Privacy Policy

Privacy Policy

Effective Date: September 22, 2025

Introduction

The Elijah Project (“EP,” “we,” “us,” or “our”) is the data controller/responsible party for the personal information we collect. We respect your privacy and are committed to protecting your personal information. This Privacy Policy explains what data we collect, how we use it, and your rights. We may update this policy from time to time and will revise the “Effective Date” above. Your continued use of our site means you accept the revised policy.

Information We Collect

We collect and process the following personal information when you interact with our site:

• Mailing List Sign-up: first name, email address.
• Orders via Shopify: first name, last name, email address, shipping address, and order details.
• Payments: We do not collect or store your payment card details. All payment processing is handled securely by Shopify and its payment processors.

How We Use Your Information

• Fulfill and ship orders, provide customer support.
• Communicate about purchases and send updates you request (e.g., newsletter).
• Maintain, secure, and improve our website.

Cookies, Tags & Analytics

• Essential cookies (required): used for cart/checkout and security (Shopify). These cannot be disabled as they are necessary for core functionality.
• Google Tag Manager (GTM): used as a tag container to load only the tags described in this Policy. GTM does not read or store personal data beyond what is necessary to deliver tags.
• Email engagement: Brevo may use a tracking pixel to measure opens and link clicks in emails you receive.
• Cookie Consent: Essential cookies are automatically enabled. You can manage non-essential cookies in your browser settings.

We do not use analytics, advertising, or retargeting cookies on this site.

Legal Basis for Processing

• Consent: newsletter sign-ups and email marketing.
• Contractual necessity: order placement, fulfillment, and customer service.
• Legitimate interest: site security and performance analytics conducted in a privacy-preserving manner.

You may withdraw consent at any time without affecting prior processing. These legal bases apply where required by law and your rights may vary depending on your country or region. We do not use automated decision-making or profiling that produces legal or similarly significant effects.

Third-Party Services (Processors)

We share data with service providers only as necessary to provide our services:

• Shopify—online store and payment processing; uses essential cookies for cart, checkout, and fraud prevention; PCI DSS compliant. Privacy: shopify.com/legal/privacy.
• Brevo—email delivery and subscription management; processes your name and email; uses an email tracking pixel for engagement metrics. Privacy: brevo.com/legal/privacy-policy. If you have subscribed, we use your email for direct marketing (e.g., newsletters). You can withdraw at any time by clicking “Unsubscribe.”
• Google Tag Manager—tag container that deploys only the tags listed in this section; does not itself profile users.
• Stamps.com—used for shipping label creation and postage services; processes your name, email, shipping address, package weight, and postage cost as needed to mail shipments. Privacy: stamps.com/privacy-policy.

We do not sell or share your personal information with anyone. We honor Global Privacy Control (GPC) browser signals.

International Data Transfers

Your information may be processed outside your country (e.g., in the United States). Where your information is transferred outside your country, we rely on Standard Contractual Clauses (SCCs), adequacy decisions, or comparable safeguards as required by law.

Your Rights

Depending on your location, you may have the right to: access, correct, delete, or port your data; restrict or object to processing; withdraw consent; and receive information about automated decision-making. To exercise rights, contact us with proof of identity. We respond within 30–45 days and provide appeal options if requests are denied. You may also lodge complaints with your local data protection authority.

Children’s Privacy

We do not knowingly collect personal data from children under 13 (or the minimum legal age in your country). If we learn such data was collected, we will delete it promptly.

Security

We use SSL/TLS encryption and a mix of administrative, technical, and physical safeguards to protect your information. Access is limited to trained staff under confidentiality obligations, and our practices are reviewed regularly.

Payment processing is handled securely through Shopify, which is PCI DSS compliant. While no online system is 100% secure, we take reasonable steps to reduce risks, including role-based access, staff training, data minimization, secure backups, and disaster recovery.

Our third-party providers (e.g., Shopify, Brevo) are contractually required to follow comparable security standards.

Data Breach Notification

If a data breach occurs, we will notify affected individuals within 72 hours and regulators when required by law.

Retention

• Newsletter data: kept while your subscription is active and deleted within 30 days after you unsubscribe (subject to secure backups and legal retention needs).
• Order data: kept only as long as necessary for fulfillment and legal, tax, and accounting obligations (typically up to 7 years in the U.S.).

California Notice at Collection

California Privacy Rights (CCPA/CPRA)

California residents have the right to know what personal information we collect, request access, correction, or deletion of their information, opt out of any sale or sharing of personal information (we do not sell or share), and not face discrimination for exercising these rights.

Contact

To exercise your rights or ask questions about this Privacy Policy, you can reach us at: [email protected]

We will respond to verified requests within the timeframes required by applicable law (usually within 30–45 days). If you live in a region with privacy laws (e.g., EU, UK, Brazil, Canada, Australia), you may also contact your local data protection authority to file a complaint.

Effective Date

This Privacy Policy was last updated on August 5, 2025.