Privacy policy

Last Update: January 9, 2025

Welcome

This Privacy Policy (“Policy”) explains how we collect, use, store, protect, and share your personal information through our services. The Honest Kitchen, Inc. is the data controller of the personal information collected by the Services, as defined in our Terms of Service (“Terms”). The Honest Kitchen, Inc. is referred to in this Policy as “THK”, “we”, “our” or “us”.

How we handle your information depends on which services you use, and how you use them. This Policy is grouped into these sections:

• about us and this Policy;

• information we collect & why we use it;

• our disclosures of information to others;

• how to control your privacy; and

• information about local privacy laws.

We encourage you to read this Policy carefully. If you have questions, please contact us.

About us and this Policy

This Policy is designed to explain how we process your personal information and how you can exercise control over our processing. Capitalized terms used but not defined in this Policy are defined in our Terms. The Terms describe how the Services work in general, and establish a contract between you and us governing your use of the Services.

Contact us

If you have any questions or feedback about this Policy, contact us at questions@thehonestkitchen.com or write to us at: The Honest Kitchen, Inc., 1785 Hancock St, Ste 100, San Diego, CA 92110. To exercise your privacy rights online, use our Privacy Request Form.

Changes to this Policy

Because the Services change often, this Policy may change over time. Anytime we modify the Policy, we post a revised version on the Services, as noted at Last Update above.

If we intend to materially change our collection or use of your information, we’ll notify you before the material changes to this Policy take effect, so you have time to review them. If we have your contact information (such as your email), we’ll try to notify you that way. We may also post a temporary notice on the Services, or notify you by other means to the extent required by law.

Check the Last Update periodically to ensure you’re aware of the current Policy. By using or accessing the Services, you signify that you have read, understand and agree to be bound by this Policy and the Terms.

When this Policy applies

This Policy applies to you when you use the Services, effective as of the Last Update. However, some collection and use of information falls outside this Policy:

• Outside services: The Services link to, embed, integrate or otherwise connect you with third-party websites, services or other events or activities that are not owned or controlled by THK (“Outside Materials”). Outside Materials are not part of the Services. THK can’t control information you transmit or receive from providers of Outside Materials. Those third parties have their own policies and practices about data. We encourage you to familiarize yourself with their privacy notices and applicable contractual terms.

» Key example: the Services may embed content, like YouTube videos and X posts. Those embedded containers, like the content they display, are Outside Materials. For example, YouTube controls the embedded player containing a YouTube video. If you interact with the YouTube video, YouTube decides the data it will require before YouTube serves its video to you.

» If you interact with embedded content—click a link or play a video—information about you, such as your originating IP address, may be collected by the player. For example, YouTube’s container may pull Google identifiers and data about you from your browser or local storage. The player may also collect information about the URL of your browser (a page on the Service), without the involvement of our Services.

• Our personnel: If you are a current or former employee or contractor of ours, this Policy does not apply to you. Reach out to your human-resources partner or supervisor with any inquiries about your personal information.

• When we don’t control your information: If we receive your information in our role as a service provider to another business, our agreement with that business governs our use of your information. We will refer any questions or concerns of yours to that business.

Information we collect & why we use it

We and our third-party service providers collect and process information when you interact with the Services. This includes:

• information you submit or provide directly,

• data collected automatically by various technologies (which we call “Usage Data”), and

• information we receive from other sources.

The following tables describe, comprehensively, how the services collect and use your information, and the purpose behind that processing.

Information You Submit

What we collect	How we use it	Why we process it	Legal basis	Retention
Account data – login credentials, permissions, and account actions (such as when your account is created, when you log in, add information, or change your account).	We collect, analyze, process, and store your account management data.	• To create and maintain an account at your direction.	Account data is processed as part of performance of a contract.	Account lifetime, or as applicable law requires
Product & order data – products you’ve purchased, browsed or put in your cart	We collect, analyze, and store your product & order data.	• To create and maintain an account at your direction.	Product & order data is processed as part of performance of a contract.	Account lifetime, or as applicable law requires
Communication data – interactions with or through THK, via our SMS or email service providers	We collect, analyze, profile and store your communication data.	• To send you relevant marketing emails. • To improve our Services.	• Consent. And you can opt out of marketing messages anytime. • Performance of a contract (such as order-related messages)	Account lifetime
User feedback and satisfaction data – including ratings and plain text feedback on how we can improve our services.	We process, review, store, and analyze feedback and satisfaction data.	• To inform our product roadmap and services with user feedback.	Our legitimate interest in operating, managing, and improving our Services.	Account lifetime

Usage Data

What we collect

How we use it

Why we process it

Legal basis

Retention

Device information – IP address, device identifiers, user agent.

