Privacy Policy

Last updated: June 15, 2024

1. Introduction

Portal Puff Inc. ("PortalPuff," "we," "us," or "our") is a corporation organized under the laws of the State of Delaware. We operate the portalpuff.com website (the "Site") and provide software-as-a-service products for smoke shop merchants, including online ordering, websites, inventory management, loyalty programs, rewards, and point-of-sale solutions (collectively, the "Services").

This Privacy Policy explains how we collect, use, disclose, store, and protect your information when you visit our Site, use our Services, or otherwise interact with us. By accessing or using our Site or Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our Site or Services.

This Privacy Policy should be read in conjunction with our Terms and Conditions, which govern your use of the Site and Services.

2. Scope and Applicability

This Privacy Policy applies to all individuals who interact with our Site and Services, including:

  • Merchants: Smoke shop business owners and operators who subscribe to and use the Services, including their authorized employees, contractors, and sub-users who access the Services through a Merchant account.
  • End Consumers: Individuals who purchase products from Merchants through the Services, including through the Online Ordering platform, or who participate in Merchant loyalty programs, rewards programs, or other consumer-facing features powered by the Services.
  • Site Visitors: Individuals who visit the Site, submit contact or inquiry forms, subscribe to newsletters, or otherwise interact with the Site without creating an account.

The types of information we collect and how we use it may differ depending on your relationship with us. Where specific practices apply only to Merchants, End Consumers, or Site Visitors, we note this distinction below.

3. Age Restriction

Our Services — including Account creation, product ordering, and loyalty program participation — are intended exclusively for individuals who are at least twenty-one (21) years of age. The Site may be accessed for informational purposes (such as browsing content, reading blog posts, or viewing pricing) without meeting this age requirement. We do not knowingly collect, solicit, or maintain personal information from anyone under the age of 21 in connection with Account creation, product purchases, or Service usage. If we learn that we have collected personal information from an individual under 21 in connection with the Services, we will promptly delete that information. If you believe we have inadvertently collected information from someone under 21, please contact us immediately at support@portalpuff.com.

4. Information We Collect

We collect information in several ways depending on how you interact with our Site and Services:

4.1 Information Provided by Merchants and Site Visitors

  • Contact and inquiry information: When you schedule a walkthrough, submit a contact form, or reach out to us, we collect your first name, last name, email address, phone number, store name, store address(es), number of locations, product interests, plan selection, billing preference, and any message you include.
  • Support ticket information: When you submit a support ticket through our Help Center, we collect your full name, email address, phone number, store name, store address, support category, a description of your issue, and any file attachments you upload (images, PDFs, or documents up to 10 MB).
  • Newsletter subscription: When you subscribe to our blog newsletter, we collect your email address.
  • Merchant account information: If you create a PortalPuff account, we may collect your name, email address, password, business details, and other information necessary to provide our Services.
  • Payment information: If you purchase our Services, we may collect billing details such as your name, billing address, and payment card information. Payment card data is processed by our third-party payment processor(s) and is not stored on our servers.
  • Merchant Content: Product listings, images, descriptions, pricing, and other business content that Merchants upload or submit through the Services.

4.2 Information Collected from End Consumers

When End Consumers interact with the Services — such as placing orders through a Merchant's Online Ordering platform, enrolling in a Merchant's loyalty program (Ten Star Loyalty), or participating in a Rewards program — we may collect the following information:

  • Identity and contact information: Full name, email address, phone number, and date of birth.
  • Delivery information: Delivery address, delivery instructions, and any other information necessary to fulfill delivery orders.
  • Age verification data: Government-issued identification images (such as a driver's license or state ID) submitted for the purpose of verifying that the End Consumer meets the minimum age requirement for purchasing age-restricted products. See Section 10.3 for retention details.
  • Order information: Products ordered, order history, order amounts, and payment information. Payment card data is processed by our third-party payment processor(s) and is not stored on our servers.
  • Loyalty and rewards data: Loyalty program membership details, points balances, rewards earned and redeemed, referral activity, and SMS/MMS communication preferences.
  • Account information: If an End Consumer creates an account, we collect login credentials and account preferences.

