Data Privacy & Security Policy

Effective Date: March 1, 2026. This document explains how Brooklyn Candle Studio collects, processes, and protects operational data, including D2C transaction records and B2B wholesale logistics metadata.

1. Information Collection & Operational Scope

As an enterprise D2C and B2B wholesale operation, Brooklyn Candle Studio acts as the Data Controller. Our transactional infrastructure strictly processes data necessary for fulfilling orders, managing logistics, and securing accounts. We collect:

  • Identity & Contact Data: Authorized representative names, corporate email addresses, and encrypted billing/shipping coordinates.
  • System & Metadata: IP addresses (for security auditing), delivery status receipts (bounces, opens, clicks limited to transactional context), and browser user-agent strings during 2FA authentication.
  • Payload Data: Invoice contents, Safety Data Sheets (SDS) requests, and wholesale tier approval documentation.

2. Strict Limitation of Data Usage

We process the collected data solely for operational necessity. We do not sell, rent, or trade Personally Identifiable Information (PII) to third-party data brokers or marketing agencies. The data is used exclusively to:

  • Execute API-triggered transactional communications (e.g., password resets, order confirmations).
  • Maintain compliance with B2B supply chain Service Level Agreements (SLAs).
  • Detect, prevent, and mitigate fraudulent activity within our wholesale portal.
  • Fulfill legal and tax reporting obligations in the State of New York and federal jurisdictions.

3. Infrastructure Sub-Processors & Third Parties

To guarantee 99.99% uptime and low-latency delivery of mission-critical alerts, we utilize certified Tier-1 infrastructure providers (Sub-Processors). Data shared with these entities is strictly governed by Data Processing Agreements (DPAs):

  • Email Service Providers (ESPs): For routing transactional SMTP traffic and webhook delivery.
  • Cloud Infrastructure: For secure database hosting and API payload processing (e.g., AWS).
  • Logistics Partners: Webhook integrations with carriers (FedEx, UPS, USPS) for real-time tracking alerts.

4. Data Security & Retention Protocols

Brooklyn Candle Studio employs industry-standard security measures, including TLS 1.3 encryption for data in transit and AES-256 encryption for data at rest.

Retention Policy: Transactional payload data (the content of the messages) is retained only for a maximum of 30 days to facilitate customer support and troubleshooting. System logs and metadata required for audit, security compliance, and tax purposes may be retained for up to 7 years in cold storage.

5. Data Protection Officer (DPO) Contact

For inquiries regarding data deletion requests (CCPA/GDPR compliance), access to records, or security concerns regarding our infrastructural routing, please contact our authorized representative:

Data Controller: Brooklyn Candle Studio

Headquarters: 147 41st Street, Suite BE, Brooklyn, NY 11232

DPO / Ops Lead: Michael Dawson