Privacy Policy.

01Information we collect

When you visit or buy from hudsonvalleybotanicals.com, we collect a limited set of information that is necessary to run the store and serve you properly.

Information you provide directly

• Name. Used to address shipping labels and customer-support replies.
• Email address. Order confirmations, shipping updates, and any newsletter you have opted into.
• Shipping and billing address. Provided to USPS or UPS for delivery.
• Phone number (optional). Used only if a carrier needs to reach you about a delivery problem.
• Order details. Product names, quantities, and order totals.
• Payment information. Card data is entered directly into our payment processor (Waave). We never store credit card numbers, expiration dates, or CVV codes on our own servers.
• Account credentials. Username and a bcrypt-hashed password if you choose to create an account.
• Support communications. Tickets, emails, and chat messages you send our team.
• Age confirmation. You must meet your state's minimum purchase age (18 or 21 depending on jurisdiction).

Information we collect automatically

• IP address and device info. Browser type, operating system, screen size. Used for fraud prevention and responsive layout.
• Usage data. Pages viewed, time on page, referring URL, clicks on product listings. Reviewed internally only, not shared with third-party trackers.
• Cookies and similar technologies. Detailed in the Cookies section below.

What we do not collect

• Social Security numbers.
• Driver's license or government ID numbers.
• Bank account or financial account numbers.
• Biometric data such as fingerprints or face scans.
• Political opinions, health data, or religious beliefs.

02How we use your information

We use the information above for a small, specific set of reasons. We do not sell personal information, and we do not share it with third parties for their own marketing purposes.

• To fulfill your orders. Processing payments, packing the right products, printing the right shipping label, and sending you order confirmations and tracking updates.
• To provide customer support. Responding to your questions, handling returns, and resolving any issues with an order.
• To operate and secure the site. Detecting fraud, preventing abuse, diagnosing technical problems, and keeping accounts safe.
• To send you email communications you've opted into. New product announcements, restock notices, and occasional updates. You can unsubscribe at any time using the link in any email.
• To comply with legal obligations. Including tax reporting, age verification, and responding to valid legal requests.

03Cookies and tracking

We use the minimum cookies necessary to run the store. No tracking pixels, no behavioral advertising cookies, no Google Analytics, no Facebook Pixel.

You can clear or block cookies in your browser settings at any time. Blocking strictly necessary cookies will break checkout and account features.

04Third-party services

We never sell, rent, or trade your personal information. Only two outside services receive customer data, and each gets only what is needed to do its specific job:

That is the complete list. No analytics vendors, no advertising platforms, no data brokers, no marketing trackers.

Legal disclosure. We may disclose information if required by subpoena, court order, or other valid legal process. We will notify you unless prohibited from doing so.

05Your rights and choices

You have several rights regarding the information we hold about you. To exercise any of these rights, reach our team through the contact page.

• Access. Request a copy of the personal information we hold about you.
• Correction. Ask us to correct information that is inaccurate or out of date.
• Deletion. Request that we delete your account and personal information, subject to retention obligations under tax and consumer-protection laws.
• Opt out of marketing. Unsubscribe from any marketing email using the link at the bottom of that email, or contact us directly.
• Data portability. Request your data in a structured, machine-readable format.
• Objection. Object to certain types of processing, such as marketing analytics.

We aim to respond to verified requests within 30 days. If the request is complex we may extend by an additional 30 days and will tell you in writing if that happens.

06Data retention and security

We keep personal information only as long as needed for the purposes we collected it, or as required by law.

Retention periods

• Order and transaction records: up to 7 years, as required by IRS and state tax rules.
• Account data: as long as your account is active, plus a reasonable window after closure to handle returns, disputes, and legal obligations.
• Support tickets: typically 2 years from the last message.
• Marketing email lists: until you unsubscribe, plus a suppression record so we do not email you again.
• Cookies: see the lifespan column in the cookie table above.

To request deletion outside these retention windows, use the contact page. We will action verified requests within 30 days.

How we protect information

• SSL/TLS 256-bit encryption on every page (the lock icon in your browser).
• PCI-DSS compliant payment processing through Waave. Card data is never stored on our servers.
• AES-256 encryption at rest for our database. Passwords hashed with bcrypt.
• Two-factor authentication for staff accounts and role-based access (the shipping team only sees what is needed to ship orders).
• Cloudflare WAF firewall blocks common automated attacks.
• Daily encrypted backups with 30-day retention and geo-redundant storage.
• Quarterly security reviews and ongoing intrusion monitoring.

No method of transmission over the internet is 100% secure, but we take our responsibility to protect your data seriously and review our controls regularly.

07International users

Hudson Valley Botanicals is based in the United States and our servers are located in the United States. If you visit or place an order from outside the US, your personal information will be transferred to and processed in the US. By using the site, you consent to this transfer.

Where required by law, we implement appropriate safeguards for international transfers, including standard contractual clauses for transfers from the EU, UK, and EEA.

08CCPA and GDPR rights

Depending on where you live, you may have additional rights under the California Consumer Privacy Act (CCPA), the EU General Data Protection Regulation (GDPR), or similar laws.

California residents (CCPA / CPRA)

• The right to know what personal information we collect and how we use it.
• The right to request deletion of your personal information.
• The right to correct inaccurate information.
• The right to opt out of the "sale" or "sharing" of personal information. We do not sell personal information.
• The right not to face discrimination for exercising these rights.

EU and UK residents (GDPR / UK GDPR)

• All rights listed in Section 05 above.
• The right to lodge a complaint with your local Data Protection Authority.
• The legal basis for our processing: contract performance (for orders), legitimate interests (for security and analytics), consent (for marketing emails), and legal obligations (for tax records).

If you're outside the US and place an order, your data will be transferred to and processed in the United States. We implement appropriate safeguards including standard contractual clauses where required.

09Children's privacy

Hudson Valley Botanicals is an age-restricted site. We do not knowingly collect personal information from anyone under 18, and we do not direct marketing or advertising to children or minors. The site and its services are intended for adults only.

Note that minimum purchase age for kratom products may be higher than 18 depending on where you live. Some US states require buyers to be 21 or older. Age requirements are enforced at checkout and are separate from the privacy threshold described in this section.

If we become aware that we have collected personal information from someone under 18, we will delete that information. If you are a parent or guardian and believe your child has provided us with personal information, please reach our team through the contact page.

10Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we do, we'll post the new version here and update the "last updated" date at the top.

If the change is material, we'll do our best to notify you by email or a clear notice on the site before it takes effect. Your continued use of the site after an updated policy takes effect means you accept the updated terms.

11Contact us

If you have a question about this Privacy Policy or want to exercise any of the rights above, reach our team through the contact page or by mail.