Privacy Policy

Last updated: 1/12/2026

Introduction

This Privacy Policy ("Privacy Policy") describes the data protection practices of Spotbrands Group, Inc. dba Cottonball and its affiliates (collectively, "Cottonball," "we," "our," or "us"), including when you visit Cottonball’s website that links to this Privacy Policy (our "Website") or otherwise provide data to Cottonball. We refer to the Website and other services provided by Cottonball together in this Privacy Policy as the "Service." This Privacy Policy is incorporated into the Cottonball Terms of Service ("Terms"). All capitalized terms used in this Privacy Policy but not defined herein have the meanings assigned to them in the Terms.

PLEASE READ THIS PRIVACY POLICY CAREFULLY TO UNDERSTAND HOW WE HANDLE YOUR INFORMATION. IF YOU DO NOT AGREE TO THIS PRIVACY POLICY, PLEASE DO NOT USE the Service.

This Privacy Policy contains the following sections:

  • Limitations on Use by Minors

  • Protected Information

  • Collection of Personal Information

  • Information You Provide to Us

  • Information We Collect Automatically

  • Information We Create or Generate

  • Information We Obtain from Third Party Sources

  • Cookies, Mobile IDs and Similar Technologies

  • Use of Personal Information

  • Disclosure of Personal Information

  • How We Share and Disclose Your Personal Information

  • Choice and Control of Personal Information

  • Jurisdictional Issues

  • California Privacy Rights

  • Miscellaneous

  • Retention of Information

  • Revisions to this Privacy Policy

  • Contacting Us

Limitations on Use by Minors

The Service is intended for individuals 18 years of age or older. We do not knowingly collect personal information from children under 13 years of age, and the Service is not directed to children under 13. If we become aware that we have collected personal information from a child under 13, we will take reasonable steps to delete it. If you believe we have collected information from a child under 13, please contact us at privacy@cottonball.com.

Protected Information

When you set up an account with Cottonball, you are creating a direct customer relationship with Cottonball that enables you to access and/or utilize the various functions of the Platform and the Service as a user. As part of that relationship, you provide information to Cottonball, including but not limited to, your name, email address, shipping address, phone number and certain transactional information, which we do not consider to be "protected information" or "medical information."

However, in using certain components of the Service, you may provide certain health or medical information that may be protected under applicable laws. Cottonball is not a "covered entity" under the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, and its related regulations and amendments from time to time (collectively, "HIPAA"). One or more of the Pharmacies or Medical Groups (as defined in our Terms) may or may not be a "covered entity" or "business associate" under HIPAA, and Cottonball may in some cases be a "business associate" of a Pharmacy or Medical Group. It is important to note that HIPAA does not necessarily apply to an entity or person simply because there is health information involved, and HIPAA may not apply to your transactions or communications with Cottonball, the Medical Groups, the Providers, or the Pharmacies. To the extent Cottonball is deemed a "business associate" however, and solely in its role as a business associate, Cottonball may be subject to certain provisions of HIPAA with respect to "protected information," as defined under HIPAA, that you provide to Cottonball, the Medical Groups or the Providers ("PHI"). In addition, any medical or health information that you provide that is subject to specific protections under applicable state laws (collectively, with PHI, "Protected Information"), will be used and disclosed only in accordance with such applicable laws. However, any information that does not constitute Protected Information under applicable laws may be used or disclosed in any manner permitted under this Privacy Policy. Protected Information does not include information that has been de-identified in accordance with applicable laws. The Medical Groups and Providers have adopted a Notice of Privacy Practices that describes how they use and disclose Protected Information. 
By accessing or using any part of the Service, you acknowledge receipt of the Notice of Privacy Practices from your Medical Group and Provider(s).

By accessing or using any part of the Service, you understand that any information that you submit to Cottonball that is not intended and used solely for the provision of diagnosis and treatment by the Medical Group and Providers, or prescription fulfillment by the Pharmacies, is not considered Protected Information. For purposes of clarity, information you provide to Cottonball in order to register and set up an account on the Platform, including name, date of birth, username, email address, shipping address, and phone number, are not considered Protected Information.

Collection of Personal Information

The personal information we collect depends on how you interact with us, the services you use, and the choices you make.

