Privacy policy
Last updated: 11 May 2026
This Privacy Policy describes how BITEBACK ("we," "us," "our") collects, uses, and shares the personal information of visitors to and customers of bitebackdefense.com (the "Site"). It also explains the choices you have about how we use your information.
If you have any questions, contact us at privacy@bitebackdefense.com.
1. Information we collect
When you browse the Site, place an order, or sign up for our email list, we collect the following types of information:
- Account & order information: name, email address, billing and shipping addresses, phone number (if provided), payment information (handled by our payment processor), order history.
- Marketing information: email address (when you sign up for our list or scratch the discount popup), preferences for what content you want to receive.
- Device & browsing information: IP address, browser type, device type, operating system, pages visited, links clicked, time spent on the Site, referring URLs.
- Cookies & similar technologies: small data files stored in your browser to enable Site functionality, remember your cart, and measure performance. See our Cookie Policy for details.
- Review submissions: if you write a review for one of our products, we collect your name, optionally your email (never published), your rating, and the review body. Reviews are moderated before publication.
2. How we use your information
- To process and fulfil your orders, including communicating with you about shipping, returns, and product issues.
- To send marketing emails and SMS (only if you've opted in), including welcome offers, product updates, restocks, and tick-season alerts.
- To improve the Site — understanding which pages are working, where customers get stuck, what products people are interested in.
- To prevent fraud and protect both you and us from unauthorised transactions.
- To comply with applicable laws and respond to lawful requests.
3. Service providers we share information with
We share information with the following service providers (each acting as a data processor on our behalf), who are contractually required to use it only for the purposes we've specified. Each provider's own privacy policy is linked:
- Shopify Inc. — our ecommerce platform. Processes orders, payments, customer accounts, the default newsletter list, and storefront analytics. Personal data may be processed in Canada (Shopify's home jurisdiction) and the United States.
- Shopify Payments / Shop Pay / PayPal / Apple Pay / Google Pay — payment processors that handle credit card and digital wallet transactions on our behalf. We do not store full card numbers.
- Shipping carriers — receive your shipping address (and only your shipping address) to deliver your order.
- Shopify Email — sends transactional emails (order confirmations, shipping notifications, review-request follow-ups) and marketing emails you've opted into.
- Resend — email-delivery infrastructure used by our reviews backend (see below) to send review submission confirmations and review-moderation notifications.
- biteback-reviews — our own first-party reviews system, hosted at reviews.bitebackdefense.com. Stores reviews you submit (name, optional email, rating, body), the moderation status, and a verified-buyer flag. We do not use a third-party review app — your review data stays in our infrastructure.
- FirstTrack — our server-side ad-attribution platform. When enabled, FirstTrack helps us measure which marketing campaigns drive purchases without sharing customer-identifying data with ad platforms beyond what's strictly necessary for measurement. FirstTrack acts as a processor under our control.
- Cloudflare — provides DNS, CDN, bot protection, and (where enabled) email routing for our domain. Processes IP addresses, request metadata, and a subset of HTTP headers for security and performance.
We do not sell your personal information for cash. Some of the analytics and advertising activity above may qualify as "sharing" or "selling" under California's privacy laws — see Section 6 for your opt-out rights.
4. Cookies
The Site uses cookies for essential functionality (cart, checkout, account login), analytics (understanding Site performance), and advertising (measuring ad effectiveness). We respect the Sec-GPC (Global Privacy Control) browser signal — if your browser sends it, we automatically decline analytics and marketing cookies on your behalf without showing the banner.
The first time you visit the Site, our cookie banner asks for your preferences. Your choice is remembered for 13 months (the CPRA renewal window), and is re-prompted if you change country between visits. You can reopen the preferences dialog at any time by clicking "Do Not Sell or Share My Personal Information" in the Site footer.
Full details on every cookie we set — and every third-party that sets one — are in our Cookie Policy.
5. Data retention
We retain your account and order information as long as your account is active and as needed to comply with legal obligations (typically 7 years for tax records). Marketing email lists are retained until you unsubscribe. Reviews remain published unless you request removal. Cookie consent records persist for 13 months from the date of consent.
6. Your privacy rights
Depending on where you live, you may have rights to access, correct, delete, or port your personal information; and to opt out of marketing communications and certain types of data sharing. To exercise these rights, email privacy@bitebackdefense.com from the address associated with your account.
California residents (CCPA / CPRA)
Under California law, you have the right to know what we collect, request deletion, opt out of "sharing" for cross-context behavioural advertising, and not be discriminated against for exercising these rights. To submit a verifiable request or opt out of sharing, email privacy@bitebackdefense.com or click "Do Not Sell or Share My Personal Information" in the Site footer. We honour the Sec-GPC Global Privacy Control signal automatically.
Other U.S. state residents (VCDPA, CTDPA, UCPA, CPA, TDPSA, DPDPA, and others)
Residents of Virginia, Connecticut, Utah, Colorado, Texas, Delaware, Oregon, Iowa, Tennessee, Montana, New Jersey, and similar states have rights to access, correct, delete, port, and opt out of targeted advertising or sale of personal data. To exercise these rights, email privacy@bitebackdefense.com.
European Union, United Kingdom & Switzerland (GDPR / UK GDPR / FADP)
If you access the Site from the EU, UK, Switzerland, or another GDPR-equivalent jurisdiction, you have the right to access, rectify, erase, restrict, port, and object to processing of your personal data, as well as to lodge a complaint with your local supervisory authority. Our legal bases are: consent (for non-essential cookies and marketing communications), contract performance (for orders and customer support), and legitimate interest (for fraud prevention and Site security).
Our cookie banner runs in opt-in mode for visitors from these jurisdictions — analytics and marketing cookies are off by default until you explicitly consent. To withdraw consent, reopen the preferences dialog from the footer or email privacy@bitebackdefense.com.
Canada (PIPEDA & Quebec Law 25)
Canadian visitors have the right to access, correct, and withdraw consent for the processing of their personal information. Our cookie banner runs in opt-in mode for Canadian visitors — analytics and marketing cookies are off by default. Quebec residents have additional rights under Law 25, including the right to data portability and the right to be informed of automated decision-making. The "Accept" and "Reject" buttons on our banner are presented with equal visual prominence in compliance with Law 25's dark-pattern prohibition.
Marketing opt-out
Every marketing email contains an unsubscribe link. SMS recipients can reply STOP to opt out at any time.
7. Children
The Site is not directed to children under 13, and we don't knowingly collect personal information from children under 13. If you believe we've inadvertently collected information from a child under 13, contact us and we'll delete it.
8. International transfers
Our Site is operated from the United States, and Shopify (our processor) operates from Canada and the United States. If you access the Site from outside these jurisdictions, your information will be transferred to and processed there, where data protection laws may differ from those in your country. For transfers from the EU, UK, or Switzerland, we rely on standard contractual clauses and equivalent safeguards as enumerated by our processors.
9. Data Protection Officer / Privacy Contact
We don't have a formally appointed Data Protection Officer (DPO) — our team handles privacy matters directly. For all privacy questions, data-subject requests, or to exercise the rights described above, contact:
BITEBACK — Privacy
Email: privacy@bitebackdefense.com
We aim to respond to verifiable requests within 30 days (45 days for complex requests, with notification).
10. Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects when changes were last made. Material changes (a new service provider, a new category of processing, a change to your rights) will be communicated by email if you're on our list, or by a notice on the Site.
11. Contact
For privacy questions or to exercise your rights, contact:
BITEBACK
Email: privacy@bitebackdefense.com
This policy reflects our current practices. We recommend reviewing it with qualified counsel before relying on it in any dispute.