4.3 Information Collected Automatically

  • Device and browser data: IP address, browser type and version, operating system, device type, screen resolution, and unique device identifiers.
  • Usage data: Pages visited, time spent on pages, referring and exit URLs, click patterns, and other interaction data collected through analytics tools.
  • Security and anti-fraud data: Form submission timestamps, interaction patterns (mouse, keyboard, touch, and scroll events), rate-limiting counters, and proof-of-work verification tokens used to detect bots and prevent abuse.
  • Log data: Server logs that record request timestamps, IP addresses, user-agent strings, email addresses submitted in forms, and spam detection flags for security auditing purposes.

4.4 Information from Third Parties

We may receive information about you from third-party services we integrate with, including hosting providers, analytics platforms, delivery service providers, and payment processors. We treat this information in accordance with this Privacy Policy.

5. How We Use Your Information

We use the information we collect for the following purposes:

  • Providing Services: To operate, maintain, and deliver our Site and Services, process transactions, manage accounts, fulfill orders, coordinate deliveries, administer loyalty and rewards programs, and fulfill our contractual obligations.
  • Order fulfillment and delivery: To process End Consumer orders, coordinate with Merchants and third-party delivery partners, verify age for age-restricted products, and facilitate pickup and delivery.
  • Communication: To respond to inquiries, support requests, and walkthrough scheduling; to send order confirmations, delivery updates, loyalty program notifications, service updates, and administrative notices.
  • Marketing: To send newsletters, promotional materials, and product updates, but only when the recipient has opted in to receive such communications. You may opt out at any time.
  • Improvement: To analyze usage trends, monitor the effectiveness of our Site and Services, and improve our products, content, and user experience.
  • Security: To detect, investigate, and prevent fraudulent transactions, spam, unauthorized access, and other illegal or harmful activities; to enforce rate limits and protect the integrity of our systems.
  • Legal compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests; to establish, exercise, or defend legal claims.

6. Our Role in Data Processing

PortalPuff's role in processing personal data depends on the specific Service and the nature of the data processing activity:

6.1 PortalPuff as Data Controller

PortalPuff acts as an independent data controller when we process personal data for our own business purposes, including:

  • Operating and improving the Site and Platform
  • Managing Merchant accounts and subscriptions
  • Processing payments and billing
  • Fraud detection and prevention
  • Security monitoring and enforcement
  • Compliance with legal obligations
  • Marketing and communications (with consent where required)
  • Analytics and product development

6.2 PortalPuff as Data Processor

PortalPuff acts as a data processor on behalf of Merchants when we process End Consumer personal data solely to provide the Services at the Merchant's direction, including:

  • Processing and fulfilling orders placed through a Merchant's Online Ordering platform
  • Managing End Consumer loyalty program memberships and rewards on behalf of the Merchant
  • Sending SMS, MMS, or other communications to End Consumers on behalf of the Merchant through Ten Star Loyalty or other messaging features
  • Storing and displaying End Consumer order history and account information for the Merchant's business operations

When acting as a data processor, PortalPuff processes End Consumer personal data in accordance with this Privacy Policy, our Terms and Conditions, and applicable law. PortalPuff does not sell End Consumer personal data and does not use End Consumer personal data processed on behalf of Merchants for PortalPuff's own independent marketing purposes.

6.3 Merchant Responsibilities

To the extent that a Merchant is considered a data controller under applicable law with respect to End Consumer personal data, the Merchant is responsible for: (a) ensuring a lawful basis exists for the collection and processing of End Consumer personal data; (b) providing required privacy notices and disclosures to End Consumers; (c) obtaining any required consents from End Consumers, including for SMS and marketing communications; (d) honoring End Consumer data rights requests; and (e) complying with all applicable privacy and data protection laws and regulations. For further detail, see our Terms and Conditions.

7. Legal Bases for Processing

We process personal information based on the following legal grounds:

  • Contractual necessity: Processing required to perform our contract with you (e.g., providing Services you have purchased, fulfilling orders placed by End Consumers).
  • Consent: Processing based on your explicit consent (e.g., newsletter subscriptions, marketing communications, SMS opt-in). You may withdraw consent at any time.
  • Legitimate interests: Processing necessary for our legitimate business interests (e.g., fraud prevention, Site security, product improvement, age verification for age-restricted products), provided those interests are not overridden by your rights.
  • Legal obligation: Processing necessary to comply with applicable laws and regulations.