We collect information about you from different sources and in various ways when you use the Service, including information you provide directly, information collected automatically, information from third-party data sources, and data we infer or generate from other data.

1. Information You Provide to Us

We collect a variety of information that you provide directly to us. For example, we collect information from you through:

  • Name and contact information, such as your name, email address, phone number and billing and physical address.

  • Demographic data, such as your gender, date of birth and zip code.

  • Payment information, such as your credit card number, financial account information, and other payment details.

  • Content and files, such as photographs, videos, documents, and other files you upload in connection with the Service. This includes email messages, chat messages (on the website and on any other platform including social media) and other communications you send to us.

During the intake process, you may provide certain categories of information that some state laws classify as “sensitive personal information.” Cottonball collects only the following sensitive categories:

  • Government identification information, such as an image of your driver’s license or other government-issued ID, for the purpose of verifying your identity and eligibility to receive services.

  • Gender assigned at birth, as required for clinical assessment and formulation accuracy.

  • Health-related information, including intake questionnaire responses about your skin concerns, skincare history, and treatment goals, as well as photos of your face (front and side) that you submit for clinical evaluation. These images are used solely to enable Providers to evaluate your skin and determine eligibility for treatment and are not used for biometric identification or for any automated facial recognition.

  • Account access information, including your username and password.

  • Contact information, including your email address, phone number, and zip code, which may be used for account communications, shipping, and customer support.

We do not collect or process biometric identifiers (such as faceprints, facial geometry, fingerprints, or voiceprints), racial or ethnic origin, or other categories of sensitive data unless expressly stated above and required to provide the Service.

Protected Information and any health-related information collected in connection with diagnosis, treatment, or prescription fulfillment is handled solely in Cottonball’s capacity as a business associate under HIPAA, and is used and disclosed only as permitted by HIPAA and applicable state laws.

Information we collect automatically. When you use the Service, we collect some information automatically. For example:

  • Identifiers and device information. When you visit our websites, our web servers automatically log your Internet Protocol (IP) address and information about your device, including device identifiers (such as MAC address); device type; and your device’s operating system, browser, and other software including type, version, language, settings, and configuration. As further described in the "Cookies, Mobile IDs, and Similar Technologies" section below, our websites and Services store and retrieve cookie identifiers, mobile IDs, and other data.

  • Geolocation data. Depending on your device and app settings, we collect geolocation data when you use our online services. If you no longer wish for us and our service providers to collect and use GPS location information, you may disable the location features on your device.

  • Usage data. We automatically log your activity on our website and connected products, including the URL of the website from which you came to our sites, pages you viewed, how long you spent on a page, access times, and other details about your use of and actions on our website. In some instances, such usage data may be sensitive personal information if it relates to your browsing activity on health-related pages on the Service. For example, we may log the fact that you visited a page that relates to a specific product or treatment available through our site. For more information, refer to the "Cookies, Mobile IDs, and Similar Technologies" section below.

Information we create or generate. We infer new information from other data we collect, including using automated means to generate information about your likely preferences or other characteristics ("inferences"). For example, we infer your general geographic location (such as city, state, and country) based on your IP address.

Information we obtain from third-party sources. We also obtain the types of information described above from third parties. These third-party sources include, for example:

  • Third-party partners. Third-party applications and services, including social networks you choose to connect with or interact with through our Services.

  • Co-branding/marketing partners. Partners with which we offer co-branded services or engage in joint marketing activities.

  • Service providers. Third parties that collect or provide data in connection with work they do on our behalf, for example companies that determine your device’s location based on its IP address.

  • Publicly available sources. Public sources of information such as open government databases.

2. Cookies, Mobile IDs, and Similar Technologies

We use cookies, web beacons, pixels (also referred to as "pixel tags"), mobile analytics and advertising IDs and similar technologies to operate the website and the Service and to help collect data, including usage data, identifiers and device information.

What are cookies and similar technologies?

