Privacy policy

PRIVACY POLICY
of
Made and Co, Inc. dba Harper & Lo

Website: https://www.harperandlo.com
Company Name: Made and Co, Inc. dba Harper & Lo (“Harper & Lo”)
Jurisdiction (Principal Place of Business): California, United States
Effective Date: 5th December 2025

1. Introduction and Scope

1.1 Purpose of this Policy. This Privacy Policy (“Policy”) explains how Harper & Lo (“Harper & Lo,” “we,” “us,” or “our”) collects, uses, discloses, and protects personal information when you visit or use our website at www.harperandlo.com, purchase our personalized baby accessories, engage with our marketing, or otherwise interact with us (collectively, the “Services”).

1.2 Who this Policy Applies To. This Policy applies to individuals (“you,” “your”) located in the United States and internationally who access or use the Services, subject to any local laws that grant additional rights or impose additional requirements.

1.3 Separate Cookie Policy. We use cookies, pixels, and other tracking technologies on our website. Our separate Cookie Policy explains these technologies and your choices in more detail. Please read this Policy together with our Cookie Policy and our Terms and Conditions.

1.4 By Using the Services. By accessing or using the Services, you acknowledge that you have read and understood this Policy. If you do not agree, you must discontinue use of the Services.

1.5 Compliance with U.S. Federal & State Privacy Laws.
Where applicable, we comply with U.S. privacy laws including the California Consumer Privacy Act (CCPA) as amended by the CPRA, the California Online Privacy Protection Act (CalOPPA), the Children’s Online Privacy Protection Act (COPPA), the CAN-SPAM Act, and other federal and state laws governing marketing, consumer privacy, and electronic communications. Your rights under these frameworks are explained in Sections 14–17.


2. Controller and Contact Details

2.1 Data Controller. For most processing activities described in this Policy, Made and Co, Inc. dba Harper & Lo, established in California, is the entity that determines the purposes and means of processing your personal information (“Controller”).

2.2 Service Providers / Processors. We engage third parties, including Shopify, payment processors, analytics providers, and shipping carriers, who process personal information on our behalf pursuant to written contracts and only in accordance with our instructions (“Processors” or “Service Providers”).

2.3 Contact Details. If you have questions about this Policy or wish to exercise your privacy rights, you may contact us at:

  • Email: ____________________
  • Postal Address:
    Made and Co, Inc. dba Harper & Lo
    California, United States


3. Information We Collect From You

We may collect the following categories of personal information that you provide directly to us:

3.1 Identifiers and Contact Details.

  • Name, email address, phone number, billing and shipping address.

3.2 Order and Transaction Information.

  • Products ordered (e.g., birth announcement frames, milestone cards, name signs, growth charts, night lights, toys), quantities, order dates, order value, and chosen shipping options.

3.3 Payment-Related Information.

  • Payment method type and limited payment details (e.g., last four digits of card number). Full payment card data is typically collected and processed directly by our payment processors and not stored by us.

3.4 Personalization and Content Details.

  • Names, dates of birth, birth details, personalized messages, photographs, color choices, and any other content you provide for Personalized Products or when submitting special instructions.

3.5 Account and Profile Information.

  • Username, password, saved addresses, and order history if you create an account on the website.

3.6 Customer Support and Communications.

  • Content of messages and communications you send to us, such as questions about products, personalization, shipping, or issues with an order.

4. Information Collected Automatically

When you access or use the Services, we and our partners may automatically collect certain information from your device and usage:

4.1 Device and Technical Information.

  • IP address, browser type and version, device identifiers, operating system, language settings, and similar technical details.

4.2 Usage and Interaction Data.

  • Pages visited, items viewed, time and date of visits, click paths, referring URLs, time spent on each page, and interactions with elements on the Site (e.g., adding products to cart, starting checkout, abandoning cart).

4.3 Approximate Location Data.

  • Approximate geographic location inferred from IP address (e.g., city, region, country) to help localize the experience and for analytics and fraud prevention purposes.

