Dallmann Confections – Privacy Policy (Effective May 20, 2025)

Last updated: May 20, 2025

Dallmann Confections Inc. ("Dallmann," "Company," "we," "our," or "us") respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit www.dallmannconfections.com (the "Site") or engage with any of our services (collectively, the "Services"). It also describes your privacy rights and how to exercise them.

Quick‑read: A concise Notice at Collection for California residents appears directly below. Detailed disclosures and instructions for all U.S. users follow in the full Policy.

---

1. Notice at Collection (California)

Under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the "CCPA"), we are required to provide you with a notice at or before the point of collection describing:

Category of Personal Information	Examples	Purpose of Processing	Retention Period	Sold or Shared¹?
Identifiers	Name, email, postal address, IP address, unique IDs, phone number	Account creation, order fulfilment, marketing communications, fraud prevention	7 years (tax & legal); device identifiers 24 months	Yes (share) for cross‑context advertising
Commercial Information	Purchase history, shopping preferences	Order fulfilment, customer service, marketing analytics	7 years	Yes (share)
Internet / Network Activity	Browsing data, device & session information, referring URLs	Site security, analytics, advertising, debugging	24 months	Yes (share)
Geolocation (coarse)	City, state derived from IP	Content & promotional localization	24 months	No
Sensitive Personal Information (SPI)	Precise geolocation (disabled by default); account log‑in & payment credentials	Fraud prevention, secure payment	For the life of the account + 7 years archival	Not sold or shared

¹ "Sold" means we disclose personal information to a third party for monetary or other valuable consideration. "Shared" means we disclose personal information to a third party for cross‑context behavioural advertising.

You have the right to opt‑out of sale or sharing and to limit the use and disclosure of SPI (see § 10 below).

---

2. Who We Are

Dallmann Confections Inc.
757 N Twin Oaks Valley Rd #1,
San Marcos, CA 92069 USA
info@dallmannconfections.com

3. Applicability

This Policy applies to visitors, customers, and prospective customers in the United States. If you reside outside the U.S., additional rights may apply under your local law (see § 11.6 for GDPR).

4. Definitions

Capitalised terms used but not defined here have the meanings given in the CCPA or other applicable privacy statutes.

5. Personal Information We Collect

We collect personal information from the following sources:

• Directly from you – e.g., when you place an order or sign up for emails.

• Automatically – via cookies, pixels, and similar technologies.

• Third parties – e.g., payment processors, advertising networks, analytics providers, social networks.

A full inventory of data elements, purposes and retention periods is provided in Appendix A.

6. Cookies & Tracking Technologies

We use first‑ and third‑party cookies, pixels, and local storage objects to:

• Operate the Site (strictly necessary)

• Measure performance (analytics)

• Personalise content & ads (advertising)

Non‑essential cookies are disabled by default until you grant consent via our Consentmo banner. You can change your preferences at any time through the "Cookie Settings" link in the footer. We also honour the Global Privacy Control (GPC) signal for opt‑out of sale/sharing.

7. How We Use Personal Information

We use personal information to:
1. Provide, maintain and improve the Services
2. Process and deliver orders
3. Authenticate user accounts and prevent fraud
4. Send transactional and marketing communications
5. Provide real‑time customer support through recorded phone or chat interactions (with prior consent)
6. Personalise ads and measure campaign effectiveness
7. Comply with legal obligations
8. Detect, investigate, and remediate security incidents
9. Undertake business transfers (e.g., mergers, acquisitions)

8. How We Disclose Personal Information

We disclose personal information to:

• Service Providers & Contractors (e.g., Shopify, Klaviyo, PayPal, Square) bound by written agreements.

• Advertising & Analytics Partners (only identifiers, commercial info, and network activity; may be deemed "sharing").

• Affiliates & Business Partners under common control.

• Law enforcement or regulators when required by law.

• Successors in the event of a merger or acquisition (with notice to you).

We do not knowingly sell or share the personal information of children under 16.

9. Sensitive Personal Information (SPI)

We do not use or disclose SPI for any purpose other than those permitted by Cal. Civ. Code § 1798.121(a) (e.g., completing a transaction, security and fraud prevention). Accordingly, we do not offer a "Limit SPI" link because our processing is already limited.

Audio & Electronic Communications (CIPA Compliance)

We value your privacy in all communications channels. To comply with the California Invasion of Privacy Act ("CIPA"):

• Recorded phone calls – Our customer‑support and corporate phone lines may record calls for quality assurance and training. A voice prompt at the start of every call notifies all participants, and recording begins only after both parties remain on the line.