Cookies are small text files placed by a website and stored by your browser on your device. A cookie can later be read when your browser connects to a web server in the same domain that placed the cookie. The text in a cookie contains a string of numbers and letters that may uniquely identify your device and can contain other information as well. This allows the web server to recognize your browser over time, each time it connects to that web server. Web beacons are electronic images (also called single-pixel or clear GIFs) that are contained within a website or email. When your browser opens a webpage or email that contains a web beacon, it automatically connects to the web server that hosts the image (typically operated by a third party). This allows that web server to log information about your device and to set and read its own cookies. In the same way, third-party content on our websites (such as embedded videos, plug-ins, or ads) results in your browser connecting to the third-party web server that hosts that content. We also include web beacons in our email messages or newsletters to tell us if you open and act on them.

Mobile analytics and advertising IDs are generated by operating systems for mobile devices (iOS and Android) and can be accessed and used by apps in much the same way that websites access and use cookies. Our apps contain software that enables us and our third-party analytics and advertising partners to access these mobile IDs.

How do we and our partners use cookies and similar technologies?

We use cookies and similar first-party technologies to operate and improve the Service, maintain user sessions, remember preferences, perform analytics, and support security and fraud prevention. We may also use Google Analytics or similar analytics services to understand how users interact with the Service. In addition, when you arrive at our website via an advertisement, we may receive or pass through non-personal campaign or click identifiers (such as click IDs) solely for attribution and measurement purposes. We do not use third-party advertising pixels or similar tracking technologies operated by social media or advertising platforms (such as Meta, TikTok, or X) to transmit health data, Protected Information, or other sensitive personal information, and we do not permit advertising partners to collect such information through the Service.

What controls are available?

There are a range of cookie and related controls available through browsers, mobile operating systems, and elsewhere. See the "Choice and Control of Personal Information" section below for details.

Use of Personal Information

We use the personal information we collect for purposes described in this Privacy Policy or as otherwise disclosed to you, subject to the limitations addressed in the "Protected Information" section above. For example, we use personal information for the following purposes:

| Purpose of Use | Categories of Personal Information |
| --- | --- |
| Product and service delivery. To provide and deliver the Service, including troubleshooting, facilitating your movement through the Service, confirming your location, improving, and personalizing those services. | Contact information, demographic data, payment information, content and files, identifiers and device information, geolocation data, usage data, inferences. Sensitive information: government ID, account access information, contents of communications, or health data information. |
| Business operations. To operate our business, such as billing, processing your payments, accounting, administering your account, improving our internal operations, securing our systems, detecting fraudulent or illegal activity, verifying your identity, and meeting our legal obligations. Additionally, to protect or enforce Cottonball’s rights and properties. | Contact information, payment information, content and files, device information, geolocation data, usage data, inferences. Sensitive information: government ID, account access information, contents of communications, or health data information. |
| Product improvement, development, and research. To develop, test, or improve the Service and content, features and/or products or services offered via the Service. Additionally, to identify or create new products or services. Lastly, to analyze traffic and user behavior or activity to and through the Service. | Contact information, demographic data, payment information, content and files, identifiers and device information, geolocation data, usage data, inferences. Sensitive information: government ID, account access information, contents of communications. |
| Personalization. To understand you and your preferences to enhance your experience and enjoyment using our Service. | Contact information, demographic data, payment information, content and files, identifiers and device information, geolocation data, usage data, inferences. Sensitive information: government ID, account access information, contents of communications. |
| Customer support. To provide customer support, fulfill your requests, and respond to your questions. Additionally, to place and track orders for products or services on your behalf. | Contact information, demographic data, payment information, content and files, identifiers and device information, geolocation data, usage data, inferences. Sensitive information: government ID, account access information, contents of communications, or health data information. |
| Communications. To send you information about Cottonball, the Pharmacies, the Medical Groups, the Providers, including confirmations, invoices, technical notices, updates, security alerts, and support and administrative messages. Additionally, to communicate with you by letter, email, text, telephone, or other forms of communication, including on behalf of your Provider(s), to facilitate telehealth services. | Contact information, demographic data, payment information, content and files, identifiers and device information, geolocation data, usage data, inferences. Sensitive information: government ID, account access information, contents of communications. |
| Marketing. To communicate with you about new services, offers, promotions, rewards, contests, upcoming events, and other information about our Service and those of our selected partners. | Contact information, demographic data, payment information, content and files, identifiers and device information, geolocation data, usage data, sensor data, inferences. Sensitive information: health data information, where permitted by law and only with your required consent, and solely for Cottonball’s first-party communications to you. |
| Advertising. To promote and market Cottonball, the Service, and the products and/or services offered via the Service. | Contact information, demographic data, identifiers and device information, geolocation data, usage data, inferences. Sensitive information: health data information, where permitted by law and only with your required consent, and solely for Cottonball’s first-party communications to you. |

Cottonball may use health-related or other sensitive personal information for first-party marketing communications sent directly by Cottonball to existing customers, where required consent has been obtained. Cottonball does not disclose or share health-related or other sensitive personal information with third parties for advertising or targeted advertising purposes.