4.4 Log and Diagnostic Data.

  • Log files and diagnostic information related to website performance, error reports, and security events.

5. Information from Third Parties

We may also receive personal information about you from third parties in connection with the Services:

5.1 E-Commerce and Payment Platforms.

  • From Shopify and payment processors, we may receive confirmation of payment status, limited card or payment token details, fraud risk signals, and transaction identifiers.

5.2 Shipping and Logistics Providers.

  • From carriers, we may receive tracking updates, delivery status, and confirmations of successful or failed deliveries.

5.3 Analytics and Marketing Partners.

  • From partners such as Google Analytics, Facebook (Meta) Pixel, and Pinterest Tag, we may receive aggregated or pseudonymised information about how users interact with our website and ads.

5.4 Social Media Platforms.

  • If you interact with our social media pages or tag us in publicly visible content, we may see your username, profile information, and content you choose to share, subject to your privacy settings on those platforms.

5.5 Advertising Classification Notice (CPRA). Some third-party analytics and advertising partners may engage in activities considered “cross-context behavioral advertising” under the CPRA. Your opt-out rights related to these practices are described in Section 14 and our Cookie Policy.

6. How We Use Personal Information

We use personal information for the following purposes, only as permitted by applicable law:

6.1 Provision of Products and Services.

  • Processing and fulfilling your orders, creating personalized items, arranging shipment, managing payments, and providing order confirmations and updates.

6.2 Customer Support.

  • Responding to your inquiries, handling complaints, assisting with personalization choices, and resolving issues with orders or delivery.

6.3 Operation and Improvement of the Site.

  • Operating, maintaining, and improving our website, user experience, and product offerings, including testing new features and layouts.

6.4 Analytics and Performance.

  • Using analytics tools to understand traffic patterns, identify popular products and content, measure engagement, and improve the effectiveness of the Site and our marketing.

6.5 Marketing and Promotions.

  • Sending marketing communications (where permitted by law) about new designs, seasonal collections, promotions, or special offers, and tailoring messaging based on your preferences and prior interactions with Harper & Lo.

6.6 Personalization and Recommendations.

  • Remembering your preferences and showing you relevant products (e.g., items related to previously viewed categories like growth charts or name signs).

6.7 Security, Fraud Prevention, and Misuse Detection.

  • Detecting and preventing fraudulent transactions, misuse of discount codes, unauthorized account access, or suspicious activity.

6.8 Legal Compliance and Protection.

  • Complying with legal and regulatory obligations (such as tax and accounting requirements), responding to lawful requests from public authorities, and protecting our rights, property, customers, and the public.

6.9 Other Purposes with Your Consent.

  • Any additional purpose for which we clearly explain the use of data and obtain your consent, where required.

6.10 CAN-SPAM Compliance (Email Communications).

  • If we send commercial email communications, we do so in compliance with the CAN-SPAM Act, including providing accurate sender information, a valid physical address, clear opt-out instructions, and honoring opt-out requests in a timely manner.

7. Legal Bases for Processing (EEA/UK and Similar Jurisdictions)

Where European, UK, or similar data protection laws apply, we process personal information under the following legal bases:

7.1 Performance of a Contract.

  • To process your orders, personalize and deliver Products, manage your account, and otherwise fulfill our contractual obligations.

7.2 Legitimate Interests.

  • To operate, improve, and secure our Services; prevent fraud; understand how customers use our site and products; and market to existing customers, provided such interests are not overridden by your rights and interests.

7.3 Consent.

  • For certain cookies, analytics tools, or marketing communications where the law requires consent. You may withdraw your consent at any time, without affecting the lawfulness of processing based on consent before withdrawal.

7.4 Legal Obligations.

  • To comply with legal duties such as maintaining appropriate business records, tax documentation, and responding to lawful requests from authorities.

8. Cookies, Pixels, and Similar Technologies

8.1 Use of Cookies. We use cookies, pixels, tags, and similar technologies (“Cookies”) on the Site to recognize your browser or device, remember your preferences, keep your cart intact, measure site performance, and tailor our marketing efforts.

8.2 Technologies Used. These technologies may be implemented by us or our service providers and partners, including:

  • Shopify tracking (for checkout, cart, and store functionality),
  • Google Analytics (for site metrics and performance),
  • Facebook (Meta) Pixel (for ad measurement and retargeting),
  • Pinterest Tag (for campaign tracking and retargeting).

8.3 Your Choices. Details about the specific Cookies we use and how to manage or disable them (including consent mechanisms used in certain jurisdictions) are set out in our Cookie Policy and may also be accessible via cookie banners or browser settings.

8.4 Cross-Context Behavioral Advertising (CPRA).

Some Cookies or advertising identifiers may constitute “sharing” of personal information for cross-context behavioral advertising under the CPRA. Your rights and opt-out options are described in Section 14 and our Cookie Policy.


9. How We Share Personal Information

We may share personal information with the following categories of recipients, each only to the extent reasonably necessary for the purposes described in this Policy:

9.1 Service Providers.

  • Shopify and other hosting providers, payment processors, logistics and shipping companies, IT and security providers, email and marketing platforms, and analytics and advertising partners.

9.2 Business Partners.

  • Limited sharing with advertising or social media partners to measure and improve our campaigns and to deliver more relevant ads, subject to your choices and applicable law.

9.3 Legal and Regulatory Recipients.

  • Law enforcement authorities, regulators, courts, or other third parties where required by law or reasonably necessary to protect our rights, property, or safety or that of others.

9.4 Corporate Transactions.

  • Potential or actual buyers, successors, or affiliates in connection with a merger, acquisition, reorganization, or sale of assets, subject to confidentiality and appropriate safeguards.

9.5 With Your Consent.

  • Any additional sharing for which you provide explicit consent at the time of disclosure.

9.6 CPRA “Selling” and “Sharing” Clarification.

We do not “sell” personal information in the traditional sense. However, under California’s CPRA, certain uses of Cookies, pixels, and advertising identifiers may be classified as a “sale” or “sharing” of personal information. Your opt-out rights are described in Sections 14 and 16 and in our Cookie Policy.

We do not sell your personal information in the ordinary sense of the word. If certain uses of Cookies or identifiers are deemed a “sale” or “sharing” under applicable law (e.g., California), your rights and options are described in Sections 14 and 16 and in our Cookie Policy.


10. International Transfers

10.1 Transfers to the United States and Other Countries. The Services are operated from the United States, and your personal information may be processed in the United States or other countries where our service providers or partners are located.

10.2 Safeguards for International Transfers. Where required by law, we implement appropriate safeguards for cross-border transfers of personal information, such as standard contractual clauses, or other mechanisms approved by relevant authorities.

10.3 Further Information. If you would like additional information about these safeguards, you may contact us using the details in Section 20.


11. Data Retention

11.1 Retention Principles. We retain personal information only for as long as reasonably necessary to fulfill the purposes for which it was collected, including to:

  • Provide the Services and complete transactions,
  • Manage your relationship with us,
  • Comply with legal, tax, and accounting obligations, and
  • Resolve disputes and enforce our agreements.

11.2 Examples.

  • Order and transaction records are typically retained for the period required by tax and accounting laws.
  • Customer support communications are kept for as long as needed to manage your inquiry and maintain appropriate records.
  • Marketing-related information is retained until you opt out or until it is no longer useful, subject to technical limits and backup policies.

11.3 Anonymised and Aggregated Data. We may anonymise or aggregate personal information so that it can no longer be associated with you. We may retain such data for longer periods for business, analytical, or statistical purposes.


12. Security of Personal Information

12.1 Security Measures. We implement reasonable technical, organizational, and administrative measures designed to protect personal information under our control against unauthorized access, destruction, loss, alteration, or misuse.

