Privacy Policy

This privacy policy has been compiled to better serve those who are concerned with how their 'Personally Identifiable Information' (PII) is being used online. PII, as used in US privacy law and information security, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. Please read our privacy policy carefully to get a clear understanding of how we collect, use, protect, or otherwise handle your Personally Identifiable Information in accordance with our website.

AGE VERIFICATION AND COMPLIANCE

Plain Jane is committed to responsible distribution of hemp-derived products and compliance with federal and state regulations. All customers must verify they are 21 years of age or older before accessing our website or purchasing products.

What Information We Collect for Age Verification

When you verify your age on our website, we collect and store the following information:

  • Date of Birth: We collect your full date of birth to calculate your age. Your complete date of birth is cryptographically hashed (converted to a secure, irreversible code) and never stored in readable format. Only your birth year is stored in readable form for age analytics.
  • State of Residence: We collect your state of residence to ensure compliance with state-specific hemp regulations and shipping restrictions.
  • IP Address: We record your IP address at the time of age verification for fraud prevention and legal compliance purposes.
  • Device Information: We collect your device type, browser information, screen resolution, and other technical details to create a browser fingerprint for fraud detection and security purposes.
  • Consent Record: We record the timestamp of your verification, your explicit consent confirmation, and which version of our Terms of Use and Privacy Policy you agreed to at the time of verification.
  • Verification Integrity Data: We create cryptographic hashes (secure digital signatures) of your verification data to ensure it cannot be tampered with, providing legal protection for both you and Plain Jane.

How We Use Age Verification Information

We use your age verification information to:

  • Verify you meet the minimum age requirement (21 years or older) to purchase hemp products as required by federal and state law.
  • Comply with federal and state hemp, CBD, and cannabis regulations.
  • Prevent underage access to age-restricted products.
  • Detect and prevent fraudulent verification attempts and protect against identity theft.
  • Respond to regulatory inquiries from state attorneys general, federal agencies, or law enforcement.
  • Maintain audit records demonstrating our compliance efforts and due diligence.
  • Improve our verification process and user experience.

Legal Basis for Age Verification Processing

We process age verification data under the following legal bases:

  • Legal Obligation: Federal and state laws require age verification for hemp product sales.
  • Legitimate Interest: We have a legitimate business interest in preventing underage sales and maintaining regulatory compliance.
  • Contract Necessity: Age verification is necessary to fulfill our contract with you, as we cannot legally sell to individuals under 21 years of age.

How We Store Age Verification Data

Your age verification information is stored in multiple locations to ensure both user convenience and legal compliance:

  • Browser Storage: A verification flag is stored in your browser's local storage for 7 days to prevent repeated verification requests during return visits. This data remains on your device only and can be cleared by clearing your browser data.
  • Cookies: We store an "age_verified" cookie (expires in 7 days) and a "customer_state" cookie (expires in 30 days) to remember your verification status and state selection.
  • Order Records: When you place an order, your age verification data is attached to your order record as "order attributes" in our Shopify system. This includes your verification timestamp, state, birth year (not full date of birth), cryptographic hashes, IP address, and consent confirmation.
  • Denial Logs: If you are denied access (for example, if you are under 21 years old), we log the denial attempt including timestamp, state, calculated age (if provided), and IP address in a secure external database (Google Sheets) for compliance auditing and fraud detection.

Age Verification Data Security

We take the security of your age verification data seriously:

  • Your actual date of birth is never stored in plaintext or readable format. It is cryptographically hashed using SHA-256 encryption, which is a one-way process that cannot be reversed.
  • We create integrity hashes that act as tamper-evident seals on your verification records, making it impossible to modify the data without detection.
  • All data transmission between your browser and our servers uses TLS/SSL encryption.
  • Access to verification logs and order data is restricted to authorized compliance personnel only.
  • We regularly audit our security practices to ensure the protection of your data.

Age Verification Data Retention

Age verification data is retained as follows:

  • Browser Verification: 7 days (or until you clear your browser data).
  • Order Verification Data: Retained with your order record for 7 years per tax, accounting, and legal compliance requirements under federal and state law.
  • Denial Logs: Retained for 3 years for regulatory compliance, fraud prevention, and to demonstrate due diligence to regulatory authorities.

How We Share Age Verification Data

We do not sell or share your age verification data with third parties for marketing purposes. We may share age verification data only in these limited circumstances:

  • Legal Compliance: We may disclose verification records to law enforcement agencies, regulatory authorities, or state attorneys general if legally required by subpoena, court order, or regulatory investigation.
  • Service Providers: We use ipify.org (a third-party service) to determine IP addresses for fraud prevention. We use Google Sheets for denial logging. These services receive only the limited technical data necessary to perform their functions and do not have access to your full verification records.
  • Business Transfers: If Plain Jane is acquired, merged with another company, or undergoes a business transfer, verification data may transfer to the new entity as part of our business records. The new entity will be required to honor this privacy policy.

Your Rights Regarding Age Verification Data

Depending on your location (particularly if you are a California resident under CCPA or a resident of another state with privacy laws), you may have the following rights:

  • Right to Access: You may request a copy of the age verification data we hold about you.
  • Right to Correction: If verification data is inaccurate, you may request correction. However, please note that tampering with or falsifying verification data may violate our Terms of Service and applicable laws.
  • Right to Deletion: You may request deletion of your verification data after the legal retention period expires (7 years for order data, 3 years for denial logs).
  • Right to Object: You may object to the processing of your verification data, though this may prevent you from using our website and purchasing products.
  • Right to Data Portability: You may request a copy of your verification data in a structured, machine-readable format.

To exercise these rights, contact us at privacy@plainjane.com with "Age Verification Data Request" in the subject line.

Failed Verification Logging

If you are denied access to our site (for example, if you are under 21 years old, do not select a state, or do not provide consent), we log the following information for compliance and fraud prevention purposes:

  • Timestamp of denial
  • Reason for denial (e.g., "underage," "no state selected," "no consent")
  • State selected (if provided)
  • Calculated age (if date of birth was entered)
  • IP address
  • Browser and device information (user agent string)
  • URL where denial occurred

This logging helps us:

  • Detect patterns of fraudulent access attempts or bot activity.
  • Demonstrate due diligence and good faith compliance efforts to regulators.
  • Identify and fix technical issues with our age verification system.
  • Analyze trends in underage access attempts to improve our protections.

Age Verification Cookies

Our age verification system uses the following cookies:

  • age_verified: Stores your verification status (true/false). Expires in 7 days. This prevents you from having to verify your age on every visit.
  • customer_state: Stores your selected state for shipping and compliance purposes. Expires in 30 days.

You can delete these cookies at any time through your browser settings. However, if you delete these cookies, you will need to verify your age again on your next visit to our website.

Children's Privacy and Age Verification

Plain Jane does not knowingly collect information from individuals under 21 years of age. Our age verification system is specifically designed to prevent access by minors. If we discover we have inadvertently collected information from someone under 21, we will delete it immediately. Parents or guardians who believe their child has accessed our site should contact us immediately at privacy@plainjane.com.

Changes to Age Verification Practices

We may update our age verification practices from time to time to comply with new regulations, improve security, or enhance user experience. When we make material changes to our age verification process, we will update the "consent_text_version" stored in our system and notify users through a notice on our website or via email (if we have your email address). Your continued use of our website after such changes constitutes acceptance of the updated practices.

Questions About Age Verification

If you have questions about our age verification practices, wish to exercise your privacy rights, or have concerns about your verification data, please contact:

Plain Jane Privacy Team
Email: privacy@plainjane.com
Subject Line: "Age Verification Inquiry"

For legal or compliance inquiries from regulatory agencies, please contact:
Email: legal@plainjane.com

What personal information do we collect from the people who visit our blog, website, or app?

When ordering or registering on our site, as appropriate, you may be asked to enter your name, email address, mailing address, phone number, credit card information or other details to help you with your experience. Additionally, to comply with federal and state law, we collect age verification information including your date of birth (stored as a cryptographic hash), state of residence, and IP address when you first visit our website. For complete details about age verification data collection, please see the "Age Verification and Compliance" section above.

When do we collect information?

We collect information from you when you first visit our site (age verification), when you register on our site, place an order, subscribe to a newsletter, or enter information on our site. Age verification occurs before you can browse our products and is required by federal and state hemp regulations.

How do we use your information?

We may use the information we collect from you when you register, make a purchase, sign up for our newsletter, respond to a survey or marketing communication, surf the website, or use certain other site features in the following ways:

  • To personalize users’ experience and to allow us to deliver the type of content and product offerings in which you are most interested.
  • To improve our website in order to better serve you.
  • To allow us to better serve you in responding to your customer service requests.
  • To administer a contest, promotion, survey, or other site feature.
  • To quickly process your transactions.
  • To verify you are 21 years of age or older as required by law.
  • To comply with federal and state hemp and CBD regulations.
  • To prevent underage access to age-restricted products.
  • To maintain compliance audit records for regulatory authorities.

How do we protect visitor information?

Our website is scanned on a regular basis for security holes and known vulnerabilities in order to make your visit to our site as safe as possible. We use regular “Malware Scanning”. We proudly use and support an active SSL certificate.

 

Do we use ‘cookies’?

Yes. Cookies are small files that a site or its service provider transfers to your computer’s hard drive through your Web browser (if you allow) that enable the site’s or service provider’s systems to recognize your browser and capture and remember certain information. For instance, we use cookies to help us remember and process the items in your shopping cart. They are also used to help us understand your preferences based on previous or current site activity, which enables us to provide you with improved services. We also use cookies to help us compile aggregate data about site traffic and site interaction so that we can offer better site experiences and tools in the future.

We use cookies to:

  • Help remember and process the items in the shopping cart.
  • Understand and save users’ preferences for future visits.
  • Keep track of advertisements.
  • Compile aggregate data about site traffic and site interactions in order to offer better site experiences and tools in the future. We may also use trusted third-party services that track this information on our behalf.
  • Remember your age verification status for 7 days to prevent repeated verification (age_verified cookie).
  • Store your selected state for compliance with state-specific regulations (customer_state cookie, expires in 30 days).