We combine data we collect from different sources for these purposes, and to give you a more seamless, consistent, and personalized experience.

Additionally, we may use information about your browsing and other activity on the Platform to promote and market Cottonball, the Service, and the products and/or services offered via the Service, as well as to measure our advertising and marketing efforts. Depending on your activity on the Service, this may include information related to you visiting health-related pages on the Service. In some states, we may be required to obtain your consent prior to using information that constitutes sensitive personal information. While we may use information about your browsing activity on health-related pages, we do not use Protected Information for advertising or marketing.

De-Identified Information. We may de-identify personal information in accordance with applicable law. Where information has been de-identified such that it cannot reasonably be used to identify an individual, we may use or disclose that information for product improvement, analytics, research, or other internal purposes. When we disclose de-identified information to third parties, we require them to agree not to attempt to re-identify the information or combine it with other data in a manner that would re-identify any individual.

Disclosure of Personal Information

We disclose personal information with your consent or as we determine necessary to complete your transactions or provide the services you have requested or authorized. Subject to the limitations described in the “Cookies, Mobile IDs, and Similar Technologies” section above, we may disclose each of the categories of personal information described above, to the types of third parties described below, in connection with the provision of the Service or as otherwise permitted or required by law. For example, we may disclose information about you to:

  • Service providers. We provide personal information to vendors or agents working on our behalf for the purposes described in this Privacy Policy. For example, companies we’ve hired to provide customer service support or assist in protecting and securing our systems and Services may need access to personal information to provide those functions.

  • Marketing/Ad Partners. We may provide limited, non-health-related information to advertising and attribution partners solely to measure the effectiveness of our advertising campaigns and to attribute traffic or conversions. For example, when you arrive at our website via an advertisement, we may receive or pass through a non-personal click or campaign identifier (such as a click ID provided by an advertising platform) for attribution and analytics purposes. We do not provide Protected Information, health data, or other sensitive personal information to advertising partners for targeted advertising purposes, and we do not use web-based tracking pixels or similar technologies to transmit health-related information to advertising platforms. Advertising partners do not receive information about your medical conditions, intake responses, or use of telehealth services through the Service.

  • Financial services & payment processing. When you provide payment data, for example to make a purchase, we will disclose payment and transactional data to banks and other entities as necessary for payment processing, fraud prevention, credit risk reduction, analytics, or other related financial services. For more information about such disclosures, please see the “Disclosure of Personal Information” section above.

  • Affiliates. We enable access to personal information across our subsidiaries, affiliates, and related companies, for example, where we share common data systems or where access helps us to provide the Service and operate our business.

  • The Pharmacies, Medical Groups, or their Providers. We facilitate information disclosure between you and the Medical Groups, Pharmacies, Providers, and Labs, as applicable, to enable them to provide services to you via the Service and to collect payment on their behalf.

  • Corporate transactions. We may disclose personal information as part of a corporate transaction or proceeding such as a merger, financing, acquisition, bankruptcy, dissolution, or a transfer, divestiture, or sale of all or a portion of our business or assets.

  • Legal and law enforcement. We will access, disclose, and preserve personal information when we believe that doing so is necessary to comply with applicable law or respond to valid legal process, including from law enforcement or other government agencies.

  • Security, safety, and protecting rights. We will disclose personal information if we believe it is necessary to:

    • protect our customers and others, for example to prevent spam or attempts to commit fraud, or to help prevent the loss of life or serious injury of anyone;

    • operate and maintain the security of our Service, including to prevent or stop an attack on our computer systems or networks; or

    • protect the rights or property of ourselves or others, including enforcing our agreements, terms, and policies.