• Chat transcripts – Messages you send through our on‑site chat widget are stored after you click “Send.” We do not capture keystrokes or text that you type before you submit the message.

• Affirmative consent – By continuing the call after the recording notice or by clicking “Send” in the chat widget, you give consent to recording or logging. If you do not consent, please end the call or use alternative contact methods (email or postal mail).

• No secret monitoring – We do not eavesdrop on, intercept, or monitor audio or electronic communications without notice and consent.

10. Your Privacy Rights

Depending on your state of residence, you may have the rights listed below. We will not discriminate against you for exercising any of them.

Right	Available To
Access / Know	CA, CO, CT, VA, UT, TX, FL, OR, MT, IA, DE, NJ, NE, NH, MD, MN
Deletion	Same as above
Correction	CA, CO, CT, VA, OR, MT, TX, NJ, NH, MD
Data Portability	Same as above
Opt‑out of Sale	All states above
Opt‑out of Sharing / Targeted Ads	CA, CO, CT, VA, UT, MT, OR, TX, NJ, NH, MD
Opt‑out of Profiling	CO, CT, VA, OR, TX, NJ, NH
Appeal (for denied requests)	CO, CT, VA, OR, TX, NJ, NH

10.1 How to Submit a Request

Email us at info@dallmannconfections.com or call *(760) ‑ (toll‑free). We will verify your identity by matching at least two data points (for sensitive requests, three) and respond within 45 days (extension of 45 more if reasonably necessary).

10.2 Opt‑out of Sale/Sharing & GPC

• Click "Do Not Sell or Share My Personal Information" in the footer, or

• Enable the Global Privacy Control (GPC) in your browser. We treat GPC as a valid request to opt‑out of sale/sharing for that device and browser.

11. Additional Disclosures

11.1 Colorado, Connecticut, Utah, Virginia, Florida, Texas, Oregon, Montana, Iowa, Delaware, New Jersey, Nebraska, New Hampshire, Maryland, Minnesota

If you reside in one of these states, the definitions of "sale," "targeted advertising," and "profiling" under your state law apply. We process opt‑out requests in a uniform manner.

11.2 Nevada

Nevada residents may opt‑out of the sale of covered information by emailing info@dallmannconfections.com with "Nevada Opt‑Out" in the subject line.

11.3 Children’s Privacy

Our Site is not directed to children under 13 and we do not knowingly collect personal information from them. If you believe we have unintentionally collected such information, contact us at info@dallmannconfections.com and we will delete it.

11.4 Data Retention

We retain personal information only as long as necessary for the purposes described above or as required by law. See Appendix A for category‑specific periods. After retention periods expire, data is anonymised or securely deleted.

11.5 Data Security

We use industry‑standard administrative, technical and physical safeguards—including TLS‑encrypted transmission, limited‑access environments, and periodic security assessments—to protect your data. No system is 100 % secure; please use strong passwords and keep them confidential.

11.6 International Users & GDPR

We are located in the United States. If you access the Site from the EEA, UK or Switzerland, we process your personal data as a "data controller" under GDPR Art. 6(1)(b) (contract), (c) (legal obligation) or (f) (legitimate interests) as applicable. We rely on Standard Contractual Clauses (SCCs) for transfers.

12. Changes to This Privacy Policy

We may update this Policy from time to time. If we make material changes, we will post a prominent notice on the Site 30 days before the new policy takes effect and email registered users when feasible. The "Last updated" date will reflect the revision date.

13. Contact Us

Questions or concerns? Email info@dallmannconfections.com or write to Privacy Officer, Dallmann Confections Inc., 757 N Twin Oaks Valley Rd #1, San Marcos, CA 92069 USA.

---

Appendix A – Data Inventory & Retention Schedule

Category & Elements	Source	Purpose	Retention
Identifiers (name, email, phone, address, IP, device IDs)	Direct; automatic	Fulfil orders, account login, marketing, fraud detection	7 yrs; device IDs 24 mo
Commercial Info (purchase history, cart contents, preferences)	Direct	Fulfil orders, customer service, analytics	7 yrs
Internet / Network Activity (page views, clicks, referrer, browser)	Automatic	Site security, analytics, targeted ads	24 mo
Geolocation (city/state from IP)	Automatic	Localised content & ads	24 mo
Payment & Transaction (last‑4 of card, tokenised IDs)	Direct via PCI DSS processors	Process payments, refunds, fraud prevention	7 yrs
Sensitive Personal Info (account log‑in, precise location if enabled)	Direct; automatic	Security, fraud prevention, geofencing (opt‑in)	Life of account + 7 yrs archival