Privacy Policy
Effective April 23, 2026
Grocery Bundles ("we", "us", "our") operates grocerybundles.com and its subdomains (the "Service"). This policy explains what information we collect about you, how we use it, who we share it with, and the rights you have under California, Colorado, Connecticut, Virginia, Utah, Texas, Maryland, Tennessee, and other US state privacy laws. By using the Service you agree to the practices described below.
Service area. Grocery Bundles ships to the continental United States only (the lower 48 states). Visitors from outside the US may browse the Service but cannot place orders. If you are a resident of the European Economic Area, the United Kingdom, or another jurisdiction with stricter consent rules, we encourage you to use Your Privacy Choices to opt out of analytics and advertising before browsing.
1. Information we collect
1.1 Information you give us
- Account data: name, email address, and a password you choose (or a Google account identifier if you sign in with Google).
- Order and delivery data: shipping and billing addresses, phone number, items ordered, delivery notes.
- Payment data: we do NOT store card numbers or bank credentials. Payments are processed by Stripe, Inc. ("Stripe"); we receive only a tokenized reference and the last four digits of your card.
- Wholesale / business data: for wholesale applicants — business name, resale certificate, contact name, and order volume estimates.
- Support correspondence: any messages you send us via email, forms, or chat.
1.2 Information we collect automatically
- Session data: an HttpOnly session cookie (gb_refresh), a CSRF cookie (gb_csrf), and cart state. Session cookies are opaque random tokens; we store only a one-way hash of the token in our database.
- Security telemetry: we record authentication events (sign-ins, sign-outs, failed attempts, session rotations, theft-detection events) with a SHA-256 hash of your IP address and a truncated user-agent string. We do not store raw IP addresses in the audit log.
- Analytics: page views, on-site behavior, device type, approximate geographic region (country / state / city), and interactions with products and bundles. Collected via Google Analytics 4 through Cloudflare Zaraz with the originating IP stripped before forwarding to Google.
- Advertising signals: when you visit certain product or bundle pages we may include you in remarketing audiences in Google Ads so we can show you Grocery Bundles ads on other websites and measure their performance. Tracked via Google Consent Mode v2.
- Edge security telemetry: Cloudflare records request metadata (timestamps, response codes, geo) for DDoS mitigation, bot management, and rate limiting. This is processed by Cloudflare under their data processing agreement.
1.3 Information from third parties
- Google Sign-In: if you sign in with Google, we receive your email, name, and profile picture URL from Google's OpenID Connect service. Staff sign-in is restricted to the grocerybundles.com Workspace domain; we read the hosted-domain claim to enforce that restriction. We do not receive your Google password or access your Gmail, Calendar, or Drive.
- Stripe: transaction confirmations, risk signals, and dispute notifications related to your payments.
- Shipping carriers: tracking numbers and delivery status for packages we send you.
2. Categories of personal information collected (CCPA)
Within the prior 12 months we have collected the following CCPA categories of personal information:
- Identifiers — name, email, account ID, IP-derived geo region, device identifiers
- Customer records — postal address, phone number, billing/shipping data
- Commercial information — order history, products viewed, bundles purchased, refunds, returns
- Internet/network activity — pages visited, referring URLs, session duration, search queries on our site
- Geolocation data — coarse country / state / city derived from your network. We do not collect precise geolocation (street-level / GPS).
- Inferences — product preferences, dietary tags you've shown interest in, predicted reorder cadence
3. How we use your information
- Process orders, payments, refunds, and returns.
- Authenticate you, protect your account (rate limiting, refresh rotation, theft detection, optional TOTP two-factor authentication).
- Send transactional email (order confirmations, shipment notifications, password resets, wholesale approvals) via Resend, Inc.
- Cart-recovery reminders if you leave items in your cart. You can unsubscribe in one click; unsubscribe is honored across future carts.
- Marketing automation — welcome emails, replenishment reminders, re-engagement campaigns. Opt out by unsubscribing from any marketing email or by emailing us.
- Advertising: Google Ads remarketing, audience building, and conversion measurement. Subject to your choices on the Your Privacy Choices page and any Global Privacy Control signal sent by your browser.
- Google Ads Customer Match: we share a one-way SHA-256 hash of your email address (and, where available, a hash of your phone number) with Google Ads so Google can match you to an existing Google account for advertising purposes. The hashed values are computed in our infrastructure before transmission and Google cannot reverse them; they are used only as a join key against Google's own user data. Customer Match is used to build audiences of past purchasers, lapsed customers, and lookalikes for use as bidding signals on our Google Ads campaigns. You can opt out at any time on the Your Privacy Choices page or by emailing us; opting out removes your hashed identifiers from our next Customer Match upload. You can also exclude yourself from Google's ads platform-wide via Google's Ads settings.
- Fraud prevention: flagging suspicious orders, rate-limiting failed logins, detecting refresh-token reuse.
- Improve the Service — product recommendations, search quality, inventory planning, A/B testing.
- Legal compliance — tax records, subpoena responses, audit logs required by applicable law.
4. Do we "sell" or "share" personal information?
Under California law, "sale" and "share" cover not just monetary transactions but also disclosures of personal information for cross-context behavioral advertising. By that definition, our use of Google Ads remarketing — which builds audiences on Google's platform from your visits to our Service — is considered "sharing" for cross-context behavioral advertising under the CPRA.
We do not exchange your personal information for money. We do not sell or share your information with data brokers. We do not knowingly sell or share the personal information of consumers under the age of 16.
