1. Scope and Applicability
This Privacy Policy ("Policy") explains how NUVRELL ("NUVRELL," "we," "us," or "our"), a business operating from the State of Maryland, United States, collects, uses, shares, and protects information about visitors to nuvrell.com and customers who purchase NUVRELL jewelry ("Services"). It applies whether you visit as a guest, create an account, or place an order.
By using the Services, you acknowledge that you have read this Policy. If you do not agree with this Policy, please do not use the Services.
2. Information We Collect
The categories of personal information we collect, in CCPA terminology, are summarized below.
| Category | Examples | Source |
|---|---|---|
| Identifiers | Name, postal address, email, phone number, IP address, device identifiers, account ID | You, your device, and Cloudflare logs |
| Customer records | Shipping/billing address, order history | You, at checkout |
| Commercial information | Products viewed, items purchased, returns, reviews | You and our systems |
| Internet/network activity | Browsing pages, referring URL, time on site, clickstream | Your browser; analytics tools |
| Geolocation (general) | City/region inferred from IP for tax and shipping | Your IP address |
| Payment information | Card brand, last four digits, expiration; full PAN is never received or stored by NUVRELL — Stripe processes it directly. | Stripe, Inc. |
| Inferences | Product preferences derived from browsing/purchase history for personalization | Our recommendation system |
We do not knowingly collect "sensitive personal information" as defined under the CPRA (e.g., government IDs, precise geolocation, health, racial/ethnic origin, religious beliefs, biometrics).
3. How We Use Your Information
- Order fulfillment: processing payments, shipping orders, tax calculation, customer service.
- Account management: authenticating you, saving order history, managing wishlists.
- Communications: sending order confirmations, shipping notifications, return updates, and — only if you opt in — marketing emails. You can unsubscribe from marketing at any time.
- Site operation and security: preventing fraud, abuse, and unauthorized access; debugging; maintaining service integrity.
- Personalization: showing recently viewed items, related-product recommendations, and abandoned-cart reminders.
- Analytics: understanding aggregate site usage to improve user experience and product offerings.
- Legal compliance: meeting tax, accounting, anti-fraud, and consumer-protection obligations.
We do not use your personal information to make automated decisions that produce legal or similarly significant effects on you.
4. How We Share Information (Third-Party Service Providers)
We share information only as needed to operate the Services and only with vendors who are contractually bound to use the data solely for the purposes we direct. We do not sell personal information for monetary value, and we do not "share" personal information for cross-context behavioral advertising as those terms are defined under the CPRA.
| Recipient | Purpose | Data shared |
|---|---|---|
| Stripe, Inc. | Payment processing (PCI-DSS Level 1) | Payment card data (collected directly by Stripe), billing address, order amount |
| Resend (Resend Inc.) | Transactional and marketing email delivery | Email address, name, order details |
| United States Postal Service (USPS) | Shipping and tracking | Recipient name, shipping address |
| Cloudflare, Inc. | Content delivery, DDoS protection, WAF, TLS termination | IP address, request metadata, device fingerprint for bot detection |
| Google LLC (if Analytics enabled) | Aggregate site analytics | Pseudonymous identifiers, page views, IP (anonymized) |
| Meta Platforms, Inc. (if Pixel enabled) | Conversion measurement; advertising on Meta properties | Hashed email, event data, browser fingerprint |
| Hosting infrastructure (Hetzner Online GmbH, U.S. region) | Server hosting | All Service data at rest |
We may also disclose information when required by law (e.g., subpoena, court order), to enforce our Terms, to protect our rights, property, or safety, or in connection with a merger, acquisition, or sale of assets — in which case we will provide notice on this page.
5. Cookies and Similar Technologies
We use cookies and equivalent technologies (localStorage, session tokens) to operate the Services. The categories are:
- Strictly necessary: session authentication, cart contents, CSRF protection, fraud prevention. These cannot be disabled if you wish to use the Services.
- Functional: remembering preferences such as wishlist contents and recently viewed items.
- Analytics (only if enabled): Google Analytics 4, set with anonymized IP. You can opt out at tools.google.com/dlpage/gaoptout.
