Privacy policy

1. About this policy

This Privacy Policy explains how Zero Point One LLC (trading as "HolyMouthwash," "we," "us," or "our") collects, uses, and discloses personal information when you visit, use, or make a purchase on holymouthwash.com.

Data controller: Zero Point One LLC is the data controller (and "business" under applicable US state privacy laws) for personal information we collect through holymouthwash.com. Registered address: 426 Sunflower Dr, Ames, IA 50014, USA. Registered in the State of Wyoming.

Contact for privacy matters: support@holymouthwash.com

We are not required to appoint a Data Protection Officer under applicable law. For any data protection inquiries, please email the address above.

2. Where you live matters

This policy applies to residents of the United States, Canada, the United Kingdom, Ireland, the European Union, Australia, and New Zealand. We sell and ship only to these markets.

Depending on where you live, different data protection laws apply to your personal information:

  • United States: applicable state privacy laws, including the California Consumer Privacy Act (CCPA/CPRA) for California residents, and equivalent laws in Virginia, Colorado, Connecticut, Utah, Texas, and other states with applicable privacy legislation
  • UK: UK GDPR and the Data Protection Act 2018 (which apply to our processing of UK residents' personal information on an extraterritorial basis)
  • Ireland and EU: EU GDPR (which applies extraterritorially to our processing of EU residents' personal information)
  • Canada: Personal Information Protection and Electronic Documents Act (PIPEDA) and, for Quebec residents, the Act respecting the protection of personal information in the private sector (Law 25)
  • Australia: Privacy Act 1988 and the Australian Privacy Principles
  • New Zealand: Privacy Act 2020

Regional-specific rights are described in Section 10.

3. Personal information we collect

We collect the following categories of personal information:

Contact details: name, shipping address, billing address, email address, phone number.

Payment information: credit/debit card number, card details, transaction information. Payment information is processed by Shopify Payments and our other payment processors (Stripe, PayPal). We do not store full card numbers on our systems.

Account information: username, password (encrypted), preferences, saved addresses, order history.

Transaction information: items viewed, added to cart, purchased, returned, or exchanged; past order history.

Communications: information included in emails, messages, support tickets, or reviews submitted to us.

Device and usage information: IP address, browser type, operating system, device identifiers, pages visited, time spent on pages, referring URLs.

Marketing data: marketing preferences, interactions with our emails and advertisements, responses to surveys.

4. How we collect personal information

We collect personal information:

  • Directly from you: when you create an account, place an order, subscribe to marketing emails, contact support, or submit a review
  • Automatically: when you visit our website, through cookies and similar technologies (see Section 7)
  • From our service providers: including Shopify, payment processors, shipping carriers, and marketing platforms
  • From advertising partners: Meta (Facebook/Instagram), Google, and other ad networks, who may share information about your interactions with our ads

5. Why we use your information and our legal basis

We process your personal information for the following purposes, under the following legal bases (UK/EU GDPR articles cited; equivalent grounds apply under other applicable laws):

Purpose Legal Basis (UK/EU GDPR)
Processing and fulfilling orders, managing your account, handling returns Contract (Article 6(1)(b))
Sending transactional emails (order confirmation, shipping updates) Contract (Article 6(1)(b))
Sending marketing emails and promotional communications Consent (Article 6(1)(a))
Serving personalized advertising on third-party platforms Consent (Article 6(1)(a))
Fraud prevention, security, and website analytics Legitimate interests (Article 6(1)(f))
Complying with legal, tax, and regulatory obligations Legal obligation (Article 6(1)(c))
Defending legal claims Legitimate interests (Article 6(1)(f))

You can withdraw consent for marketing communications or personalized advertising at any time (see Section 10).

6. How long we keep your information

We keep personal information only as long as necessary for the purposes described above, or as required by law:

  • Order and transaction data: 7 years after the order date (to comply with US tax and IRS recordkeeping requirements)
  • Customer accounts: until you request deletion, or 3 years of inactivity
  • Marketing consent records: until consent is withdrawn, or 3 years of inactivity
  • Support communications: 3 years after the last interaction
  • Website analytics data: 14 months (Google Analytics default retention)
  • Cookie data: varies by cookie (see our Cookie Policy)

After these periods, we either delete the information or anonymize it so it can no longer be linked to you.

7. Cookies and similar technologies

We use cookies and similar technologies on our website. Some cookies are strictly necessary for the site to function (e.g., remembering your cart contents). Others are used for analytics, personalization, and advertising.

We request your consent before placing non-essential cookies. You can manage your cookie preferences through our cookie consent banner or by visiting [Cookie Settings link].

For a full list of cookies we use, please see our [Cookie Policy link].

Third-party cookies in use include:

  • Google Analytics (analytics)
  • Meta Pixel / Facebook Pixel (advertising)
  • Google Ads (advertising)
  • Klaviyo (email marketing, behavioral targeting)
  • Shopify (core platform, fraud prevention)

You can opt out of personalized advertising from:

  • Google: adssettings.google.com
  • Meta: facebook.com/adpreferences/ad_settings
  • Network Advertising Initiative: optout.networkadvertising.org
  • Digital Advertising Alliance (US): optout.aboutads.info

8. Who we share your information with

We share personal information with the following categories of third parties:

Service providers who help us operate the business:

  • Shopify (platform, hosting, some fraud prevention)
  • Shopify Payments, Stripe, PayPal (payment processing)
  • Shipping carriers (DHL eCommerce, FedEx, USPS, Australia Post, New Zealand Post, Canada Post)
  • Klaviyo (email marketing)
  • Google Workspace (customer support email)
  • Analytics providers (Google Analytics)

Advertising partners:

  • Meta, Google, TikTok (advertising and retargeting)

Legal and compliance:

  • Law enforcement, government agencies, or regulatory authorities when legally required
  • Professional advisors (lawyers, accountants) when necessary

In corporate transactions:

  • In the event of a merger, acquisition, or bankruptcy, personal information may be transferred as part of the business assets

We do not sell your personal information for monetary consideration. However, our use of tracking cookies and sharing of personal information with advertising partners may be considered "selling" or "sharing" under some state privacy laws, including the CCPA. See Section 10 for your rights.

