Privacy Policy

Last Updated: March 25, 2025

Introduction

Descendant of Thieves, Inc. (“Descendant of Thieves,” “we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy describes how we collect, use, share, and safeguard your personal information when you use our website (www.descendantofthieves.com) and any related services (collectively, the “Services”). It is designed to be fully compliant with major privacy laws, including the California Consumer Privacy Act (CCPA) and California Online Privacy Protection Act (CalOPPA) in the United States, the EU and UK General Data Protection Regulation (GDPR), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and other applicable international privacy standards. By using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Services. 

If you have any questions about this Privacy Policy or our data practices, please contact us using the information provided in the Contact Us section below.

Personal Information We Collect

We collect various types of information from you in order to provide and improve our Services. This includes “personal data” or “personal information,” which means any information that identifies you or relates to you as an identifiable individual. Below is an overview of the information we may collect:

  • Identity and Contact Information: Such as your full name, email address, mailing/billing address, telephone number, and other contact details. For example, we collect this information when you create an account, place an order, or sign up for our newsletter.
  • Account Credentials: If you create an account, we collect login details like username and password (which are stored in encrypted form).
  • Payment and Transaction Information: If you make a purchase, we (or our third-party payment processors) collect payment details such as credit card number or PayPal information, billing address, and transaction history. Note: Payment information is processed securely and we do not store full credit card numbers on our servers.
  • Order Details: Information about the products you purchase from us, such as items ordered, sizes, quantities, and order date, as well as any returns or exchanges.
  • Preferences and Feedback: Information you provide regarding your preferences (for example, product interests, sizes, style preferences) and any feedback, reviews, or responses to surveys or promotions.
  • Communications: Copies of your communications with us, such as emails, customer support inquiries, or messages via our website or social media. This may include any information you choose to provide in these interactions.
  • Browsing and Usage Information: When you use our website, we automatically collect certain information about your device and how you interact with our Services. This may include your IP address, browser type, device type, operating system, referring URLs, pages viewed, links clicked, date/time stamps, and other usage statistics (e.g., page response times, time spent on pages, and navigation patterns).
  • Cookies and Tracking Data: We use cookies and similar tracking technologies (described in more detail in the Cookies and Tracking Technologies section) to collect information about your browsing activities over time and across our site. This can include cookie identifiers and other unique identifiers assigned to your device.
  • Location Data: We may infer your general location (e.g., city, state, country) from your IP address or mailing address. This is typically used for fraud prevention, analytics, and tailoring content (such as displaying prices in the correct currency). We do not collect your precise geolocation (e.g., GPS-based location) unless you explicitly provide it.
  • Non-Personal Information: We also collect data that does not identify you personally. For example, aggregated data or anonymized information about website traffic and usage patterns. This type of information does not reveal the identity of any individual user and is generally not considered personal data. However, if we combine or link non-personal information with personal information in a way that could identify you, we will treat the combined information as personal data.

You may choose not to provide certain personal information (for example, you can browse our site without creating an account or you may decline to submit optional information). However, refusing to provide some information may limit your ability to use certain features of our Services – for instance, we need basic contact and payment details to process your orders.

How We Collect Your Information

We collect personal information from and about you in a variety of ways:

  • Directly from You: Most of the information listed above is provided directly by you. For example, you give us personal and payment information when you place an order; you provide contact details and preferences when creating an account or filling out forms (such as newsletter sign-ups, contest entries, or surveys); and you share information when you communicate with us via email or customer support.
  • Through Your Use of the Services (Automatic Collection): As you interact with our website, we use cookies, web beacons, pixels, log files, and other automated technologies to collect technical data about your equipment and browsing actions. This includes the browsing and usage information and device data mentioned above (IP address, device info, pages visited, etc.). This data is collected automatically for all users to help us understand how our site is used and to secure our Services. (See Cookies and Tracking Technologies for more details.)
  • From Third-Party Service Providers: We may receive information about you from third parties that help us operate our business. For example, if you make a purchase, our payment processor (such as a credit card company or PayPal) will verify and confirm your payment details and send us certain information (like a payment confirmation or updated billing address). If we use an e-commerce platform or inventory management service (for instance, our website is powered by Shopify), those providers may collect information on our behalf as needed to process orders and will share that information with us. We might also receive updated delivery information from our shipping carriers or address verification services to correct our records. Additionally, we could receive information from social media platforms or marketing partners if you engage with us through those channels (for example, if you clicked an ad for Descendant of Thieves on social media, we may receive de-identified data like what ad was clicked and where).
  • From Analytics and Advertising Partners: We use third-party analytics tools (such as Google Analytics) that collect information about website traffic and user behavior. These partners use cookies and similar technologies to gather data on our behalf (e.g., what pages you visit, how long you stay, how you arrived at our site). This helps us analyze and improve our Services. We may also work with advertising networks (like Google Ads or social media ad platforms) which may provide us with aggregated insight into the effectiveness of our advertising campaigns (for example, how many people visited our site after clicking an ad). Typically, the information we obtain from analytics and ad partners does not identify you personally, but it may be linked to your device via cookies or other identifiers. (See Cookies and Tracking Technologies for how you can opt out of certain analytics/advertising.)
  • Public Sources: We generally do not collect information from public databases or third-party data brokers about individual customers. In the rare case that we might need to verify information for fraud prevention or compliance (for example, verifying identity in the event of a high-value transaction), we could use publicly available information or third-party identity verification services. If we ever do so, it will be in compliance with applicable law.

We will indicate at the time of collection whether certain information is mandatory or optional. If we ask for personal information due to legal requirements or to fulfill a contract with you (e.g., requiring your address to deliver products), we will inform you at that time. If you have questions about why certain information is requested, feel free to contact us.

How We Use Your Information

We use the personal information we collect for various legitimate business purposes, in accordance with the manner described in this Policy. The primary purposes for which we process your information include:

  • To Process Orders and Provide Services: We use your personal information to carry out our obligations arising from any orders or contracts entered into between you and us. For example, we use your information to process payments, fulfill your purchases, handle shipping and deliveries, and provide you with the products or services you have requested.
  • Customer Service and Support: Your information (like contact details and order history) is used to provide you with customer support. This includes responding to your inquiries, confirming your orders, processing returns or exchanges, and addressing any issues or concerns you have.
  • Account Management: If you create an account, we use your information to maintain your account, allow you to log in, and verify your identity as a registered user. We may also use it to enable account features like saved preferences, order history review, or wishlists.
  • Personalization of User Experience: We may use your data to personalize the Services and improve your experience. For example, we might use your browsing history or past purchases to recommend products you may like, display content that is more relevant to your interests, or customize what you see on our website (such as showing you items available in your region or in your preferred size).
  • Marketing and Promotional Communications: With your consent (where required by law), we use your contact information (e.g., email address) to send you marketing communications. These may include newsletters, special offers, announcements about new arrivals or services, or other updates we think may interest you. You can opt out of marketing emails at any time by clicking the unsubscribe link in any email or by contacting us (opting out will not affect transactional communications, like order updates).
  • Analytics and Service Improvement: We analyze how users interact with our website and services in order to understand what is working and what can be improved. Information about usage and preferences helps us troubleshoot problems, improve the content and functionality of our website, develop new features, and enhance the overall quality of our products and Services. For instance, we may use aggregated usage data to see which webpages are most visited or to identify and fix usability issues.
  • Advertising and Retargeting: We may use browsing information and cookies to provide you with relevant advertisements for our products on our site or on third-party platforms (such as showing you ads for Descendant of Thieves on other websites or social media after you have visited our site). We also use information like marketing email engagement or site visits to measure the effectiveness of our advertising campaigns. Any advertising or retargeting activities are done in accordance with applicable law (for example, if required, we will ask for your consent before using non-essential cookies or similar technologies for advertising purposes).
  • Fraud Detection and Security: Your information is also processed to maintain the safety and security of our Services, our business, and our users. For example, we may use certain data (like device information, IP address, and transaction history) to detect and prevent fraud, credit card misuse, or other unauthorized or illegal activities. We also use this information to debug and protect against technical issues and cyber attacks, and to enforce our Terms of Service.
  • Legal Obligations and Compliance: In some cases, we need to use your personal information to comply with laws and regulations. For instance, we may retain transaction records for tax filings and accounting purposes, or disclose information in response to valid requests from law enforcement or to meet other legal obligations (more details in Sharing Your Information below). We also use personal data to fulfill our obligations under consumer protection laws and privacy laws (such as responding to verified consumer requests to exercise privacy rights).
  • Other Purposes (with Notice to You): If we intend to use your information for any purpose that is materially different from the purposes listed in this Policy, we will provide you with specific notice at the time of collection or before the new use, and obtain your consent when required. For example, if we launch a new feature or service that involves processing your data in a new way, we will update this Policy and/or ask for agreement as needed.

We will only use your personal information for the purposes for which we have collected it, unless we reasonably consider that we need to use it for another compatible purpose that is consistent with the original reason for collection. If we need to use your personal information for an unrelated purpose, we will notify you and explain the legal basis that allows us to do so.

Legal Bases for Processing (GDPR/UK GDPR)

If you are located in the European Economic Area (EEA) or the United Kingdom, we must have a valid legal basis to process your personal data under the GDPR/UK GDPR. This means that for each use of your data (as outlined in the previous section), we rely on one of a few permitted grounds. These are the legal bases we typically rely on:

  • Performance of a Contract: When we need to process your personal data to fulfill a contract with you or to take steps at your request before entering into a contract. For example, when you buy products from us, we process your payment and address details to deliver your order and provide the services you requested. Without this data, we cannot perform the contract with you.
  • Your Consent: We will rely on your consent in situations where we ask for it explicitly. For instance, we seek your consent to send marketing emails or newsletters to you (if you are not already an existing customer, or if law otherwise requires consent), and we obtain consent via the cookie banner to place and read certain cookies for analytics/advertising on your device (where required by law). Where we rely on consent, you have the right to withdraw that consent at any time. Withdrawal of consent will not affect the lawfulness of processing done before you withdrew consent.
  • Legitimate Interests: We process certain data as necessary for our (or others’) legitimate business interests, provided that those interests are not overridden by your data protection rights and interests. We believe our legitimate interests in processing your data include: improving and personalizing our services; securing our platform; preventing fraud; understanding how customers use our products; direct marketing of similar products to existing customers; and running a successful e-commerce business. For example, it is in our legitimate interest to analyze our web traffic to improve our website’s functionality, or to send promotional offers to our existing customers. When we rely on legitimate interests, we consider and balance any potential impact on you (both positive and negative) and your rights under data protection laws. We will not use your personal data for activities where our interests are overridden by the impact on your privacy (such as certain types of tracking or profiling) without your consent or unless otherwise required or permitted by law.
  • Legal Obligation: In some cases, we need to process personal data to comply with a legal obligation to which we are subject. For example, we may keep records of purchases as required by tax law, or we may be required to disclose information to comply with a court order or regulatory requirement. Processing of data for these purposes is necessary for us to fulfill duties imposed by law.
  • Vital Interests or Public Interest: These bases are less likely to apply in the context of a retail website. However, if ever there is a situation where processing is necessary to protect someone’s life or other vital interests, or for a task carried out in the public interest, we could rely on those bases. For example, in the unlikely event of a serious product safety concern requiring us to contact customers, we might process data under vital interests to warn individuals of a danger. (This is mentioned for completeness; ordinarily our processing will rely on the other bases above.)

GDPR/UK Note: Where applicable, we will always ensure we have a valid legal ground to process your personal data. If you have questions about the legal basis for any specific processing activity, please contact us and we will provide additional explanation.

Sharing Your Personal Information

We value your privacy and handle your personal information with care. We do not sell your personal data to third parties for their own marketing or commercial purposes. However, in the normal course of running our business and providing our Services, we do share personal information with certain third parties, as described below. Whenever we share your data, we take steps to ensure that those recipients use your data only for the intended purposes and treat your data with confidentiality and security.

Categories of Third Parties with whom we may share information:

  • Service Providers (Processors): We share personal information with trusted third-party companies that perform services on our behalf and under our instructions. These include, for example: payment processors (to securely handle credit card transactions); e-commerce platform providers and order management systems (to power our online store and manage orders); shipping carriers and logistics partners (to deliver your purchases); email service providers and marketing platforms (to send communications); cloud storage and IT providers (for data hosting, backups, and other IT support); and customer service tools (to manage live chats or support inquiries). We only provide these companies with the information they need to perform their specific services. They are contractually obligated to protect your data and not to use it for any purpose other than providing the agreed-upon service to us.
  • Analytics and Advertising Partners: As mentioned, we use third-party analytics tools (like Google Analytics) and may partner with advertising or social media networks for marketing purposes. These third parties may receive certain information about your device and browsing actions through cookies or similar tracking technologies on our site. For instance, Google Analytics may receive your IP address and browsing data, or a social media platform may know that a user on your device clicked an ad for our products. We generally do not share information that directly identifies you (like your name or email) with our analytics or ad partners, but they may collect unique identifiers (like cookie IDs or device IDs) when you interact with our site. Any data shared with these partners is used to evaluate and improve our marketing efforts, measure site performance, and deliver relevant ads about our products to you. These third parties are responsible for their use of your data, and their use is governed by their own privacy policies. You can learn more about our use of cookies and how to opt out of certain tracking in the Cookies and Tracking Technologies section.
  • Affiliates and Business Partners: We currently do not have parent or subsidiary companies that share in the data; however, if Descendant of Thieves ever becomes part of a corporate group, we may share information within that family of affiliated companies under similar privacy protections. Additionally, we may share information with co-marketing partners or event partners if you participate in a joint promotion (in such cases, we will inform you at the time of data collection that the information will be shared, and often you will have the chance to opt-in or opt-out of such sharing).
  • Legal Requirements and Protection of Rights: We may disclose personal information when we believe in good faith that such disclosure is necessary to comply with a legal obligation or valid legal process. This includes responding to subpoenas, warrants, or court orders, or to meet national security or law enforcement requests. We may also share your information in order to enforce our Terms of Service or other agreements, protect our rights and property, protect the safety of our customers or others, or investigate and deter fraud or security issues. For example, if we detect fraudulent activity, we might share information with law enforcement or fraud prevention agencies.
  • Business Transfers: In the event that our company undergoes a business transaction such as a merger, acquisition by another company, reorganization, or sale of all or part of our assets, your personal information may be one of the assets transferred to the new entity. This would typically occur as part of due diligence or completion of the transaction, under confidentiality agreements. If such a transfer happens, the successor organization will be bound by this Privacy Policy (or one with materially the same protections for your privacy) and your personal information would remain subject to the promises made in this Policy. We will notify you (for example, via a notice on our website or email) of any such change in ownership or control of your personal information, as required by law.
  • With Your Consent or At Your Direction: Aside from the situations above, we will share your personal information with third parties only if you provide us with consent or request that we do so. For instance, if you ask us to share your information with a stylist or personal shopper, or if you intentionally interact with third-party plug-ins (like social media sharing buttons on our site), we may share data at your direction. In such cases, we will make it clear at the time of obtaining your information that the information will be shared in that manner.