8. How We Share Your Information

We do not sell, rent, or trade your personal information to third parties. We may share your information in the following circumstances:

8.1 With Merchants (End Consumer Data)

When an End Consumer places an order, enrolls in a loyalty program, or otherwise interacts with a Merchant through the Services, we share relevant End Consumer information with that Merchant as necessary to fulfill the transaction and provide the Service. This may include the End Consumer's name, contact information, delivery address, order details, loyalty membership information, and age verification data (including government-issued identification images, which Merchants may access through the Services to review and verify orders for age-restricted products). Merchants receive this information in their capacity as independent businesses and are responsible for their own use of End Consumer data in compliance with applicable laws.

8.2 Service Providers

We engage trusted third-party companies and individuals to perform services on our behalf. These providers have access to personal information only to the extent necessary to perform their services and are contractually obligated to protect the data. Our current service providers include:

  • Twilio SendGrid: Email delivery service used to send form submission notifications, support ticket confirmations, and newsletter communications.
  • Vercel: Cloud hosting platform that serves our Site and processes API requests, including form submissions.
  • Upstash: Redis-based data store used for rate limiting and duplicate submission detection. Stores IP addresses and submission hashes temporarily.
  • Third-party delivery partners: Delivery service providers who receive End Consumer information (such as name, delivery address, phone number, and order details) as necessary to fulfill delivery orders placed through the Online Ordering platform. PortalPuff contracts with these delivery partners and is responsible for delivery-related fees owed to them.
  • Payment processors: Third-party payment processors who handle payment transactions for both Merchant subscriptions and End Consumer orders. Payment card data is processed directly by these providers and is not stored on PortalPuff's servers.

We may also use additional service providers for analytics, account authentication, and other operational needs as our Services evolve. This Privacy Policy will be updated accordingly.

8.3 Legal Requirements

We may disclose your information if required to do so by law or in the good-faith belief that such action is necessary to: (a) comply with a legal obligation, court order, or governmental request; (b) protect and defend our rights or property; (c) prevent or investigate possible wrongdoing in connection with the Site or Services; (d) protect the personal safety of users or the public; or (e) protect against legal liability.

8.4 Business Transfers

If Portal Puff Inc. is involved in a merger, acquisition, reorganization, bankruptcy, dissolution, sale of all or a portion of its assets, or other corporate transaction, your personal information may be transferred as part of that transaction. We will provide notice before your personal information becomes subject to a different privacy policy.

8.5 With Your Consent

We may share your information for any other purpose with your explicit consent.

9. Cookies, Tracking Technologies, and Analytics

9.1 Current Practices

Our Site currently uses browser localStorage for functional purposes, including form rate limiting, bot protection state, and submission tracking. We do not currently deploy third-party tracking cookies or advertising pixels.

9.2 Analytics

We may use first-party and third-party analytics services (such as Google Analytics or similar tools) to understand how visitors use our Site. These services may collect information such as your IP address, browser type, pages visited, and time spent on pages. Where analytics services are used, data may be processed by the analytics provider in accordance with their own privacy policies.

9.3 Cookie Consent and Opt-Out

If we introduce cookies or similar tracking technologies in the future, we will provide clear notice and, where required by law, obtain your consent before placing non-essential cookies on your device. You may manage cookie preferences through your browser settings or through any cookie consent mechanism we provide. Please note that disabling certain cookies may affect the functionality of our Site.

9.4 Do Not Track

Some browsers transmit "Do Not Track" (DNT) signals. Because there is no universally accepted standard for how to respond to DNT signals, we do not currently respond to them. We will update this policy if a standard is established.

