California Consumer Privacy Act (CCPA) Compliance

Effective Date: March 12, 2026

Introduction & CCPA Scope

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is a state privacy law that gives California residents greater control over the personal information that businesses collect about them. The CCPA applies to for-profit businesses that do business in California and meet at least one of the following thresholds:

  • Annual gross revenue exceeding $25 million;
  • Buy, sell, or share the personal information of 100,000 or more California residents, households, or devices per year; or
  • Derive 50% or more of annual revenue from selling or sharing California residents' personal information.

Popupsmart Inc. ("we," "us," or "our") operates the website https://popupsmart.com and provides popup builder and conversion optimization services. We are committed to complying with the CCPA and respecting the privacy rights of California consumers. This page explains what personal information we collect, why we collect it, and how you can exercise your rights under the CCPA.

What Data We Collect

We collect the following categories of personal information from California residents:

Identifiers

  • First and last name
  • Email address
  • Phone number
  • IP address
  • Account credentials

Commercial Information

  • Subscription and billing history
  • Products or services purchased or considered
  • Payment information (processed securely through Stripe; we do not store payment card details)

Internet or Network Activity

  • Browser type and version
  • Pages visited on our website and time spent on those pages
  • Referring URLs and exit pages
  • Unique device identifiers
  • Mobile device type, operating system, and mobile browser type
  • Other diagnostic and usage data

Cookies and Tracking Technologies

  • Session Cookies: Used to operate our service and maintain your session.
  • Preference Cookies: Used to remember your settings and preferences.
  • Security Cookies: Used for security and fraud prevention purposes.
  • Advertising Cookies: Used to deliver relevant advertisements based on your interests.

Analytics Data

We use third-party analytics providers — including Google Analytics (GA4), Cloudflare Analytics, and Segment — to collect aggregated usage data about how visitors interact with our website.

Sensitive Personal Information

Popupsmart does not knowingly collect sensitive personal information (SPI) as defined by the CCPA/CPRA, such as Social Security numbers, driver's license numbers, financial account credentials, precise geolocation, racial or ethnic origin, religious beliefs, genetic or biometric data, health information, sexual orientation, or the contents of private communications. If we ever begin collecting SPI in the future, we will update this page and provide you with the right to limit its use and disclosure.

Why We Collect Data

We collect and use personal information only for specific, legitimate business purposes. Below is a breakdown by category:

  • Identifiers: To create and manage your account, communicate with you about your subscription, provide customer support, and send service-related notices (including expiration and renewal notifications).
  • Commercial Information: To process payments, manage billing, fulfill contractual obligations, and maintain accurate transaction records.
  • Internet or Network Activity: To monitor and analyze usage patterns, improve our website and product functionality, detect and address technical issues, and strengthen security.
  • Cookies and Tracking Technologies: To operate our service, remember your preferences, secure your sessions, and — where permitted — serve relevant advertising.
  • Analytics Data: To understand how users interact with our service, identify areas for improvement, and make data-driven decisions about product development.

We may also use personal information to comply with legal obligations, enforce our Terms and Conditions, and protect our rights and the safety of our users.

Data Retention Periods

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected. Below are the retention criteria for each category:

  • Identifiers (name, email, phone, account credentials): Retained for the duration of your active account and for up to 3 years after account closure or last activity, unless longer retention is required by law.
  • Commercial Information (billing, subscription, payment history): Retained for the duration of your account relationship and for a minimum of 3 years afterward to comply with tax, accounting, and financial reporting obligations.
  • Internet or Network Activity (usage data, device data, browsing data): Generally retained for 3 years for analytics and product improvement purposes, unless longer retention is needed for security investigations or legal compliance.
  • Cookies and Tracking Technologies: Session cookies expire when you close your browser. Persistent cookies (preference, security, advertising) expire according to their individual settings, typically ranging from 30 days to 24 months. You can delete cookies at any time through your browser settings.
  • Analytics Data: Aggregated analytics data may be retained indefinitely as it does not identify individual users. Identifiable analytics data is retained in accordance with our analytics providers' retention policies (e.g., Google Analytics default retention is 14 months).

When personal information is no longer needed, we securely delete or anonymize it. If deletion is not immediately possible (for example, because the information is stored in backup archives), we isolate the information and apply protective measures until deletion is feasible.

Sale and Sharing of Personal Information

Popupsmart does not sell personal information to third parties in exchange for monetary consideration.

However, under the CCPA's broad definition of "sharing," certain activities may qualify as sharing personal information for cross-context behavioral advertising purposes. Specifically, the following activities may constitute "sharing" under the CCPA:

  • Advertising Cookies: Third-party advertising cookies from Google Ads, Facebook, and Twitter may collect identifiers and internet activity data to deliver targeted advertisements across other websites and platforms.
  • Analytics Tools: Third-party analytics services (Google Analytics, Cloudflare Analytics, Segment) may receive usage data that could be used for their own purposes as described in their respective privacy policies.

Disclosure Summary (Preceding 12 Months)

The following table summarizes the categories of personal information we have disclosed and the categories of third parties who received them:

Category of Personal Information Categories of Third-Party Recipients Purpose
Identifiers (name, email, IP address) Analytics providers, advertising networks, email service providers Service delivery, marketing, analytics
Commercial Information (billing, subscription data) Payment processors (Stripe) Payment processing, billing
Internet or Network Activity (browsing, device data) Analytics providers (Google Analytics, Cloudflare, Segment), advertising networks (Google Ads, Facebook, Twitter) Analytics, targeted advertising, remarketing
Cookies and Tracking Data Advertising networks (Google, Facebook, Twitter) Behavioral remarketing, interest-based advertising

We have not sold personal information for monetary consideration in the preceding 12 months. To opt out of sharing for cross-context behavioral advertising, see the Opt-Out Mechanism section below.

Categories of Third Parties

We may disclose personal information to the following categories of third parties for the business and commercial purposes described in this page:

  • Payment Processors: Stripe — to process subscription payments and manage billing. Stripe is PCI-DSS compliant and does not share your payment data with us beyond transaction confirmations.
  • Analytics Providers: Google Analytics (GA4), Cloudflare Analytics, and Segment — to monitor website traffic, analyze usage patterns, and improve our service.
  • Advertising Networks: Google Ads (AdWords), Facebook, and Twitter — to deliver remarketing advertisements and measure advertising effectiveness.
  • Cloud Infrastructure and Hosting Providers: To host, store, and deliver our service securely.
  • CI/CD and Development Tools: GitHub — for code management and development workflow.
  • Subsidiaries and Affiliates: Companies within our corporate group, as necessary for business operations.
  • Legal and Regulatory Authorities: Law enforcement agencies, courts, or regulators when required by law or valid legal process.
  • Business Transaction Parties: Potential acquirers, merger partners, or their advisors in connection with a merger, acquisition, or sale of assets.

Our Responsibilities Under the CCPA

As a business subject to the CCPA, Popupsmart Inc. commits to the following obligations:

Transparency

We provide clear and accessible information about the categories of personal information we collect, the purposes for which it is used, how long we retain it, and the rights available to you. This page, together with our Privacy Policy, serves as our notice at collection.

Honoring Consumer Rights

We have processes in place to receive, verify, and respond to consumer requests within the timeframes required by law. We do not charge a fee for processing standard requests.

Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. This means we will not:

  • Deny you goods or services;
  • Charge you different prices or rates;
  • Provide you with a different level or quality of service; or
  • Suggest that you will receive any of the above treatments.

Financial Incentives

We do not currently offer any financial incentives, price differences, or service differences in exchange for the retention, sale, or sharing of your personal information. If we introduce any such programs in the future, we will provide you with clear notice, explain the material terms, obtain your opt-in consent, and allow you to withdraw at any time.

Data Security

We implement commercially reasonable security measures to protect your personal information from unauthorized access, disclosure, alteration, or destruction. While no method of transmission over the Internet is completely secure, we continuously work to safeguard your data. Payment card details are handled exclusively by our PCI-DSS compliant payment processor, Stripe, and are never stored on our systems.

Service Provider Oversight

We require our service providers and third-party partners to handle personal information in accordance with applicable privacy laws and our contractual obligations. Third parties who receive personal information from us are contractually bound to use it only for the specific purposes outlined in our agreements.

Your Rights as a California Resident

Under the CCPA, California residents have the following rights regarding their personal information:

Right to Know

You have the right to request that we disclose:

  • The categories of personal information we have collected about you;
  • The categories of sources from which personal information was collected;
  • The business or commercial purpose for collecting or selling your personal information;
  • The categories of third parties with whom we share your personal information; and
  • The specific pieces of personal information we have collected about you.

You may submit a Right to Know request up to twice in a 12-month period.

Right to Delete

You have the right to request that we delete the personal information we have collected from you, subject to certain legal exceptions (for example, when the data is needed to complete a transaction, detect security incidents, comply with a legal obligation, or exercise legal rights).

