Effective Date: June 17, 2025
Last Updated: June 17, 2025
1. Introduction
This Privacy Policy (“Policy”) is issued by Old World Timber, LLC, a limited liability company duly organized and existing under the laws of the Commonwealth of Kentucky, United States of America (“Old World Timber,” “we,” “us,” or “our”). Our principal place of business is located in Kentucky, and we operate in accordance with applicable federal and state privacy legislation.
This Policy outlines the manner in which Old World Timber collects, uses, discloses, processes, and protects personal information obtained from users (“you” or “your”) of our website located at oldworldtimber.com (the “Site”), as well as through digital interactions, advertising tools, and service-related communications.
This Policy is developed in compliance with relevant data privacy laws, including but not limited to:
- California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA), codified at Cal. Civ. Code § 1798.100 et seq.
- Children’s Online Privacy Protection Act of 1998 (COPPA), codified at 15 U.S.C. §§ 6501–6506
- Federal Trade Commission Act (FTC Act), specifically Section 5 (15 U.S.C. § 45) regarding unfair or deceptive acts or practices
- General Data Protection Regulation (EU) 2016/679 (GDPR), for future readiness and to guide best practices internationally
While we are currently focused on operations within the United States, we recognize that our digital presence is global in nature. As such, we strive to implement and maintain privacy practices that adhere to internationally accepted standards, even when not strictly required under current jurisdiction.
By using this Site, submitting information to us, or engaging with our marketing platforms (including but not limited to Google Ads, Meta Ads, HubSpot CRM, and analytics tools such as GA4), you acknowledge and agree to the terms of this Policy. If you do not agree with the data practices described herein, you should discontinue use of our services.
This Privacy Policy is incorporated into our Terms of Use and is applicable regardless of whether you access our Site via desktop, mobile device, or other platform or technology.
For the purposes of this Policy, “personal information” means any information that identifies, relates to, describes, or could reasonably be linked, directly or indirectly, with a particular consumer or household, as defined under applicable law, including Cal. Civ. Code § 1798.140(o).
2. What Data We Collect
We collect various types of personal and non-personal information from and about users of our website and services. This collection is carried out in accordance with applicable privacy laws, including the California Consumer Privacy Act of 2018 (as amended by the CPRA) and the European Union’s General Data Protection Regulation (GDPR), where applicable.
We categorize the data we collect as follows:
- 1. Personal Identifiers (Cal. Civ. Code § 1798.140(v)(1)(A)): Includes your full name, email address, phone number, and company or business affiliation (as submitted via forms integrated with our CRM provider, HubSpot).
- 2. Internet or Other Electronic Network Activity Information (Cal. Civ. Code § 1798.140(v)(1)(F)): Includes browsing history, clickstream data, search queries, pages viewed, time spent on pages, interactions with elements on the website (e.g., buttons, forms), referring/exit pages, and timestamps of activity. These are captured through tools such as Google Analytics 4 (GA4), server-side tracking mechanisms, and session recording tools (if applicable).
- 3. Technical and Device Data: Includes device type, operating system, browser type and version, screen resolution, IP address (anonymized when feasible), mobile device ID, geographic region (at the city or state level), language preference, and other device-specific information automatically collected through cookies and similar technologies.
- 4. Commercial Information (Cal. Civ. Code § 1798.140(v)(1)(B)): Includes records of products or services considered, requested, or obtained through the website (such as download requests, contact forms, or quote requests), though we do not currently process payment or financial data on the website.
- 5. Online Identifiers (Cal. Civ. Code § 1798.140(v)(1)(D)): Includes cookies, hashed email addresses (where used in marketing platforms), pixel tags, advertising IDs (such as Facebook ID or Google Click ID), and similar persistent identifiers.
- 6. Inferred Data (Cal. Civ. Code § 1798.140(v)(1)(K)): Information derived from profiling and analytics that may be used to create user segments, interests, or lookalike audiences. This data may be generated automatically by analytics and advertising platforms.