Third party analytics and advertising companies also collect personal information through our website and apps including identifiers and device information (such as cookie IDs, device IDs, and IP address), geolocation data, usage data, and inferences based on and associated with that data, as described in the “Cookies” section of this Privacy Policy. These third-party vendors may combine this data across multiple sites to improve analytics for their own purpose and others. For example, we use Google Analytics on our website to help us understand how users interact with our website; you can learn how Google collects and uses information at www.google.com/policies/privacy/partners

Other third-party analytics and advertising providers we use on our websites include, for example:

| Company/Service | Purpose(s) | Privacy Notices | Manage Settings (opt-out) |
| --- | --- | --- | --- |
| Google (DoubleClick) | Advertising, analytics | https://policies.google.com/technologies/partner-sites | https://adssettings.google.com/ |
| X (formerly Twitter) Advertising | Advertising | https://www.facebook.com/privacy/explanation | https://www.facebook.com/settings?tab=ads |
| Google Analytics | Analytics; site performance; attribution | https://www.google.com/policies/privacy/partners | https://tools.google.com/dlpage/gaoptout |
| TikTok Advertising | Advertising; attribution and campaign performance measurement | https://www.tiktok.com/legal/page/global/privacy-policy/en | https://support.tiktok.com/en/account-and-privacy/personalized-ads-and-data/control-your-off-tiktok-data |

Advertising partners listed above receive limited, non-health-related information (such as click or campaign identifiers) for attribution and measurement only, and do not receive Protected Information or health data.

Some of the data disclosures to these third parties may be considered a "sale" or "sharing" of personal information as defined under the laws of California and other U.S. states. Please see the "Choice and Control" and "California Privacy Rights" sections below for more details.

Please note that some aspects of the Service also include integrations, references, or links to services provided by third parties whose privacy practices differ from ours. If you provide personal information to any of those third parties, or allow us to share personal information with them, that information is governed by their privacy statements.

Finally, we may disclose de-identified information in accordance with applicable law.

How We Share and Disclose Your Information

We may share your information for our business purposes in the following ways:

  • Affiliates and Subsidiaries. We may enable access to personal information across any subsidiaries, affiliates and related companies, for example where we share common data systems or where access helps us to provide our Services and operate our business.

  • The Pharmacies, Medical Groups or their Providers. We facilitate information disclosure between you and the Pharmacies, the Medical Groups or their Providers, as applicable, to enable them to provide services to you via the Service including pharmacy services, upon your request.

  • Service Providers. We provide personal information to vendors or agents working on our behalf for the purposes described in this Privacy Policy. They provide a variety of services to us, including billing, content/service enhancements, sales, marketing, advertising, analytics, research, customer service, shipping and fulfillment, data storage, IT and security, fraud prevention, payment processing, and auditing, consulting, and legal services. These entities may also include health care organizations, pharmacies, and other third parties we use to support our business or in connection with the administration and support of the Service.

  • Marketing/Ad Partners. We may share limited, non-health-related information with advertising and attribution partners solely to measure the effectiveness of our advertising campaigns and to attribute traffic or conversions. For example, when you arrive at our website via an advertisement, we may receive or pass through a non-personal click or campaign identifier (such as a click ID provided by an advertising platform) for attribution and analytics purposes. We do not share Protected Information, health data, or other sensitive personal information with advertising partners for targeted advertising purposes, and we do not use web-based tracking pixels or similar technologies to transmit health-related information to advertising platforms. Advertising partners do not receive information about your medical conditions, intake responses, or use of telehealth services through the Service.

  • Financial Services & Payment Processing. When you provide payment data, for example to make a purchase, we will disclose payment and transactional data to banks and other entities as necessary for payment processing, fraud prevention, credit risk reduction, analytics or other related financial services.

  • Corporate Transactions. We may disclose personal information as part of a corporate transaction or proceeding such as a merger, financing, acquisition, bankruptcy, dissolution, or a transfer, divestiture, or sale of all or a portion of our business or assets.

  • Legal and Law Enforcement. We will access, disclose, and preserve personal information when we believe that doing so is necessary to comply with applicable law or respond to valid legal process, including from law enforcement or other government agencies.