10. Data Retention

We retain personal information for as long as reasonably necessary to fulfill the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements. Specific retention practices include:

  • Contact form submissions: Retained as long as necessary for sales follow-up, onboarding, and ongoing business relationship management.
  • Support tickets: Retained as long as necessary to resolve the issue and provide ongoing support, plus any additional period required for quality assurance or legal compliance.
  • Newsletter subscriptions: Retained until the subscriber unsubscribes or requests deletion.
  • Merchant account data: Retained for the duration of the Merchant's account and for a reasonable period thereafter to comply with legal obligations, resolve disputes, and support legitimate business operations.
  • End Consumer account data: Retained for the duration of the End Consumer's account. End Consumers may request deletion of their account, at which point PortalPuff will delete all personal information associated with that account in a timely manner, subject to any legal retention requirements.
  • Age verification data (ID images): Government-issued identification images are stored for as long as the End Consumer's account remains active, as such identification is required for Merchants to verify and confirm orders for age-restricted products. ID images are deleted when an End Consumer's account is deleted.
  • Order history and transaction data: Retained for as long as necessary for business operations, accounting, tax compliance, and dispute resolution.
  • Loyalty and rewards data: Retained for the duration of the End Consumer's participation in the applicable program and for a reasonable period thereafter.
  • Security logs: IP addresses, rate-limiting data, and spam detection records are retained temporarily for security purposes and are purged on a rolling basis.

Post-termination retention: Following termination of a Merchant account, PortalPuff will retain Merchant account data and any associated End Consumer data for a reasonable period as necessary for legitimate business operations, legal compliance, dispute resolution, and enforcement of our Terms and Conditions. After such retention period, data will be securely deleted or anonymized.

When personal information is no longer needed for any of the purposes described above, we will securely delete or anonymize it.

11. Data Security

We take the security of personal information seriously and implement appropriate technical and organizational measures to protect it, including:

  • HTTPS/TLS encryption for all data transmitted between your browser and our servers
  • Server-side input validation and sanitization to prevent injection attacks
  • HTML escaping to prevent cross-site scripting (XSS)
  • Rate limiting (per IP address) to prevent abuse and denial-of-service attacks
  • Multi-layered bot protection including honeypot fields, timing analysis, interaction verification, and proof-of-work challenges
  • File upload validation using magic byte verification and extension blocking
  • Spam detection filtering to prevent malicious submissions
  • Email validation including checks against known disposable email domains
  • Encryption of sensitive data at rest, including age verification images
  • Access controls limiting employee and contractor access to personal data on a need-to-know basis

Despite these measures, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee the absolute security of your information, and you provide it at your own risk.

12. Your Rights and Choices

Depending on your jurisdiction, you may have certain rights regarding your personal information. We honor these rights for all users — including both Merchants and End Consumers — regardless of location, to the extent practicable:

  • Access: You may request a copy of the personal information we hold about you.
  • Correction: You may request that we correct inaccurate or incomplete personal information.
  • Deletion: You may request that we delete your personal information, subject to certain exceptions (e.g., legal compliance, legitimate business needs). End Consumers may request deletion of their account and all associated data, including age verification images.
  • Opt-out of marketing: You may unsubscribe from marketing emails at any time by clicking the "unsubscribe" link in any marketing email or by contacting us directly. End Consumers may opt out of SMS messages by replying STOP or contacting the Merchant or PortalPuff.
  • Data portability: You may request that we provide your personal information in a structured, commonly used, and machine-readable format.
  • Restriction: You may request that we restrict the processing of your personal information under certain circumstances.
  • Objection: You may object to our processing of your personal information where we rely on legitimate interests as the legal basis.

To exercise any of these rights, please contact us at support@portalpuff.com or submit a request through our Help Center. We will respond to your request within thirty (30) days. We may need to verify your identity before processing your request.

If PortalPuff receives a data rights request from an End Consumer that relates to data we process on behalf of a Merchant (in our capacity as a data processor), we will notify the relevant Merchant and assist in responding to the request as required by applicable law.

13. State Privacy Rights

13.1 California Residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with specific rights regarding your personal information. In addition to the rights listed in Section 12, you have the right to:

  • Know what categories of personal information we have collected about you and the purposes for which it is used
  • Know whether we sell or share your personal information (we do not)
  • Opt out of the sale or sharing of your personal information
  • Not be discriminated against for exercising your privacy rights
  • Limit the use of sensitive personal information to what is necessary to provide the Services

We do not sell or share (as defined by the CCPA/CPRA) your personal information. We do not use or disclose sensitive personal information for purposes other than those permitted by the CCPA/CPRA.

To submit a CCPA/CPRA request, contact us at support@portalpuff.com. You may also designate an authorized agent to make a request on your behalf.

