Privacy Policy

1.1 Information You Provide

When you interact with our website, you may voluntarily provide:

• Account & Identity Data - first name, last name, email address, phone number, password (hashed, never stored in plain text)
• Order & Billing Data - shipping address, billing address, vehicle year/make/model selected for your tint kit
• Payment Data - credit/debit card details, Apple Pay, Google Pay, or Link credentials. These are processed directly by Stripe and never touch or are stored on our servers
• Communication Data - any messages you send via our contact form, email, phone, or social media
• Review Data - product reviews, star ratings, photos you upload, and the name/email you provide when leaving a review
• Abandoned Cart Data - if you enter your email at checkout but do not complete your order, we store that email to send a reminder

1.2 Information Collected Automatically

When you browse our website, we automatically collect:

• Device & Browser Data - IP address, browser type and version, operating system, device type, screen resolution
• Usage Data - pages visited, time spent on pages, click patterns, referring URL, exit pages
• Location Data - approximate geographic location derived from your IP address (city/state level, not precise)
• Cookie & Tracking Data - see Section 6 below for full cookie disclosure

1.3 Information from Facebook & Messenger

When you interact with our Facebook Page or send us messages via Facebook Messenger, we collect:

• Facebook Page-Scoped ID (PSID) - a unique identifier assigned by Facebook that identifies you within our Page context only. This is not your personal Facebook profile ID and cannot be used to access your Facebook account
• Message Content - the text of messages you send to us via Facebook Messenger, used solely to respond to your inquiry
• Public Profile Name - your first and last name as set in your public Facebook profile, used to personalize our responses
• Comment Content - any comments you post on our Facebook Page posts, used to provide relevant responses

1.4 Information from Third Parties

• Payment processor (Stripe) - transaction status, payment confirmation, last 4 digits of card for order display
• Shipping carrier - delivery status and tracking updates
• Analytics providers - aggregated site performance and traffic data
• Meta / Facebook - message delivery confirmations and page interaction data via the Facebook Graph API

We use the information we collect for the following purposes:

Legal Basis for Processing

• Contract performance - processing orders, fulfilling shipments, managing your account
• Legitimate interest - improving our site, preventing fraud, customer service
• Consent - marketing emails, abandoned cart emails, product reviews
• Legal obligation - tax records, fraud reporting, law enforcement requests

We share your data only with the following categories of service providers, and only to the extent necessary:

Other Disclosures

We may also disclose your information:

• To comply with a legal obligation, subpoena, or court order
• To protect and defend our rights or property
• To prevent fraud or investigate potential violations of our Terms of Service
• In connection with a merger, acquisition, or sale of assets (you will be notified)

We retain your personal data only for as long as necessary to fulfill the purposes described in this policy:

When data is no longer needed, we securely delete or anonymize it.

We implement industry-standard security measures to protect your personal information:

• Encryption in transit - all data transmitted between your browser and our servers is encrypted via TLS/SSL (HTTPS)
• Encryption at rest - sensitive data is encrypted in our database
• PCI compliance - payment processing is handled entirely by Stripe, a PCI-DSS Level 1 certified provider. Card numbers never touch our servers
• Access controls - only authorized personnel have access to customer data, using role-based permissions
• DDoS protection - our infrastructure is protected by Cloudflare
• Password hashing - account passwords are cryptographically hashed and salted; we cannot see your password
• Regular monitoring - we monitor for unauthorized access and security vulnerabilities

6.1 What Are Cookies

Cookies are small text files placed on your device when you visit a website. They help the site remember your preferences and actions.

6.2 Cookies We Use

6.3 Local Storage

We also use browser local storage (similar to cookies) to persist your shopping cart, saved vehicle selection, and authentication state across sessions. This data remains on your device and is not transmitted to third parties.

6.4 Managing Cookies

You can control or delete cookies through your browser settings. Disabling essential cookies may prevent you from using our shopping cart and checkout. Most browsers allow you to:

• View and delete existing cookies
• Block all or certain types of cookies
• Set preferences for specific websites
• Enable "Do Not Track" signals (see Section 9)

Depending on your location, you may have the following rights regarding your personal data:

7.1 Rights for All Users

• Access - request a copy of the personal data we hold about you
• Correction - request that we correct inaccurate or incomplete data
• Deletion - request that we delete your personal data (subject to legal retention requirements)
• Portability - receive your data in a structured, machine-readable format
• Opt-Out of Marketing - unsubscribe from marketing emails at any time via the unsubscribe link in every email
• Withdraw Consent - where processing is based on consent, you may withdraw it at any time

7.2 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know - you may request the categories and specific pieces of personal information we have collected about you in the past 12 months
• Right to Delete - you may request deletion of your personal information, subject to certain exceptions
• Right to Correct - you may request correction of inaccurate personal information
• Right to Non-Discrimination - we will not discriminate against you for exercising any of these rights
• Right to Opt-Out of Sale/Sharing - we do not sell or share your personal information for cross-context behavioral advertising
• Right to Limit Use of Sensitive Data - we only use sensitive personal information for purposes authorized under CPRA

We have not sold personal information of any consumer in the preceding 12 months. We do not have actual knowledge that we sell or share the personal information of minors under 16 years of age.

7.3 Virginia, Colorado, Connecticut, Utah & Other State Residents

If you reside in a state with comprehensive privacy legislation (VCDPA, CPA, CTDPA, UCPA, etc.), you may have similar rights to access, correct, delete, and opt out of targeted advertising. Contact us to exercise these rights.

7.4 How to Exercise Your Rights

To submit a privacy request, you may:

• Email us at [email protected] with the subject line "Privacy Request"

We will verify your identity before processing any request. We aim to respond within 30 days (45 days for complex requests, with notice). You may designate an authorized agent to make a request on your behalf.

8.1 Email Marketing

We may send promotional emails about new products, special offers, or other information we think you may find interesting. We will only send marketing emails if you have opted in (e.g., by checking a box at checkout or subscribing to our newsletter).

• Every marketing email includes an unsubscribe link at the bottom
• You can also email us at [email protected] to opt out
• We honor all opt-out requests within 10 business days
• Opting out of marketing does not affect transactional emails (order confirmations, shipping updates)

8.2 Abandoned Cart Emails

If you enter your email address during checkout but do not complete your purchase, we may send you a reminder email. These are considered transactional in nature but you can opt out by contacting us. Abandoned cart email data is automatically deleted after 90 days if no purchase is made.

8.3 SMS / Text Messages

We do not currently send SMS marketing messages. If we implement SMS communications in the future, it will be strictly opt-in with clear consent and easy opt-out.

TintRebel operates an AI-powered customer service system through our Facebook Page (facebook.com/tintrebel). This section specifically explains how we handle data when you interact with us on Facebook.

9.1 How Our Facebook Integration Works

When you send a message to our Facebook Page via Messenger, or comment on one of our posts, our automated system may respond using artificial intelligence. This system is designed to:

• Answer common questions about our products, pricing, shipping, installation, and order status
• Provide quick, accurate customer support 24/7
• Reply to relevant comments on our Facebook Page posts
• Escalate complex issues to a human team member when AI cannot provide an adequate answer

9.2 Data We Collect via Facebook

Through the Facebook Graph API, we access the following data with your consent:

• Page-Scoped User ID (PSID) - used to identify your conversation thread. This ID is unique to our Page and cannot be used to access your Facebook profile or other personal data
• Public profile name - your first and last name as displayed publicly on Facebook, used to personalize responses
• Message content - the text you send us, used solely to generate a helpful response
• Comment content - public comments on our posts, used to provide relevant replies

9.3 AI Processing

Your messages are processed by Google Gemini AI to generate relevant responses. When your message is sent to the AI:

• Only the message content and relevant product/order context is shared — no personal identifiers are sent to the AI model
• The AI does not store or learn from your conversations
• Responses are quality-checked before being sent to you
• If the AI cannot provide an adequate response, your message is escalated to a human team member

9.4 Data Storage & Retention

• Messenger conversations are stored locally on our secure servers for up to 14 days to maintain conversation context, then automatically deleted
• Comment reply records are stored to prevent duplicate responses
• Escalation records for messages requiring human attention are kept for up to 30 days
• Message deduplication records are kept for 3 days, then purged

9.5 Your Rights Regarding Facebook Data

You have full control over your Facebook interactions with us:

• Stop messaging - simply stop sending messages to our Page; your conversation history will be automatically deleted after 14 days
• Request deletion - email us at [email protected] to request immediate deletion of your conversation data
• Block our Page - you can block our Facebook Page at any time to prevent all future interactions
• Revoke permissions - you can remove our app's access to your data through your Facebook Settings → Apps and Websites

9.6 Facebook's Own Data Practices

Please note that Facebook (Meta Platforms, Inc.) has its own privacy policy governing how they collect and use your data on their platform. Our privacy policy covers only the data we access and process through our Facebook Page integration. For information about Facebook's data practices, please visit Facebook's Privacy Policy.

Some browsers include a "Do Not Track" (DNT) feature that signals to websites that you do not want your online activity tracked. There is currently no uniform standard for responding to DNT signals.

We respect your privacy preferences. If you enable DNT in your browser, we will not use non-essential tracking cookies. Essential cookies required for cart and checkout functionality will still be used.

Our website and services are not directed to individuals under the age of 13 (or 16 in certain jurisdictions). We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected data from a child, we will take steps to delete it promptly.

If you believe a child has provided us with personal information, please contact us at [email protected].

TintRebel is based in the United States and our services are directed to US customers. If you access our website from outside the US, please be aware that your information may be transferred to, stored, and processed in the United States where our servers are located.

By using our website, you consent to the transfer of your information to the United States, which may have different data protection laws than your country of residence. We will take reasonable steps to ensure your data is treated securely and in accordance with this policy.

Our website may contain links to third-party sites (e.g., social media profiles, payment processors, shipping trackers). We are not responsible for the privacy practices of these external sites. We encourage you to read their privacy policies before providing any personal information.

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes:

• We will update the "Last updated" date at the top of this page
• For significant changes, we will provide notice via email or a prominent notice on our website
• Your continued use of our website after changes are posted constitutes acceptance of the updated policy

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: