Privacy Policy
VivaRitual is committed to protecting your personal information under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Québec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25), and the California Consumer Privacy Act (CCPA) as amended by the CPRA. This notice explains what we collect, why, how long we keep it, and how you exercise your rights.
1. Who is responsible
The legal entity operating this store is VivaRitual Inc., with registered office at 500 Place d'Armes, Montreal, QC H2Y 2W2, Canada. We are the sole controller of the personal information collected through vivaritual.com.
Privacy Officer (required under Law 25, art. 3.1): Privacy Office - VivaRitual. Contact: privacy@vivaritual.com. Phone: +1 (438) 800-2026.
2. Information we collect and why
We collect only what is necessary for the purposes described. We never sell your data. We do not make automated decisions with legal effect.
- Order fulfilment: name, shipping address, email, phone, billing details. Purpose: ship the product, send transactional emails. Legal basis: contract performance.
- Account (optional): email, password hash. Purpose: access order history. Legal basis: your express consent.
- Marketing communications: email, consent timestamp. Purpose: send non-transactional emails. Legal basis: express opt-in consent (Law 25 art. 8.1). Withdrawable any time via the unsubscribe link or by emailing the Privacy Officer.
- Site analytics: pseudonymous usage data. Purpose: measure site performance. Legal basis: explicit cookie-banner consent. Never collected without your click on Accept.
- Advertising (Meta Pixel + Conversions API): hashed email, IP, user-agent, event data. Purpose: measure ad effectiveness. Legal basis: explicit opt-in. Fully blocked if the Sec-GPC: 1 signal is detected or you use the Do Not Sell button.
3. Retention periods
- Order records: 7 years after the transaction date, to comply with Canada Revenue Agency (CRA) tax-record rules.
- Marketing consent records: 24 months after your last interaction or until you withdraw consent, whichever is earlier.
- Website analytics: 14 months maximum, pseudonymised after 30 days.
- Sentry error telemetry: 90 days, PII scrubbed before ingestion.
4. Service providers (data processors)
We transfer data to the following processors, all located in the United States. Transfers are carried out under PIPEDA Principle 1 (Accountability) with contractual safeguards. If you reside in Québec, you are informed in accordance with Law 25 art. 17 that these are out-of-province transfers subject to assessment.
- Shopify (Canada + United States): commerce platform and order processing.
- Vercel (United States): website hosting and edge delivery.
- Resend (United States): transactional email delivery.
- Meta Platforms (United States): advertising and Pixel/CAPI measurement (only if you consent).
- Google LLC (United States): analytics and AI email assistance (only if you consent).
- Upstash (United States): rate-limiting, queueing, and caching infrastructure.
5. Your rights under Law 25, PIPEDA, CCPA, VCDPA, CPA
You may at any time, free of charge, request:
- Access to the personal information we hold about you (Law 25 art. 27; PIPEDA Principle 9; CCPA right-to-know).
- Correction of inaccurate data (Law 25 art. 28; CCPA right-to-correct).
- Deletion (Law 25 right to de-indexing; CCPA right-to-delete).
- Portability in a structured, commonly used and machine-readable format (Law 25 art. 27 added by PL-64).
- Withdrawal of your consent at any time, without justification.
- Opt-out of any sale or sharing of personal information (CCPA § 1798.120 / § 1798.135) via the Do Not Sell button in our cookie banner.
- Opt-out of targeted advertising (VCDPA / CPA) via the same mechanism; we also honour the Sec-GPC: 1 browser signal automatically.
- File a complaint with the Commission d'accès à l'information du Québec (CAI), the Office of the Privacy Commissioner of Canada (OPC), or the California Attorney General.
6. Response timelines
Under Law 25, we respond to access and rectification requests within 30 days. Under PIPEDA, the default statutory limit is 30 days, extendable to 60 days with notice. Under CCPA, we respond within 45 days, extendable once by 45 days with notice.
Identity verification is required before we disclose personal information. We will request only the minimum necessary to confirm it is you.
7. Minors
VivaRitual products are dietary supplements sold exclusively to adults 18 years and older. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us with data, contact the Privacy Officer; we will delete it within 30 days.
8. Security
Industry-standard controls are applied: TLS 1.3 in transit, encryption at rest by Shopify and Vercel, SHA-256 hashing before transmission to advertising partners, HMAC signature verification on every webhook, strict Content-Security-Policy and HSTS on all pages, and incident detection via Sentry with PII scrubbing.
If a confidentiality incident occurs, we notify the CAI and affected individuals without unreasonable delay as required by Law 25 art. 3.5 and PIPEDA's breach-of-security-safeguards regulations.
9. Changes to this notice
This policy was last updated on 2026-04-22. Material changes will be announced by email to opted-in subscribers at least 30 days before taking effect.