Privacy Policy

• We do not sell your personal information. Ever. Not to advertisers, not to data brokers, not to anyone.
• Marketing is opt-in only. If you receive a marketing email or SMS from us, it is because you asked to.
• We collect what we need to run the concierge. Account details, your collection, your messages with us, payment confirmation tokens, and standard device/usage logs.
• Your rights are real. You can request a copy, a correction, or deletion at any time by emailing privacy@ringstoday.com.

This Privacy Policy describes how RingsToday (“we”, “us”, “our”), operating from State of Utah, Utah County, collects and uses personal information when you visit our website, message the concierge, or place an order. We are the controller of the personal information you give us.

We collect only what we need to run the concierge service.

• Account & identity. Name, email address, phone number, and authentication tokens managed by our auth provider (Clerk).
• Collection content. The diamonds and settings you save, the share-link recipient’s first name and phone if you choose to send one, and any photos or notes you upload.
• Messages. The content of iMessage / SMS / email exchanges between you and the concierge, including delivery and read receipts where supported.
• Order & transaction. Shipping address, IGI report numbers tied to your stone, fabrication choices, and the payment-processor confirmation token. We do not store full payment card numbers.
• Device & usage. IP address, browser, operating system, referring page, and pages viewed. Used for security, debugging, and aggregate analytics.
• Cookies & similar. Strictly necessary cookies for authentication and session continuity, and limited first-party analytics. We do not run third-party advertising trackers.

• To create your account, run the curator/budget flow, and assemble your private collection.
• To process orders, fabricate the ring, and ship it insured.
• To communicate with you about your collection, your order, and your messages with the concierge.
• To send you marketing communications only if you opted in, and only until you opt out.
• To prevent fraud, abuse, and unlawful use of the Service.
• To meet legal, tax, accounting, and regulatory obligations.
• To improve the Service through aggregate, de-identified analytics.

For visitors covered by GDPR, UK GDPR, or similar regimes, our legal bases are: performance of a contract (running the concierge), consent (marketing, optional uploads), legitimate interest (fraud prevention, security, service improvement), and legal obligation (tax, regulatory).

We do not sell personal information for money or other valuable consideration, and we do not “share” personal information for cross-context behavioral advertising (as those terms are defined in the California Consumer Privacy Act, as amended by the California Privacy Rights Act). We have not done so in the previous twelve months and have no plans to start.

We have not knowingly disclosed personal information about minors under 16 for sale or sharing.

We share personal information only with vetted processors that help us deliver the Service, under contracts that limit them to our instructions. The current list:

• Clerk — authentication, session, and account management.
• Loop Message — outbound iMessage / SMS delivery and reply ingestion. See the SMS & iMessage Terms for the messaging program details.
• Google Cloud Storage — storage of stone reference photos and uploaded inspiration images.
• Replit — hosting and the AI integrations proxy that fronts our LLM provider(s) for the assistive features described in the AI Usage Disclosure.
• Payment processor — tokenized card processing. We never receive your full card number.
• Insured carrier — FedEx or USPS Priority Mail Express, depending on destination, for insured delivery of finished rings.
• Compliance & tax providers — for sales-tax calculation and remittance.

We may also share information when required by law (subpoena, court order, regulatory demand) or to protect rights, safety, or property. Where lawful, we will notify you first.

We use first-party cookies that are strictly necessary for sign in, session security, and saving your collection. We use limited first-party analytics to understand which pages are useful. We do not run third-party advertising or retargeting cookies and we do not embed social-network “like” or “share” buttons that load tracking scripts.

You can disable non-essential cookies through your browser settings. Disabling strictly necessary cookies will prevent sign in.

You will not receive marketing email or SMS from us unless you checked the dedicated “send me concierge updates” opt-in. Transactional messages (order confirmation, shipping, replies in an active concierge thread, password reset) do not require opt-in and will be sent regardless.

Every marketing email contains a one-click unsubscribe link. SMS marketing supports the STOP keyword described in the SMS & iMessage Terms.

• Account & collection. While your account is active and for up to 24 months after closure, then deleted or de-identified.
• Order records. 7 years to satisfy U.S. tax and consumer-protection record-keeping requirements.
• Messages. Up to 24 months after the last message in the thread, or longer if a dispute is open.
• Marketing opt-in proof. For the life of the opt-in plus 5 years after revocation, to demonstrate consent if challenged.
• Server logs. 30–90 days for routine operations; up to 1 year for security investigations.

We use TLS in transit, encryption at rest where supported by our providers, role-based access controls, audit logging, and regular dependency and code-review scans. No system is perfectly secure; we will notify affected individuals and regulators of a confirmed breach as required by law.

Subject to verification of your identity, you have the right to:

• Know what personal information we hold about you and how we use it.
• Access a copy of that information in a portable format.
• Correct inaccurate information.
• Delete personal information, subject to legal exceptions (for example, completed-order tax records).
• Opt out of sale or share — not applicable here because we do neither.
• Limit use of sensitive personal information — we do not use sensitive personal information for inferences and do not need a separate limit setting.
• Withdraw consent for marketing or optional features at any time.
• Non-discrimination. We will not deny service, charge a different price, or provide a different level of quality because you exercised a right.
• Authorized agent. You may use an authorized agent to submit a request; we will verify the agent’s authority and your identity.
• Appeal. If we deny a request, you may appeal by replying to our denial email; we will respond within 45 days.

Submit a request to privacy@ringstoday.com. We will respond within 45 days, or 30 days for residents of Virginia, Colorado, Connecticut, and other states with shorter statutory deadlines.

The Service is not directed to children under 18 and we do not knowingly collect personal information from anyone under 18. If we learn we have, we will delete the information promptly. Parents or guardians who believe a minor has used the Service may contact us at privacy@ringstoday.com.

The Service is operated from the United States and is intended for U.S. residents. If you access the Service from outside the U.S., you understand and consent to your information being processed in the U.S.

We may update this Policy. The “Effective” date at the top of the page reflects the most recent meaningful change. We will email account holders for material changes.

Privacy questions, rights requests, or complaints: privacy@ringstoday.com. Mailing address available upon request.