Nature's Care
Last updated May 2026

Privacy policy.

The short version: we collect what we need to ship orders, process payments, and stay 21+ compliant. We don't sell data. You can see what we have on you, export it, or delete your account anytime — buttons on your account page.

The 30-second summary

  • We store your name, contact info, addresses, and order history.
  • We do not store your card number, expiration date, or CVV. Card data goes from your browser straight to Authorize.net — never touches our servers.
  • We share data with the partners who actually fulfill your order: shipping carriers, payment processor, email/SMS senders. Nothing else.
  • We don't sell data. We don't trade it. We don't use it to retarget you on Facebook.
  • You can self-serve at /account/privacy: see what's stored, export it as JSON, or request account deletion.

Exactly what we store

For full transparency, here's every field type we keep in our database for a customer:

Account & contact

  • Email address (login + transactional)
  • First and last name
  • Phone number (optional; required for SMS order updates)
  • Date of birth (one-time, used to confirm 21+ at signup; we don't display or reshare it)
  • Hashed password (we never see your plaintext password)
  • Account-creation date, last-login date

Addresses

  • Every shipping and billing address you add (line 1, line 2, city, state, ZIP, country, optional phone)
  • A frozen snapshot of the shipping/billing address used on each order — kept even if you later delete the address book entry, so the order record stays complete (legal requirement for hemp shipments)

Payment cards (the safe parts only)

When you choose "Save this card for future orders," we store:

  • Brand: Visa / Mastercard / Amex / Discover
  • Last 4 digits: ****4242
  • Expiration month + year (for "card expires soon" UI hints)
  • An opaque token from Authorize.net (their vault ID — we use it to charge the card on repeat purchases, but cannot read the card number from it)

We do not store: the full card number, the CVV, the cardholder name as it appears on the card, the magnetic stripe data, or any field that would let us — or a hacker who got our database — reconstruct the card.

This is enforced by our integration: card data is encrypted in your browser by Authorize.net's Accept.js and sent directly to their PCI DSS vault. We get back an opaque nonce, charge with it, and store only the vault handle.

Orders

  • Order number, items purchased, prices paid, discounts applied
  • Fulfillment method (curbside / delivery / shipping)
  • Tracking carrier + number, when applicable
  • Status history (paid → processing → shipped → delivered, with timestamps)
  • Loyalty points earned and redeemed
  • Any customer notes you left at checkout

Marketing preferences

  • Email opt-in / opt-out (default: opt-out)
  • SMS opt-in / opt-out (default: opt-out)
  • STOP-keyword opt-out: when you reply STOP to any SMS, we permanently flag your phone and never message it again — for any reason

Technical

  • IP address of orders placed (fraud + chargeback investigation only)
  • Browser/device fingerprint (rough — for "is this the same customer signing in from a new device")
  • Cart contents (so your cart survives across sessions)

Who we share it with

We share the minimum necessary data with these third parties to fulfill orders. We have data-processing agreements (or equivalent contractual commitments) with each:

  • Authorize.net (CyberSource / Visa) — payment processing. Receives your name + billing address + card data (which never touched us in the first place).
  • USPS — shipping. Receives your shipping address + order weight class.
  • Resend — transactional email delivery. Receives your email address + the email body.
  • Sakari — SMS delivery for order updates and (with your opt-in) marketing. Receives your phone number + the message text.
  • Vercel — application hosting. Standard cloud-infrastructure access; sees data in transit but does not retain copies.
  • Supabase — database hosting (Postgres on AWS). Data at rest is encrypted; access is logged.
  • PostHog — anonymous product analytics. Sees pseudonymized events ("a logged-in user added an item to cart"), not personal data.

We do not sell, rent, or trade your data. We do not give it to advertisers, data brokers, or analytics platforms for cross-site tracking. The CCPA "Do Not Sell" right is honored automatically because there's nothing to sell.

How long we keep it

  • Orders: 7 years (IRS + state sales-tax audit window).
  • Account profile: until you request deletion, then 30 days, then purged.
  • STOP-keyword opt-out list: indefinitely (TCPA compliance — we must be able to prove you opted out).
  • Cart contents: 90 days since last activity, then purged.
  • Login/security audit log: 1 year.

Cookies

We use first-party cookies for cart persistence, session login, age verification, and feature flags. We do not use third-party tracking cookies, advertising pixels, or cross-site tracking. Your activity on buds.fun stays on buds.fun.

Your rights — and how to exercise them

You have the right to know what we have on you, get a copy, correct it, and delete it. To exercise any of these:

  • See what we have: sign in and visit /account/privacy. You'll see a complete summary of the data on file.
  • Export your data: same page — tap "Export my data" and we'll deliver a JSON file you can download. Includes orders, addresses, opt-ins, the works.
  • Correct your data: edit it directly in the relevant account section (addresses, contact info, notification preferences).
  • Delete your account: tap "Delete my account" on the privacy page. We confirm via email, then permanently purge your profile (except records we're legally required to keep — see retention above).
  • Stop SMS marketing: reply STOP to any of our messages. Instant. We can't unsend the STOP — it's permanent until you opt back in.

California (CCPA), Virginia (VCDPA), Colorado (CPA), and Connecticut (CTDPA) residents have additional state-level rights. We honor them for any U.S. resident regardless of state — it's simpler than treating customers differently by ZIP. EU/UK residents covered under GDPR/UK GDPR receive the same treatment plus 30-day response windows for DSR requests.

Children

This site is 21+ only. We do not knowingly collect data from anyone under 21 — and the age gate at signup blocks underage accounts. If you believe a minor has registered, contact us and we'll purge the account immediately.

Changes to this policy

If we make material changes (new sub-processors, new categories of data collected, different retention windows), we'll notify account holders by email at least 30 days before the change takes effect. Cosmetic edits (typos, clarification, link updates) we'll log here without a separate notice.

Contact

Questions, complaints, or DSR requests via mail:

Privacy Officer
Nature's Care, LLC
2425 Beatties Ford Road
Charlotte, NC 28216
(704) 893-5000
hello@buds.fun (subject: "Privacy Request")

We respond to DSR requests within 30 days. Anything urgent (suspected breach, unauthorized access to your account), email directly with "URGENT" in the subject.