- 7. Behavioral and Marketing Data: Includes user interactions with ads (impressions, clicks, conversion events), retargeting history, and campaign attribution data collected via platforms such as:
  - Meta (Facebook/Instagram Pixel)
  - Google Ads (including remarketing tags)
  - HubSpot CRM and marketing workflows
- 8. Communication Data: Includes the content of messages submitted via contact forms, email correspondences, and any other interactions initiated by users that may contain voluntarily provided personal information.
We do not knowingly collect:
- Social Security Numbers
- Driver’s license numbers or government-issued IDs
- Financial or payment information (e.g., credit card or bank details)
- Biometric or sensitive health data
- Data revealing racial or ethnic origin, religious or philosophical beliefs, or sexual orientation, unless explicitly provided and legally permissible
In compliance with the GDPR Article 5 and CCPA/CPRA principles, we ensure that all personal information collected is:
- Collected for specific, explicit, and legitimate purposes
- Limited to what is necessary in relation to the purposes
- Processed lawfully, fairly, and in a transparent manner
If you wish to know specifically what personal information we have collected about you, please refer to Section 7: User Rights.
3. How We Collect Data
We collect personal and non-personal data through a combination of direct interactions and automated technologies. The methods used comply with applicable privacy regulations, including the California Consumer Privacy Act (CCPA/CPRA) and the European Union General Data Protection Regulation (GDPR).
- 1. Directly from You:
We collect data you voluntarily provide when:
- Submitting forms on our website (e.g., “Contact Us,” “Request a Quote,” or newsletter sign-ups)
- Communicating with us via email or phone
- Participating in surveys, promotions, or events
- Requesting support, customer service, or other interactions initiated by you
This collection aligns with Article 13 of the GDPR, which mandates disclosure when data is obtained directly from data subjects.
- 2. Automatically Through Technology:
We use various technologies to automatically collect information when you interact with our website, including:
- Cookies: Small data files stored on your device to track user preferences, session information, and authentication status. Cookies may be first-party (set by us) or third-party (e.g., set by Google or Meta).
- Server-Side Tracking: Server logs capture information such as IP address, browser type, user agent, and interaction events (e.g., form completions), processed in our backend infrastructure.
- Advertising Pixels: Snippets of code embedded in our pages to track ad performance and user behavior. Examples include:
  - Meta (Facebook) Pixel
  - Google Ads Remarketing Tag
  - LinkedIn Insight Tag (if used)
- Analytics Tools: We use Google Analytics 4 (GA4), which utilizes event-based tracking, IP anonymization, and enhanced measurement tools to understand user behavior.
These tools may collect data in accordance with user consent where required by law. We honor browser-level privacy controls, such as Do Not Track (DNT) and Global Privacy Control (GPC) signals, to the extent required under California law.
- 3. From Third-Party Sources:
We may receive data from third-party sources that have a lawful basis to share your data with us, including:
- CRM providers and marketing platforms (e.g., HubSpot)
- Advertising partners (e.g., Google Ads, Meta)
- Business intelligence or lead enrichment tools (if applicable)
We only use such data when the third party confirms they have obtained your information in compliance with applicable data protection laws.
All data collection activities are conducted in accordance with:
- GDPR Article 6: Lawfulness of Processing
- CCPA/CPRA Section 1798.100 et seq.
- Best practices outlined by the Federal Trade Commission (FTC)
For details on the types of technologies we use, including how to manage or opt out of cookies and pixels, please refer to Section 6: Cookies and Tracking Technologies.
4. Use of Collected Data
We use the personal and non-personal data we collect for the following business and commercial purposes, in accordance with applicable privacy laws such as the California Consumer Privacy Act (CCPA/CPRA) and the General Data Protection Regulation (GDPR).
- 1. To Provide and Improve Our Products and Services:
To fulfill requests, respond to inquiries, deliver customer support, provide quotes, and offer personalized content or recommendations. This includes internal operations such as troubleshooting, data analysis, research, and testing.
