Privacy Policy

Effective Date: November 17, 2025

Last Updated: November 17, 2025

I. INTRODUCTION AND SCOPE

A. Operator Identity and Scope of Services

This Privacy Policy ("Policy") describes how Gold Again Vintage, LLC (the "Company," "we," "us," or "our") collects, uses, protects, and discloses Personal Information ("PI") related to individuals ("Consumers" or "you") who access or utilize our online services ("Services"), specifically through our Squarespace-hosted website, www.goldagainvintage.com.

Gold Again Vintage, LLC operates as an online retail business specializing in the curated sale of vintage clothing, accessories, and housewares, primarily dating from the 1950s to the 2000s. We also offer unique products such as handmade/upcycled goods and personalized secondhand style bundles. The Company has identified itself as Gold Again Vintage, LLC in its business documentation. As the entity determining the purposes and means of processing personal data for our customers and general site visitors, Gold Again Vintage, LLC acts as the Data Controller under global data protection laws and as the "Business" under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA).

We maintain a rigorous commitment to transparency, which guides the structure and content of this document. This Policy serves as our comprehensive disclosure, outlining the precise mechanisms through which PI is managed. Although Gold Again Vintage, LLC is a United States entity, the appeal of vintage goods often results in engagement with international customers. Therefore, our data protection framework proactively integrates the stringent principles of the General Data Protection Regulation (GDPR), such as ensuring clear legal bases for processing, alongside the specific requirements of the CCPA/CPRA, thereby mitigating legal risk associated with cross-border commerce.


B. Defining Personal Information (PI)


Personal Information, for the purpose of this Policy, encompasses any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Consumer or household. This broad definition ensures alignment with both modern data protection standards and the comprehensive requirements mandated by California law.

PI does not include publicly available information, lawfully obtained, or aggregated consumer information that is not capable of being associated with a specific individual. Our processing activities are strictly limited to what is necessary, relevant, and adequate for the intended purposes disclosed within this document, upholding the principle of data minimization.


II. CATEGORIES OF INFORMATION WE COLLECT


We collect PI through various mechanisms inherent to modern e-commerce operations: directly from the consumer during transactions or communications, automatically via the website infrastructure provided by the Squarespace platform, and indirectly through third-party service providers essential for functions like payment processing and fraud prevention.


A. Information Provided Directly by You


The following categories of PI are collected when you interact directly with our Services, such as when making a purchase or using a contact form:

  1. Identifiers: This foundational category includes first name, last name, email address, physical mailing address (required for both shipping and billing), and telephone number. This data is essential for establishing the consumer's identity and is required for order fulfillment, including shipping arrangements, and direct communication regarding the purchase lifecycle. When utilizing the "Contact" page, consumers are required to provide their Name, Email, Subject, and Message before submission.

  2. Commercial Information: This category covers detailed records of products or services purchased, obtained, or considered. This encompasses specifics regarding vintage items, such as unique garments, accessories, housewares, or specialized services, including the personalized style bundles offered by Gold Again Vintage. This purchase history data is necessary for managing returns, processing exchanges, and tracking consumer spending patterns on the Site.

  3. Limited Financial Information: During the online checkout process, we collect partial payment data, typically in the form of payment token identifiers and the last four digits of the payment card, strictly for internal transactional reference and reconciliation. It is critical to note that we have architected our system so that we do not store or retain full payment card details on our servers. The complete handling and encryption of sensitive payment card data is immediately transferred to, and managed by, third-party payment gateways.

  4. Communication and Sensory Data: This information is generated through correspondence sent to us, including messages submitted via the "Contact" form, or provided during customer service interactions. The Site also offers an explicit option for consumers to "Sign up for news and updates," which involves the collection of an email address for marketing purposes.

  5. Inference Data: We generate profiles or summaries based on the analysis of collected data, such as communication content and purchase history, used to infer consumer preferences. For example, patterns of interest may lead to the creation of a profile indicating a shopper is interested in "SHOES" or "SWEATERS & KNITS," which informs the creation of personalized secondhand style bundles.


B. Information Collected Automatically


When you visit our website, certain technical and activity information is passively generated and collected automatically by the Squarespace platform and associated tracking technologies to ensure site functionality, security, and performance:

  1. Internet or Other Electronic Network Activity Information: This encompasses comprehensive details related to how you access and interact with the Site, including your IP address, device identifiers, browser type, operating system, and hardware configuration.