We collect, process and store your device information.

• For security and fraud prevention.

• To administer your account and tailor the Services (such as currency) to you.

• Our legitimate interests in keeping our services safe and secure and to provide a valid and relevant service to our users.

• We only collect imprecise location data, and only when you have not indicated that you do not wish to share it.

Account lifetime; otherwise, deleted in the ordinary course.

Activity data – pages you visit, your origin URL, your interactions with content or advertising on the Services, and the time and duration of the activity.

We collect, analyze, process, and store activity data including via automated means.

• For security fraud prevention.

• To improve our services.

• Our legitimate interests in understanding how users interact with and use our services; and keeping our services safe and secure.

• part of performance of a contract.

Periodically deidentified and/or deleted in the ordinary course

Information We Receive From Others

What we collect

How we use it

Why we process it

Legal basis

Retention

Analytics and advertising data – we receive unique identifiers and demographic, location and interest-based info

We receive and process analytics & advertising data from providers of advertising, analytics and technical services. In many cases, THK cannot, or does not, associate this data with information you’ve provided

• To present advertising relevant to your interests

• To develop and enrich datasets about visitors, users and others

Our legitimate interest in presenting you with products and offers tailored to your preferences, history and/or demography.

Advertising and analytics data collected by third parties and Outside Materials. Where retained by THK in identifiable form, periodically deleted in the ordinary course of business.

Purchase & Delivery Data – we receive information about your payments, such as partial payment-card details, and the shipment and delivery of orders, from payment processors and logistics partners.

We receive purchase & delivery data from providers of technical, payment and delivery services

• To associate purchases with your account or profile

• To validate purchases and interactions attributable to activity on the Services

As part of performance of a contract.

our legitimate interest in operating, managing, and improving our Services.

Account lifetime, or as long as applicable law requires

All personal information THK obtains from other third-party sources is processed by THK in accordance with this Policy, our contracts with those sources and applicable law. For example, our use and transfer of information via Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements.

Technologies we use

When you use and interact with the Services, software automatically collects Usage Data. To give you more insight, this section summarizes the main types of technologies the Services to generate and collect Usage Data:

Cookies and Local Storage

Cookies and local storage may be set and accessed on your device. Upon your first visit to the Services, a cookie or local storage will be sent to your device that uniquely identifies your browser. “Cookies” and local storage are small files containing a string of characters that is sent to your computer’s browser and stored on your device when you visit a website. Most Web services use cookies to provide useful features for their users.

Most browsers are initially set up to accept cookies. You can reset your browser to refuse all cookies or to indicate when a cookie is being sent; however, if you reject cookies, you will not be able to sign in to the Services or take full advantage of our Services.

Pixel Tags

Like most websites, pages on the Services embed “pixel tags” and other small graphic files that allow us and third parties to monitor the use of the Services and collect Usage Data. A pixel tag can collect information such as the IP address of the device that downloaded the page on which the tag appears; the URL of the page on which the pixel tag appears; the time (and length of time) the page containing the pixel tag was viewed; the type of browser that retrieved the pixel tag; and the identification number of any cookie previously placed by that server on your device.

Security

THK has implemented technical, administrative and physical security measures designed to protect your information from unauthorized access, use or disclosure. Still, no data transmission online is 100% secure, so we cannot guarantee or warrant the security of any information you provide, and you do so at your own risk. We cannot promise that your information will remain absolutely secure in all circumstances. We are not responsible for the circumvention of any privacy settings or security measures we may provide.

Our disclosures of information to others

This section describes how and why we exchange personal information with contractors and third parties. It also describes our disclosures for marketing and advertising efforts and for legal reasons. We also often disclose deidentified and/or anonymized data for these purposes.

Functional disclosures

We also contract with other businesses to provide certain services related to the functionality and features of the Services, including payment processing, email and hosting services, software development, shipping and fulfillment, data management, and administration of contests and other promotions. We refer to them as “contractors.”

Contractors may collect information about you on our behalf, such as Personal Identifiers, Commercial Information, Internet Activity and Device Information, as necessary for them to perform their services. At other times, we disclose information about you to contractors.

