    Privacy Policy

    Effective May 1, 2026

    This Privacy Policy explains how Madame Zuzu's Tea House & Record Shop ("Madame Zuzu's," "we," "us," or "our") collects, uses, discloses, and safeguards information when you visit madamezuzus.com and our related sites (the "Site"), shop with us, attend our events, or otherwise interact with us. Madame Zuzu's is operated from Highland Park, Illinois, USA.

    1. Information We Collect

    We collect the following categories of personal information:

    • Identifiers & contact data: name, shipping/billing address, email, phone number, account credentials.
    • Order & commercial data: products purchased, order history, cart contents, returns, gift card usage.
    • Payment data: processed by our payment processor (Shopify Payments / Shop Pay). We do not store full card numbers on our servers.
    • Device & usage data: IP address, browser type, device identifiers, pages viewed, referring URLs, session recordings (Microsoft Clarity), and approximate location derived from IP.
    • Marketing data: email preferences, SMS opt-ins, responses to campaigns, attribution data.
    • Event & in-store data: RSVPs, ticket purchases, photos taken at public events, and information you provide when booking private events.
    • Communications: messages, customer-service inquiries, and survey responses.

    2. How We Collect Information

    • Directly from you when you place an order, create an account, sign up for our newsletter, contact us, or attend an event.
    • Automatically through cookies, pixels, SDKs, and similar technologies (see Section 7).
    • From service providers, including payment processors, shipping carriers, analytics, and advertising partners.
    • From publicly available sources and social media platforms when you engage with us.

    3. How We Use Your Information

    We use personal information to:

    • Process orders, fulfill shipments, handle returns, and provide customer support.
    • Operate, secure, and improve the Site, our products, and our events.
    • Send transactional messages (order confirmations, shipping updates).
    • With your consent, send marketing emails and SMS about new releases, events, and offers.
    • Personalize your experience and recommend products.
    • Measure and improve marketing, including conversion tracking and audience modeling.
    • Detect, prevent, and respond to fraud, abuse, and security incidents.
    • Comply with legal obligations, including tax, accounting, and consumer-protection laws.

    Where required by law (including under the EU/UK GDPR), our legal bases are: performance of a contract, your consent, our legitimate interests in operating and growing our business, and compliance with legal obligations.

    4. How We Share Information

    We share personal information with:

    • Service providers who process data on our behalf, including Shopify (e-commerce platform and order management), Stripe (payment processing via Shopify Payments / Shop Pay), Supabase (cart and event data), shipping carriers (USPS, UPS, FedEx, DHL), email and SMS marketing providers (Klaviyo and Omnisend), analytics (Google Analytics 4, Microsoft Clarity), and advertising platforms (Meta Pixel, TikTok Pixel, Google Ads).
    • Event partners (e.g., Eventbrite) when you register for ticketed events.
    • Professional advisors such as lawyers, accountants, and auditors.
    • Authorities when required by law, subpoena, or to protect rights, safety, or property.
    • Successors in the event of a merger, acquisition, financing, or sale of assets.

    We do not sell personal information for money. We may "share" or process certain identifiers with advertising partners for cross-context behavioral advertising as defined under California law; you may opt out at any time (see Section 9).

    5. International Transfers

    Madame Zuzu's is based in the United States. If you access the Site from outside the U.S., your information will be transferred to, processed, and stored in the U.S. and other countries where our service providers operate. Where required (e.g., from the EEA, UK, or Switzerland), we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses.

    6. Data Retention

    We retain personal information for as long as needed to provide our services, comply with legal, tax, and accounting obligations (typically up to 7 years for transaction records), resolve disputes, and enforce our agreements. Saved cart sessions are kept for up to 14 days and then automatically cleared. Marketing preferences are retained until you opt out.

    7. Cookies & Tracking Technologies

    The specific tracking technologies we use include:

    • Google Analytics 4 (GA4) — site usage analytics, conversion measurement.
    • Microsoft Clarity — session replay and heatmaps to improve UX.
    • Meta Pixel (Facebook/Instagram) — advertising, retargeting, conversion tracking.
    • TikTok Pixel — advertising and conversion tracking on TikTok.
    • Google Ads — advertising and conversion tracking across Google properties.
    • Klaviyo and Omnisend — email and SMS marketing attribution.
    • Strictly necessary cookies — cart session, checkout, security (cannot be disabled).

    We use Google Consent Mode v2. Until you grant consent through our cookie banner, advertising and analytics cookies remain disabled. You can change your choices at any time via the "Cookie Settings" link in the footer or by clearing your browser storage for this Site.

    8. Your Rights (EU/UK/EEA — GDPR)

    If you are in the EEA, UK, or Switzerland, you have the right to:

    • Access the personal data we hold about you.
    • Request correction of inaccurate data.
    • Request erasure ("right to be forgotten") subject to legal exceptions.
    • Restrict or object to processing, including direct-marketing processing.
    • Data portability — receive your data in a structured, machine-readable format.
    • Withdraw consent at any time where processing is based on consent.
    • Lodge a complaint with your local supervisory authority.

    To exercise any right, email cafe@madamezuzus.com. We respond within 30 days.

    9. Your Rights (California — CCPA/CPRA)

    California residents have the right to:

    • Know the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the categories of third parties with whom we share it.
    • Delete personal information, subject to legal exceptions.
    • Correct inaccurate personal information.
    • Opt out of the "sale" or "sharing" of personal information for cross-context behavioral advertising.
    • Limit the use of sensitive personal information.
    • Non-discrimination for exercising your rights.

    To opt out of sharing for advertising, use our cookie banner or send a Global Privacy Control (GPC) signal — we honor GPC. To make any other CCPA request, email cafe@madamezuzus.com with the subject line "California Privacy Request." We will verify your identity by matching against information on file. You may use an authorized agent with written permission.

    In the prior 12 months we have collected the categories described in Section 1 and disclosed them to the recipients described in Section 4. We have not knowingly sold the personal information of consumers under 16.

    10. Other U.S. State Rights

    Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other states with comprehensive privacy laws have similar rights to access, correct, delete, and opt out of targeted advertising and profiling. Contact us at cafe@madamezuzus.com to exercise these rights. You may appeal a denial by replying to our response email.

    11. Children's Privacy

    The Site is not directed to children under 13, and we do not knowingly collect personal information from children under 13 in compliance with the Children's Online Privacy Protection Act (COPPA). If you believe a child has provided us with personal information, contact us and we will delete it.

    12. Security

    We use administrative, technical, and physical safeguards designed to protect personal information, including TLS encryption in transit, access controls, and PCI-DSS-compliant payment processing through Shopify. No method of transmission or storage is 100% secure.

    13. Marketing Communications

    You may unsubscribe from marketing emails using the link in any message, or reply STOP to marketing SMS. Message and data rates may apply. Transactional messages (order updates) will continue regardless of marketing preferences.

    14. Third-Party Links

    The Site may link to third-party sites (e.g., Spotify, Eventbrite, Instagram). We are not responsible for the privacy practices of those sites; please review their policies.

    15. Changes to This Policy

    We may update this Privacy Policy from time to time. The "Effective" date at the top will reflect the latest revision. Material changes will be communicated via the Site or email where appropriate.

    16. Contact Us

    Madame Zuzu's Tea House & Record Shop
    1876 First Street, Highland Park, IL 60035, USA
    Email: cafe@madamezuzus.com