Privacy Policy

Version: [1.0]

Last Updated: June 9, 2025

Effective Date: June 3, 2025

IMPORTANT: We currently only process direct website orders from customers located in the United States. International customers may access our mobile applications through their respective app stores, where transactions are processed by Apple or Google.

Table of Contents

  1. Introduction and Key Information
  2. Data Collection and Processing
  3. Your Rights and Choices
  4. Security and Data Protection
  5. Data Sharing and International Transfers
  6. Cookie and Tracking Technologies
  7. Children’s Privacy Protection
  8. Geographic-Specific Privacy Rights
  9. Updates, Resources, and Contact Information

1. Introduction and Key Information

How Not to Say Dumb Shit, LLC doing business as (DBA) Cancer Conversation SOS and also registered as How Not to Say

PO Box 41241

Mesa, AZ 85274

602 456 2350

info at cancer dot cards

A. Scope

This privacy policy applies to:

  • Visitors to our website from any location
  • Customers making purchases through our website (limited to United States residents)
  • Users of our mobile applications available through the Apple App Store and Google Play Store

B. Definitions

i. Personal Information

Any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked with a particular consumer or household, including:

  • Names
  • Postal addresses
  • Email addresses
  • Phone numbers
  • Order histories

ii. Processing

Any operation performed on personal information, including:

  • Collecting
  • Storing
  • Using
  • Sharing
  • Deleting

iii. Service Providers

Third-party companies we use to help operate our business:

  • Stripe (Payment processing)
  • WordPress.com (Website hosting)
  • Kit (Email management)
  • Substack (Newsletter platform)
  • Apple App Store and Google Play Store (App platforms)

iv. Third Parties

Any entity that is not:

  • Our company
  • Our service providers
  • A person to whom we disclose personal information for business purposes under written contract

v. Business Purpose

Use of personal information for operational needs:

  • Fulfilling orders
  • Processing payments
  • Maintaining business records
  • Sending order confirmations
  • Providing customer service

vi. Consent

Clear affirmative action indicating agreement to information processing, such as checking a box to join our mailing list.

2. Data Collection and Processing

A. Data Collection Categories

i. Direct Website Purchases

  • Name, shipping address, email for order fulfillment
  • Transaction records for business and tax requirements
  • Payment information handled by Stripe (not stored by us)

ii. Optional Communications

You may opt in through:

  • Website signup form or Stripe checkout (managed by Kit)
  • Separate Substack publication at https://letterswithoutarmor.substack.com/

iii. Mobile App Services

  • Transactions processed by Apple App Store or Google Play Store
  • Data handling governed by their respective privacy policies
  • We do not directly process app-related personal information

iv. Talks and Workshops

  • Contact information for scheduling
  • Payment processing through Stripe
  • Parent/guardian consent required for participants under 18

B. Data Use and Processing

i. Essential Business Operations

  • Order fulfillment and shipping
  • Payment processing
  • Tax and business record maintenance (7-year retention)
  • Customer service
  • Legal compliance

ii. Optional Uses (With Consent)

  • Marketing communications
  • Newsletter subscriptions
  • Product updates

C. Legal Basis for Processing

i. Contract Performance

  • Processing orders
  • Providing services
  • Fulfilling agreements

ii. Legal Obligations

  • Tax records
  • Business records
  • Regulatory compliance

iii. Consent-Based Processing

  • Marketing communications
  • Newsletter subscriptions
  • Optional features

iv. Legitimate Interests

  • Business operations
  • Security measures
  • Service improvements

D. Service Provider Data Sharing

i. Current Providers

  • Stripe: Payment processing
  • WordPress.com: Website hosting
  • Kit: Email management
  • Substack: Newsletter platform
  • Apple/Google: App platforms

ii. Data Sharing Limitations

  • Only as necessary for business operations
  • Under written data protection agreements
  • With specified security requirements

E. Privacy Practices

We do not:

  • Store payment information directly
  • Sell or share personal information for marketing
  • Use analytics tools or tracking software
  • Process data for automated decisions
  • Collect information from children under 13

3. Your Rights and Choices

A. Core Privacy Rights

  • Access your personal information
  • Correct inaccurate information
  • Delete optional information (subject to retention requirements)
  • Obtain your data in a portable format
  • Withdraw consent for optional processing

B. Response Timelines

i. United States Requests

  • Initial response: 45 calendar days
  • Possible extension: 45 additional days
  • Extension notice: Prior to initial deadline

ii. International Requests

  • Initial response: 30 calendar days
  • Extension if needed: Based on complexity
  • Notice of extension: Prior to deadline

C. Exercising Your Rights

i. Simple Requests

  • Marketing: Use email unsubscribe link
  • Newsletter: Manage through Kit/Substack
  • App-related: Through Apple/Google platforms

ii. All Other Requests

Submit to info@cancer.cards including:

  • Your name
  • Contact information
  • Request description
  • State of residence (US)
  • Verification information

D. Required Data Retention

i. Business Records

  • Order records: 7 years (tax requirement)
  • Transaction records: 2-7 years
  • Legal correspondence: Per applicable statutes

ii. Deletion Limitations

Some information must be retained for:

  • Tax compliance
  • Legal requirements
  • Business records
  • Fraud prevention

E. Additional Protections

i. Non-Discrimination

We will not:

  • Deny goods or services
  • Charge different prices
  • Provide different service quality
  • Penalize for exercising rights

ii. Authorized Agents

May act on your behalf with:

  • Written authorization
  • Identity verification
  • Documentation of authority

iii. Appeals Process

  • Submit within 45 days of denial
  • Include original request details
  • Receive response within 45 days
  • Right to contact regulators preserved

4. Security and Data Protection

A. Security Infrastructure

i. Technical Measures

  • HTTPS protocol
  • SSL/TLS encryption
  • Access controls
  • Authentication requirements
  • Regular security updates

ii. Administrative Controls

  • Limited personnel access
  • Employee training
  • Security reviews
  • Incident response procedures
  • Provider verification

iii. Physical Security

  • Secure record storage
  • Facility access controls
  • Secure document disposal
  • Equipment protection

B. Breach Response Protocol

i. Initial Response

  • Investigation within 24 hours
  • Documentation of incident
  • Impact assessment
  • Containment measures

ii. Notification Procedure

Within 72 hours of discovery:

  • Affected individuals notified
  • Incident details provided
  • Response steps outlined
  • Contact information given
  • Authorities notified as required

C. Provider Security Management

i. Requirements

  • Security measure maintenance
  • Regular assessments
  • Contractual obligations
  • Breach notification procedures

ii. Current Provider Security

Provider security policies:

  • Stripe: https://stripe.com/docs/security
  • WordPress: https://wordpress.org/about/security/
  • Kit: https://kit.com/privacy
  • Substack: https://substack.com/ccpa
  • Apple: https://www.apple.com/privacy/
  • Google: https://safety.google/privacy/

D. Ongoing Compliance

i. Regular Reviews

  • Annual policy assessment
  • Security practice evaluation
  • Provider verification
  • Staff training updates

ii. Documentation

  • Security incidents
  • Access logs
  • Policy updates
  • Request responses

5. Data Sharing and International Transfers

A. Sharing Principles

i. Authorized Sharing

  • Listed service providers
  • Legal requirements
  • Explicit consent

ii. Prohibited Sharing

We never:

  • Sell personal information
  • Share for marketing
  • Allow advertising tracking
  • Transfer to unauthorized parties

B. Service Provider Framework

i. Processing Agreements

  • Written contracts
  • Protection requirements
  • Use limitations
  • Security standards
  • Breach protocols

ii. Provider Roles

Service | Provider | Purpose | Data Access
Payments | Stripe | Transaction processing | Payment data
Website | WordPress.com | Site hosting | Usage data
Email | Kit | Newsletter delivery | Email, preferences
Newsletter | Substack | Content delivery | Email, preferences
Apps | Apple/Google | Distribution | App-related data

C. International Considerations

i. Data Storage

  • Primary storage: United States
  • Backup systems: United States
  • Provider storage: Varies by service

ii. Cross-Border Activities

  • Website orders: US only
  • App users: International via Apple/Google
  • Marketing: International permitted