- 2. To Personalize Your Website Experience:
We use behavioral and technical data to customize your interaction with our website based on pages you’ve visited, devices used, and engagement history. This may include showing relevant content, auto-filling forms, or adjusting layout preferences.
- 3. To Run Marketing Campaigns:
Includes targeted advertising through third-party platforms (such as Google Ads, Meta/Facebook), retargeting users across the web, and building lookalike audiences. We may also send you marketing communications via email, subject to consent requirements under GDPR Article 6(1)(a) or legitimate interest under Article 6(1)(f), where applicable.
- 4. To Respond to Customer Inquiries:
If you contact us via our website, phone, or email, we use your information to respond to your inquiries, provide requested documentation or quotes, and assist with any issues or complaints. This is necessary for performance of a contract or pre-contractual measures (GDPR Article 6(1)(b)).
- 5. To Measure and Improve Website Performance:
We use analytics tools (such as Google Analytics 4) and server-side tracking to understand user behavior, track conversions, test changes, and enhance usability. We rely on anonymized or pseudonymized data where possible, consistent with privacy-by-design principles in GDPR Article 25.
- 6. To Comply with Legal Obligations:
We may use your data to comply with applicable laws, lawful requests, court orders, subpoenas, or other legal processes, as permitted under GDPR Article 6(1)(c) and Cal. Civ. Code §1798.145.
- 7. To Protect Our Legal Rights and Prevent Misuse:
We may process data to detect, investigate, and prevent fraudulent, unauthorized, or illegal activity. This includes maintaining the security of our website and systems and enforcing our Terms of Use.
Under the CCPA/CPRA, the purposes listed above may be considered both “business purposes” and “commercial purposes” as defined in Cal. Civ. Code §1798.140(e) and (f).
We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects, as defined under GDPR Article 22.
5. How We Share Data
We do not sell your personal information in the traditional sense. However, we may disclose or share your data with third parties for specific business or legal purposes as outlined below. These practices are conducted in accordance with applicable data protection laws, including the California Consumer Privacy Act (CCPA/CPRA) and the General Data Protection Regulation (GDPR).
- 1. With Service Providers:
We share personal and technical data with trusted third-party vendors who assist us in operating our website, providing services, and fulfilling business functions. These include:
- HubSpot: Customer Relationship Management (CRM), email marketing, and form tracking
- Google: Google Analytics 4, Google Ads, Tag Manager
- Meta (Facebook): Facebook Pixel and ad delivery services
These service providers are bound by contracts to process personal data only on our behalf and under our instructions, consistent with GDPR Article 28 (data processor obligations) and CCPA §1798.140(v) (service provider definitions).
- 2. With Advertising Platforms:
We may share hashed identifiers or behavioral data with advertising networks such as Google Ads, Meta (Facebook/Instagram), and LinkedIn for the following purposes:
- Creating and targeting audiences
- Delivering customized advertisements
- Measuring ad campaign performance
This type of sharing may be considered a “sale” or “sharing” of data under the California Privacy Rights Act (CPRA) unless you have opted out. You may opt out at any time by visiting our Contact page.
- 3. For Legal Compliance and Safety:
We may disclose your personal data when required to do so by applicable laws or legal processes, such as subpoenas or court orders, or to:
- Protect our rights, safety, and property
- Prevent fraud or misuse of our website
- Comply with government investigations or regulatory obligations
This is permitted under GDPR Article 6(1)(c) and CCPA §1798.145(a).
- 4. In the Event of a Business Transfer:
If we are involved in a merger, acquisition, asset sale, or other business transaction, your data may be transferred as part of that process. In such cases, we will take reasonable steps to ensure your privacy rights continue to be protected.
We do not permit our service providers or partners to use your personal data for their own purposes and require them to process it in accordance with applicable privacy laws and only for specified business purposes.