Third-Party Websites and Links: Our website may contain links to third-party websites, plug-ins, or services that are not operated by us (for example, links to our profiles on Instagram, Facebook, or other partner sites). If you click on those links or otherwise engage with third parties, you will be leaving our site and this Privacy Policy will not apply to those external sites. We are not responsible for the privacy practices of any third-party websites or services. We encourage you to read the privacy policies of every website you visit or service you use that collects your personal information.

Rest assured, we do not sell or rent your personal information to unrelated third parties for their own marketing. We may share certain limited data (like cookie-based data) with advertising partners as described, but this is solely to serve you Descendant of Thieves advertisements and is done in a privacy-conscious manner. Under the definitions of some laws (like the CCPA), certain uses of cookies for advertising might be considered a “sale” or “sharing” of personal information. We address those scenarios and your rights in the Your Rights and Choices section below. If you have any questions about who we share your information with, please contact us.

Cookies and Tracking Technologies

Like most websites, we use cookies and similar tracking technologies to make our Services function properly and to enhance your experience. This section explains these technologies and your choices.

What Are Cookies?
Cookies are small text files that are placed on your computer or device when you visit a website. They allow the website to recognize your device and store certain information about your preferences or past actions. Cookies can be “first-party” (set by us, the site you visit) or “third-party” (set by someone other than us, such as an analytics or advertising partner). Cookies may be session cookies (which expire when you close your browser) or persistent cookies (which remain on your device for a set period or until you delete them).

How We Use Cookies:
Descendant of Thieves uses cookies and similar technologies (like pixel tags, web beacons, and device identifiers) for a variety of purposes, including:

  • Necessary Cookies: These cookies are essential for the operation of our website and to enable you to use its features. For example, they allow you to navigate the site, add items to your cart, and checkout securely. Without these cookies, certain basic functions of the site would not work. Because they are necessary, you cannot opt out of these cookies (other than by completely disabling cookies in your browser, which will affect site functionality).
  • Functional Cookies: These cookies remember your preferences and choices to provide a more personalized experience. For instance, they may recall your location or language preference, keep you logged in to your account, or remember other customizations. While not strictly necessary, these cookies enhance convenience and site functionality.
  • Analytics Cookies: We use analytics or performance cookies to collect information about how visitors use our site. These cookies help us understand things like which pages are visited most often, how users move through the site, and if they encounter errors. The information collected is generally aggregated and does not directly identify individuals. For example, we use Google Analytics to gather data on site usage; Google’s cookies may track things like your IP address and browsing activity on our site, which we use for analytical reports. This helps us improve the website’s performance and design.
  • Advertising and Targeting Cookies: Our advertising partners may set cookies on our site to collect information about your browsing activities, in order to provide you with advertisements that are more relevant to your interests. For example, if you browse our site, you might later see an ad for Descendant of Thieves on another website—this is enabled by cookies that remember your visit to our site and inform advertising networks. These cookies can also limit the number of times you see the same ad and help measure the effectiveness of our marketing campaigns. The data collected through these cookies does not typically identify you by name or email; instead, it’s tied to unique identifiers associated with your device or browser. If required by law, we will obtain your consent before using advertising cookies.

Other Tracking Technologies:
In addition to cookies, we may use similar tracking technologies:

  • Pixel Tags and Web Beacons: These are tiny graphics or code snippets embedded on webpages or emails that track whether you’ve performed a specific action. For example, we may use pixels in our marketing emails to know if you opened an email or clicked a link, which helps us gauge campaign effectiveness and adjust our content.
  • Device Identifiers: We might collect unique identifiers for your device (such as an IDFA on iPhones or Android Advertising ID on Android) to recognize your device and support any personalization or advertising efforts. These can often be reset by the user in device settings.

Third-Party Cookies:
Some cookies and tracking technologies on our site are placed by third parties that we work with. For example, as mentioned, we use Shopify as our e-commerce platform, and Shopify may set cookies necessary for shopping cart and checkout functionality. Third-party analytics services like Google Analytics set their own cookies to collect usage data. Also, if we have embedded content from other platforms (for instance, a YouTube video or Instagram feed), those platforms may set their own cookies. We do not control third-party cookies, and their use is governed by the privacy policies of the third parties. However, we do contractually require our service providers to only use cookies and data collected from our site for the purposes we specify. Note: You can learn about how Google uses data collected via our site by visiting Google’s privacy site (e.g., Google’s Advertising Privacy & Terms). For Shopify’s use of cookies, you can see their cookie policy on Shopify’s website.

