Privacy policy
Effective date: (to be set on Shopify launch day) Last updated: 2026-06-16
Pre-launch (waitlist) note: the online store is not yet open. Until it opens, the only personal information we collect is the email address you enter on the waitlist form, your consent status and timestamp, and standard site-analytics data. Sections that describe order, payment, and shipping data apply once the store opens in or around July 2026.
1. Who we are
NUCLEORA SKINCARE INC. ("NUCLEORA", "we", "us") is a British Columbia corporation, 2155 Emerson St, Abbotsford, BC V2T 3H8, Canada.
Our Privacy Officer (required under Quebec Law 25, s. 3.1) can be reached at privacy@nucleoraskin.com. We respond to privacy requests within 30 days.
2. What personal information we collect
At the waitlist stage (now):
- Email address, consent status, consent timestamp, and source (UTM).
- Site-usage data (IP address, pages viewed, browser/device type) — collected only after you accept the cookie banner.
At store launch (additional):
- Identity and contact: name, shipping and billing address, phone (if provided).
- Order data: products ordered, order history, payment method type. We do not store full card numbers — payment is processed directly by Shopify Payments or Stripe.
- Communications: emails, support messages, and adverse-event reports sent to safety@nucleoraskin.com.
- Marketing preferences: email opt-in/opt-out status.
We do not knowingly collect personal information from individuals under 16.
3. Why we collect it
- To fulfil orders and provide customer support.
- To send transactional emails (order confirmation, shipping updates).
- To send marketing emails — only with your express consent, which you can withdraw at any time.
- To respond to adverse-event and product-complaint reports and fulfil our record-keeping obligations under Health Canada's cosmetic regulations.
- To detect and prevent fraud and maintain site security.
- To understand how the site is used and improve it — only with your consent for analytics cookies.
We do not sell or rent your personal information. We do not use it for any purpose beyond those listed here.
4. Legal bases (PIPEDA / Quebec Law 25)
| Purpose | Basis |
|---|---|
| Fulfil an order | Performance of contract |
| Transactional emails | Performance of contract |
| Marketing emails | Your express consent |
| Analytics and advertising cookies | Your express consent |
| Fraud prevention and site security | Legitimate interest |
| Adverse-event and regulatory records | Legal obligation |
5. Cookies and consent
- Essential cookies (cart, session, security): always active; no consent required.
- Analytics cookies (Shopify Analytics; Google Analytics GA4 at store launch): off by default; activated only after you click Accept on the cookie banner.
- Advertising pixels (Meta Pixel, TikTok Pixel — post-launch only): off by default; activated only after you click Accept.
Quebec residents: our consent banner presents Accept and Decline with equal prominence on the first layer, as required by Law 25. Non-essential cookies are off until you actively choose Accept. Declining has no effect on the page.
You can change your cookie choice at any time by reopening the consent banner.
6. Third-party processors
All processors are bound by a data-processing agreement with NUCLEORA.
| Processor | Purpose | Data location |
|---|---|---|
| Shopify | Site hosting (now); e-commerce, payments, checkout (at store launch) | Canada / US |
| Klaviyo | Email marketing and waitlist management | US |
| Google (GA4) | Site analytics — consent-gated | US |
| Meta / TikTok | Advertising pixels — consent-gated; post-launch only | US |
| Stripe | Fallback payment processing — post-launch only | US / Canada |
| Canada Post / DHL / FedEx / UPS | Order fulfilment and shipping — post-launch only | Canada / international |
| CMP provider (consent management) | Cookie consent capture and audit log | Canada / US |
This list will be updated when the store opens if the processor stack changes.
7. International transfers
Several processors store or process data in the United States. We rely on contractual safeguards — data-processing agreements incorporating standard contractual protections — to govern those transfers. Each transfer is disclosed in the processor table above.
Quebec residents: as required by Law 25 s. 17, cross-border transfers of personal information are limited to what is necessary, governed by data-processing agreements, and assessed in our internal Privacy Impact Assessment (on file).
8. Retention
| Data | Retention period |
|---|---|
| Marketing subscriber data | Until consent is withdrawn; then deleted |
| Order records | 6 years from order date (CRA requirement) |
| GST/HST and provincial tax records | 6 years (federal) / 5 years BC PST |
| Adverse-event and complaint records | 6 years minimum (Health Canada) |
| Site-analytics data | 26 months (GA4 default), or shorter if we adjust the setting |
| Consent records (CASL) | 3 years from the last commercial electronic message |
When the retention period ends, or when you request deletion (see §9), we delete or de-identify your personal information.
9. Your rights
Under PIPEDA and Quebec Law 25, you have the right to:
- Access the personal information we hold about you.
- Correct inaccurate or incomplete information.
- Withdraw consent to marketing at any time (unsubscribe link in every email, or email us).
- Request deletion of personal information we are not required by law to retain.
- Data portability — receive your information in a structured, commonly used format (Law 25).
- File a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca) or the Commission d'accès à l'information du Québec (cai.gouv.qc.ca).
To exercise any of these rights, contact: privacy@nucleoraskin.com
We respond within 30 days.
10. Security
We use industry-standard measures: encrypted transmission (TLS) to and from the site, encryption at rest at the processor level, and role-based access controls. No customer personal information is stored on personal devices or in this domain's source-code repository.
We maintain a confidentiality-incident register as required by Law 25. If a breach creates a risk of serious injury to you, we will notify the Commission d'accès à l'information and affected individuals without unreasonable delay.
11. Children
This site is not directed at children. We do not knowingly collect personal information from individuals under 16. If you believe we have inadvertently collected such information, please contact privacy@nucleoraskin.com and we will delete it promptly.
12. Changes to this policy
We update this policy when our practices change. The "Last updated" date at the top reflects the most recent revision. If we make a material change after the store is live, we will notify active subscribers by email before the change takes effect.
13. Contact
Privacy Officer: privacy@nucleoraskin.com General inquiries: hello@nucleoraskin.com Adverse events / product safety: safety@nucleoraskin.com
NUCLEORA SKINCARE INC. 2155 Emerson St, Abbotsford, BC V2T 3H8, Canada