6. Cookies and Tracking Technologies
Our website uses cookies and similar technologies to enhance user experience, analyze performance, and deliver targeted advertisements. These technologies include both client-side (browser-based) and server-side tracking mechanisms.
Types of Tracking Technologies We Use
- Client-Side Tracking: Cookies, JavaScript tags, and browser storage technologies set by tools such as:
  - Google Analytics 4 (GA4): to measure traffic, user behavior, and conversions
  - Facebook Pixel: to track ad effectiveness and enable remarketing
  - HubSpot: for lead tracking and session analysis
- Server-Side Tracking: We collect behavioral and technical data on our backend (e.g., via HTTP headers, request logs, or APIs) to supplement or replace cookie-based tracking. This method:
  - Enhances privacy by avoiding third-party cookies
  - Improves data accuracy and security
  - Is designed to comply with browser restrictions and privacy regulations
Categories of Cookies We Use
- Strictly Necessary: Required for the basic functionality of the site (e.g., form security, session management)
- Performance/Analytics: To collect anonymized data on site usage and improve performance
- Functional: To remember user choices and preferences
- Marketing/Advertising: To deliver relevant ads and track campaign effectiveness
Legal Basis for Use of Cookies
Where required, we obtain your consent to place cookies via our cookie banner in accordance with:
- GDPR Article 6(1)(a) – Consent
- GDPR Article 7 – Conditions for consent
- CPRA §1798.135 – Opt-out of targeted advertising / cross-context behavioral ads
For strictly necessary cookies, consent is not required, but users are informed via our banner in accordance with EU Directive 2002/58/EC (the ePrivacy Directive).
Your Choices and Opt-Out Options
You can control or disable cookies via your browser settings or opt out of specific trackers using the tools below:
- Digital Advertising Alliance (DAA) Opt-Out Tool
- Google Analytics Opt-Out Add-on
- Facebook Ad Settings
Do Not Track (DNT) Signals
Some browsers offer a “Do Not Track” (DNT) signal. We currently do not respond to DNT signals due to a lack of universal standards, but we respect opt-out preferences where supported by applicable law.
Cookie Policy
For more detailed information about specific cookies, their duration, and purpose, please refer to our full Cookie Policy.
7. Your Rights
California Residents (CCPA/CPRA)
Under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), California residents are entitled to the following rights with respect to their personal information, as defined in Cal. Civ. Code §1798.100–1798.199:
- Right to Know: Request disclosure of the categories and specific pieces of personal data we collect, use, disclose, or “share.”
- Right to Delete: Request deletion of personal data, subject to certain exceptions.
- Right to Opt-Out: Opt out of the sale or sharing of personal information for cross-context behavioral advertising.
- Right to Correct: Request correction of inaccurate personal information we maintain about you.
- Right to Limit Use of Sensitive Personal Information: Request restrictions on the use of sensitive personal data (if collected).
- Right Not to Be Discriminated Against: You will not receive discriminatory treatment for exercising your privacy rights.
You may exercise these rights by contacting us via:
- Email: [email protected]
- Phone: (859) 955-8363
- Address: 1195 Versailles Rd Lexington, KY 40508
We will respond to verifiable consumer requests within the timeframes required by law (typically 45 days). We may require you to verify your identity before processing your request.
European Union Residents (GDPR – Anticipated)
While our services currently target users in the United States, we are committed to aligning with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) in the event of global expansion. Under the GDPR, individuals in the EU/EEA would be entitled to the following rights:
- Right to Access (Art. 15): Obtain a copy of your personal data and details about how it is processed.
- Right to Rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
- Right to Erasure (Art. 17): Request deletion of your personal data (“right to be forgotten”).
- Right to Restriction (Art. 18): Request restriction of data processing under certain conditions.
- Right to Object (Art. 21): Object to processing for direct marketing or on legitimate interest grounds.
- Right to Data Portability (Art. 20): Receive your data in a structured, commonly used format to transmit to another controller.