13.2 Virginia, Colorado, Connecticut, Utah, and Other State Laws

Residents of states with comprehensive privacy laws (including the Virginia Consumer Data Protection Act, Colorado Privacy Act, Connecticut Data Privacy Act, Utah Consumer Privacy Act, and similar legislation) have rights similar to those described in Sections 12 and 13.1. To exercise your rights under any applicable state privacy law, please contact us at support@portalpuff.com. You may appeal our decision regarding your request by contacting us at the same address.

14. Third-Party Links and Services

Our Site may contain links to third-party websites, services, or applications that are not operated by us. This Privacy Policy does not apply to third-party sites. We are not responsible for the privacy practices or content of those third parties. We encourage you to review the privacy policies of any third-party sites you visit.

15. International Data Transfers

Our Site and Services are hosted and operated in the United States. If you access our Site from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country. By using our Site or Services, you consent to the transfer of your information to the United States.

16. SMS and Text Messages

16.1 Messages from PortalPuff

If you provide your phone number and opt in to receiving text messages from PortalPuff, you consent to receiving SMS or MMS messages related to our Services, including promotional messages and transactional updates. Message and data rates may apply. You may opt out of text messages at any time by replying STOP to any message or by contacting us at support@portalpuff.com.

16.2 Messages from Merchants via the Platform

Merchants may use the Services — including the Ten Star Loyalty platform — to send SMS, MMS, or other electronic communications to End Consumers. When Merchants send messages through the Platform, PortalPuff processes End Consumer phone numbers and message content as a data processor on behalf of the Merchant. The Merchant is the sender of these messages and is solely responsible for: (a) obtaining all required consents from End Consumers before sending messages; (b) providing clear opt-in and opt-out mechanisms; (c) honoring opt-out requests; and (d) complying with all applicable laws and regulations governing electronic communications, including the TCPA, CAN-SPAM Act, and applicable A2P messaging and carrier compliance requirements. PortalPuff may suspend a Merchant's messaging capabilities if we reasonably believe their messages violate applicable law or our Terms and Conditions.

17. Email Communications

We may send you the following types of emails:

  • Transactional emails: Confirmations, support responses, order notifications, delivery updates, account notifications, and other messages necessary to provide our Services. These are not marketing communications and cannot be opted out of while you maintain an active relationship with us.
  • Marketing emails: Newsletters, product updates, promotions, and other marketing content. You may opt out at any time by clicking the "unsubscribe" link in any marketing email or by contacting us.

18. User-Generated Content, Merchant Content, and File Uploads

When you upload files through our support ticket system or otherwise submit content to us, you are responsible for ensuring that the content does not violate any third-party rights or applicable laws. We validate uploaded files for security purposes (file type verification, size limits, and content scanning) but do not claim ownership of content you submit. Uploaded files are used solely for the purpose of resolving your support inquiry.

Merchants may upload product listings, images, descriptions, pricing, and other business content through the Services ("Merchant Content"). Merchants retain ownership of their Merchant Content but grant PortalPuff a license to use it as described in our Terms and Conditions. Merchants are solely responsible for ensuring that all Merchant Content is accurate, lawful, and compliant with applicable regulations. PortalPuff reserves the right to remove Merchant Content that we reasonably believe violates applicable law, third-party rights, or our Terms and Conditions.

19. Automated Decision-Making

We use automated systems to detect and block spam, bot submissions, and potentially fraudulent activity. These systems evaluate factors such as submission timing, interaction patterns, content analysis, and IP reputation. We also use automated systems to detect potential fraud or abuse in the Rewards and ambassador programs. If you believe you have been incorrectly flagged or blocked, please contact us at support@portalpuff.com for manual review.

20. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Post the revised policy on our Site
  • Provide prominent notice on our Site or, where appropriate, notify you by email

We encourage you to review this Privacy Policy periodically. Your continued use of our Site or Services after any changes constitutes your acceptance of the updated policy.

21. Governing Law and Dispute Resolution

This Privacy Policy shall be governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflict-of-law provisions. Any disputes arising under or related to this Privacy Policy are subject to the dispute resolution and arbitration provisions set forth in our Terms and Conditions.

22. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Portal Puff Inc.
A Delaware Corporation