12.2 Limitations. While we strive to protect your information, no system or transmission method is completely secure. You are responsible for keeping your account credentials confidential and notifying us promptly if you suspect any unauthorized access or misuse of your account.


13. Children’s Privacy and Baby-Focused Marketing

13.1 Not Directed to Children. Although our Products are designed for babies and young children, our Services are intended for use by adults (such as parents, guardians, or gift buyers), and are not directed to children under 13 years of age.

13.2 No Knowing Collection from Children. We do not knowingly collect personal information directly from children under 13. If we learn that we have collected such information without appropriate consent, we will take steps to delete it as required by law.

13.3 Parental Responsibility. Parents and guardians are responsible for supervising their children’s use of Products and for deciding what information (such as names and birth details) they wish to include on Personalized Products.

13.4 If You Believe a Child Has Provided Data. If you believe that a child has provided us with personal information inappropriately, please contact us using the details in Section 20 so we can address the matter.

13.5 COPPA Compliance Statement.

We comply with the Children’s Online Privacy Protection Act (COPPA). If we become aware that we have collected personal information from a child under 13 without verifiable parental consent, we will delete it as required by law. Parents may contact us using Section 20 to exercise COPPA rights.


14. Your Privacy Rights – United States (Including California)

If you are a resident of California or another U.S. state with similar privacy laws, you may have some or all of the rights described below, subject to legal conditions and limitations:

14.1 Right to Know / Access.

  • To request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the purposes for collection, and the categories of third parties with whom we share personal information.

14.2 Right to Delete.

  • To request deletion of personal information we hold about you, subject to exceptions (for example, where we must retain information to complete a transaction, detect security incidents, comply with legal obligations, or for other permitted purposes).

14.3 Right to Correct.

  • To request correction of inaccurate personal information maintained about you.

14.4 Right to Opt Out of Certain Data Uses.

  • If certain uses of Cookies or identifiers are deemed a “sale” or “sharing” of personal information, you may have the right to opt out of such activities through tools described in our Cookie Policy and any “Do Not Sell or Share My Personal Information” mechanism we provide.

14.5 Right to Non-Discrimination.

  • We will not discriminate against you for exercising your privacy rights, although we may offer different prices or benefits related to the value of your data, where permitted by law.

14.6 Exercising Your U.S. Privacy Rights.

  • You may contact us using the details in Section 20, specifying that you are exercising privacy rights as a resident of California or another relevant state. We may need to verify your identity and may request additional information for that purpose. You may also be able to appoint an authorized agent, subject to verification.

14.7 Additional California Rights (CalOPPA).
California residents have the right to know how we handle “Do Not Track” (DNT) signals (see Section 16), to view the effective date of this Policy, and to understand how categories of personal information and disclosures apply to them, which is detailed throughout this Policy.

14.8 California Shine the Light Law.
Under California Civil Code § 1798.83, California residents may request information about whether we share personal information with third parties for their direct marketing purposes. At this time, we do not share personal information with third parties for their independent marketing.

14.9 Other U.S. State Privacy Laws.
Residents of states such as Colorado, Virginia, Connecticut, and Utah may have rights similar to California’s related to access, deletion, correction, and opting out of targeted advertising or profiling. We will honor these rights in accordance with applicable law.


15. Your Privacy Rights – EEA, UK, and Similar Jurisdictions

If you are located in the European Economic Area, the United Kingdom, or another jurisdiction with similar data protection laws, you may have the following rights, subject to legal conditions and limitations:

15.1 Right of Access.

  • To obtain confirmation as to whether we process personal information about you and to receive a copy of that information.

15.2 Right to Rectification.

  • To request correction of inaccurate or incomplete personal information.

15.3 Right to Erasure.

  • To request deletion of personal information in certain circumstances (for example, where it is no longer necessary for the purposes for which it was collected or you have withdrawn consent and there is no other legal basis).