9. International data transfers

We are based in the United States, and personal information you provide is processed in the United States. Personal information may also be transferred to and processed in other countries where our service providers operate, including Canada, the United Kingdom, and the European Economic Area. Data protection laws in these countries may differ from those in your home country.

When personal information is transferred from the UK, EU, or EEA to the United States or other non-adequate countries, we rely on the following legal safeguards:

  • UK to US/non-adequate countries: UK International Data Transfer Agreement (IDTA) or the UK Addendum to EU Standard Contractual Clauses (SCCs)
  • EU/EEA to US/non-adequate countries: EU Standard Contractual Clauses (SCCs), and where applicable, the EU-US Data Privacy Framework
  • Canada: PIPEDA accountability principle and contractual safeguards
  • Australia/New Zealand: binding contractual commitments under the respective Privacy Acts

You may request a copy of the transfer mechanism we use for your personal information by emailing support@holymouthwash.com.

10. Your rights

Depending on where you live, you have different rights over your personal information. We honor all legally applicable rights. To exercise any right, email support@holymouthwash.com with "Privacy Request" in the subject line. We may need to verify your identity before fulfilling requests.

California residents (CCPA/CPRA)

You have the right to:

  • Know what personal information we collect, use, and share
  • Delete personal information we hold about you
  • Correct inaccurate personal information
  • Opt out of the "sale" or "sharing" of your personal information for cross-context behavioral advertising
  • Limit use of sensitive personal information
  • Non-discrimination for exercising these rights

To opt out of sharing for advertising purposes, click "Do Not Sell or Share My Personal Information" in our footer, or email us.

Other US states

If you reside in Virginia, Colorado, Connecticut, Utah, Texas, Oregon, or another state with applicable privacy law, you have similar rights to California residents. Contact us at the email above.

UK, Ireland, and EU residents

Under UK GDPR and EU GDPR, you have the right to:

  • Access the personal information we hold about you
  • Rectify inaccurate personal information
  • Erase your personal information ("right to be forgotten")
  • Restrict how we process your personal information
  • Object to processing based on legitimate interests
  • Port your data to another service
  • Withdraw consent at any time for consent-based processing
  • Not be subject to automated decision-making that has legal or similarly significant effects

We aim to respond within one month. If you are unsatisfied with our response, you can lodge a complaint with your local data protection authority:

  • UK: Information Commissioner's Office (ICO) — ico.org.uk
  • Ireland: Data Protection Commission — dataprotection.ie
  • Other EU member states: your national supervisory authority

Canadian residents

Under PIPEDA, you have the right to:

  • Access and correct personal information
  • Withdraw consent for marketing
  • Lodge a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca)

Quebec residents have additional rights under Law 25, including data portability, automated decision-making disclosures, and the right to lodge a complaint with the Commission d'accès à l'information du Québec.

Australian residents

Under the Privacy Act 1988, you have the right to:

  • Access and correct personal information
  • Complain to the Office of the Australian Information Commissioner (oaic.gov.au) if you believe we have mishandled your information

New Zealand residents

Under the Privacy Act 2020, you have the right to:

  • Access and correct personal information
  • Complain to the Office of the Privacy Commissioner (privacy.org.nz)

11. Marketing communications

If you have consented to receive marketing communications (or are an existing customer under soft opt-in rules where applicable), we may send you promotional emails.

You can unsubscribe at any time by clicking the unsubscribe link in any marketing email, or by emailing us.

Unsubscribing from marketing does not affect transactional communications (order confirmations, shipping updates, customer service responses).

12. Security

We implement reasonable technical and organizational measures to protect personal information, including:

  • TLS/SSL encryption on our website
  • Payment card processing through PCI-DSS-compliant providers
  • Access controls and authentication for our systems
  • Regular security reviews of our processors

However, no security measures are perfect. We cannot guarantee that personal information will never be accessed without authorization. If a data breach occurs that affects you, we will notify you and the relevant authorities as required by law.

13. Children

Our services are not intended for anyone under 16 years of age. We do not knowingly collect personal information from anyone under 16 (or under 13, where US COPPA applies). If you believe we have collected information from a child under these ages, please contact us and we will delete it.

14. Automated decision-making

We do not use fully automated decision-making that produces legal effects or significantly affects you. Our payment processors may use automated fraud screening, but a human reviews any decision before it affects your order.

15. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top and, where legally required, notify you by email or website notice.

16. Contact us

Company name: Zero Point One LLC Business Address: 426 Sunflower Dr, Ames, IA 50014, USA Email: support@holymouthwash.com Phone Number: +1 307-637-5151 Business Hours: 9 AM to 5 PM, Monday to Friday Time zone: (GMT-07:00) Mountain Time — America/Denver