Your Choices for Cookies:
You have several options to control or limit how cookies are used on your device:

  • Browser Settings: Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies or alert you when a cookie is being placed on your device. Please note that if you disable or reject certain cookies, some parts of our site may become inaccessible or not function properly (for example, blocking “necessary cookies” may prevent you from placing orders).
  • Cookie Banner & Preferences: If we provide a cookie consent banner or settings on our site (as required in some jurisdictions), you can use that tool to customize your cookie preferences. For example, you might choose to accept only certain categories of cookies and not others (like disabling advertising cookies while allowing necessary ones).
  • Opt-Out of Analytics: You can opt out of Google Analytics tracking by using the Google Analytics Opt-Out Browser Add-on, available for most browsers. Some other analytics providers may offer similar opt-out mechanisms.
  • Advertising Choices: For third-party advertising cookies, you can typically opt out of targeted advertising by using industry opt-out tools. For instance, the Network Advertising Initiative (NAI) and the Digital Advertising Alliance (DAA) offer opt-out websites for participating companies. In the EU/UK, the European Interactive Digital Advertising Alliance (EDAA) offers a similar service. These tools allow you to opt-out of behavior-based advertising from participating networks. Keep in mind, opting out through these mechanisms usually relies on setting an opt-out cookie on your device, so if you clear all cookies, you might need to opt out again.
  • Do Not Track: “Do Not Track” (DNT) is a setting available in most web browsers that requests a website not track your online activities. However, there is currently no uniform standard for how websites should respond to DNT signals. As a result, our website does not respond to Do Not Track signals at this time. We will update this practice if an industry standard for browser-based do-not-track signals is established in the future.

For more information about cookies and how to manage or delete them, you can visit www.allaboutcookies.org. Keep in mind that completely disabling cookies may affect your experience on our site, as some features rely on cookies to function.

International Data Transfers

Descendant of Thieves is based in the United States, and that is where our website is operated and the majority of our data processing occurs. If you are accessing our Services from outside the U.S. (for example, from the European Union, United Kingdom, Canada, or any other country), please be aware that your personal information will likely be transferred to, and stored on, servers in the United States or other jurisdictions where our service providers are located. These locations may have data protection laws that are different from those in your country of residence (and, in some cases, may not be as protective).

However, we take steps to ensure that your personal information is treated securely and in accordance with this Privacy Policy and applicable law, regardless of where it is processed. When we transfer personal data internationally, we implement appropriate safeguards as required by relevant data protection laws. These may include:

  • Standard Contractual Clauses: For personal data originating from the EEA, UK, or Switzerland, we may rely on European Commission-approved Standard Contractual Clauses (SCCs) or equivalent legal mechanisms to ensure that your data is afforded an adequate level of protection in the U.S. or any other country to which it is transferred. These clauses contractually bind our service providers to protect the privacy and security of your data according to EU/UK standards.
  • Adequacy Decisions: Where applicable, we may transfer data to countries that have been officially deemed to provide an adequate level of data protection by the European Commission or relevant authority (note: as of the last update of this policy, the U.S. is not generally considered “adequate” except via specific frameworks or safeguards, so we rely on other mechanisms like SCCs for EU data transfers).
  • Privacy Frameworks: We comply with relevant cross-border privacy frameworks to the extent they apply. For example, if a new EU-U.S. or Swiss-U.S. data transfer framework is adopted by regulators, we will consider participation to facilitate lawful transfers.
  • Service Provider Agreements: We require that our non-US service providers who handle personal data from international users also implement adequate safeguards. Many of our major providers (for instance, e-commerce platforms, payment processors, cloud providers) are multinational companies with their own robust compliance programs to secure data transfers. We review their privacy practices and agreements to ensure they meet the necessary standards.

By using our Services or providing us with your information, you consent to the transfer of your personal information to the United States and other jurisdictions as described above, if permitted under your local laws. We will of course process your information in accordance with this Policy no matter where it is transferred. If you have questions about our international data practices, or need more information about the safeguards in place, please contact us.

Data Retention

We retain personal information only for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. How long we keep your data can vary depending on the type of information and the reasons we collected it:

  • Customer and Order Information: We generally keep information related to your purchases (such as your name, contact info, and order details) for as long as you have an account with us or as needed to provide you with our Services. Even if you don’t have an account, we may retain order records for a certain period to handle any returns, refunds, or warranty issues, and to comply with financial and legal obligations. For example, we are typically required by law to keep basic information about transactions (including payment and shipping data) for a number of years for tax and bookkeeping purposes.
  • Account Data: If you create an account on our site, we will keep your account information for as long as your account is active. If you decide to close your account, we will delete or anonymize your personal information associated with the account within a reasonable time after closure, except for any data we are required or authorized to retain (e.g., past order records as noted, or logs needed for security and fraud prevention). Inactive accounts (accounts that haven’t been used in a long time) may also be removed or anonymized after a prolonged period of inactivity, in line with our data retention policies.
  • Marketing Communications Data: We retain information used for email marketing or other direct marketing until you opt out of such communications. If you unsubscribe from our marketing emails, we will stop sending them and may keep your email address on a suppression list to ensure we honor your opt-out.
  • Analytics Data: Analytics data that is collected automatically (like web usage data) is typically retained only for a short period in identifiable form. We may aggregate or anonymize this data for longer-term analytics and improvements, in which case it ceases to be personal information. For example, Google Analytics data is retained for a set period (which we configure, often 26 months or less) before deletion, and we may receive only aggregated reports thereafter.
  • Logs and Security Data: Our web server logs and security logs (which can include IP addresses and device identifiers) are generally retained for a short duration, unless they are being used to investigate a security incident or to provide evidence for a legal matter.
  • Legal and Compliance Retention: In certain cases, we may need to retain data for longer if required by law or if needed to resolve disputes or enforce our agreements. For instance, if we receive a legal hold or preservation request, or if data is needed to investigate a violation of our terms, we will retain the specific information as necessary until the issue is resolved.

Once the retention period for a piece of data expires, or if the data is no longer needed for the purposes listed above, we will either delete it securely or anonymize it (so that it can no longer be associated with you). If deletion is not immediately feasible (for example, because the data is stored in a secure backup archive), we will isolate it from any further active use until deletion is possible.

If you have any questions about our data retention practices for specific types of information, you can contact us for more details. We also honor verified user requests to delete personal data as required by applicable law (see Your Rights and Choices below), and will delete data earlier than the retention periods above if we are legally obligated to do so.

Data Security

We take the security of your personal information seriously. Descendant of Thieves implements appropriate technical and organizational security measures designed to protect your personal data from unauthorized access, disclosure, alteration, or destruction. These measures include, but are not limited to:

  • Secure Networks and Encryption: Our website uses Secure Sockets Layer (SSL) or equivalent encryption technology to protect data transmitted between your browser and our servers. You can verify this by looking for the “https” in the URL of our website. Sensitive information (such as payment details) is transmitted securely to our payment processors using encryption. We do not store full credit card numbers on our systems; such information is handled by compliant payment providers.
  • Access Controls: We limit access to personal information to employees, contractors, and service providers who need that data to perform their jobs or provide services to us. All such parties are subject to confidentiality obligations and are required to handle your data securely. We employ access controls on our systems to ensure that only authorized personnel can access sensitive data.
  • Authentication and Network Security: Our systems are protected by authentication mechanisms (such as passwords and, where feasible, multi-factor authentication for administrative access). We maintain firewalls and monitoring systems to guard against unauthorized network access. Regular security assessments are conducted to identify and address potential vulnerabilities.
  • Data Storage Security: Personal data is stored on secure servers. We (and our hosting providers) apply industry-standard practices for securing data at rest, which may include encryption, intrusion detection systems, and regular backups. Our service providers that handle data (like cloud storage or our e-commerce platform) are vetted for strong security practices and certifications (for example, many adhere to ISO 27001, SOC 2, or PCI-DSS standards as relevant).
  • Payment Security: All payment transactions on our site are handled through PCI-DSS compliant providers. These providers specialize in the secure processing of payment information. We ensure that any payment forms on our site meet security standards and that we do not unnecessarily expose your payment details.
  • Employee Training and Policies: We train our team members about the importance of confidentiality and privacy. We have internal policies in place to handle personal information appropriately and to respond quickly and correctly in the event of a security concern.

Despite our efforts, please be aware that no method of transmission over the internet or method of electronic storage is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security. It is also important for you to guard against unauthorized access to your account and personal information by adopting good security practices. Make sure to use a strong, unique password for our website (if you create an account) and do not share your password with others. If you suspect any unauthorized access or activity in your account, please notify us immediately.

In the unfortunate event of a data breach that affects your personal information, we will follow all applicable laws and regulations regarding notification. This may include notifying you and/or relevant authorities if required by law.

Your Rights and Choices

You have certain rights and choices regarding your personal information. These rights may vary depending on your location and the applicable privacy laws, but we are committed to honoring the rights of individuals as required by law and, in many cases, even when not strictly required. The following outlines your key privacy rights and how you can exercise them:

Access and Transparency: You have the right to request access to the personal information we hold about you and to receive information about how we use and share it. This includes the right to ask us for confirmation whether we are processing your personal data, and to obtain a copy of the personal data we have about you. We will provide the information in a readily usable format, and for California residents or others as required by law, in a portable format.

Correction (Rectification): If any of your personal information is inaccurate or incomplete, you have the right to request that we correct or update it. For example, if you change your name or email address, or if you believe we have an incorrect address or outdated information, please let us know so we can update it. Many account details can be corrected by you directly by logging into your account settings (if you have an online account with us). For other data corrections, contact us and we will address them.

Deletion (Right to Erasure): You have the right to request that we delete your personal information. This is sometimes called the “right to be forgotten.” Upon your valid request, we will delete (and direct our service providers to delete) your personal information from our records, subject to certain exceptions. For example, we might retain information if needed to complete a transaction you requested, to detect or prevent fraud, to exercise our legal obligations or rights, or to comply with a legal obligation (we will let you know if any such exceptions apply to a deletion request). If you have an account, you may also simply close your account, after which we will delete or anonymize the personal data associated with it (except as required for legitimate purposes like proof of transactions).

Withdrawal of Consent: Where we rely on your consent to process your personal information (for example, for sending marketing emails or for using certain cookies), you have the right to withdraw your consent at any time. You can do this by, for instance, unsubscribing from our newsletter (using the “unsubscribe” link in emails) or adjusting your cookie settings. Withdrawal of consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, and it will not affect processing that is based on other legal grounds. However, it might mean that you can no longer receive certain services or benefits (for example, if you withdraw consent to marketing emails, we will stop sending them to you).

Objection to Processing: In certain situations, you have the right to object to the processing of your personal information.

  • Direct Marketing Objection: You can always opt out of our direct marketing communications. If you object to receiving marketing messages, we will stop processing your personal data for that purpose. (As noted, you can opt out by using the unsubscribe mechanism in emails or by contacting us.)
  • General Objection: If our processing of your data is based on a “legitimate interest” (see the Legal Bases section) and you feel that our processing impacts your rights, you have the right to object to that processing. If you raise an objection, we will consider whether we have compelling legitimate grounds that override your rights and interests, or if we need to continue processing your data for legal reasons. If we do not have such grounds, we will stop the processing in question. For example, you might object to us using your data for certain analytics or personalization; unless we have an overriding need to do so, we would stop or limit using your data in that way.

Restriction of Processing: You have the right to request that we restrict the processing of your personal information in certain circumstances. This means we would store your data but temporarily pause any other processing. You might request restriction if you are contesting the accuracy of your data (while we verify it), or if you want us to preserve data while you pursue a legal claim, or if you have objected to processing and await our verification of overriding grounds. When processing is restricted, we will appropriately mark the data and only process it for permitted reasons (such as with your consent or for legal compliance).

Data Portability: For data that you have provided to us and that we process by automated means on the basis of your consent or for performance of a contract, you have the right to obtain a copy in a structured, commonly used, machine-readable format. You also have the right to request that we transmit that data to another service provider (where technically feasible). In practice, this right primarily applies to data you provided (e.g., account information, order history) and would be fulfilled by providing you with an electronic file of your data.

California Privacy Rights: If you are a California resident, you have specific privacy rights under the CCPA (as amended by the CPRA) in addition to the general rights listed above. These include:

  • Right to Know: You can request that we disclose to you (up to twice per 12-month period) the categories and specific pieces of personal information we have collected about you in the past 12 months, the categories of sources of that information, the business or commercial purposes for collecting (or selling/sharing, if applicable) the information, and the categories of third parties with whom we shared the information. We believe this Privacy Policy provides much of that information. Upon a verified request, we will provide an individualized response to you with these details.
  • Right to Delete: As mentioned, you can request deletion of your personal information (with certain exceptions as allowed under CCPA, such as if the information is needed to complete a transaction or for another lawful purpose).
  • Right to Correct: You can request correction of inaccurate personal information we hold about you.
  • Right to Opt-Out of Sale or Sharing: We do not sell personal information for money. We also do not share personal information for cross-context behavioral advertising (the CCPA’s definition of “sharing”) without consent. In other words, we do not exchange your data with third parties for them to market their own products to you. The only context in which “sale” or “sharing” might be interpreted is our use of certain advertising cookies (as discussed, third-party advertising cookies may be considered a “sale/sharing” under California law). We have provided you options to control cookies in the Cookies and Tracking section. If you have set your browser to broadcast a Global Privacy Control (GPC) signal, which is a mechanism some browsers offer to opt out of sale/sharing, we will treat that as a valid opt-out request under CCPA for that browser on our site. If you believe we are selling or sharing your personal information in a way that you want to opt out of, please contact us.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. This means we won’t deny you our services, charge you a different price, or provide a different level of quality just because you exercised your rights. (Note: If you request deletion of data that is necessary to provide you a service, we may not be able to continue providing that service—but that’s a consequence of the deletion, not an intent to discriminate. We will always inform you if your request would affect your use of the Services.)
  • “Shine the Light” (California Civil Code § 1798.83): Separate from CCPA, California’s “Shine the Light” law allows residents to request certain information about our disclosure of personal information to third parties for their direct marketing purposes. However, we do not share personal information with third parties for their own direct marketing except with your consent. Therefore, we believe we have no disclosure obligations under that law. If you have questions about this, you can contact us.

Canadian Privacy Rights: If you are in Canada, you have similar rights to access and correct your personal information under PIPEDA and equivalent provincial laws. You also have the right to withdraw consent to the extent our processing is based on consent. We will accommodate your requests as required by Canadian law. If you are a Canadian resident and have questions or requests regarding your data, you may contact us (and you also have the right to contact the Office of the Privacy Commissioner of Canada or your provincial privacy regulator if you have any complaints).

Exercising Your Rights:
To exercise any of the rights described above, please contact us using the details in the Contact Us section of this Policy. Please be specific in your request so we can understand and respond appropriately. For example, if you want a copy of your data, it helps to mention the context (account info, orders, etc.) that you are interested in, or if you want deletion, let us know if it’s for certain data or all data.

For certain requests, especially those involving access, deletion, or disclosure of specific pieces of personal information, we will need to verify your identity to ensure we are dealing with the correct individual. Verification procedures may vary depending on your relationship with us (for instance, if you have an account, we may verify through your account login, or we might ask for confirmation of specific details we have on file such as a recent order number or billing address). If you are making a request on someone else’s behalf as an authorized agent (e.g., a legal representative or someone with power of attorney), we will ask for proof of authorization and also take steps to verify the identity of the individual for whom the request is made, where required by law.

We will respond to your request within the timeframes required by law. Under GDPR, that’s typically one month (with a possible extension in certain cases); under CCPA, that’s generally 45 days (with a possible 45-day extension). We will let you know if we need more time. In general, we aim to address requests as promptly and efficiently as possible.

Please note that some rights are not absolute. There are circumstances where we may lawfully decline your request, such as when fulfilling it would infringe on the rights of others or if an exemption applies. If we deny your request, we will explain the reason, as well as any options you may have to appeal the decision.

We do not charge a fee for processing a reasonable request to exercise your rights. However, if requests become manifestly unfounded or excessive (for example, repetitive requests), we reserve the right to charge a reasonable fee or decline the request as permitted by law. We will never charge a fee for requests under CCPA.

Finally, if you have concerns about how we handle your data, you have the right to lodge a complaint with a supervisory authority (for EU/UK individuals, this would be your country’s Data Protection Authority; for Canada, the Privacy Commissioner; for others, your local regulator if one exists). We sincerely encourage you to contact us first so we can try to address your concerns directly.

Children’s Privacy

Protecting the privacy of minors is especially important. Our Services are not directed to or intended for children under the age of 13, and we do not knowingly collect personal information from children under 13. If you are under 13, please do not use our website or provide any information about yourself to us (including your name, address, email, or phone number). If we learn that we have inadvertently collected personal data from a child under 13 without verified parental consent, we will take immediate steps to delete that information from our records.

If you are a parent or guardian and believe that we might have any information from or about a minor child, please contact us so that we can investigate and delete the information as necessary.

For teens aged 13 to 16 (or the applicable age of digital consent in your region), our policy is that they should only use the site with the involvement of a parent or guardian. If we intend to collect personal information from users in this age range in a manner that requires consent (for example, for certain marketing activities in jurisdictions where consent is required from a parent for those under 16), we will comply with those requirements. Generally, we treat all users under 18 as needing parental consent for any data practices that go beyond what’s allowed without consent.

California minors under 18 years old may request the removal of any content or information they have posted on our website (for example, if our site had public forums or reviews). Currently, our website does not allow minors to post content publicly. However, if that changes and a minor does publicly post content, they can request deletion by contacting us (California Business & Professions Code § 22581). We will then make reasonable good-faith efforts to remove the content (though complete or comprehensive removal from the Internet may not be possible, especially if third parties have reposted the content).

In summary, we do not knowingly engage in data collection from children under 13, and we strive to comply with laws like the U.S. Children’s Online Privacy Protection Act (COPPA) and other applicable minors’ privacy regulations. If you are aware of any data we have collected from children, please inform us so we can address it.

Changes to This Privacy Policy

We may update or modify this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make changes, we will notify users as appropriate:

  • Posting of Revised Policy: Any changes will be posted on this page with an updated “Last Updated” date at the top. We encourage you to review this page periodically to stay informed about how we are protecting your information.
  • Additional Notice for Significant Changes: If we make any material changes to how we collect, use, or share your personal information, we will take additional steps to notify you. This may include prominently posting a notice of the changes on our website’s homepage or login screen, or directly notifying you via the email address associated with your account (if you have provided one) prior to the change becoming effective. The notification will outline the key changes and give you an opportunity to review the revised Policy.
  • Consent for Substantial Changes (if required): If any change requires your consent (for example, if we plan to use your personal data for a new purpose that requires consent under applicable law), we will obtain that consent before the new processing occurs.

Your continued use of our Services after a Privacy Policy update signifies your acceptance of the revised terms, to the extent permitted by law. However, if any changes are so significant that legal requirements mandate we get your explicit consent, we will do so.

In summary, always check the “Last Updated” date and review any summaries of changes we provide to understand the current terms. This Privacy Policy is not a contract and does not create any legal rights or obligations beyond what the law requires, but it is a reflection of our commitment to transparency and your privacy.

Contact Us

If you have any questions, comments, or concerns about this Privacy Policy or about our privacy practices, please do not hesitate to contact us. We are here to help and will gladly address any inquiries you may have.

Contact Information for Privacy Inquiries:

  • Email: hello@ofthieves.com
  • Postal Mail:
    Descendant of Thieves, Inc. – Attn: Privacy Team
    247 Mulberry St.
    New York, NY 10012
    United States

You may also use the above contact information to exercise your rights as described in the Your Rights and Choices section. If you contact us by mail, please mark the letter “Attn: Privacy” so we can route it to the correct team. For requests regarding your personal data, please include your name and contact information and a description of your request (do not include sensitive information like a password or full credit card number via email or mail).

We will respond to legitimate inquiries as soon as reasonably possible, typically within 30 days. If you do not receive a response from us or if your concern is not resolved to your satisfaction, you may have the option to contact your local data protection authority or regulator (as noted in the Your Rights and Choices section for your region).

Thank you for reading our Privacy Policy. We value your trust and are dedicated to protecting your personal information while providing you with a great shopping experience at Descendant of Thieves.