  2. Usage Data and Browsing History: This detailed information tracks your activity on the Site, such as the specific URLs visited, the sequence of pages viewed (e.g., analyzing traffic flow to categories like TOPS, BOTTOMS, DRESSES & JUMPSUITS, or Housewares), referral sources, mouse clicks, and the contents of your persistent shopping cart.

  3. Geolocation Data: We collect general, non-precise location data derived from your IP address or device settings. This is used strictly for technical functions such as calculating appropriate sales tax jurisdiction and optimizing site performance based on geographic region.

  4. Cookie Data: Small data files stored on your device that enable the website to recognize your browser, maintain shopping cart state, facilitate user authentication, and support analytics. This encompasses strictly necessary functional cookies, performance analytics cookies, and marketing cookies utilized for targeted advertising campaigns.


C. Information from Third-Party Sources


Our e-commerce operations rely on robust external partners for transaction management and risk mitigation. We receive specific data points from these external partners, primarily concerning payment status and fraud analysis:

  1. Transaction Data from Payment Processors: We receive confirmation of payment success or failure, transaction settlement status, and necessary data points for financial reconciliation from essential payment gateways such as Stripe, PayPal, Apple Pay, Klarna, and Afterpay/Clearpay. These processors perform their own analysis of the transaction details and provide us with necessary compliance data.

  2. Security and Fraud Scoring Data: To manage the significant financial risks inherent in online sales, certain technical data and identifiers are automatically shared with sophisticated fraud prevention services (which may include platforms like Sift) integrated into the payment process. These services analyze the data points against known fraud patterns and return a risk score or verification status that is essential for Gold Again Vintage, LLC to make a timely determination on whether to accept or cancel a given order, thereby upholding our commitment to security and loss prevention.


III. HOW WE USE YOUR INFORMATION (PURPOSES OF PROCESSING)


The collection and processing of Personal Information are rigorously limited to necessary, explicit, and legitimate purposes. For data subject to GDPR, each processing activity is supported by a defined legal basis, ensuring that our methods align with established international privacy requirements.


A. Processing for Contractual Necessity


This legal basis is engaged when processing is essential for initiating or fulfilling a transaction requested by the consumer. The primary purpose for collecting Identifiers, Commercial Information, and Limited Financial Information is the performance of the sales contract:

  1. Order Fulfillment and Delivery: The use of Identifiers (Name, Address) and Commercial Information (item purchased) is non-negotiable for accurately processing, packaging, and facilitating the shipment of goods, including vintage clothing, accessories, and style bundles.

  2. Payment and Transaction Management: The temporary exchange of Limited Financial Information with Payment Processors is necessary to authorize, verify, and settle transactions. Without this controlled data exchange, the commercial contract cannot be executed.


B. Processing Based on Legal Obligation


We process and retain certain categories of PI for mandatory periods required by law, overriding any immediate consumer request for erasure when necessary:

  1. Financial Compliance and Record Keeping: Gold Again Vintage, LLC is subject to legal obligations requiring the retention of Identifiers, Commercial Information, and associated transactional data for specific durations—standardly seven (7) years—to meet strict tax, audit, and comprehensive financial reporting requirements. This mandatory retention ensures the business complies with established financial statutes and preserves critical historical records.

  2. Responding to Legal Requests: Utilizing PI is required when complying with legally binding processes, such as court orders, subpoenas, or valid requests from regulatory agencies or public and government authorities. This obligation extends even to authorities potentially outside the consumer's country of residence, reflecting the international nature of digital commerce security and compliance.


C. Processing Based on Legitimate Interests


We process PI based on our legitimate business interests, provided those interests are carefully balanced against the consumer's fundamental rights and freedoms. This framework applies to processing necessary for business functionality beyond the strict execution of the sales contract:

  1. Security and Fraud Detection: E-commerce platforms inherently face significant risks from malicious actors. Processing Internet Activity, Geolocation Data, and Identity data for Compliance and Harm Prevention is a critical legitimate interest. This activity involves the continuous transaction monitoring and identity verification provided by our partners (like Stripe and potential fraud services). This processing is necessary to secure and protect the Services, rights, privacy, safety, and property of Gold Again Vintage, LLC, its customers, and its financial partners against malicious or fraudulent activity.

  2. Customer Service and Communication: Utilizing Identifiers and Communication Data to efficiently respond to customer service inquiries, handle returns, resolve disputes, and manage general communication submitted through the "Contact" page is necessary. Retaining a record of this communication history for a reasonable period constitutes a legitimate interest in ensuring quality assurance, operational continuity, and effective dispute resolution.

