Privacy Policy

North Lucid ("we," "us," or "our") is committed to protecting the privacy and personal information of our customers and website visitors. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit our website at northlucid.com, create an account, or make a purchase. This policy is designed to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA), Quebec's Law 25 (An Act to modernize legislative provisions as regards the protection of personal information), and other applicable Canadian privacy legislation. By using our Site, you consent to the practices described in this policy.

We collect the following categories of personal information: Information You Provide Directly: • Account registration: name, email address, and password • Orders: shipping address, billing address, phone number • Payment: processed securely through Stripe — we never store your full credit card number, CVV, or expiration date • Communications: messages sent through our contact form, support emails, or chat • Reviews and feedback: product reviews, ratings, and testimonials • Referral program: referral codes and associated activity Information Collected Automatically: • Device information: IP address, browser type and version, operating system • Usage data: pages visited, time spent on pages, click patterns, referring URLs • Cookies and similar technologies: session identifiers, language preferences, cart contents, age verification status • Location data: approximate geographic location derived from IP address (city/province level only)

We use your personal information for the following purposes, each with a lawful basis under PIPEDA: Order Fulfillment (Contractual Necessity): Processing and shipping your orders, sending order confirmations and shipping notifications, managing returns and refunds. Account Management (Contractual Necessity): Creating and maintaining your account, managing your rewards points and referral program, processing your wishlist and saved items. Communications (Consent): Sending promotional emails and newsletters (only with your opt-in consent), notifying you of new products, sales, and special offers. You may unsubscribe at any time. Site Improvement (Legitimate Interest): Analyzing usage patterns to improve our website, personalizing your browsing experience, conducting internal analytics and reporting. Security & Fraud Prevention (Legitimate Interest): Detecting and preventing fraudulent transactions, enforcing our Terms of Service, rate limiting to protect against abuse. Legal Compliance (Legal Obligation): Complying with applicable laws and regulations, responding to lawful requests from law enforcement or government agencies.

We implement comprehensive security measures to protect your personal information: • Encryption: All data transmitted between your browser and our servers is encrypted using TLS 1.3 (SSL). Sensitive data at rest is encrypted using AES-256. • Payment Security: All payment processing is handled by Stripe, a PCI-DSS Level 1 certified payment processor. Your payment card details are tokenized and never stored on our servers. • Access Controls: Employee access to personal information is restricted on a need-to-know basis with role-based permissions. • Infrastructure: Our servers are hosted on secure, SOC 2 compliant cloud infrastructure with regular security audits. • Rate Limiting: We employ rate limiting on authentication and checkout endpoints to prevent brute-force attacks. • Monitoring: We continuously monitor for suspicious activity and unauthorized access attempts. While we take all reasonable precautions, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to protecting your information to the highest practical standard.

We use the following types of cookies and similar technologies: Essential Cookies (Always Active): Session management and authentication, shopping cart functionality, age verification status, language preference (EN/FR). These cookies are necessary for the Site to function and cannot be disabled. Analytics Cookies (With Consent): We use privacy-respecting analytics to understand how visitors interact with our Site. This includes page views, session duration, and navigation patterns. We do not use Google Analytics or other invasive tracking tools. Our analytics do not track individual users across other websites. Functional Cookies: Remembering your preferences (theme, recently viewed products), maintaining your wishlist across sessions. You can manage cookie preferences through your browser settings. Blocking essential cookies may prevent the Site from functioning properly. We do not use advertising cookies or participate in cross-site tracking networks.

We share limited personal information with the following trusted third-party service providers, each bound by contractual obligations to protect your data: • Stripe (Payment Processing): Receives payment card details, billing address, and email for transaction processing. Stripe is PCI-DSS Level 1 certified. Privacy policy: stripe.com/privacy • Canada Post / Shipping Carriers (Order Delivery): Receives shipping name, address, and phone number for package delivery and tracking. • Cloud Infrastructure Provider (Hosting): Our servers process and store data on secure cloud infrastructure located in Canada. • Manus Platform (Authentication): Handles secure user authentication via OAuth. Receives only the minimum information required for login. We do not sell, rent, or trade your personal information to any third party for marketing purposes. We do not share your data with data brokers or advertising networks.

Under PIPEDA and Quebec's Law 25, you have the following rights regarding your personal information: Right of Access: You may request a copy of all personal information we hold about you. We will respond within 30 days of receiving your request. Right of Correction: You may request that we correct any inaccurate or incomplete personal information. You can also update most information directly through your account settings. Right of Deletion: You may request that we delete your personal information, subject to our legal obligations to retain certain records (e.g., transaction records for tax purposes). Right to Withdraw Consent: You may withdraw your consent for marketing communications at any time by clicking the unsubscribe link in any email or contacting us directly. Right to Data Portability: You may request your personal information in a structured, commonly used, machine-readable format. Right to File a Complaint: If you believe your privacy rights have been violated, you may file a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca) or, for Quebec residents, the Commission d'accès à l'information du Québec (cai.gouv.qc.ca). To exercise any of these rights, contact our Privacy Officer at privacy@northlucid.com. We will verify your identity before processing any request and respond within 30 calendar days.

We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected: • Account information: Retained while your account is active and for 2 years after account deletion to handle potential disputes. • Order and transaction records: Retained for 7 years to comply with Canadian tax and financial reporting requirements. • Marketing preferences: Retained until you withdraw consent or unsubscribe. • Analytics data: Aggregated and anonymized after 26 months. • Support communications: Retained for 3 years after resolution. • Cookies: Session cookies expire when you close your browser. Persistent cookies expire after 12 months. When personal information is no longer needed, we securely delete or anonymize it using industry-standard methods.

Our Site and products are intended exclusively for adults aged 19 and older. We do not knowingly collect personal information from anyone under the age of 19. If we become aware that we have inadvertently collected personal information from a minor, we will take immediate steps to delete that information from our records. If you believe that a minor has provided us with personal information, please contact us immediately at privacy@northlucid.com.