15.4 Right to Restriction.

  • To request that we restrict our processing of your personal information under certain conditions.

15.5 Right to Data Portability.

  • To receive personal information you provided to us in a structured, commonly used, machine-readable format and to transmit it to another controller where technically feasible.

15.6 Right to Object.

  • To object to certain processing activities, including where we rely on legitimate interests, and to object at any time to the processing of personal information for direct marketing.

15.7 Right to Withdraw Consent.

  • Where processing is based on your consent, to withdraw that consent at any time, without affecting the lawfulness of processing before withdrawal.

15.8 Right to Lodge a Complaint.

  • To lodge a complaint with a supervisory authority in your place of residence, place of work, or place of the alleged infringement.

16. Rights and Choices in Other Regions; Global Privacy Controls

16.1 Other Regions. Residents of other countries or states may have privacy rights similar to or in addition to those described above. We will handle requests in accordance with applicable local law.

16.2 Global Privacy Controls and “Do Not Track.”

  • Where required by law (for example, in certain U.S. states), we will honor qualifying Global Privacy Control (GPC) signals as an opt-out of certain data “sales” or “sharing” when technically and legally appropriate.
  • Some browsers send “Do Not Track” (DNT) signals. There is no standardized industry response at this time, and we may not respond to all DNT signals, but we provide other means for you to manage cookies and marketing preferences as described in this Policy and our Cookie Policy.

16.3 Global Privacy Control (GPC) Signals (CPRA Requirement).

Where legally required (including California), we honor valid GPC signals as an opt-out of the “sale” or “sharing” of personal information for cross-context behavioral advertising.

16.4 Do Not Track (CalOPPA).

Some browsers transmit a “Do Not Track” signal. Because there is no standardized industry response, we may not respond to all DNT signals. Instead, we provide alternative cookie and advertising opt-out mechanisms described in our Cookie Policy.


17. Marketing Communications and Advertising Choices

17.1 Email and SMS Marketing.

  • Where permitted by law, we may send you marketing communications about new products, style launches, promotions, and updates. You may opt out at any time by clicking the “unsubscribe” link in our emails or by contacting us.

17.2 Transactional Communications.

  • You may continue to receive non-marketing communications related to your orders, account, or changes to our terms or policies, even if you opt out of marketing.

17.3 Advertising and Analytics Preferences.

  • Your ability to limit or configure advertising and analytics Cookies (including from Google Analytics, Meta/Facebook, and Pinterest) is explained in our Cookie Policy and may also be managed via browser settings, device settings, and platform-specific privacy controls.

18. Third-Party Websites, Apps, and Social Media Features

18.1 Third-Party Properties. The Services may include links to third-party websites, apps, or services that are not operated or controlled by Harper & Lo. This Policy does not apply to those properties, and we are not responsible for their content, security, or privacy practices.

18.2 Social Media Features. Our Services may implement social media features (such as “like,” “share,” or “shop” buttons, or embedded content from platforms like Instagram or Pinterest). These features may collect your IP address, which page you are visiting, and may set Cookies to enable functionality. Your interactions with these features are governed by the privacy policies of the third-party providers.


19. Changes to This Privacy Policy

19.1 Updates. We may update this Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other operational needs.

19.2 Notice of Changes. When we make material changes, we will update the Effective Date at the top of this Policy and may provide additional notice (for example, by displaying a prominent notice on our website or, where required, by contacting you directly).

19.3 Continued Use. Your continued use of the Services after the Effective Date of an updated Policy constitutes your acknowledgment of the updated Policy.


20. How to Contact Us

20.1 Contact Details. If you have any questions about this Policy, our privacy practices, or wish to exercise your privacy rights, you may contact us at:

  • Email: hello@harperandlo.com
  • Postal Address: 14747 Artesia Blvd 3A, La Mirada, CA 90638
    Made and Co, Inc. dba Harper & Lo
    California, United States

20.2 Response Time. We will review and respond to your request within a reasonable time frame and in accordance with applicable law.