Privacy Policy
Last updated: June 12, 2026
This policy explains, in plain English, what personal information we collect when you visit nightveilmask.com or place an order, why we collect it, who we share it with, and the rights and choices you have. The short version: we collect only what's needed to ship your order and run our ads effectively, we never sell your data, and you can opt out of all non-essential tracking with one click.
1. Who we are
NightVeil ("we", "us", "our") is an online store selling weighted sleep masks to customers in the United States. NightVeil is operated by SdJ Adv., registered with the Dutch Chamber of Commerce (KvK) under number 90555813, Brink 17, 2742 LD Waddinxveen, the Netherlands. The store ships exclusively to US addresses.
We are the data controller for the personal information described in this policy. For any privacy question or request, contact us at info@nightveilmask.com — we respond within 1 business day and resolve formal requests within the timeframes required by law (at most 45 days).
2. Information we collect
We only collect what we need to run the store. We do not buy data about you from third parties, and we never sell your personal information.
Information you provide directly:
- Order details — your name, email address, shipping address and phone number, collected during checkout.
- Payment information — handled entirely by Stripe, our payment processor. Your card number never touches our servers and we never see or store it.
- Communications — emails you send us (for example about a return), including their content and your contact details.
3. Information collected automatically
When you visit nightveilmask.com, we and our analytics/advertising partners automatically receive certain technical data:
- Device and browser data — browser type, operating system, screen size, language.
- Usage data — pages viewed, time on page, clicks, approximate (city-level) location derived from your IP address.
- Events — actions like viewing the product, starting checkout, or completing a purchase. These power our analytics and advertising measurement (see sections 6 and 7).
- Our hosting provider (Vercel) keeps short-lived technical server logs, including IP addresses, for security and reliability.
4. How we use your information
We use personal information for the following purposes, and nothing else:
- Fulfilling your order — processing payment, shipping the product, sending the order confirmation, tracking link and delivery updates.
- Customer service — answering questions, handling returns, refunds and our 30-night guarantee.
- Measuring and improving the store — understanding which pages work, fixing problems, improving the product experience.
- Advertising measurement — knowing whether our ads actually led to a visit or a purchase, so we don't waste ad budget (see section 7).
- Legal obligations — keeping transaction records for tax and accounting purposes, preventing fraud, and responding to lawful requests from authorities.
5. Who we share information with
We share personal information only with service providers that help us run the store, and only what each of them needs to do their job. They are contractually bound to process your data on our behalf and not for their own purposes (except where noted for Google and Meta below).
- Stripe (payments) — receives your payment details and billing information to process the transaction and prevent fraud.
- Our fulfilment partner and postal carriers — receive your name, shipping address, email and phone number to pack, ship and deliver your order.
- Resend (email delivery) — sends our transactional emails (order confirmation, shipping notification, delivery follow-up) to your email address.
- Vercel (hosting) — serves the website and processes technical logs.
- Google (Google Analytics 4) — receives usage data as described in section 6.
- Meta (Facebook/Instagram advertising) — receives event and order data as described in section 7.
- Authorities — only if we are legally required to (for example a valid legal order), and only the minimum required.
6. Analytics (Google Analytics 4)
We use Google Analytics 4 to understand how visitors use the site — which pages are read, where visitors come from, and where they drop off. GA4 sets cookies (such as _ga) and collects usage data linked to a random identifier, not to your name.
We have not enabled Google Ads data sharing for personalised advertising. You can decline analytics entirely via our cookie banner, and Google offers a browser opt-out add-on at tools.google.com/dlpage/gaoptout.
7. Advertising (Meta Pixel & Conversions API)
We advertise on Facebook and Instagram. To measure whether those ads work and to optimise who sees them, we use two Meta tools:
- The Meta Pixel — a small script on our site that tells Meta when someone views the product, starts checkout, or purchases. It sets cookies such as _fbp.
- The Meta Conversions API — when an order is completed, our server sends Meta a purchase confirmation including order value and hashed (irreversibly scrambled) versions of your email, name, phone number and address region. Hashing means Meta can match the purchase to an ad view without receiving your readable contact details.
You can opt out of this at any time: decline via our cookie banner (stops the Pixel), adjust your ad preferences in your Facebook/Instagram settings, or email us to request that we exclude your data.
8. Cookies & your choices
On your first visit, a banner lets you accept or decline analytics and advertising cookies. Your choice is stored in your browser and respected on every future visit: if you decline, the Meta Pixel stops sending events and Google Analytics is disabled.
Strictly necessary items — such as the stored consent choice itself and Stripe's fraud-prevention cookies during checkout — are always active because the store cannot function without them. For the full list of cookies and how to manage them, see our Cookie Policy at nightveilmask.com/cookies.
9. International data transfers
We operate from the Netherlands, our service providers run infrastructure in the United States and the European Union, and orders are fulfilled from warehouses in Asia and the US. Where personal data crosses borders, we rely on our providers' standard contractual safeguards (such as EU Standard Contractual Clauses and the EU–US Data Privacy Framework, where applicable) to protect it.
10. Data retention
We keep personal information no longer than necessary:
- Order and transaction records — up to 7 years, as required by Dutch tax law.
- Customer service emails — up to 2 years after the conversation is closed.
- Analytics data — up to 14 months (GA4 default), after which it is automatically deleted.
- Advertising event data — retained by Meta according to its own data policy; our consent banner controls whether it is collected at all.
11. How we protect your information
All traffic to nightveilmask.com is encrypted with TLS (https). Payments are processed by Stripe, a PCI-DSS Level 1 certified provider — the highest security standard in the payment industry. We never store card numbers. Access to order data is limited to the people who need it to fulfil your order, and our systems are protected by industry-standard security headers and access controls.
12. Your privacy rights
We extend the following rights to all customers, wherever you live:
- Access — request a copy of the personal information we hold about you.
- Correction — have inaccurate information corrected.
- Deletion — have your information deleted, except records we are legally required to keep (such as invoices).
- Portability — receive your data in a portable, machine-readable format.
- Opt out of advertising — stop the use of your data for ad measurement and targeting.
- Objection — object to a specific use of your data.
If you are a California resident, these correspond to your rights under the CCPA/CPRA, including the right to know, delete, correct, and opt out of "sharing" for cross-context behavioral advertising (which you can do via the cookie banner or by emailing us). We do not sell personal information, and we do not use or disclose sensitive personal information beyond what is necessary to provide the service. Residents of other states with privacy laws (such as Virginia, Colorado, Connecticut and Texas) have equivalent rights. If you are in the EU/EEA, the same rights apply under the GDPR, and you may lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
To exercise any right, email info@nightveilmask.com from the email address linked to your order. We verify requests by matching your email to our order records, never discriminate against you for exercising a right, and respond within 45 days.
13. Do Not Track & opt-out signals
Our cookie banner is the reliable way to control tracking on this site. Browser "Do Not Track" and Global Privacy Control signals are not currently processed automatically — if you have them enabled and want certainty, decline via the banner or email us and we will honour your choice manually.
14. Children's privacy
NightVeil is not directed at children. We do not knowingly collect personal information from anyone under 16, and our products are sold to adults. If you believe a child has provided us personal information, contact us and we will delete it promptly.
15. Changes to this policy
We may update this policy as the store, our tools, or the law changes. The "Last updated" date at the top always reflects the current version. For material changes we will post a clear notice on the site. Continued use of the store after a change means the updated policy applies.
16. Contact
Privacy questions, requests or complaints: info@nightveilmask.com. We aim to resolve every concern directly. California residents may also contact the California Attorney General; EU/EEA residents may contact the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).