  3. Service Optimization and Personalization: Processing Commercial Information, Usage Data, and Inference Data is done to continuously improve the site experience and tailor product offerings. Analyzing consumer behavior (e.g., frequent browsing of specific categories like SHOES or Housewares) allows us to refine inventory curation and enhance specialized offerings, such as creating personalized secondhand style bundles. This targeted approach is a value-add service driven by analyzing preferences, which directly benefits the consumer by providing a more relevant and curated shopping experience.


D. Processing Based on Consent


Processing that relies solely on explicit, freely given, informed consent includes:

  1. Marketing Communications: Using your Email Address to send promotional materials, newsletters, and updates is only undertaken after you have specifically requested or opted in to receive them, such as by subscribing through the designated option on the Contact page.

Processing Purpose

Data Categories Used

Legal Basis

Order Fulfillment and Delivery

Identifiers, Commercial Information, Limited Financial Information

Contractual Necessity

Financial Record Retention (7 Years)

Identifiers, Commercial Information, Transaction Data

Legal Obligation

Security, Fraud Prevention, and Verification

Identifiers, Internet Activity, Geolocation Data

Legal Obligation & Legitimate Interest

Customer Service and Inquiry Response

Identifiers, Communication Data

Legitimate Interest

Site Optimization and Personalization (Style Bundles)

Commercial Information, Usage Data, Inference Data

Legitimate Interest

Marketing Communications

Email Address, Marketing Preferences

Consent


IV. DISCLOSURE AND SHARING OF PERSONAL INFORMATION


We disclose Personal Information to third parties for the essential operational functions detailed above. The nature of these disclosures requires us to differentiate carefully between disclosures to Service Providers (who act strictly on our instructions) and disclosures that may be construed as "Sharing" for advertising purposes under specific privacy regulations.


A. Sharing with Service Providers and Processors


We utilize various third parties that assist in our business operations, acting as Data Processors (or "Service Providers" under CCPA/CPRA). These entities are contractually obligated to protect PI and use it only for the specific services directed by Gold Again Vintage, LLC, thereby minimizing the risk of unauthorized data use:

  1. Platform Hosting and Infrastructure: We share necessary operational data with Squarespace, which provides the technical backbone for the website platform, including analytics, hosting, and e-commerce cart functionality. Squarespace processes data to maintain site stability and facilitate transactional continuity.

  2. Payment Gateways (Independent Controllers): We share Identifiers and Limited Financial Information with major Payment Processors such as Stripe, PayPal, Apple Pay, Klarna, and Afterpay/Clearpay. It is a critical legal and technical distinction that once financial data is transmitted to these parties, they often act as independent Data Controllers for the purposes of managing the security, compliance, and processing of the actual payment. Stripe, for example, explicitly states that they collect and use Personal Data to perform comprehensive verification services, prevent fraud, and enhance security, sometimes involving biometric comparison if identity documents are uploaded. Consumers are strongly advised to consult the respective privacy policies of these providers for detailed information on their separate data handling practices.

  3. Shipping and Logistics: Necessary Identifiers (Name, Address, Phone Number) are shared with reputable postal services and shipping carriers solely to facilitate the physical transportation and delivery of purchased goods.

  4. Security and Risk Management Services: To ensure transactional integrity, certain data points, including technical data, device identifiers, and IP addresses, are shared with specialized fraud prevention partners (such as Sift or similar services integrated into the payment flow). This robust security measure is essential for screening transactions for high-risk indicators and protecting the business against financial loss and chargebacks, which in turn secures the entire e-commerce ecosystem.


B. Disclosure for Cross-Context Behavioral Advertising (CPRA "Sharing")


Gold Again Vintage, LLC confirms that it does not sell Personal Information to third parties for direct monetary compensation.

However, specific types of automatic data collection deployed through the underlying Squarespace platform—such as performance cookies, pixels, and tracking technologies used for analytics or displaying targeted advertisements based on your browsing history across other sites—may be defined as "sharing" for cross-context behavioral advertising under the CPRA. This shared data primarily consists of Internet Activity, Usage Data, and non-precise Geolocation Data. The recognition of this technical nuance is a critical compliance step under California law.

In compliance with the CPRA, consumers maintain the absolute right to opt-out of this sharing. Detailed mechanisms for exercising this right are provided in Section VI.


C. Disclosure for Legal Reasons and Corporate Transactions


We may disclose PI in specific, legally sanctioned circumstances:

  • In connection with, or during the contemplation of, any corporate restructuring, merger, sale of company assets, financing, or acquisition of all or a portion of our business by another entity. In such events, PI will be transferred subject to the same privacy commitments outlined in this Policy.