Contractors are not permitted to use information about you for any purpose other than performing their services for us. In the past twelve (12) months, we have received or disclosed these types of information with these types of contractors:

• Analytics providers, such as Elevar and Google Analytics, to tell us how the Services perform, such as which parts interest visitors and how long they visit before leaving. Among other data, they may receive your IP address.

• Various hosting services and data processors to provide the infrastructure of the Services, such as Shopify, which powers our store. Among other data, they may receive your IP address.

• Payment providers, namely Apple Pay, Recharge and Shop Pay, to process payments between you and us, such as for subscriptions or products. These providers receive information about your order in order to tie your payment process to your order. We don’t receive all of the information you may provide to them as part of that process (for instance, we don’t receive full payment-account numbers).

• Marketing providers, such as Attentive, to send marketing communications to the email or phone number you provide.

• Loyalty providers, such as Yotpo and Klaviyo, to power our rewards and loyalty programs.

• Support providers, such as Zendesk, to provide assistance to you when you request it. They are able to retrieve information about you that is relevant and necessary to your requests, such as account information and order details.

For marketing purposes

We use and disclose your information for marketing purposes in the following ways:

Matched Identifier Communications. Some third party services, such as Facebook Custom Audiences, allow us to reach users with online marketing about our content or services by sending deidentified representations of contact information (typically, a long alphanumeric sequence of characters deidentified from an email address or phone number) to keep the original information from being revealed. The third party compares our deidentified representations with the deidentified representations in its own database and there will be a match only if you have used the same contact information with us and the third party. If there is a match, THK can then choose whether or not to send THK marketing to you on or through that third party service, and can optimize and better measure the effectiveness of such marketing.

Targeted ads

We share information with advertising partners to make the advertising presented to you more relevant to you. We also market the Services to you through ads facilitated by marketing vendors.

For example, we use Google to serve ads on the Services and we may market the Services to you on third party services through Google. Google uses cookies or unique device identifiers, in combination with their own data, to show you ads based on your visits to our webpages and to other sites. You can opt out of the use of the Google cookie by visiting the related Google privacy policy.

We try to limit how our third-party advertising technology vendors use information they collect from you. Most providers require us to enter contracts that allow them to optimize their ad services and products. Essentially, they combine any information they may gather about you through our Services with information they receive from their other clients. This helps them target ads to you on behalf of their other clients, not just us.

In the past twelve months, we have shared these categories of personal information with third parties to personalize advertising:

• Device Information (including Personal Identifiers)

• Commercial Information

• Internet Activity

• Geolocation

With your consent or at your request

We may periodically ask for your consent to share your contact information to third parties. Whenever we ask your consent for this reason, we will summarize the purpose and scope of the disclosure. For example, we may offer discounts to you if you consent to join our mailing list or participate in a promotion involving direct marketing communications.

In those cases, the Services will display a tickbox near an email-entry field explaining that by submitting your information, you agree to share your email with the content provider.

To be clear, we only exchange information about you with third parties for direct marketing purposes if you opt in, and will only do so until you opt out.

For legal reasons

Finally, we may disclose personal information:

• In response to subpoenas, court orders, or other legal process; to establish or exercise our legal rights; to defend against legal claims; or as otherwise required by law. In such cases we reserve the right to raise or waive any legal objection or right available to us;

• When we believe it is appropriate to investigate, prevent, or take action regarding illegal or suspected illegal activities; to protect and defend the rights, property, or safety of our company, our users, or others; and in connection with the enforcement of our Terms and other agreements; or

• In connection with a corporate transaction, such as a divestiture, merger, consolidation, or asset sale, or in the unlikely event of bankruptcy.

How long we retain your information

We retain your information only as long as we need it for the purposes described under Information we collect & how we use it, except when longer retention is required by our compliance policies and efforts toward applicable legal, tax, accounting and regulatory requirements.

How long we need information for those purposes varies by category, and even within categories. These retention determinations always consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from its unauthorized use or disclosure and whether we can achieve those purposes without using the personal information.

• For example, we delete some Usage Data as soon as you exit the Services, whereas we may retain records of your orders for services and products for several years as required by law or contract, such as agreements with our payment processors or under our accounting standards.

Use by minors

The Services are intended for adult users. We do not knowingly collect information from anyone under the age of 16, and we do not share or sell information about anyone under 16 without affirmative authorization. If we learn that we have collected information from a person under age 16, we will delete that information as quickly as possible.

