Privacy policy
Effective June 2, 2026. Plain-language version below — what we collect, why, and what we don't do with it.
Who we are
Dreams of Buttercream is a home-based custom cookie business operating under a California Cottage Food Operation license in Plumas Lake, California. The business is owner-operated and has no physical storefront. Contact for any reason goes through our contact form.
What this policy covers
This policy describes how we handle personal information collected through our website, dreamsofbuttercream.com, and through email correspondence that arises from it.
What we collect, and why
From the contact form
When you fill out our contact form, we collect your name, email address, the event date you mention, your message text, and up to five photos you attach. The form submission is delivered to our inbox by email so we can reply about your order.
From the review form
When you submit a review, we collect your name, star rating, review text, and an optional “occasion” field (e.g., “baby shower”). Approved reviews are displayed publicly on our site under the name you provide.
Automatically, from every visit
Like any web server, ours records standard request information for each visit: IP address, the page requested, browser / operating system identifier, and a timestamp. We use this to run the site, diagnose problems, and detect abuse. We do not link this information to your identity unless you also send us a form submission.
Anti-spam memory
To stop bots and repeat spam, we briefly store the email address of contact-form submissions in memory for about one hour, so the same address can't blast the form repeatedly. The record is cleared automatically and is never persisted to disk.
Cookies
We set two small functional cookies, both HttpOnly (not readable from JavaScript) and used only by our own server:
dob_theme_preview— 30 minutes — remembers a holiday-theme preview if you visited a preview URL.dob_flash— 10 seconds — carries a one-time confirmation message between two pages.
We do not use analytics cookies, advertising cookies, social-media tracking pixels, or any third-party trackers.
How long we keep it
- Contact form submissions live in our iCloud inbox until manually deleted — typically once the conversation has concluded.
- Reviews are stored until manually removed by us. You can ask for yours to be removed at any time (see below).
- Server logs are kept locally on our server and are recycled by the container runtime; we don't archive them off-host.
- Cookies expire as listed above.
- Anti-spam memory clears about an hour after submission, or whenever the server restarts.
Third-party services that touch your data
A small site like ours leans on a handful of third parties to deliver pages, fonts, and email. Each of these sees a slice of your visit, and each has their own privacy practices outside of our control:
- Cloudflare — sits in front of our site and provides bot detection (Turnstile). Cloudflare sees your IP address and basic browser characteristics for every visit. See their privacy policy.
- Apple iCloud Mail — delivers contact-form messages to our inbox. Apple sees your message content (it's an email). See Apple's privacy policy.
- Google Fonts — serves the typefaces our site uses. Google logs the IP address of each visitor who fetches a font. See Google's privacy policy.
What we don't do
- We do not sell your personal information. Not for cash, not for "valuable consideration," not for anything.
- We do not share your personal information with advertisers, brokers, or marketing partners.
- We do not run analytics, ad networks, retargeting, or behavioral advertising.
- We do not build mailing lists or marketing audiences. We do not send newsletters or promotional email.
- We do not combine what you give us with information from other sources.
- We do not knowingly collect any of the "sensitive personal information" categories defined by California law (Social Security numbers, precise geolocation, biometric data, account credentials, etc.).
Children's privacy
Our site is not directed to children under 13. We do not knowingly collect personal information from children. If we learn that a submission came from someone under 13, we'll delete it. If you believe a child has submitted information to us, please email us so we can take care of it.
Your California privacy rights
California residents have specific rights under the California Consumer Privacy Act (CCPA) as updated by the California Privacy Rights Act (CPRA). Many of these rights apply by law only to larger businesses, but we honor all of them voluntarily, regardless of size:
- The right to know what personal information we have collected about you, where we got it, why we collected it, and who (if anyone) we shared it with.
- The right to delete the personal information we hold about you, subject to a few narrow exceptions allowed by law.
- The right to correct inaccurate personal information we hold about you.
- The right to opt out of sale or sharing — we don't sell or share personal information, so there's nothing to opt out of, but the right exists.
- The right to limit use of sensitive personal information — we don't collect sensitive personal information, so again, nothing to limit.
- The right to non-discrimination — we won't deny you cookies (the edible kind), charge you more, or give you a worse experience for exercising any of these rights.
We also recognize Global Privacy Control (GPC) signals as a valid opt-out request, even though we have nothing to opt out of selling.
How to make a privacy request
Use our contact form and mention “Privacy request” in your message, along with which of the rights above you'd like to exercise. Please include enough information for us to find what you're asking about — usually the name or email address you used when you first contacted us.
To protect you, we'll verify your identity (typically by replying to the same email address on file) before sharing anything or making changes. We'll respond within 45 days, which is the standard CCPA window.
Authorized agents: you may designate someone else to make a request on your behalf. We'll need written authorization from you and we'll verify their identity as well as yours.
Changes to this policy
If we change how we handle information, we'll update this page and bump the “Effective” date at the top. Significant changes will be noted clearly so a returning visitor can see what's new.
Questions
Use our contact form. A real human reads every message.