You can choose to have your computer warn you each time a cookie is being sent, or you can choose to turn off all cookies. You do this through your browser (like Internet Explorer) settings. Each browser is a little different, so look at your browser’s Help menu to learn the correct way to modify your cookies.

If you disable cookies, some website features will be disabled, including Webpage efficiency; however, ordering capabilities are not affected.

Third Party Disclosure

We do not sell, trade, or otherwise transfer to outside parties your personally identifiable information unless we provide you with advance notice. This does not include website hosting partners and other parties who assist us in operating our website, conducting our business, or servicing you, so long as those parties agree to keep this information confidential. For age verification purposes, we use ipify.org (for IP address lookup) and Google Sheets (for denial logging), which receive only limited technical data necessary for their functions. We may also release your information when we believe release is appropriate to comply with the law, enforce our site policies, or protect ours or others' rights, property, or safety. This includes disclosure to regulatory authorities such as state attorneys general or federal agencies if legally required.

However, non-personally identifiable visitor information may be provided to other parties for marketing, advertising, or other uses.

Third-party links

We do not include or offer third-party products or services on our website.

Google

Google’s advertising requirements can be summed up by Google’s Advertising Principles. They are put in place to provide a positive experience for users. To review these policies, please go to Google Support.

We use Google AdSense Advertising on our website. As a third-party vendor, Google uses cookies to serve ads on our site. Google’s use of DART cookies enables it to serve ads to our users based on their visits to websites. Users may opt out of the use of DART cookies by visiting the ads and their network privacy policies.

We have implemented the following:

  • Remarketing with Google AdSense
  • Google Display Network Impression Reporting
  • Demographics and Interests Reporting


We and third-party vendors, e.g., Google, use first and third-party cookies or other third-party identifiers to compile data regarding user interactions with ad impressions and other ad service functions relating to our website. Examples of such cookies are Google Analytics and DoubleClick.

Opting Out

Users can set preferences for how Google advertises to you using the Google Ad Settings page. Alternatively, you can opt out by visiting the Network Advertising Initiative opt-out page or permanently using the Google Analytics opt-out browser add-on.

California Online Privacy Protection Act

CalOPPA is the first state law in the nation to require commercial websites and online services to post a privacy policy. The law’s reach stretches well beyond California to require a person or company in the United States who operates websites that collect personally identifiable information from California consumers to post a conspicuous privacy policy on its website stating exactly the information being collected, those individuals with whom it is being shared, and to comply with this policy. For more information, please visit:

Consumer Federation of California Education Foundation

According to CalOPPA, we agree to the following:

Users can visit our site anonymously. Once this privacy policy is created, we will add a link to it on our home page, or at a minimum on the first significant page after entering our website.

Our Privacy Policy link includes the word ‘Privacy’, and can be easily found on the page specified above.

Users will be notified of any privacy policy changes on our Privacy Policy Page. 


Users can change their personal information:

By logging in to their account


How does our site handle “do not track” signals?

We don’t honor “do not track” signals and do not track, plant cookies, or use advertising when a Do Not Track (DNT) browser mechanism is in place. We don’t honor them because it is not compatible with Google Analytics.


Does our site allow third-party behavioral tracking?

It’s also important to note that we allow third-party behavioral tracking.

COPPA (Children Online Privacy Protection Act)

When it comes to the collection of personal information from children under 13, the Children’s Online Privacy Protection Act (COPPA) puts parents in control. The Federal Trade Commission, the nation’s consumer protection agency, enforces the COPPA Rule, which spells out what operators of websites and online services must do to protect children’s privacy and safety online.

We do not market to children under 21 years of age. In fact, our website requires age verification before access, and we actively prevent individuals under 21 from accessing our site or purchasing our products. Our age verification system is designed to comply with federal and state hemp regulations that prohibit sales to minors. If we discover that someone under 21 has accessed our site or provided us with information, we will delete that information immediately and block further access.

Fair Information Practices

The Fair Information Practices Principles form the backbone of privacy law in the United States, and the concepts they include have played a significant role in the development of data protection laws around the globe. Understanding the Fair Information Practice Principles and how they should be implemented is critical to comply with the various privacy laws that protect personal information.

In order to be in line with Fair Information Practices, we will take the following responsive action should a data breach occur:

We will notify the users via email.

We also agree to the individual redress principle, which requires individuals to have a right to pursue legally enforceable rights against data collectors and processors who fail to adhere to the law. This principle requires not only that individuals have enforceable rights against data users, but also that individuals have recourse to courts or a government agency to investigate and/or prosecute non-compliance by data processors.

CAN-SPAM Act

The CAN-SPAM Act is a law that sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have emails stopped from being sent to them, and spells out tough penalties for violations.

We collect your email address in order to:
To be in accordance with CANSPAM, we agree to the following:

If at any time you would like to unsubscribe from receiving future emails, you can email us at hi@plainjane.com and we will promptly remove you from ALL correspondence.