  • When necessary to comply with legal mandates, enforce our contractual rights, protect our property, or ensure the physical safety and transactional security of our customers and personnel.


V. DATA RETENTION POLICY


We implement clear and specific data retention periods based on the principle of data minimization and legal necessity. Personal Information is stored only for as long as required to achieve the explicit processing purposes, after which it is subject to secure deletion or irreversible anonymization. This policy aligns with the stipulation that the right of access or erasure cannot be enforced after the retention period expires.


A. Retention Schedules and Justification


The precise duration for which we retain PI is governed by the nature of the data and the mandatory legal requirements imposed on an active e-commerce operation:

  1. Statutory and Financial Records: Commercial Information, Identifiers, and associated transactional data are retained for a minimum of seven (7) years from the date of the underlying purchase. This duration is legally mandatory for tax and audit compliance purposes as required for Gold Again Vintage, LLC as a commercial entity. The necessity of meeting these governmental financial reporting requirements constitutes a legally mandated exception to the general Right to Erasure for this specific historical data set.

  2. Customer Support Records: Data generated through customer service, including communication content from the contact form, is generally retained for a period of up to eighteen (18) months following the final resolution of the inquiry. This extended retention period supports effective customer relationship management, facilitates seamless handling of related subsequent requests, and provides necessary documentation for potential disputes.

  3. Marketing Data: Email addresses and consent records used for sending news and updates are retained only until the consumer actively exercises their right to opt-out or unsubscribe from the mailing list.

  4. Usage and Technical Data: Non-aggregated and identifiable browsing data, such as site activity logs, IP logs, and technical diagnostics used for analytics, are retained for a period of up to twelve (12) months for site optimization and trend analysis purposes.

Data Category

Retention Period

Legal Justification / Purpose

Customer Purchase Records (PII & Financial)

Minimum 7 Years

Legal requirement for tax, audit, and financial compliance

Contact Form Inquiries & Support Data

Up to 18 Months

Operational necessity for quality assurance and reference

Marketing Subscription (Email)

Until Opt-Out/Unsubscribe

Based on user consent and ongoing communication

Non-Aggregated Usage Data

Up to 12 Months

Site optimization and analysis of customer trends


B. Consequences of Retention Expiration


Upon expiration of the defined retention period, all associated Personal Information will be permanently and securely deleted using industry-standard methods. Once the deletion process is complete, the data cannot be recovered, and consumer rights, including the right of access and erasure, cease to be applicable regarding the deleted data.


VI. YOUR PRIVACY RIGHTS AND CHOICES


Consumers are afforded comprehensive rights concerning the control and disposition of their Personal Information, designed to foster trust and credibility in our data handling practices. Gold Again Vintage, LLC is committed to facilitating the exercise of these rights in full accordance with all applicable laws, including the CCPA/CPRA and GDPR principles.


A. General Consumer Rights (GDPR Principles)


Consumers globally, and particularly residents of the European Economic Area, the United Kingdom, and Switzerland, are afforded the following rights related to their Personal Information:

  1. Right of Access and Portability: You have the right to request confirmation as to whether or not PI concerning you is being processed, and where that is the case, to obtain access to the PI and related supplementary information regarding the processing purposes, the categories of PI processed, and the recipients to whom the data has been disclosed. Furthermore, you have the right to receive the PI you have provided to us in a structured, commonly used, and machine-readable format, with the right to transmit that data to another controller where technically feasible.

  2. Right to Rectification: You have the right to request the prompt correction of inaccurate or incomplete Personal Information we hold about you. This includes utilizing the right to correct inaccurate PI explicitly granted under the CPRA.

  3. Right to Erasure (Right to Be Forgotten): You have the right to request the deletion of your Personal Information without undue delay when the data is no longer necessary for the purposes for which it was collected, or if you withdraw consent and no other overriding legal basis for processing exists. This right is systematically evaluated against legal exceptions, such as the mandated requirement to retain financial transaction data for seven years for tax compliance.

  4. Right to Object to and Restrict Processing: You have the right to object to the processing of your PI where the processing is based on our legitimate interests. Additionally, you may request the temporary restriction of processing your PI in specific circumstances, such as while the accuracy of the data is being investigated or if the processing is determined to be unlawful but the consumer prefers restriction over erasure.


