Privacy Policy
Last updated: June 5, 2026. Effective: June 5, 2026.
This Privacy Policy explains how nontoxicnook ("we," "us," "our") collects, uses, discloses, and protects information when you visit nontoxicnook.com (the "Site") or interact with us. By using the Site you agree to the practices described here. If you do not agree, please discontinue use of the Site.
1. Who we are
nontoxicnook is an independent editorial publication that vets home and baby products against published non-toxic criteria. We do not sell, ship, or fulfill products. Every product page links out to a third-party brand or retailer; any purchase you make is governed by that merchant's terms and privacy practices, not ours.
The data controller for purposes of EU/UK GDPR is the operator of nontoxicnook.com. To exercise rights or send a privacy request, contact privacy@nontoxicnook.com.
2. Information we collect
We collect the minimum information needed to operate the Site, fulfill your requests, measure aggregate usage, and meet legal obligations.
2a. Information you provide directly
- Account information — when you create an account, we collect your email address, a hashed password (we never store the plain-text password), display name, and optional profile details.
- Favorites — products you save to your account are stored against your user ID so they appear when you log in on another device.
- Contact form submissions — your name, email, and message content are stored when you submit the contact form, and forwarded to our team inbox.
- Email correspondence — if you email us directly, we retain the message and our reply.
2b. Information collected automatically
- Usage analytics — when you consent to analytics cookies, Google Analytics 4 records pages viewed, time on page, referrer, approximate location (country/region), device type, browser, and similar non-identifying metrics. IP addresses are anonymized by Google before storage.
- Server logs — our hosting providers record request metadata (timestamp, URL path, response status, user agent, IP address) for security and operational monitoring. These logs are kept for a short period and then discarded.
- Affiliate click metadata — when you click an outbound affiliate link, we record an anonymized click event consisting of the product and merchant clicked, timestamp, a one-way SHA-256 hash of your IP address (we do not store the raw IP), and your user agent. The hash lets us deduplicate clicks for fraud and rate-limit purposes without identifying you.
- Bot filtering — we discard requests that match known crawler user agents before any analytics are recorded.
2c. Cookies and similar technologies
See the Cookie Policy for the full list, lifetimes, and your controls. Briefly:
- Strictly necessary cookies are set without consent (session token for logged-in users, your consent choice itself, security and rate-limit signals).
- Analytics cookies are set only after you click "Accept" in the consent banner. You can change your choice at any time.
We do not use cookies for advertising, retargeting, or cross-site behavioral profiling.
2d. Information from third parties
When you click an affiliate link, the destination merchant may set its own cookies or attribute the visit to nontoxicnook through an affiliate network (such as impact.com). The merchant — not nontoxicnook — controls and is responsible for those cookies and any subsequent purchase data. Affiliate networks may share aggregate, non-identifying performance reports with us (e.g., number of clicks, conversion counts, commission earned).
3. How we use information
We use the information described above to:
- Provide and maintain the Site, including authentication, saved favorites, and search.
- Respond to your inquiries, support requests, and corrections.
- Measure aggregate usage so we can improve content and navigation.
- Detect, prevent, and investigate fraud, abuse, security incidents, and violations of our Terms.
- Comply with legal obligations, enforce our agreements, and protect our rights and those of our users.
We do not sell or rent your personal information. We do not use it to build advertising profiles or to make automated decisions that produce legal or similarly significant effects.
4. Legal bases (EEA/UK/Swiss residents)
Where GDPR or UK GDPR applies, we rely on the following bases:
- Consent — analytics cookies and any marketing email you opt into. You may withdraw consent at any time.
- Contract performance — operating your account, processing favorites, responding to support tickets.
- Legitimate interests — securing the Site against abuse, measuring aggregate performance with privacy-preserving methods, hashing IPs for click deduplication. We balance these interests against your rights and will not rely on them where they are overridden.
- Legal obligation — responding to lawful requests from competent authorities and retaining records as required by tax, accounting, or affiliate-network audit rules.
5. How we share information
We share personal information only as described below:
- Service providers (data processors). We use vetted vendors to host the Site, process payments, send transactional email, store data, and measure usage. These providers handle data only on our instructions and under written contracts. Current sub-processors include:
  - Vercel — site and API hosting (United States).
  - MongoDB Atlas — primary database (United States region).
  - Google Analytics (Google LLC) — anonymized usage analytics, only when you consent.
  - Resend — transactional email (account verification, password reset).
  - Cloudflare R2 — image and asset storage.
  - impact.com (and similar affiliate networks) — outbound click attribution.
- Affiliate merchants. When you click an outbound link, you are directed to a third-party merchant. We share only the click event metadata required for attribution (network identifier and product reference). The merchant's own privacy policy governs anything that happens on their site.
- Legal and safety disclosures. We may disclose information if we believe in good faith that disclosure is necessary to comply with a law, regulation, subpoena, court order, or governmental request; to enforce our Terms; to protect the rights, safety, or property of nontoxicnook, our users, or the public; or to investigate fraud or abuse.
