Privacy Policy

Last Updated: March 10, 2026

Hot Chocolate Design, LLC ("Hot Chocolate Design," "HCD," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit www.hotchocolatedesign.com (the "Site") or make a purchase from us.

Please read this Privacy Policy carefully. By using our Site, you acknowledge that you have read and understood its terms. If you do not agree with its terms, please discontinue use of the Site.


Table of Contents

  1. Information We Collect
  2. How We Use Your Information
  3. How We Share Your Information
  4. Cookies and Tracking Technologies
  5. Data Retention
  6. Data Security
  7. Children's Privacy (COPPA)
  8. California Residents — Your Privacy Rights (CCPA/CPRA)
  9. Other US State Privacy Rights
  10. EU and UK Residents — Your Rights (GDPR / UK GDPR)
  11. International Data Transfers
  12. Data Breach Notification
  13. Third-Party Links and Services
  14. Changes to This Privacy Policy
  15. Contact Us

1. Information We Collect

1.1 Information You Provide Directly

When you interact with our Site, we may collect the following categories of personal information that you provide voluntarily:

  • Identifiers: First and last name, email address, phone number, username, and account password.
  • Commercial Information: Purchase history, products browsed, items added to cart, and transaction details.
  • Financial Information (Sensitive): Billing address and payment card details. Note: Full payment card numbers are processed directly by our payment processor (Shopify Payments / Stripe) and are never stored on our servers.
  • Shipping Information: Delivery address, including any gift recipient addresses.
  • Communications: Messages you send us via email, contact forms, or customer service channels.
  • Newsletter / Marketing Preferences: Email address and communication preferences when you subscribe to our newsletter.
  • Account Information: If you create an account, your login credentials and account preferences.

1.2 Information We Collect Automatically

When you visit our Site, we automatically collect certain information through cookies and similar technologies, including:

  • Internet or Network Activity: IP address, browser type and version, operating system, referring URLs, pages viewed, time spent on pages, links clicked, and other browsing behavior on our Site.
  • Device Information: Device type, device identifiers, and mobile network information.
  • Geolocation Data: General location information derived from your IP address (country and region level). We do not collect precise GPS-level location data.
  • Inferences: We may derive inferences about your preferences and interests based on your browsing and purchase history on our Site.

1.3 Information From Third Parties

We may receive information about you from third-party sources, including:

  • Advertising and analytics partners (such as Google and Meta/Facebook) when you interact with our ads on third-party platforms.
  • Shopify, our e-commerce platform provider, in connection with operating our online store.
  • Payment processors, to verify and complete transactions.
  • Shipping and logistics providers, to fulfill and track your orders.

2. How We Use Your Information

We use the information we collect for the following purposes:

| Purpose | Categories of Data Used | Legal Basis (GDPR) |
|---|---|---|
| Process and fulfill your orders; send order confirmations and shipping updates | Identifiers, Commercial Info, Financial Info, Shipping Info | Performance of contract |
| Manage your customer account | Identifiers, Account Info | Performance of contract |
| Process payments and prevent fraud | Identifiers, Financial Info, Device Info, Network Activity | Performance of contract; Legitimate interest |
| Send transactional emails (order confirmation, shipping, returns) | Identifiers, Commercial Info | Performance of contract |
| Send marketing emails and promotional communications (with consent or where permitted by law) | Identifiers, Marketing Preferences, Inferences | Consent (EU/UK); Legitimate interest (US, existing customers) |
| Personalize your shopping experience and product recommendations | Commercial Info, Network Activity, Inferences | Legitimate interest; Consent (where required) |
| Improve our Site, products, and services through analytics | Network Activity, Device Info, Inferences | Legitimate interest; Consent (for analytics cookies) |
| Serve targeted advertising on third-party platforms (e.g., Facebook, Google, Pinterest) | Identifiers, Network Activity, Commercial Info (via tracking pixels) | Consent (EU/UK); Opt-out available (US — see Section 8) |
| Comply with legal obligations (tax, accounting, consumer protection law) | All relevant categories | Legal obligation |
| Respond to customer service inquiries and complaints | Identifiers, Communications, Commercial Info | Performance of contract; Legitimate interest |
| Detect, investigate, and prevent security incidents and fraudulent transactions | Identifiers, Network Activity, Device Info, Financial Info | Legitimate interest; Legal obligation |

3. How We Share Your Information

We do not sell your personal information to third parties for monetary compensation. However, we do share your information with the following categories of recipients for the purposes described:

  • Shopify Inc.: Our e-commerce platform provider processes data on our behalf to operate the Site. Shopify acts as a data processor under a Data Processing Agreement. For more information, see Shopify's Privacy Policy.
  • Payment Processors (Shopify Payments / Stripe): To securely process payment transactions. These processors are PCI-DSS compliant.
  • Shipping and Fulfillment Partners (UPS, USPS, DHL, and others): To deliver your orders. We share your name, shipping address, and order details.
  • Email Marketing Platform (Klaviyo): To send transactional and marketing emails on our behalf.
  • Analytics Providers (Google Analytics / GA4): To analyze Site traffic and improve our services. Google may use this data in accordance with its own privacy policy. You can opt out via Google's tools or your cookie preferences.
  • Advertising Platforms (Meta/Facebook, Instagram, Google Ads, Pinterest): We use tracking pixels from these platforms to measure the effectiveness of our advertising and to serve you relevant ads on those platforms. This constitutes "sharing" of personal data under California's CPRA. You have the right to opt out — see Section 8.
  • Customer Service Tools: Third-party tools used to manage and respond to customer inquiries.
  • Legal Compliance and Protection: We may disclose your information when required by law, court order, or governmental authority, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
  • Business Transfers: In the event of a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our Site before your information becomes subject to a different privacy policy.
  • With Your Consent: We may share your information for any other purpose with your explicit consent.

We do not share your personal information with unaffiliated third parties for their own independent marketing purposes without your consent.


4. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to operate and improve our Site. A cookie is a small text file stored on your device. We use the following categories of cookies:

  • Strictly Necessary Cookies: Essential for the Site to function. These include session cookies, shopping cart functionality, and security cookies. These cannot be disabled.
  • Analytics Cookies: Help us understand how visitors use our Site (e.g., Google Analytics). We collect this data only with your consent (where required).
  • Marketing / Advertising Cookies: Used to serve you relevant advertisements on third-party platforms (e.g., Meta Pixel, Google Ads, Pinterest Tag). These track your browsing behavior across sites. We set these only with your consent (where required).
  • Preference / Functional Cookies: Remember your preferences, such as currency selection and language settings.

Your Cookie Choices: When you first visit our Site, you will be presented with a cookie consent banner where you can accept, reject, or customize your cookie preferences. You can update your preferences at any time by clicking the "Cookie Preferences" link in our website footer. You may also opt out of certain tracking through:

For a complete list of the cookies we use, their purposes, and their retention periods, please see our Cookie Policy.


5. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required by law.

  • Order and Transaction Records: 7 years (required for tax and accounting compliance under US federal and state law).
  • Customer Account Information: For the duration your account is active, plus 3 years after account closure or last interaction.
  • Marketing Email Lists: Until you unsubscribe or withdraw consent, or after 3 years of no engagement, whichever comes first.
  • Analytics and Browsing Data: Up to 26 months (per Google Analytics default settings), or as configured in our analytics platform.
  • Customer Service Communications: 3 years from the date of the interaction.
  • Fraud Prevention Records: Up to 5 years from the transaction date.

When personal data is no longer required, we securely delete or anonymize it.


6. Data Security

We take the security of your personal information seriously and implement appropriate technical and organizational measures to protect it, including:

  • SSL/TLS encryption for all data transmitted between your browser and our Site (look for "https" in your address bar).
  • Hosting on Shopify's secure, PCI-DSS compliant infrastructure.
  • Payment card data is processed directly by PCI-DSS Level 1 compliant payment processors. We do not store full payment card numbers on our systems.
  • Access to personal data is restricted to employees and contractors who need it to perform their job duties, and who are bound by confidentiality obligations.
  • Regular review of our data collection, storage, and processing practices.

Despite these measures, no method of transmission over the Internet or electronic storage is 100% secure. If you have reason to believe that your interaction with us is no longer secure, please contact us immediately at international@hotchocolatedesign.com.


7. Children's Privacy (COPPA)

Our Site is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If you are under 13, please do not use our Site or submit any personal information. Users between the ages of 13 and 18 may use our Site only with the involvement and consent of a parent or legal guardian.

If we become aware that we have inadvertently collected personal information from a child under 13 without verifiable parental consent, we will take steps to delete that information as soon as possible. If you are a parent or guardian and believe we may have collected information from your child, please contact us at international@hotchocolatedesign.com.


8. California Residents — Your Privacy Rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you the following rights regarding your personal information:

8.1 Your Rights

  • Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the business or commercial purposes for collecting or sharing it, and the categories of third parties with whom we share it.
  • Right to Delete: You have the right to request that we delete personal information we have collected from you, subject to certain exceptions (e.g., data needed to complete a transaction or comply with a legal obligation).
  • Right to Correct: You have the right to request that we correct inaccurate personal information we hold about you.
  • Right to Opt-Out of Sale or Sharing: You have the right to opt out of the "sale" or "sharing" of your personal information. As described in Section 3, we share data with advertising platforms (Meta, Google, Pinterest) through tracking pixels, which may constitute "sharing" under CPRA. To opt out, click the link below or use our cookie preferences tool.
  • Right to Limit Use of Sensitive Personal Information: You have the right to request that we limit our use of your sensitive personal information (such as payment information and account login credentials) to uses necessary to provide the services you request.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights. We will not deny you goods or services, charge different prices, or provide a different quality of service because you exercised your rights.

8.2 How to Submit a Privacy Request

To exercise any of the rights described above, please contact us using one of the following methods:

We will acknowledge your request within 10 business days and respond within 45 calendar days. If we need additional time (up to 90 days), we will notify you of the extension and the reason.

8.3 Do Not Sell or Share My Personal Information

To opt out of the sharing of your personal information with advertising platforms for cross-context behavioral advertising, please click here or use the "Cookie Preferences" link in our footer to adjust your advertising cookie settings. We also honor the Global Privacy Control (GPC) browser signal as an opt-out request.

8.4 Authorized Agents

You may designate an authorized agent to submit a CCPA request on your behalf. We will require written proof of the agent's authorization and may verify your identity directly with you.

8.5 Categories of Personal Information — 12-Month Disclosure

In the past 12 months, we have collected the following categories of personal information from California consumers:

| CCPA Category | Collected? | Shared for Advertising? |
|---|---|---|
| Identifiers (name, email, IP address, device ID) | Yes | Yes (via advertising pixels) |
| Customer Records (payment info, shipping address) | Yes | No |
| Commercial Information (purchase history, browsing) | Yes | Yes (via advertising pixels) |
| Internet / Network Activity (pages visited, clicks) | Yes | Yes (via analytics & advertising pixels) |
| Geolocation Data (IP-based, country/region level) | Yes | No |
| Inferences (shopping preferences derived from above) | Yes | No |
| Sensitive Personal Information (payment card data) | Yes (processed by PCI-DSS processor — not stored by HCD) | No |
| Biometric Data | No | No |
| Health or Medical Data | No | No |

9. Other US State Privacy Rights

Residents of the following states have privacy rights similar to those described in Section 8, including the rights to access, delete, correct, and opt out of targeted advertising: Virginia, Colorado, Connecticut, Texas, Delaware, Iowa, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, and Tennessee.

To exercise your rights as a resident of any of these states, please contact us using the methods described in Section 8.2. We will respond within the timeframes required by your state's applicable law.


10. EU and UK Residents — Your Rights (GDPR / UK GDPR)

If you are located in the European Economic Area (EEA) or the United Kingdom (UK), you have the following rights under the General Data Protection Regulation (GDPR) and UK GDPR respectively:

  • Right of Access (Article 15 GDPR): You have the right to obtain a copy of the personal data we hold about you and information about how we process it.
  • Right to Rectification (Article 16 GDPR): You have the right to request that we correct inaccurate personal data about you.
  • Right to Erasure / Right to Be Forgotten (Article 17 GDPR): You have the right to request deletion of your personal data, subject to certain conditions and legal obligations.
  • Right to Restriction of Processing (Article 18 GDPR): You have the right to request that we limit how we process your personal data under certain circumstances.
  • Right to Data Portability (Article 20 GDPR): You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
  • Right to Object (Article 21 GDPR): You have the right to object to our processing of your personal data based on legitimate interests or for direct marketing purposes. When you object to direct marketing, we will stop processing your data for that purpose immediately.
  • Rights Related to Automated Decision-Making (Article 22 GDPR): You have the right not to be subject to decisions based solely on automated processing that produce significant legal or similarly significant effects on you.
  • Right to Withdraw Consent: Where we rely on your consent as the legal basis for processing, you have the right to withdraw that consent at any time, without affecting the lawfulness of processing carried out before withdrawal.

10.1 How to Exercise Your GDPR Rights

To exercise any of your GDPR/UK GDPR rights, please contact us at:

We will respond within 30 days of receiving your request. If we need additional time (up to 2 months total), we will inform you of the extension within the initial 30-day period.

10.2 Right to Lodge a Complaint

If you believe we have not handled your personal data in accordance with applicable data protection law, you have the right to lodge a complaint with your local supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu. UK residents may contact the Information Commissioner's Office (ICO) at ico.org.uk.

10.3 Our Representative

Hot Chocolate Design, LLC is based in the United States. We process the personal data of EU and UK residents in connection with offering goods directly to consumers in those regions. We are taking steps to designate an EU representative as required under Article 27 GDPR. In the meantime, EU and UK residents may contact us directly at international@hotchocolatedesign.com with any data protection inquiries.


11. International Data Transfers

Hot Chocolate Design is based in the United States. If you are located outside the United States, your personal data will be transferred to and processed in the United States, where data protection laws may differ from those in your country.

For transfers of personal data from the EEA or UK to the United States, we rely on the following transfer mechanisms:

  • For transfers processed by Shopify: Shopify has implemented Standard Contractual Clauses (SCCs) as approved by the European Commission, and participates in the EU-U.S. Data Privacy Framework where applicable.
  • For transfers processed by other third-party processors (Google, Meta, Klaviyo, etc.): We rely on their published transfer mechanisms, which may include SCCs or participation in recognized adequacy frameworks. Links to their privacy and data transfer documentation are available on their respective websites.

By using our Site or providing us with your information, you acknowledge that your personal data may be processed in the United States as described above.


12. Data Breach Notification

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority (for EU/UK residents) within 72 hours of becoming aware of the breach, where feasible.
  • Notify affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms.
  • For US residents: We will notify affected individuals and relevant state authorities in accordance with applicable state breach notification laws. Most states require notification within 30 to 72 hours of discovery.

Breach notifications will be sent to the email address associated with your account or posted prominently on our Site.


13. Third-Party Links and Services

Our Site may contain links to third-party websites and services. We are not responsible for the privacy practices or content of those third parties. We encourage you to review the privacy policies of any third-party site you visit. This Privacy Policy applies solely to information collected by Hot Chocolate Design through our Site.


14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other business reasons. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this page.
  • Post a prominent notice on our Site.
  • Where required by law, notify you by email.

We encourage you to review this Privacy Policy periodically. Your continued use of the Site after any changes constitutes your acceptance of the revised Privacy Policy.


15. Contact Us

If you have any questions, concerns, or requests related to this Privacy Policy or our privacy practices, please contact us:

Hot Chocolate Design, LLC
Privacy & Data Protection
Email: international@hotchocolatedesign.com
Website: www.hotchocolatedesign.com
Customer Service: international@hotchocolatedesign.com

For California-specific privacy requests, please email international@hotchocolatedesign.com with the subject line "California Privacy Request."

For GDPR/UK GDPR requests, please email international@hotchocolatedesign.com with the subject line "GDPR Data Request."


This Privacy Policy was last reviewed and updated on March 10, 2026.