- Advertising (only if enabled): Meta Pixel. You can opt out at facebook.com/settings?tab=ads.
You can also refuse or delete cookies via your browser settings; doing so may break parts of the Services.
6. Your Privacy Rights — California (CCPA/CPRA) and Other States
If you are a California resident, the CCPA as amended by the CPRA grants you the rights below. We honor equivalent rights for residents of other U.S. states with comprehensive privacy laws (e.g., Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA) to the extent those laws apply.
- Right to know what personal information we collect, use, disclose, or sell/share, including specific pieces collected about you.
- Right to delete personal information we have collected, subject to legal exceptions (e.g., completing a transaction, complying with tax law).
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing. NUVRELL does not sell or share personal information for cross-context behavioral advertising. If this changes we will update this Policy and provide an opt-out link.
- Right to limit use of sensitive personal information. We do not use sensitive PI beyond what is reasonably necessary to provide the Services, so this right is honored by default.
- Right to non-discrimination. We will not deny goods or services, charge different prices, or provide a different level of quality because you exercised any of these rights.
- Right to data portability: we will provide a copy in a machine-readable format on request.
How to exercise your rights: email [email protected] with the subject "Privacy Request." Please describe your request and provide enough information for us to verify your identity (typically: name, email associated with your orders, and recent order number). We will respond within 45 days as required by California law and may extend that period by an additional 45 days when reasonably necessary, with notice.
You may use an authorized agent. We require written authorization and will verify your identity directly when permitted by law.
7. Do Not Track and Global Privacy Control
NUVRELL's analytics framework is configured to honor the Global Privacy Control (GPC) signal and the Do Not Track (DNT) browser header where present. When either signal is detected, third-party analytics and advertising pixels are not loaded. Strictly necessary cookies remain active so that the Services continue to function.
8. Data Retention
We retain personal information only as long as needed to fulfill the purposes described in this Policy, including legal, accounting, tax, and reporting obligations. Typical retention periods:
- Order records: 7 years (IRS-recommended retention for sales records).
- Account data: until account deletion plus 30 days for backups.
- Marketing email lists: until you unsubscribe or 24 months of inactivity.
- Server logs: 30 days, unless required for security investigations.
- Abandoned-cart data: 7 days from last activity, after which the cart and any associated email are purged.
9. How We Protect Your Information
We implement industry-standard technical and organizational measures, including: TLS 1.2+ encryption in transit, encrypted database backups, JWT-based admin authentication with short-lived access tokens, role-based access control, hardware-backed SSH keys for server administration, Cloudflare WAF, and continuous logging and monitoring. Payment card data is processed and tokenized by Stripe; NUVRELL never receives full card numbers.
Despite these measures, no online service is 100% secure. If we become aware of a security incident affecting your personal information, we will notify you and applicable regulators in accordance with the law (including, where applicable, California Civil Code § 1798.82).
10. Children's Privacy (COPPA)
The Services are not directed to, and we do not knowingly collect personal information from, children under the age of 13. If you believe a child has provided us with personal information, please email [email protected] and we will delete it promptly.
11. International Visitors
The Services are intended for use by residents of the United States. If you access the Services from outside the United States, your information will be transferred to and processed in the United States, where data-protection rules may differ from those in your country. By using the Services, you consent to that transfer.
12. Changes to This Policy
We may update this Policy from time to time. The "Last updated" date at the top of this page indicates when the latest revision took effect. Material changes will be communicated through a banner notice on the homepage and, where required by law, by email. Your continued use of the Services after a change becomes effective constitutes acceptance of the updated Policy.
13. How to Contact Us
For privacy questions, requests, or complaints:
- Privacy email: [email protected]
- General support: [email protected]
- Postal mail: NUVRELL · Privacy Officer · [Insert street address] · Maryland · United States · [ZIP]
© 2026 NUVRELL. All rights reserved. NUVRELL is a registered trade name doing business in the State of Maryland, United States. This document was last reviewed by NUVRELL on the date shown above and is published in good faith. Where any provision is found to be unenforceable under applicable law, the remaining provisions remain in full force and effect.