D. Legal Requirements

i. Law Enforcement

  • Request evaluation
  • User notification when permitted
  • Minimum necessary disclosure
  • Record maintenance

ii. Other Obligations

  • Court orders
  • Subpoenas
  • Regulatory compliance
  • Tax requirements

E. Records and Documentation

i. Maintained Records

  • Sharing agreements
  • International transfers
  • Legal requests
  • Consent documentation

ii. Access Procedures

  • Available upon request
  • Legal restrictions apply
  • Standard response times
  • Identity verification required

6. Cookie and Tracking Technologies

A. Limited Cookie Usage

i. Essential Website Cookies

  • Provider: WordPress.com
  • Purpose: Basic functionality
  • Duration: Session/30 days
  • Type: First-party essential
  • Required for site operation

ii. Technologies Not Used

  • Analytics cookies
  • Marketing cookies
  • Tracking pixels
  • Advertising identifiers
  • Cross-site tracking
  • Social media cookies

B. Cookie Management

i. Browser Controls

Browser | Cookie Settings Path | Direct Link
Chrome | Privacy and Security → Cookies | chrome://settings/cookies
Firefox | Privacy & Security → Cookies | https://support.mozilla.org/en-US/kb/clear-cookies-and-site-data-firefox
Safari | Privacy → Manage Website Data | https://support.apple.com/guide/safari/manage-cookies-sfri11471/mac
Edge | Privacy → Clear Browsing Data | https://support.microsoft.com/en-us/microsoft-edge/delete-cookies-in-microsoft-edge-63947406-40ac-c3b8-57b9-2a946a29ae09

ii. Default Settings

  • Essential cookies: Active
  • Optional cookies: None
  • Third-party cookies: None

C. Third-Party Platforms

i. App Store Cookies

  • Managed by Apple/Google
  • Platform-specific policies
  • Outside our control

ii. Payment Processing

  • Stripe cookie policy applies
  • Required for payments
  • Independently managed

D. Technical Details

i. Essential Cookies

Cookie Name | Purpose | Duration | Type
wp-settings | Website functionality | 1 year | Essential
wordpress_logged_in | Session management | Session | Essential
wordpress_test_cookie | Cookie testing | Session | Essential

E. Additional Information

i. Do Not Track

  • Signals honored
  • No tracking regardless
  • Privacy-first approach

ii. Documentation

  • Request availability
  • Regular updates
  • Compliance records

7. Children’s Privacy Protection

A. Age Restrictions

i. Website and Orders

  • Minimum age: 18 years
  • No collection under 13
  • Adult transactions only

ii. Mobile Applications

  • App store age ratings apply
  • Parental controls available
  • No direct child data collection

iii. Workshops and Talks

  • Under 18: Parent/guardian consent
  • Under 13: No direct collection
  • All communication through adults

B. Protective Measures

i. Collection Safeguards

  • Age verification
  • No child-targeted features
  • No intentional collection
  • Immediate deletion if discovered

ii. Parental Rights

  • Information review
  • Deletion requests
  • Collection restrictions
  • Participation control

iii. Verification Requirements

  • Identity proof
  • Relationship proof
  • Request details
  • Contact information

C. Accidental Collection

i. Discovery Response

  • Immediate deletion
  • Parent notification
  • Record maintenance
  • Process review

D. Educational Programs

i. Requirements

  • Parental consent forms
  • Minimum data collection
  • Secure handling
  • Limited retention
  • No marketing use

E. Compliance

i. Training

  • COPPA requirements
  • Handling procedures
  • Verification processes
  • Incident response

ii. Reviews

  • Collection practices
  • Consent mechanisms
  • Security measures
  • Deletion procedures

8. Geographic-Specific Privacy Rights

A. California Rights (CCPA/CPRA)

i. Information Handling

Category | Collection | Purpose | Retention
Identifiers | Name, email, address, phone | Orders, communication | 7 years (orders); until unsubscribe (marketing)
Commercial | Purchase history, preferences | Processing, records | 7 years
Financial | Via Stripe | Payments | Not stored
Communications | Email preferences | Marketing | Until unsubscribe

ii. Specific Rights

Beyond core rights:

  • Sale/share verification
  • Sensitive data limits
  • Collection details access

iii. Exercise Process

  • Submit to info@cancer.cards
  • 45-day response
  • No account needed
  • Free service
  • Identity verification