  • Security, Safety, and Protecting Rights. We will disclose personal information if we believe it is necessary to:

    • protect our customers and others, for example to prevent spam or attempts to commit fraud, or help prevent the loss of life or serious injury to anyone;

    • operate and maintain the security of our Service, including to prevent or stop an attack on our computer systems or networks; or

    • protect the rights or property of Cottonball or others, including enforcing our agreements, terms and policies.

Choice and Control of Personal Information

We provide a variety of ways for you to control the personal information we hold about you, including choices about how we use that data. In some jurisdictions, these controls and choices may be enforceable as rights under applicable law.

Access, portability, correction, and deletion. If you wish to access, copy, download, correct, or delete personal information about you that we hold, please email us at privacy@cottonball.com. If you are unable to access, copy, correct, or delete certain personal information we have via those means, you can send us a request by using contact methods described at the bottom of this Privacy Policy.

Communications preferences. You can choose whether to receive promotional communications from us by email or SMS. If you receive promotional email or SMS messages from us and would like to stop, you can do so by following the directions in that message or by contacting us as described in the “Contacting Us” section below. These choices do not apply to certain informational communications including surveys and mandatory service communications.

Targeted advertising. There are certain browser and platform controls that may be available to you in order to opt-out from or otherwise control targeted advertising as described below. You can use the opt-out controls offered by the organizations our advertising partners may participate in, which you can access at:

You can use the other cookie or mobile ID controls described below.

These choices are specific to the device or browser you are using. If you access our Services from other devices or browsers, you will need to take these actions from those systems to ensure your choices apply to the data collected when you use those systems.

Right to Opt-Out of Sale/Sharing/Targeted Advertising.

Some state laws give you the right to opt-out of the “sale” or “sharing” of your personal information or the use of your personal information for targeted advertising. Cottonball provides a unified mechanism to exercise these rights. To opt out, please visit “Do Not Sell My Personal Information” at the bottom of our website or enable a browser that sends a Global Privacy Control (GPC) signal, which we honor as a valid request to opt-out of sale/sharing/targeted advertising.

Browser or platform controls.

  • Cookie controls. Most web browsers are set to accept cookies by default. If you prefer, you can go to your browser settings to learn how to delete or reject cookies. If you choose to delete or reject cookies, this could affect certain features or services of our website. If you choose to delete cookies, settings and preferences controlled by those cookies, including advertising preferences, may be deleted and may need to be recreated.

  • Global Privacy Control. Some browsers and browser extensions support the “Global Privacy Control” (GPC) or similar controls that can send a signal to the websites you visit indicating your choice to opt-out from certain types of data processing, including data sales and/or targeted advertising, as specified by applicable law. When we detect such a signal, we honor your choices indicated by a GPC setting or similar control that is recognized by regulation or otherwise widely acknowledged as a valid opt-out preference signal.

  • Do Not Track. Some browsers include a “Do Not Track” (DNT) setting that can send a signal to the websites you visit indicating you do not wish to be tracked. Unlike the GPC described above, there is not a common understanding of how to interpret the DNT signal; therefore, our websites do not respond to browser DNT signals.

  • Mobile advertising ID controls. iOS and Android operating systems provide options to limit tracking and/or reset the advertising IDs.

Email web beacons. Most email clients have settings that allow you to prevent the automatic downloading of images, including web beacons, which prevents the automatic connection to the web servers that host those images.

Except for the automated controls described above, if you send us a request to exercise your rights or these choices, to the extent permitted by applicable law, we may decline requests in certain cases. For example, we may decline requests where granting the request would be prohibited by law, could adversely affect the privacy or other rights of another person, would reveal a trade secret or other confidential information, or would interfere with a legal or business obligation that requires retention or use of the data. Further, we may decline a request where we are unable to authenticate you as the person to whom the data relates, the request is unreasonable or excessive, or where otherwise permitted by applicable law. If you receive a response from us informing you that we have declined your request, in whole or in part, you may appeal that decision by submitting your appeal using the contact method described at the bottom of this Privacy Policy.

Finally, please note that this Privacy Policy applies to your "personal information." To understand our information practices and your rights specific to "medical information" and "information," visit: https://cottonball.com/legal/consumer-health-data

Jurisdictional Issues

The Service may only be used within certain states within the United States as described in our Terms of Service. Accordingly, this Privacy Policy, and our collection, use, and disclosure of information about you, is governed by U.S. law.