You can opt out of this sharing at any time on the Your Privacy Choices page, by enabling Global Privacy Control in your browser, or by emailing support@grocerybundles.com.
5. Who we share information with
We share only what is necessary to run the Service. Categories of recipients:
- Payment processor: Stripe (card authorization, fraud scoring, payouts).
- Email delivery: Resend (transactional and marketing email).
- Infrastructure: Cloudflare (hosting, DNS, caching, D1 database, edge security, Zaraz tag management).
- Analytics: Google Analytics 4 (page views, events, conversions). IP address is stripped before forwarding.
- Advertising: Google Ads (remarketing audiences, conversion measurement, customer match where you've opted in). Subject to your privacy choices.
- Shipping carriers: the carrier you select at checkout, limited to the shipping address and package details.
- Identity provider: Google (only if you chose to sign in with Google).
- Logo + brand enrichment: Brandfetch (we send brand domain names — never customer data — to fetch brand logos for the catalog).
- Legal compliance: courts, regulators, or law enforcement when compelled by valid legal process.
- Business transfers: if we are acquired or merged, your data may transfer to the successor, subject to this policy.
6. Cookies and similar technologies
We use the following cookie categories:
- Strictly necessary: gb_refresh (HttpOnly session), gb_csrf (CSRF double-submit), gb_oauth_pkce (during Google sign-in handshake), cart identifier. Required to use the Service; cannot be opted out.
- Functional: preference cookies (region, diet filters, viewed-items lists) if you set them.
- Analytics: Google Analytics 4 cookies for site usage measurement. Subject to Your Privacy Choices.
- Advertising: Google Ads cookies and pixels for remarketing and conversion measurement. Subject to your privacy choices and any GPC signal.
- Consent state: gb_consent_v1 stores your privacy choices (1-year retention) so we don't ask you again on every visit.
7. Your privacy choices
We honor the following opt-out mechanisms:
- Your Privacy Choices page (/privacy/choices): toggle analytics and advertising cookies on/off. Saves a 1-year preference cookie.
- Global Privacy Control (GPC): if your browser sends the Sec-GPC: 1 header (Brave, Firefox with GPC enabled, DuckDuckGo, others), we treat that as an opt-out of sale/share for advertising and disable analytics for that session — no action required from you.
- Marketing email: every marketing email includes an unsubscribe link. We honor unsubscribes within one business day.
- Browser-level cookie controls: you can clear our cookies any time from your browser settings; doing so will sign you out and reset your preferences.
8. Your rights under state privacy laws
Depending on your state of residence, you may have some or all of the following rights:
- Right to know what personal information we have collected about you and the categories of recipients we've shared it with.
- Right to delete personal information we hold about you (subject to retention exceptions for tax, fraud, and legal-compliance purposes).
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing for cross-context behavioral advertising (use Your Privacy Choices or send GPC).
- Right to limit use of sensitive personal information. We do not collect sensitive personal information beyond payment data (held only by Stripe), so this right has limited application here.
- Right to data portability — request an electronic copy of your data.
- Right to non-discrimination — we will not charge you a different price, deny you service, or provide a different level of quality because you exercised a privacy right.
To exercise any of these rights, email support@grocerybundles.com with the subject line "Privacy Request" and a description of what you want. We may need to verify your identity before fulfilling the request. We respond within 45 days as required by California law (similar windows apply in other states; some allow up to 90 days for complex requests). You may also designate an authorized agent to make a request on your behalf — we'll require written proof of authorization.
9. Data retention
- Active account data: kept while your account is open.
- Order and tax records: 7 years after the order (US tax compliance).
- Session records: active sessions until you sign out; revoked session rows pruned after 30 days.
- Auth audit log: 13 months, then purged.
- Analytics raw events: retained 26 months in Google Analytics by default, then aggregated.
- Cart-recovery opt-out records: retained indefinitely so we never re-contact a user who unsubscribed.
- Privacy choice cookie: 1 year on the device you set it from.
- Deleted accounts: we remove identifiable fields within 30 days of deletion; anonymized order history may be retained for tax and fraud analysis.
10. Security
Passwords are hashed with bcrypt (cost factor 10). Sessions use short-lived access tokens (15-minute JWTs) with long-lived opaque refresh tokens stored only as SHA-256 hashes. Refresh tokens rotate on every use; a reused token is treated as theft and all sessions for that account are revoked. Two-factor authentication via TOTP is optional for customers and required for staff who use password-based sign-in. Communications are encrypted in transit with TLS 1.2+; stored secrets (such as TOTP seeds) are encrypted with AES-GCM. No security program is perfect — if you suspect a breach of your account, contact us immediately.
11. Children
The Service is not directed to children under 16, and we do not knowingly collect personal information from them. We do not sell or share personal information of users known to be under 16. If you believe we have collected data from a child, contact us and we will delete it.
12. International users
The Service is operated from the United States and accepts orders only from the continental US. By using it from outside the US, you understand that your information will be processed in the US and in Cloudflare's global edge network. We do not purposefully target EU/UK/EEA residents and do not currently maintain a GDPR Article 27 representative. EU/UK visitors who wish to limit data collection should opt out via Your Privacy Choices before further use.
13. Changes to this policy
We may update this policy. Material changes will be posted here with a new effective date; significant changes that affect how we use your personal information will also be emailed to account holders. Continued use of the Service after the new effective date constitutes acceptance.
14. Contact
Questions, requests, or complaints:
support@grocerybundles.com
Grocery Bundles, Limestone County, Alabama, United States