B. Other US State Rights

i. Coverage

  • Virginia (VCDPA)
  • Colorado (CPA)
  • Connecticut (CTDPA)
  • Utah (UCPA)
  • Nevada (NRS 603A)

ii. State Authorities

State | Authority | Website
Virginia | Attorney General | https://www.oag.state.va.us/consumer-protection/privacy
Colorado | AG’s Office | https://coag.gov/resources/data-privacy-laws/
Connecticut | Privacy Office | https://portal.ct.gov/DCP/Data-Privacy/Data-Privacy/The-Connecticut-Data-Privacy-Act
Utah | Consumer Protection | https://dcp.utah.gov/privacy-security.html
Nevada | Attorney General | https://ag.nv.gov/About/Consumer_Protection/Bureau_of_Consumer_Protection/

iii. Appeals

  • Submit within 45 days
  • Include request details
  • 45-day response
  • Written explanation
  • Authority referral

C. European Union/UK (GDPR)

i. Legal Bases

  • Contract performance
  • Legal obligations
  • Legitimate interests
  • Consent

ii. Additional Rights

  • Processing restriction
  • Processing objection
  • Consent withdrawal
  • Authority complaints

iii. Response Time

  • 30 days initial
  • 60 days if extended
  • Free of charge

D. Canadian Rights (PIPEDA)

i. Core Rights

  • Access
  • Accuracy
  • Consent withdrawal
  • Understanding use

ii. Timeline

  • 30-day response
  • Extension notification
  • Free service

E. Australian Rights

i. Privacy Act Rights

  • Information access
  • Correction rights
  • Complaint process
  • Transparency

ii. Response

  • Prompt handling
  • Written responses
  • Clear resolutions

F. International Processing

i. Location

  • US storage
  • US processing
  • Provider variation

ii. Safeguards

  • Provider agreements
  • Security measures
  • Compliance monitoring

iii. Operations

  • App transactions: Apple/Google
  • Payments: Stripe
  • Marketing: Consent-based
  • Retention: Per policy

9. Updates, Resources, and Contact Information

A. Policy Management

i. Review Schedule

  • Annual minimum
  • Law change updates
  • Practice modifications
  • Version tracking

ii. Change Notice

  • 30-day advance
  • Website updates
  • Email notification
  • App announcements

B. Contact Methods

Primary Contact:

  • Email: info@cancer.cards
  • Phone: 602 456 2350
  • Mail: How Not to Say Dumb Shit, LLC
          PO Box 41241
          Mesa, AZ 85274

C. Response Times

Type | US Timeline | International Timeline
General Requests | 45 days | 30 days
Appeals | 45 days | 30 days
Security Incidents | 72 hours | 72 hours
Simple Changes | Immediate | Immediate

D. Privacy Authorities

i. US State Resources

State | Authority | Website
California | Privacy Protection Agency | https://cppa.ca.gov
Virginia | Attorney General | https://www.oag.state.va.us/consumer-protection/privacy
Colorado | Attorney General | https://coag.gov/resources/data-privacy-laws/
Connecticut | Privacy Office | https://portal.ct.gov/DCP/Data-Privacy/Data-Privacy/The-Connecticut-Data-Privacy-Act
Utah | Consumer Protection | https://dcp.utah.gov/privacy-security.html

ii. International Resources

  • EU: European Data Protection Board (https://edpb.europa.eu)
  • UK: Information Commissioner’s Office (https://ico.org.uk)
  • Canada: Privacy Commissioner (https://www.priv.gc.ca)
  • Australia: Privacy Commissioner (https://www.oaic.gov.au)

E. Service Provider Policies

Privacy Policies

  • Stripe: https://stripe.com/privacy
  • WordPress: https://wordpress.org/about/privacy
  • Kit: https://kit.com/privacy
  • Substack: https://substack.com/privacy
  • Apple: https://www.apple.com/legal/privacy/en-ww/
  • Google: https://policies.google.com/privacy

F. Documentation

i. Available Records

  • Privacy assessments
  • Security incidents
  • Policy updates
  • Compliance records

ii. Individual Records

  • Data requests
  • Response tracking
  • Deletion confirmations
  • Consent records

G. Additional Resources

  • Browser settings
  • App privacy
  • Identity protection
  • Security practices

All practices subject to applicable laws. Legal requirements take precedence where conflicts exist.