Consumer Health Data. Certain state laws, including those in Washington and Nevada, regulate “consumer health data” and provide consumers with additional rights regarding such data. Cottonball maintains a separate Consumer Health Data Privacy Policy that describes our collection, use, disclosure, and retention of consumer health data, as well as the rights available to residents of those states. To the extent you provide consumer health data to Cottonball, that information is handled in accordance with our Consumer Health Data Privacy Policy, which supplements this Privacy Policy. You may review that policy here:

California Privacy Rights

If you are a California resident and the processing of personal information about you is subject to the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) (collectively, the “CCPA”), you have certain rights with respect to that information.

Notice at Collection. At or before the time of collection, you have a right to receive notice of our practices, including the categories of personal information and sensitive personal information to be collected, the purposes for which such information is collected or used, whether such information is sold or shared, and how long such information is retained. You can find those details in this Privacy Policy by clicking on the above links.

Right to Know. You have a right to request that we disclose to you the personal information we have collected about you. You also have a right to request additional information about our collection, use, disclosure, or sale of such personal information. Note that we have provided much of this information in this Privacy Policy. You may make such a "request to know" by emailing us at privacy@cottonball.com.

Rights to Request Correction or Deletion. You also have rights to request that we correct inaccurate personal information and that we delete personal information under certain circumstances, subject to a number of exceptions. To make a request to correct or delete, email us at privacy@cottonball.com.

Right to Opt-Out / "Do Not Sell or Share My Personal Information". You have a right to opt-out from future "sales" or "sharing" of personal information as those terms are defined by the CCPA.

Note that the CCPA defines "sell," "share," and "personal information" very broadly, and some of our data sharing described in this Privacy Policy may be considered a "sale" or "sharing" under those definitions. In particular, we let advertising and analytics providers collect identifiers (IP addresses, cookie IDs, and mobile IDs), activity data (browsing, clicks, app usage, non-product identifying transaction data), device data, and geolocation data through our sites and apps when you use our Services, but do not “sell” or “share” any other types of personal information. If you do not wish for us or our partners to "sell" or "share" personal information relating to your visits to our sites for advertising purposes, you can make your request by emailing us at privacy@cottonball.com or using a Global Privacy Control. If you opt-out using these choices, we will not share or make available such personal information in ways that are considered a "sale" or "sharing" under the CCPA. However, we will continue to make available to our partners (acting as our service providers) some personal information to help us perform advertising-related functions. Further, using these choices will not opt you out of the use of previously “sold” or “shared” personal information or stop all interest-based advertising.

We do not knowingly sell or share the personal information of minors under 16 years of age.

Right to Limit Use and Disclosure of Sensitive Personal Information. You have a right to limit our use of sensitive personal information for any purposes other than to provide the services or goods you request or as otherwise permitted by law.

To opt-out from such additional purposes, please visit "Your Privacy Choices" on the bottom of our webpage or use the Global Privacy Control described in the "Choice and Control" section of this Privacy Policy.

You may designate, in writing or through a power of attorney, an authorized agent to make requests on your behalf to exercise your rights under the CCPA. Before accepting such a request from an agent, we will require the agent to provide proof you have authorized it to act on your behalf, and we may need you to verify your identity directly with us.

Further, to provide, correct, or delete specific pieces of personal information we will need to verify your identity to the degree of certainty required by law. We will verify your request by asking you to send it from the email address associated with your account or requiring you to provide information necessary to verify your account. This security measure is in place to ensure that Personal Information is not disclosed to any person who has no right to receive it.

No Fee (Usually) Required

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). But we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

Right to Withdraw Consent

In the limited circumstances where you may have provided your consent to the collection, processing, or transfer of your personal information for a specific purpose, you have the right to withdraw your consent to that specific processing at any time. In most cases, a way to withdraw consent should be readily apparent; for example, you can opt out of marketing emails by unsubscribing or can change your cookie settings at any time. Any questions or requests to withdraw consent that are not apparent should be directed to privacy@cottonball.com. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes to which you originally agreed, unless we have another legitimate basis under the law for doing so.

Finally, you have a right to not be discriminated against for exercising these rights set out in the CCPA.

Additionally, under California Civil Code section 1798.83, also known as the "Shine the Light" law, California residents who have provided personal information to a business with which the individual has established a business relationship for personal, family, or household purposes ("California Customers") may request information about whether the business has disclosed personal information to any third parties for the third parties’ direct marketing purposes.

Please be aware that we do not disclose personal information to any third parties for their direct marketing purposes as defined by this law. California Customers may request further information about our compliance with this law by emailing privacy@cottonball.com. Please note that businesses are required to respond to one request per California Customer each year and may not be required to respond to requests made by means other than through the designated email address.

Miscellaneous

No service, organization, website, or storage of personal information is completely secure. Although we strive to use reasonable physical, technical, and administrative measures to protect information from unauthorized access, use, disclosure, alteration, and destruction, we do not guarantee that your personal information is entirely secure. You are responsible for the security and confidentiality of your account password, and you are responsible for any and all use of your account. To help us protect personal information, we request that you use a strong password and never share your password with anyone or use the same password with other sites or accounts. If you have reason to believe that the security of your account has been compromised, please notify us immediately in accordance with the "Contacting Us" section below.

When using the Service, you may choose not to provide us with certain information, but this may limit the features you are able to use or may prevent you from using the Service altogether. You may also choose to opt out of receiving certain communications (e.g., newsletters, promotions) by emailing us your preference. Please note that even if you opt out, we may still send you Service-related communications.

Retention of Your Information

We retain personal information for no longer than is reasonably necessary to fulfill the purposes for which it was collected, including to provide the Service, comply with legal and contractual obligations, resolve disputes, protect our rights, and maintain business records. Different categories of information may be retained for different periods depending on the nature of the information, how it is used, and the legal requirements that apply to it.

  • Protected Information / PHI. Health-related information that we create or receive in our capacity as a business associate of the Medical Group or Providers is retained and disposed of in accordance with HIPAA and applicable state medical-record retention laws. This may include retention for a period required by state professional regulations (which commonly range from six to ten years), or longer if necessary to comply with legal obligations or at the direction of the Medical Group.

  • Account and Transaction Information. Information related to your account, identity verification, purchases, or subscriptions is retained for as long as your account is active and for a reasonable period thereafter to comply with tax, accounting, fraud-prevention, or legal requirements.

  • Communications and Customer Support Records. Emails, chat logs, and other communications may be retained as necessary to provide the Service, maintain service quality, document transactions, comply with legal obligations, and detect or prevent fraud or abuse.

  • Marketing and Website Usage Data. Information collected for analytics, personalization, or marketing is retained for the period necessary to fulfill those purposes, unless a longer period is required to comply with law or internal audit, security, or fraud-prevention requirements. Marketing and analytics information is de-identified or deleted when no longer needed.

  • De-Identified Information. Where data has been de-identified in accordance with applicable law, we may retain and use that information without time limitation, and we contractually prohibit recipients of de-identified information from attempting to re-identify the data.

We apply industry-standard safeguards to securely retain and dispose of personal information and take reasonable steps to delete or de-identify information once the applicable retention period expires, unless a longer retention period is required or permitted by law (for example, in connection with litigation holds, regulatory obligations, or to enforce our agreements).

Revisions to Our Privacy Policy

We reserve the right to change this Privacy Policy at any time to reflect changes in the law, our data collection and use practices, the features of our Services, or advances in technology. We will make the revised Privacy Policy accessible through the Service, so you should review it periodically. The date this Privacy Policy was last revised is identified at the top of the document. You are responsible for periodically monitoring and reviewing any updates to the Privacy Policy. If we make a material change to the Privacy Policy, we will provide you with appropriate notice in accordance with legal requirements. Your continued use of our Website after such amendments (and notice, where applicable) will be deemed your acknowledgment of these changes to this Privacy Policy.

Contacting Us

If you have any questions about this Privacy Policy or Cottonball's privacy practices, please contact us at:

Spotbrands Group, Inc. 1266 E Main St, Suite 700R Stamford, CT, 06902

Phone: 888.706.5650

Email: privacy@cottonball.com
