Privacy Policy
Last updated 2026-05-30. This Privacy Policy explains how MN Generation Inc. ("MN Generation", "we", "us", "our") collects, uses, stores, shares and protects your personal information when you visit mngeneration.com, use our mobile apps, or interact with us in any way. We comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), and all other applicable US state and federal privacy laws.
1. Who we are (data controller)
The data controller responsible for your personal information is MN Generation Inc., registered in Delaware, United States. For all privacy matters, including requests to exercise your rights, contact us at [email protected].
For EU residents, our representative under Article 27 GDPR can be reached at the same address. We do not currently appoint a Data Protection Officer because we do not meet the GDPR threshold for mandatory appointment, but our privacy team handles all enquiries within 30 days.
2. Information we collect
We collect the following categories of personal information:
| Category | Examples | Source |
|---|---|---|
| Identity & contact | Name, email, phone, billing & shipping address | Provided by you at account, checkout, or contact form |
| Order & transaction | Items purchased, order total, currency, order history, returns | Generated when you place an order |
| Payment | Last 4 digits of card, card brand, payment status (we never see full PAN, CVV, or PIN) | Captured by Stripe and returned to us as a token |
| Account credentials | Email, hashed password, login timestamps | Provided by you when you create an account |
| Device & technical | IP address, user agent, device type, language, time zone, screen size | Automatically collected when you visit the site |
| Usage & analytics | Pages viewed, products clicked, search queries, time on page, referrer | Self-hosted Umami analytics (no Google), first-party cookies |
| Marketing preferences | Email opt-in status, abandoned-cart triggers | Provided by you, or inferred from on-site behaviour |
| Support communications | Emails, chat transcripts, attached photos | Provided by you when you contact customer service |
We do not knowingly collect special-category data (health, biometric, genetic, racial, religious, sexual orientation, political opinions) and ask that you do not submit such information to us.
3. How we use your information (purposes & legal basis)
We process your personal information for the following purposes. For users in the EU/UK, the legal basis under GDPR Article 6 is shown in brackets.
- Fulfilling your orders — processing payment, shipping, returns, customer service (Art. 6(1)(b) — contract).
- Account management — authentication, password recovery, order history (Art. 6(1)(b) — contract).
- Fraud prevention & security — detecting unusual payment patterns, blocking abuse (Art. 6(1)(f) — legitimate interest in protecting our business and customers).
- Site analytics — understanding aggregate usage to improve UX and performance (Art. 6(1)(f) — legitimate interest; EU/UK visitors are given a cookie banner choice).
- Marketing emails & abandoned-cart reminders — sent only with your explicit opt-in (Art. 6(1)(a) — consent). You can withdraw consent at any time via the unsubscribe link.
- Legal compliance — tax records, accounting, responding to lawful requests (Art. 6(1)(c) — legal obligation).
4. Who we share your information with
We share personal information only with the following categories of recipients, and only to the extent necessary for the purpose:
| Recipient | Purpose | Location |
|---|---|---|
| Stripe Inc. | Payment processing (PCI-DSS Level 1) | United States |
| Shipping carriers (UPS, USPS, FedEx, DHL, regional) | Delivering your order | Global, depending on destination |
| Email service provider (Postmark / SendGrid) | Transactional and marketing emails | United States |
| Cloudflare Inc. | CDN, DDoS protection, WAF (IP & request logs) | Global |
| Hosting provider (BitLaunch / Hetzner) | Server infrastructure for the website | United States / European Union |
| Self-hosted Umami | First-party analytics (no third-party trackers) | On our own infrastructure |
| Professional advisors | Lawyers, accountants, auditors (under confidentiality) | United States |
| Law enforcement | Only in response to a lawful subpoena, court order or warrant | As required |
We do not sell or rent your personal information to third parties, and we do not share it for cross-context behavioural advertising. Under the CCPA/CPRA, this means we do not “sell” or “share” your information as those terms are defined in California law.
5. International data transfers
We are headquartered in the United States and our primary servers and subprocessors (including Stripe) are located in the United States. When we transfer personal information from the European Economic Area, the United Kingdom or Switzerland to the United States or any other country that has not received an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (SCCs, Decision 2021/914) and supplementary measures including encryption in transit and at rest, access logging, and contractual restrictions on subprocessor access.
A copy of the relevant SCCs is available on request from [email protected].
6. How long we keep your information
| Data category | Retention period | Reason |
|---|---|---|
| Order & transaction records | 7 years | US tax law (IRS) and accounting standards |
| Account data (if active) | Until you close the account + 90 days | To support your ongoing relationship with us |
| Account data (if inactive) | 3 years from last login, then deleted | Data minimisation |
| Marketing consent records | As long as opt-in is active + 3 years | Proof of consent under GDPR |
| Support tickets & chat transcripts | 2 years | Quality assurance & dispute defence |
| Server access logs (incl. IP) | 30 days, then aggregated | Security & abuse detection |
| Analytics data (Umami) | 13 months | Trend analysis without long-term tracking |
7. Your rights
Subject to the laws applicable to you, you have the following rights in relation to your personal information:
- Access — request a copy of the personal information we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure (“right to be forgotten”) — ask us to delete your data, subject to retention obligations above.
- Restriction of processing — ask us to pause certain processing while a dispute is resolved.
- Portability — receive your data in a structured, machine-readable format and/or have it transmitted to another controller.
- Object — object to processing based on legitimate interest, including marketing.
- Withdraw consent — at any time, without affecting the lawfulness of processing before withdrawal.
- CCPA/CPRA-specific (California) — right to know, right to delete, right to correct, right to opt out of sale or sharing (we do neither), right to limit use of sensitive personal information (we collect none), and right to non-discrimination for exercising any of these rights.
- Complain — lodge a complaint with your supervisory authority. EU residents: your local Data Protection Authority. UK: the Information Commissioner's Office (ico.org.uk). California: the California Privacy Protection Agency (cppa.ca.gov).
To exercise any of these rights, email [email protected] from the address associated with your account. We respond within 30 days (45 days under CCPA, extendable by 45 more for complex requests). We do not charge a fee unless the request is manifestly unfounded or excessive.
8. Security
We protect your information using TLS 1.2+ in transit, AES-256 at rest, hashed and salted passwords (Argon2id), least-privilege access controls, automated dependency scanning and a Web Application Firewall in front of all customer-facing endpoints. Payment card data is never stored on our servers — Stripe handles tokenisation in their PCI-DSS Level 1 environment.
If we ever become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (GDPR Art. 33) and notify you directly without undue delay if the risk is high.
9. Cookies & tracking
We use first-party cookies for cart persistence, login session, and self-hosted analytics (Umami). We do not use Google Analytics, Meta Pixel, TikTok Pixel or any third-party advertising trackers. See our full Cookie Policy for the complete list, the categories, and how to opt out.
10. Children
Our services are not directed to children under 16, and we do not knowingly collect personal information from children under 16. If you believe we have collected information from a child, contact us and we will delete it without delay.
11. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be notified to you by email (where you have provided one) and via a banner on the site for at least 30 days. The date at the top of this page always reflects the latest version.
12. Contact
For any privacy question or to exercise any of your rights, email [email protected]. For non-privacy matters (orders, returns, shipping), use [email protected] or the contact page.