• If you are under 16: sorry, but please leave the Services. If you’ve already sent us information, please contact us first so we can delete it.

• If you are a parent or guardian of a person under 16 years of age and you believe that person provided information to us, please contact us.

How to control your privacy

In General

As a user of the Services, you have rights and choices about your personal information. We want you to be in control of your information, so we want to remind you of the following options and tools available to you:

• Account controls: You can update the personal information in your Account through the account settings made available on the services. Any updated information will be reflected in our records and throughout the services promptly.

• Marketing opt-outs: you may opt-out of any marketing communications from us by following the unsubscribe instructions in the communication you receive. We may continue to send you communications regarding the Services, such as notices about administrative updates, transaction reports, and changes to the Services, this Policy or the Terms.

• Push notifications. You can choose to receive mobile or browser push notifications from our services. The services will send you push notifications from time to time in accordance with any notification preferences you have set on your device or browser. If you later decide you no longer want to receive these notifications, you can use your device or browser’s settings to turn them off.

• Exercising rights: If any of the local privacy laws listed below apply to you, see Requesting information to exercise your rights.

• Personalized ads: The Services honor opt-out preference signals. Most browsers have settings offering additional control over common web technologies (like cookies, Indexed DB). Many provide the ability to adjust ‘tracking’ settings and clear browser storage. For more about targeted advertising, go to the DAA Webchoices Browser Check or the NAI Opt Out of Interest-Based Advertising page. You can download the AppChoices app to opt out in mobile apps.

International Data Transfers

If you reside outside the United States, we transfer information about you for processing in the United States. By providing your information to us, you consent to the processing of the information in the United States. The transfer of this information to the United States is necessary for the performance of our contract for use of the Services.

• When we transfer personal data subject to GDPR outside of THK, we use standard contract clauses approved by the EU for this purpose, or another appropriate transfer mechanism.

• U.S. law is not equivalent to laws in other countries, such as GDPR in Europe or PIPEDA in Canada. As of the Last Update, the U.S. has not been deemed an ‘adequate’ jurisdiction under GDPR for the purposes of international data transfers.

Information about local privacy laws

The Services operate from the United States, but this Policy applies worldwide. Our practices generally do not differ based on your location, but your rights and choices depend in part on the law where you live.

If any of these local privacy laws apply to you, that section overrides any contrary descriptions elsewhere in the Policy as they relate to you. If you have questions about your rights under other data privacy laws, please contact us.

Requesting information

Submitting requests

To exercise any rights described in this Policy, please use our Privacy Request Form. You can also contact us directly.

• Your request must include sufficient information to identify you and the law that applies to you, such as your name, e-mail address, home or work address, or other information we maintain.

• Don’t include sensitive information, like driver’s license numbers, full payment-card number, or health information.

Verifying requests

We verify requests by attempting to match information in the request to information we maintain. We may require you to confirm your identity by authenticating via your account or other access method.

• If your request is unclear or we are unable to authenticate your identity, we may ask for more information, in accordance with law that applies to you.

• If you are an authorized agent submitting a request on a user’s behalf (where permitted), we may require proof of the user’s written authorization before processing the request.

• If we cannot verify the identity of the data subject in the request, we may deny it, in full or in part.

Responses to requests

We will respond to your request promptly, taking into account the nature of your request and the volume of pending requests. The content of our response will vary with the nature of your request, but will always respond in accordance with any deadlines or requirements specified by the laws that applies to you.

• At times, we redact or are unable to provide responsive personal information, such as when disclosure would create a substantial, articulable and unreasonable risk to the security of the information, user accounts, or the security of our systems or networks. We do not disclose account passwords or any other non-personal information that enables access to an account.

• We reserve the right to retain an archive of any deleted information, to the extent permitted by law. We do not produce or delete deidentified or aggregate data derived from personal information in response to requests.

Appealing decisions

Residents of jurisdictions that provide for an appeal mechanism may appeal a decision we have made regarding their requests by contacting us.

Information for Users in Certain U.S. States

As described in the “How to control your privacy" section of the Policy, all users have control over their information and can limit what data we process.

If you reside in California, Colorado, Connecticut, Utah, Virginia or another state with a similar data-privacy law, you may have additional rights.