B. California Consumer Privacy Act (CCPA/CPRA) Rights


If you are a resident of California, you are granted the following specific, reinforced rights under the CCPA/CPRA:

  1. The Right to Know: You have the right to request that we disclose, free of charge, the categories and specific pieces of Personal Information we have collected about you, the categories of sources from which the PI is collected, the specific purposes for collecting or sharing that PI, and the categories of third parties with whom we disclose or share the PI over the preceding 12 months.

  2. The Right to Opt-Out of Sale or Sharing: You have the absolute right to direct Gold Again Vintage, LLC not to sell your Personal Information, nor to "share" your PI, where "sharing" is defined specifically as disclosing PI for cross-context behavioral advertising. We honor the Global Privacy Control (GPC) signal as a valid, global request to opt-out of such sharing based on cookie data.

  3. The Right to Limit Use and Disclosure of Sensitive Personal Information (SPI): You have the right to limit our use and disclosure of Sensitive Personal Information (SPI) to only those purposes necessary to perform the Services, such as transaction processing, security verification, and necessary fraud prevention. Since we only collect SPI (limited financial data) for these essential functions, our standard practice aligns with this limitation, but this right ensures consumer control over any potential future expansion of processing.

  4. The Right to Correct Inaccurate Personal Information: You have the right to request that we correct any inaccurate Personal Information that we maintain about you. This requires us to use commercially reasonable efforts to correct the information as requested.

  5. The Right to Non-Discrimination: You have the right not to receive discriminatory treatment for exercising any of your CCPA/CPRA privacy rights. We will not deny you goods or services, charge different prices or rates, or provide a different level or quality of goods or services solely because you exercised your rights under this Policy.


C. Exercising Your Rights and Verification Procedure


To exercise any of the rights described in this section, the consumer must submit a verifiable consumer request to us using the contact methods provided in Section IX.

Verification Requirement: To safeguard the security and privacy of your Personal Information and prevent malicious requests, we are legally obligated to verify your identity before responding to any request for access, deletion, or correction. This verification process ensures that the person making the request is, in fact, the consumer whose PI is being processed, or an authorized agent acting on their behalf. Depending on the type and sensitivity of the data involved, verification may require matching two or three distinct pieces of identifying information provided in your request (such as email address, order number, or last four digits of the payment method) against the PI already maintained in our systems. If we cannot sufficiently verify identity using reasonable methods, we may be unable to fulfill the request.

Authorized Agents: If you elect to use an authorized agent to submit a request on your behalf, we will require written proof that the agent possesses the authority to act on your behalf, which may include written permission signed by the consumer.


VII. CHILDREN'S PRIVACY


The Services provided by Gold Again Vintage, LLC are focused on the retail sale of vintage goods and apparel, designed for adult consumers capable of entering into legally binding transactions. Accordingly, our website is not intended for use by Children under the age of 13. We do not knowingly collect Personal Information from children under 13 years of age. If we become aware that we have inadvertently received or collected Personal Information from a child under 13, we will initiate immediate steps to securely delete that information from our records.


VIII. THIRD-PARTY WEBSITES AND PROCESSORS


Our website may contain links to various third-party websites or services, such as social media platforms or external review services referenced in our blog. These external links are provided for informational and navigational convenience. Once you navigate away from our domain, Gold Again Vintage, LLC has no control over the collection, use, or disclosure of your information by those independent third parties. Consequently, we are not responsible for the content or privacy practices of any external websites.

We reiterate the vital distinction regarding our payment processors, specifically Stripe, Square, and PayPal. Because these entities act as independent Data Controllers for the purposes of managing the security, compliance, and processing of sensitive financial data, consumers are strongly encouraged to review the respective privacy policies of these providers. Stripe's documentation confirms their robust security infrastructure, including the segregation of card numbers in separate hosting environments and the implementation of multi-factor authentication procedures, underscoring the independent nature of their security commitments.


IX. CONTACT INFORMATION AND UPDATES



A. Changes to This Privacy Policy


Gold Again Vintage, LLC reserves the right to amend this Privacy Policy at any time to reflect changes in our legal obligations, business operations, or technological advancements in data handling. We will notify consumers of significant changes by posting the updated Policy on the Site with a revised "Last Updated" date. Any changes become effective immediately upon posting. This Policy is set to become officially effective on November 17, 2025.


B. How to Contact Us


If you have any questions or comments about this Privacy Policy, our data handling practices, or if you wish to exercise your consumer rights under applicable law (such as CCPA/CPRA or GDPR), please contact us using the information below:

Business Entity:

Gold Again Vintage, LLC

Designated Privacy Email (for Rights Requests and Inquiries):

goldagainvintage@gmail.com