- Business transfers. If nontoxicnook is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will require the recipient to honor the commitments in this Privacy Policy or provide notice and choice to affected users.
We do not share personal information with third parties for their own direct marketing.
6. International data transfers
nontoxicnook is operated from the United States and our service providers store data primarily in the United States. If you access the Site from outside the United States, your information will be transferred to, stored in, and processed in the United States and other jurisdictions where our providers operate. Where required, we rely on appropriate safeguards (such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and additional supplementary measures) to legitimize transfers from the EEA, UK, or Switzerland.
7. Data retention
We retain information for only as long as needed for the purposes described, then delete or anonymize it.
- Account data — for the life of your account, plus a short tail (up to 30 days) after deletion for backup hygiene.
- Favorites — until you remove them or delete your account.
- Contact form submissions — typically up to 24 months, then archived or deleted.
- Anonymized click events — up to 24 months for reporting and fraud analysis.
- Server logs — typically up to 30 days.
- Analytics aggregates — Google Analytics retains user-level data for 14 months by default; reporting aggregates may persist longer in non-identifying form.
We may retain information for longer where required by law or to defend legal claims.
8. Your rights
Depending on where you live, you may have some or all of the following rights:
- Access the personal information we hold about you.
- Correct information that is inaccurate or incomplete.
- Delete your information, subject to limited exceptions (for example, where we must keep it to comply with a legal obligation or defend a legal claim).
- Restrict or object to certain processing, including processing based on legitimate interests.
- Portability — receive a copy of your information in a structured, machine-readable format.
- Withdraw consent at any time where processing is based on consent. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
8a. EEA, UK, and Switzerland
You may exercise the rights listed above and lodge a complaint with your supervisory authority. A list of EU data protection authorities is available at edpb.europa.eu. UK residents may contact the ICO at ico.org.uk.
8b. California (CCPA / CPRA)
California residents have the right to:
- Know what categories and specific pieces of personal information we have collected, the sources, the purposes, and the categories of third parties with whom we share it.
- Delete personal information we have collected, subject to legal exceptions.
- Correct inaccurate personal information.
- Limit use of sensitive personal information — we do not use or disclose sensitive personal information for purposes beyond those permitted without an opt-in under the CPRA.
- Opt out of sale or sharing. nontoxicnook does not "sell" personal information for money and does not "share" it for cross-context behavioral advertising as defined by the CPRA. We honor the Global Privacy Control (GPC) signal when transmitted by your browser.
- Non-discrimination. We will not deny you services, charge different prices, or provide a different level of quality because you exercised any of your CCPA rights.
In the prior 12 months, we have collected the following categories of personal information: identifiers (email, hashed IP), commercial information (favorites, click events), internet/network activity (pages viewed, referrer), and inferences derived from those — collected from you directly and automatically as described in Section 2.
8c. Other US state privacy laws
If you reside in a US state with comprehensive privacy legislation (including Colorado, Connecticut, Virginia, Utah, Texas, Oregon, and others as they take effect), you have rights substantially similar to those described above, including the right to access, delete, correct, opt out of targeted advertising and sale of personal data, and appeal denied requests. nontoxicnook does not engage in targeted advertising or sale of personal data.
8d. How to exercise rights
Send your request to privacy@nontoxicnook.com from the email associated with your account, or use the contact form. We will respond within the timeframes required by applicable law (generally 30–45 days, extendable once for complex requests with notice to you). We may need to verify your identity before fulfilling a request. You may also designate an authorized agent to make a request on your behalf, subject to verification.
9. Children's privacy
The Site is not directed to children. We do not knowingly collect personal information from children under 16 (or the equivalent age of digital consent in your jurisdiction). If you believe a child has provided personal information to us, contact privacy@nontoxicnook.com and we will delete it.
10. Do Not Track and Global Privacy Control
Modern browsers send a variety of preference signals. nontoxicnook treats the Global Privacy Control (GPC) signal as a valid opt-out of sale/sharing for California residents. Because there is no consistent industry standard for the legacy "Do Not Track" header, we do not separately respond to it; our cookie consent banner is the primary control for analytics.
11. Security
We implement administrative, technical, and physical safeguards designed to protect personal information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These include encryption in transit (HTTPS/TLS on all pages), encryption at rest in our database, hashed passwords, hashed IPs for click logging, role-gated administrative access, and routine review of access logs.
No method of transmission or storage over the internet is 100% secure. While we work to protect your information, we cannot guarantee absolute security and provide no warranty against unauthorized access.
If a security incident affects your personal information, we will notify you and any required regulator within the timeframes required by applicable law.
12. Third-party links
The Site links extensively to third-party brands, retailers, and references. We are not responsible for the privacy practices or content of those sites. Review the privacy policy of any site you visit before providing personal information.
13. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, provide additional notice (for example, an in-app banner or email to registered users). Your continued use of the Site after a change indicates acceptance of the updated policy.
14. Contact us
For privacy questions, complaints, or to exercise any right described above:
- Email: privacy@nontoxicnook.com or hello@nontoxicnook.com
- Form: /contact