Exercising your rights: You (or, in certain states, an authorized agent acting on your behalf) can exercise by contacting us, including the right to:

• Access and/or receive a copy of certain personal information we hold about you (including the categories and specific pieces of information we have collected and disclosed for a business purpose in the last 12 months)

• Correct your personal information

• Delete certain personal information we hold about you

• Receive information about the financial incentives that we offer to you, if any

• Opt-out of the processing of your personal information for the purposes of targeted advertising, profiling in furtherance of decisions that produce legal or similarly significant effects, if applicable

You also have the right to not be discriminated against for exercising your rights.

Certain information may be exempt from the requests above under applicable law. For example, we do not disclose information that could be used to jeopardize the security or integrity of the Services, and we need to retain certain information in order to provide our services to you. We also need to take reasonable steps to verify your identity before responding to a request.

If you have any questions about these rights, wish to exercise them, or request an appeal, see Requesting information or contact us.

Additional Information for Users in California

In addition to the rights described above, consumers residing in California are afforded the right to certain additional information with respect to their personal information under laws like the California Consumer Privacy Act (“CCPA”). If you are a California resident, this section applies to you.

Our collection and use of personal information: Information we collect falls into these CCPA-defined categories of personal information:

• identifiers (such as your username and the identifiers you use to sign up, like your email address, social login and/or phone number);

• commercial information (a record of what you’ve bought from THK, if anything);

• financial data (payment records and your history of purchases from THK);

• internet or other network information (how you interact with the services);

• location information (for example: as inferred from your IP address, or your precise location, if you grant us access to precise location data);

• inference data about you (for example, what content you may be interested in); and

• other information that identifies or is reasonably associable with you.

For more information about what we collect and the sources of such collection, please see the “Information we collect & why we use it” section of the Privacy Policy. To the extent we collect or use sensitive personal information as defined by law (such as the CCPA), we do so in accordance with applicable legal requirements, and we do not use or disclose it other than for purposes for which there is not a right to limit under the CCPA.

Disclosure of personal information: We may disclose and share your personal information with service providers and third parties as described in the “Our disclosures of information to others” section of the Policy. We disclose the categories of personal information mentioned in that section for business or commercial purposes.

• We disclose personal information for the following categories of purposes, as defined by CCPA:

» Advertising and Marketing

» Error Management

» Internal Research

» Provide Products or Services

» Quality Assurance

» Security

» Short-Term Transient Use

• We retain personal information as described in the “How long we retain your information” section of the Policy.

California’s ‘Shine the Light’ law. Under certain circumstances, Californians can request information about third parties who’ve received contact information and certain other types of personal information (as defined in the Shine the Light law), for their direct marketing purposes. We only share your personal information with third parties for their own direct marketing purposes with your consent and, if you have consented, only until you withdraw your consent. Consensual disclosures for direct marketing are generally exempt from Shine the Light’s disclosure requirement.

If you have any questions about these rights, wish to exercise them, or request an appeal, see Requesting information or contact us.

Information for Users in the European Union and Switzerland

Overview: As described in the “How to control your privacy" section of the Policy, all our users have control over their information and can limit what data we process. In addition to these rights, users residing in the European Union and Switzerland are afforded the right to certain additional information with respect to their personal information under the GDPR. If you reside in any of those jurisdictions, this section applies to you.

Data retention and destruction: We retain personal information until we determine it is no longer necessary for (1) the processing purposes justifying its collection or (2) legal compliance purposes.

Exercising your rights: All our users have control over their information and can directly edit or delete information from their account and limit what data we process. Users in the European Union and Switzerland have additional rights that you can exercise by contacting us. Those rights include:

• Right of access to your personal data

• Right to rectify your personal data if they are incorrect

• Right to erase your personal data

• Right to limit the processing of your personal data

• Right to the portability of your personal data

• Right to object to the processing of your personal data

• Right to withdraw consent. Withdrawing consent does not affect the lawfulness of processing based on consent before withdrawal.

If you have any questions about these rights, wish to exercise them, or request an appeal, see Requesting information or contact us. Additionally, you may contact THK’s Privacy Officer by emailing questions@thehonestkitchen.com.

Information for users in Canada

Overview: As described in the “How to control your privacy” section of the Policy, all our users have control over their information and can limit what data we process. In addition to these rights, users residing in Canada are afforded the right to certain additional information with respect to their personal information under the Personal Information and Electronic Documents Act (PIPEDA). If you are a Canadian resident, this section applies to you.

Exercising your rights: Users in Canada have additional rights that you can exercise by contacting us. Those rights include: