Effective Date: November 15, 2025

This Privacy Policy describes how Luma Brush ("we," "us," or "our"), a company based in California, collects, uses, shares, and protects your personal information when you visit our website at https://trylumabrush.com (the "Website") or use our services (collectively, the "Services"). We are committed to protecting your privacy and complying with applicable laws, including the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), the California Online Privacy Protection Act (CalOPPA), and other relevant U.S. federal and state privacy laws. Our Services are intended for users in the United States only, and we do not knowingly collect or process personal information from individuals outside the U.S. We do not sell your personal information to third parties. If you have any questions about this Privacy Policy, please contact us at the details provided in the "Contact Us" section below. By using our Services, you agree to the collection and use of information in accordance with this Privacy Policy.

1. Information We Collect

We collect personal information that you provide to us directly, information collected automatically, and information from third-party sources. "Personal information" means any information that identifies, relates to, describes, or is capable of being associated with you. Personal Information You Provide to Us We may collect the following categories of personal information when you interact with our Services, such as when you create an account, place an order, sign up for our newsletter, or contact us:

Identifiers: Name, email address, postal address, phone number. Commercial Information: Purchase history, products viewed or added to cart, payment information (e.g., credit card details, processed securely by third-party payment processors like Stripe; we do not store full payment details). Internet or Other Electronic Network Activity: Browsing history on our Website, search queries, and interactions with our emails or ads. Geolocation Data: Approximate location based on IP address (not precise geolocation). Sensitive Personal Information: We do not collect sensitive information such as Social Security numbers, racial or ethnic origins, biometric data, or precise geolocation unless required for a specific service and with your explicit consent.

Information Collected Automatically When you visit our Website, we automatically collect certain information using cookies, web beacons, and similar technologies:

Device and Usage Data: IP address, browser type, operating system, device identifiers, pages visited, time and date of visits, and referral sources. Log Data: Error reports, access times, and other technical data for security and analytics.

For more details, see our "Cookies and Tracking Technologies" section below. Information from Third-Party Sources We may receive limited information from third parties, such as:

Analytics providers (e.g., Google Analytics) for usage trends. Marketing partners for targeted advertising. Social media platforms if you interact with us there or log in via social media.

We do not purchase personal information from data brokers.

We use your personal information for legitimate business purposes, including:

Providing and Improving Services: To process orders, fulfill shipments, provide customer support, and manage your account.

Communicating with You: To send order confirmations, shipping updates, and respond to inquiries. Marketing and Promotions: To send promotional emails about products, offers, or newsletters (you can opt out at any time).

Analytics and Personalization: To analyze Website usage, improve user experience, and personalize content.

Security and Fraud Prevention: To detect and prevent fraudulent activity, unauthorized access, or abuse. Legal

Compliance: To comply with laws, respond to legal requests, or enforce our terms.

Business Operations: For internal research, auditing, and reporting.

We will not use your information for purposes incompatible with those listed without your consent.

We do not sell your personal information as defined under the CCPA/CPRA (i.e., we do not exchange it for money or other valuable consideration). However, we may share your information in the following situations:

Service Providers: With vendors who assist us, such as payment processors (e.g., Stripe), shipping carriers (e.g., USPS, UPS), email service providers (e.g., Mailchimp), and analytics tools (e.g., Google Analytics). These providers are contractually obligated to use your information only for our purposes and to protect it. Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction.

Legal Requirements: If required by law, subpoena, or government request, or to protect our rights, safety, or property. Affiliates: With our parent company or subsidiaries, if any, under common control.

We do not share personal information with third parties for their own marketing purposes without your consent.

4. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience, analyze usage, and deliver personalized ads. Categories include:

Essential Cookies: Necessary for Website functionality (e.g., session management). Performance Cookies: To track usage and improve performance.

Marketing Cookies: To deliver relevant ads via third parties like Google Ads.

You can manage cookies through your browser settings or our cookie consent banner. We honor "Do Not Track" (DNT) signals where applicable, but note that some third-party services may not. For more details, visit our separate Cookie Policy (if applicable).

We implement reasonable organizational, technical, and administrative measures to protect your personal information, such as encryption, access controls, and secure servers. However, no method of transmission or storage is 100% secure, so we cannot guarantee absolute security. In the event of a data breach, we will notify affected individuals as required by law.

We retain your personal information only as long as necessary for the purposes described in this Policy, or as required by law. For example:

Account and order data: Retained for up to 7 years for tax and accounting purposes. Marketing data: Retained until you opt out.

After the retention period, we securely delete or anonymize your information.

As a California resident, you have specific rights under the CCPA/CPRA:

Right to Know: Request details about the personal information we collect, use, disclose, or share about you in the past 12 months (up to twice per year).

Right to Delete: Request deletion of your personal information, subject to certain exceptions (e.g., for legal compliance).

Right to Correct: Request correction of inaccurate personal information.

Right to Opt-Out of Sale or Sharing: We do not sell or share your personal information for cross-context behavioral advertising, but if we did, you could opt out via a "Do Not Sell or Share My Personal Information" link.

Right to Limit Use of Sensitive Information: Request we limit use of sensitive personal information to necessary purposes.

Right to Non-Discrimination: We will not discriminate against you (e.g., by denying services or charging different prices) for exercising your rights.

Residents of other states may have similar rights under laws like Virginia's VCDPA or Colorado's CPA; contact us for details.

To exercise your rights, submit a verifiable request via:

Email: privacy@trylumabrush.com

Include your name, contact information, and the nature of your request. We may verify your identity (e.g., by matching provided details to our records). We will respond within 45 days (extendable by 45 days if needed) and provide the information free of charge, except for excessive requests. Authorized agents may submit requests on your behalf with proper authorization.

Our Services are not directed to children under 13 (or 16 for certain rights under CCPA). We do not knowingly collect personal information from children. If we learn we have collected such information, we will delete it. Parents or guardians who believe we have collected their child's information should contact us immediately.

Since we operate solely in the U.S. and our servers are located in the U.S., your information is not transferred internationally. If this changes, we will update this Policy and ensure appropriate safeguards.

We may update this Policy from time to time. Changes will be posted here with the updated effective date. We will notify you of material changes via email or a prominent notice on the Website. Continued use of our Services after changes constitutes acceptance.

If you have questions or concerns about this Privacy Policy or our practices:

Email: privacy@trylumabrush.com Mail: Luma Brush 861 sixth ave, #310, San Diego, California, 92101 USA