- Right to Lodge a Complaint: File a complaint with a data protection authority (DPA) in your country.
Should we begin offering services to EU/EEA residents, we will update this policy to provide GDPR-specific request mechanisms.
8. Data Security Measures
We take reasonable and appropriate technical and organizational security measures to protect your personal data from unauthorized access, disclosure, alteration, or destruction. These measures are designed to meet industry standards and, where applicable, align with requirements under GDPR Article 32 and the FTC’s “Start with Security” guidelines.
- HTTPS Encryption: All traffic to and from our site is encrypted using TLS (HTTPS).
- Data Encryption: Personal data is encrypted in transit and, where applicable, at rest using secure protocols and cryptographic techniques.
- Access Controls: Access to personal data is restricted to authorized personnel only and governed by authentication and role-based controls.
- Data Center Security: Hosting is provided by trusted third parties that maintain industry-standard security certifications (e.g., ISO 27001, SOC 2).
- Regular Audits: We conduct periodic reviews and risk assessments to ensure our security measures remain effective.
While no method of transmission or storage is 100% secure, we follow best practices to reduce risk and mitigate potential threats. If we become aware of a security breach affecting your data, we will notify you as required by law.
9. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, or as required by applicable law, including tax, accounting, or regulatory compliance obligations. Retention periods vary by data type and usage:
- Form Submissions (via HubSpot): Retained for up to 3 years from the date of last user interaction, unless a longer retention period is required to comply with legal obligations or resolve disputes.
- Tracking Data (GA4, Facebook Pixel, server-side analytics): Typically retained for up to 26 months, consistent with standard retention policies for analytics platforms. Some anonymized data may be kept for aggregated reporting.
- CRM Entries: Retained as long as a contact remains active (e.g., subscribed, engaged) and for a reasonable archival period (up to 3 additional years) after inactivity, unless deletion is requested under privacy rights.
We periodically review our data retention schedules to ensure that personal data is not kept longer than necessary. Users may request earlier deletion of their personal data where applicable under laws such as CCPA or GDPR Article 17.
10. Third-Party Links and Services
Our website may contain links to third-party websites, platforms, or services that are not operated or controlled by Old World Timber. These may include links to partner sites, social media platforms, external blogs, or third-party service providers.
Please note that we are not responsible for the privacy practices, content, or data security of those third-party entities. If you choose to visit these external sites, we encourage you to review their privacy policies and terms of service before submitting any personal data.
Use of third-party platforms (such as YouTube, Facebook, Instagram, etc.) is subject to each platform’s own privacy policy and data handling practices.
11. Children’s Privacy
In accordance with the Children’s Online Privacy Protection Act (COPPA), our services are not directed to, and we do not knowingly collect or solicit personal data from, children under the age of 13.
If we become aware that we have inadvertently collected personal data from a child under 13 without verified parental consent, we will delete such information promptly from our records and systems.
Parents or legal guardians who believe that their child has provided personal data to us without their consent may contact us at [email protected] to request data removal.
12. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data handling practices, please contact us at:
Privacy Officer
Old World Timber, LLC
- Email: [email protected]
- Phone: (859) 955-8363
- Address: 1195 Versailles Rd Lexington, KY 40508
If you are contacting us to exercise your privacy rights under applicable law (e.g., CCPA, GDPR), please clearly specify the nature of your request and include sufficient information for us to verify your identity. We will respond within the timeframes required by law.
13. Updates to This Policy
We reserve the right to update or amend this Privacy Policy at any time in response to changes in our business practices, applicable laws, technologies, or regulatory requirements.
When we make material changes to this Privacy Policy, we will:
- Update the “Effective Date” at the top of this document.
- Provide notice on our website or by other appropriate communication channels.
We encourage you to review this page periodically to stay informed about how we protect your personal data. Your continued use of our website and services after any update constitutes acceptance of the revised Privacy Policy.
