided to us in a structured, commonly used, machine-readable format and to have it transmitted to another controller where technically feasible.

12.6 Right to Object.
To object to certain processing activities, including where we rely on legitimate interests as our legal basis, and to opt out of direct marketing at any time.

12.7 Right to Withdraw Consent.
Where processing is based on consent, to withdraw that consent at any time without affecting the lawfulness of processing before withdrawal.

12.8 Right to Lodge a Complaint.
To lodge a complaint with the data protection authority in your country of residence, place of work, or the place of the alleged infringement.

13. Rights and Choices in Other Regions

13.1 Residents of other countries or states may have similar or additional rights under their local laws.

13.2 We will handle any privacy-related request in accordance with applicable law. If you wish to understand which rights apply to you, or to exercise any available rights, please contact us using the details in Section 18.

14. Marketing Communications and Preferences

14.1 Email and SMS Marketing.
Where allowed by law, we may send you marketing communications about new balloon themes, promotions, and updates. You can opt out at any time by using the “unsubscribe” link in our emails or by contacting us.

14.2 Account and Transactional Messages.
Even if you opt out of marketing, we may still send you transactional or service-related messages (for example, order confirmations, shipping updates, or changes to our terms and policies).

14.3 Advertising Choices.
Your ability to opt out of certain analytics or advertising technologies (including interest-based advertising) is described in our Cookie Policy and may also be managed via your browser or device settings and relevant platform privacy controls (e.g., Google, Meta, Pinterest).

14.4 Global Privacy Control (GPC).
Where required by law (including California), we honor valid GPC signals as a mechanism to opt out of “selling” or “sharing” personal information for targeted advertising purposes.

14.5 Do Not Track (CalOPPA Requirement).
Some browsers send a “Do Not Track” (DNT) signal. Because no industry standard governs DNT, we may not respond to all such signals. Instead, we provide other mechanisms for opting out of advertising-related data uses, as outlined in this Section and in our Cookie Policy.

15. Children’s Privacy

15.1 Our Services are not directed to children under age 13, and we do not knowingly collect personal information from children under 13. We comply with the Children’s Online Privacy Protection Act (COPPA).

15.2 If we learn that we have collected personal information from a child under 13 without verifiable parental consent, we will delete it in accordance with COPPA requirements.

15.3 If you are a parent or legal guardian and believe your child may have provided personal information to us, you may contact us using the details in Section 18 to request deletion or review.

15.4 Users aged 13–17 may use the Services only with the supervision and permission of a parent or legal guardian.

16. Third-Party Websites and Services

16.1 The Services may include links to third-party websites, apps, or services that are not operated or controlled by PopFestCo.

16.2 This Policy does not apply to those third-party properties, and we are not responsible for their content, privacy practices, or security. We encourage you to review the privacy policies of any third-party sites you visit.

16.3 Social media features (such as “like” or “share” buttons) may be hosted by third parties and may collect information about your interaction with our site. Your interactions with these features are governed by the privacy policies of the providers.

17. Changes to This Privacy Policy

17.1 We may update this Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons.

17.2 When we make material changes, we will revise the Effective Date at the top of this Policy and may provide additional notice (such as a prominent notice on our Site or, where required, direct communication).

17.3 Your continued use of the Services after the Effective Date of an updated Policy constitutes your acknowledgment of the updated Policy.

18. How to Contact Us

If you have any questions about this Policy, our privacy practices, or wish to exercise your rights, you may contact us at:

Email: hello@popfestcoshop.com
Postal Address: 14747 Artesia Blvd 3A, La Mirada, CA 90638
Made and Co, Inc. dba PopFestCo

California, United States

We will review and respond to your request within a reasonable period and in accordance with applicable law.