Privacy Policy

Last updated: April 24, 2026

Who we are

Wavvy Supply Co. (“Wavvy,” “we,” “us”) is operated by Happy Travels LLC, a California licensed cannabis manufacturer (DCC License DDC-10003107) and distributor (DCC License C11-0001537-LIC). Contact: hello@wavvy.supply.

What we collect

We collect only what we need to run the site and comply with California cannabis regulation:

• Age-verification attestation: month and year of birth, state of residence, and a hashed representation of your IP address. We store the hash — not the raw IP — for a 2-year audit window required under the DCC age-gate compliance standard.
• Newsletter signups: email address, source (homepage, zine waitlist, event form), timestamp, and your marketing consent state.
• Admin account data: if you are a Wavvy Supply employee, your email, role, and a bcrypt-hashed password.
• Cookies: an age-verification cookie (30 days), a consent preferences cookie (365 days), and an admin session cookie (only set after login).
• Anonymous performance data: Core Web Vitals (LCP, CLS, INP) sampled per page, tied to URL and user-agent hash — never an identifier.

We do not collect your exact date of birth, your exact IP, your browsing history across other sites, or anything we do not actively need.

CCPA / CPRA rights (California residents)

If you are a California resident, you have the right to:

• Know what personal information we hold about you;
• Request deletion of that information;
• Opt out of the sale or sharing of your personal information — we do not sell or share personal information as defined under the CCPA/CPRA;
• Correct inaccurate information;
• Be free from retaliation for exercising any of the above rights.

To exercise any of these rights, email privacy@wavvy.supply.

Global Privacy Control (GPC)

We honor the Global Privacy Control signal automatically. If your browser sends a GPC header, we treat that as a valid opt-out of all non-essential tracking — no cookie banner click required.

How long we keep it

• Age-gate logs: 2 years (compliance);
• Newsletter signups: until you unsubscribe;
• Consent preferences: 365 days, then re-prompted;
• Admin audit logs: indefinitely, for accountability.

Third parties

We use Google Tag Manager for optional analytics, but only after you grant explicit consent via our cookie banner. Absent consent, GTM never loads. Our AI assistant (in the admin dashboard) is powered by Anthropic's Claude API — but no public-visitor data is sent to Anthropic.

Security

We use bcrypt (cost 12) for password storage, signed session cookies, CSP headers, CSRF tokens on every form, rate-limited login, and per-endpoint RBAC. The full security model is documented in our internal repository.

Changes

We will update the "last updated" date when this policy changes. Material changes will be announced via our newsletter.