Privacy Policy

2.1 Information you provide

Account information (18+ only):

- Email address (used for login and account communication)

- Email verification status

Support communications:

- If you email us, we receive the contents of your message and your email address.

Payment-related information (18+ only):

- When you start a checkout, we may send your email and the product you are purchasing to Dodo Payments to initiate the checkout session.

- During checkout, Dodo Payments collects the information needed to process the transaction (such as name, billing address, and payment details). We do not collect or store your full payment card details.

- During checkout, Dodo Payments may display and process payment in your local currency and apply conversion rates and fees as shown in checkout. We do not control these currency conversion mechanics.

- After purchase, we store limited transaction metadata needed to grant access and support the purchase, such as: product ID, payment event ID, payment session ID, payment status, and created-at timestamp.

2.2 Information collected automatically

Device and usage data (via logs and analytics):

- Page URLs associated with pageviews/events, including limited campaign parameters where applicable (we sanitize URLs and only retain an allowlist such as utm_*).

- IP address (for example, in server/CDN logs and in PostHog), which may be used to derive approximate location (such as country/city)

- Device and browser information (user agent)

- Timestamps

- Error/diagnostic data (including client/server errors)

Coarse location:

- We may infer general location (e.g., country/region) from IP address.

Country for pricing:

- We may determine your country using an IP-to-country signal provided by our hosting provider (for example, the x-vercel-ip-country request header) in order to display localized pricing (such as INR pricing for visitors in India). We do not store your IP address for this pricing decision. However, IP addresses may still appear in standard server/security logs and in some of our vendors' logs.

2.3 Bouquet content data

We do not store your bouquet image output on our servers as part of the sharing flow. You export/download the image locally and share it via your device.

4.0 When analytics runs and when we request consent

- For anonymous users during onboarding, PostHog runs in memory mode until onboarding is complete and the cookie banner is shown.

- For signed-in users, the cookie banner is shown on first visit (or again if browser storage is cleared).

4.1 Cookie consent modes

- Anonymous users: PostHog runs in memory mode (no cookies; no localStorage persistence; identifiers reset each session).

- Signed-in users:

- If you accept cookies, PostHog may use cookies and localStorage for cross-session analytics.

- If you reject cookies, PostHog runs in memory mode (no cookies/localStorage persistence).

4.2 Anonymous users and minors

For users who are not logged in (including users under 18), we limit analytics to non-identifying, non-persistent measurement (memory mode), and we do not identify those users by email.

4.3 Geo information in analytics

PostHog and other providers may derive approximate location information (such as country or city) from IP address as part of providing their services. We do not send your country or city to PostHog as an event property, but such information may appear in PostHog based on their processing.

4.4 Logged-in users (18+)

If you are logged in, we may associate analytics/events with your account. We identify your account to PostHog using a non-email identifier (your internal user ID) and aim to minimize sensitive fields in analytics while ensuring URL/token sanitization.

4.5 URLs and query parameters

We may collect page URLs associated with events. To reduce privacy risk, we sanitize URLs before they are sent to analytics by removing query parameters by default and only retaining an allowlist of campaign parameters (such as utm_*). This is intended to prevent collection of sensitive tokens that may appear in URLs (for example, authentication or verification tokens).

8.1 Cookie choices

Use the cookie banner to accept or reject cookies. Note: your choice affects whether analytics may persist across sessions for signed-in users; anonymous analytics remains memory-only. At this time, we do not provide an in-product "Cookie Settings" page. You can change your choice by clearing cookies/localStorage for handpicked.you, which will cause the banner to be shown again.

8.2 Global Privacy Control and Do Not Track

We honor GPC and DNT signals as follows:

- If we detect a GPC/DNT signal, we will treat it as a request to opt out of analytics cookies where feasible and will apply a more privacy-protective mode (for example, memory-only analytics) even if you have not otherwise accepted cookies.

8.3 Requests about your data (DSARs)

You can request access, correction, or deletion of your account information by emailing support@myoberry.com.

We will respond within the time required by applicable law. For example, California guidance indicates businesses generally respond within 45 days, extendable by another 45 days with notice in some cases.

8.4 California (CCPA/CPRA) disclosures (best-practice)

We do not sell personal information and do not share it for cross-context behavioral advertising at this time. If we begin selling or sharing as defined by applicable law, we will update this Policy and provide appropriate opt-out mechanisms (including honoring GPC where applicable).

8.5 India (DPDP) best-practice

If you are in India, you may have rights under applicable law (such as access and correction). We provide email-based support at support@myoberry.com for such requests.