Right to Correct

You have the right to request that we correct inaccurate personal information that we maintain about you. Upon receiving a verified request, we will use commercially reasonable efforts to correct the information.

Right to Opt-Out of Sale or Sharing

You have the right to opt out of the sale or sharing of your personal information. While Popupsmart does not sell personal information for monetary consideration, certain uses of advertising cookies and third-party analytics tools may constitute "sharing" under the CCPA's broad definition. You can exercise this right as described in the Opt-Out Mechanism section below.

Right to Limit Use of Sensitive Personal Information

If a business collects sensitive personal information, California residents have the right to limit its use to only what is necessary for providing the requested services. As stated above, Popupsmart does not knowingly collect sensitive personal information. If this changes, we will provide a clear mechanism for you to exercise this right.

Right to Non-Discrimination

You have the right to exercise any of the above rights without receiving discriminatory treatment from us.

How to Submit a Request (Know, Delete, or Correct)

To exercise your Right to Know, Right to Delete, or Right to Correct, follow these steps:

  1. Submit your request using one of the following methods:
    • Email us at: [email protected] with a subject line indicating your request type (e.g., "CCPA Deletion Request," "CCPA Right to Know Request," or "CCPA Correction Request");
    • Fill out our Data Request Form.
  2. Include the following information in your request: your full name, email address associated with your account, the specific right you are exercising, and a description of your request. For correction requests, please specify the information you believe is inaccurate and the corrected information.
  3. Identity verification: For your protection, we will verify your identity before processing any request. Depending on the type of request and the sensitivity of the information involved, we may:
    • Ask you to confirm information associated with your account (e.g., email address, account details);
    • Send a verification email to the email address on file;
    • Request additional documentation if we cannot otherwise verify your identity
    For requests to know specific pieces of personal information, we apply a higher level of verification to protect your data. We will not fulfill a request if we are unable to verify your identity.
  4. Processing timeline: We will acknowledge your request within 10 business days and fulfill it within 45 calendar days of receipt. If we need additional time, we will notify you in writing and may extend the response period by up to 45 additional days (90 days total from the original request).
  1. Confirmation: Once your request has been processed, we will send you a confirmation detailing the actions taken.

Please note that certain information may be exempt from deletion where retention is required by law or necessary to complete a transaction, detect security incidents, or exercise legal rights.

Authorized Agents

You may designate an authorized agent to submit a CCPA request on your behalf. To do so:

  • The authorized agent must provide written proof of authorization signed by you (such as a power of attorney or a signed written authorization letter);
  • We may still require you to verify your own identity directly with us, unless the agent has a valid power of attorney under California Probate Code sections 4121–4130;
  • The authorized agent must submit the request using the same methods described above (email or Data Request Form), along with proof of their authorization.

We may deny a request from an authorized agent who cannot provide sufficient proof of authorization.

Opt-Out Mechanism

You have the right to opt out of the sale or sharing of your personal information. Here is how you can exercise this right:

"Do Not Sell or Share My Personal Information" Link

Click the link below to submit an opt-out request directly:

Do Not Sell or Share My Personal Information

Other Ways to Opt Out

  • Email: Send a request to [email protected] with the subject line "CCPA Opt-Out Request."
  • Web form: Submit your request through our Data Request Form.
  • Browser signals: We honor Global Privacy Control (GPC) signals. If your browser or an extension sends a GPC signal, we will treat it as a valid opt-out request for that browser. You do not need to submit a separate request.

We will process opt-out requests within 15 business days. You do not need to create an account or verify your identity to opt out.

Managing Cookies

You can control cookies through your browser settings. Most browsers allow you to refuse all cookies or alert you when a cookie is being sent. You can also opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on. For advertising cookies, you can adjust your preferences through:

Please note that disabling cookies may affect certain features of our service.

Children's Privacy

Our services are not intended for use by individuals under the age of 18. We do not knowingly collect personally identifiable information from children under 18. Under the CCPA, businesses must obtain opt-in consent before selling or sharing the personal information of consumers under 16 years of age (with parental consent required for consumers under 13). Because we do not knowingly collect data from minors, we do not sell or share the personal information of consumers under 16. If we learn that we have inadvertently collected personal information from a minor, we will promptly delete it. If you believe a child has provided us with personal information, please contact us at [email protected].

Contact Information

If you have questions about this CCPA Compliance Page, wish to exercise your rights, or need further assistance, please contact us:

We aim to respond to all inquiries within 10 business days. For formal CCPA requests, the response timeline outlined in the relevant sections above applies.

This page was last updated on March 12, 2026.