Privacy Policy
Last Updated: March 30, 2026 · Session Cards™ by Tommy Rush
1. Who We Are
Tommy Rush Enterprises ("we," "us," "our," or "Company") operates the website at session-cards.com and sells Session Cards™, a physical card product for songwriters and music producers. Our business address is Sherman Oaks, California, USA. Contact: support@session-cards.com.
2. What We Collect
We collect personal data in the following ways:
- Email address — when you sign up for our email list or complete a purchase
- Shipping and billing information — name, address, phone number, collected only for order fulfillment
- Payment information — processed by Shopify; we do not store credit card numbers
- Usage and analytics data — IP address, device type, browser, pages visited, time on site (via Google Analytics 4)
- Advertising data — page views and conversion events tracked via Meta Pixel (Facebook/Instagram) for ad performance measurement; anonymized before use in ad targeting
- Email marketing data — email address, subscription status, and email engagement metrics (opens, clicks) processed by Klaviyo for marketing communications
- Testimonials and reviews — if you voluntarily submit a testimonial or review
3. Legal Basis for Processing (GDPR / CCPA)
We process personal data based on the following legal grounds:
- Contract: Fulfilling your order, processing payment, and providing customer support
- Consent: Optional marketing emails and use of testimonials (you may withdraw at any time)
- Legitimate interest: Analytics, site performance, and fraud prevention
- Legal obligation: Tax records, consumer protection compliance, and dispute resolution
4. How We Use Your Data
- Process and fulfill your order (via QPMN, our printing and fulfillment partner)
- Send transactional emails (order confirmation, shipping notification, support replies)
- Send marketing emails — only with your explicit opt-in consent
- Measure website performance via Google Analytics 4
- Measure advertising performance via Meta Pixel
- Manage email subscriptions and deliver marketing emails via Klaviyo
- Prevent fraud and enforce our Terms of Service
- Comply with legal obligations (tax records, consumer protection law)
5. Email Marketing & Consent
We add you to our marketing email list only if you explicitly consent via a checkbox on our website or at checkout. Every marketing email includes an unsubscribe link. You may withdraw consent at any time by clicking "Unsubscribe" or emailing support@session-cards.com.
We comply with the CAN-SPAM Act. All marketing emails include our physical mailing address and a working opt-out mechanism honored within 10 business days.
6. Third-Party Data Sharing
We do not sell your personal data. We share it only with the following service providers:
- Shopify — payment processing, order management, and storefront. Shopify is PCI-DSS compliant and subject to its own Privacy Policy.
- QPMN (QP Group) — printing and fulfillment. Receives only your name and shipping address for delivery purposes.
- Google Analytics 4 — anonymous usage tracking. IP addresses are anonymized. Subject to Google's Privacy Policy. You may opt out via the Google Analytics opt-out browser extension.
- Meta (Facebook / Instagram) — the Meta Pixel is installed on this site to measure ad performance. Meta receives anonymized event data (page views, conversions). Subject to Meta's Privacy Policy. You may opt out of Meta ad tracking via Facebook Ad Preferences.
- Klaviyo — email marketing platform. Receives your email address when you subscribe. Subject to Klaviyo's Privacy Policy. You may opt out via the unsubscribe link in any email.
- Legal requirement — if required by law enforcement, court order, or to enforce our legal rights.
7. Cookies
session-cards.com uses the following cookies:
- Functional / session cookies — temporary, required for site functionality (e.g., shopping cart). Deleted when you close your browser.
- Analytics cookies (Google Analytics 4) — track anonymous usage patterns. Expire after 24 months.
- Advertising cookies (Meta Pixel) — measure ad performance. Subject to Meta's cookie controls.
All visitors will see a cookie consent banner before any analytics or advertising cookies are set. You may withdraw consent at any time by clearing your cookies or using your browser's privacy settings.
8. Data Retention
We retain personal data for the following periods:
- Order and financial records — 7 years (required for tax and accounting compliance)
- Customer support inquiries — until the issue is resolved
- Marketing email list — until you unsubscribe
- Analytics data — 26 months (Google Analytics default)
If you request deletion of your personal data, we will remove it within 30 days except where legal retention is required (e.g., tax records).
9. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Right to access — request a copy of the data we hold about you
- Right to correction — request we correct inaccurate or incomplete data
- Right to deletion — request we delete your data (subject to legal retention obligations)
- Right to opt-out — withdraw marketing consent or restrict processing
- Right to data portability — request your data in a portable format
- Right not to be discriminated against — exercising your privacy rights will not affect your ability to purchase or receive support
- Right to lodge a complaint — EU and UK residents may lodge a complaint with their national Data Protection Authority (e.g., the ICO in the UK)
To exercise any of these rights, email support@session-cards.com with the subject line "Privacy Rights Request." We will respond within 30 days.
10. Your Privacy Choices — Do Not Sell or Share My Personal Information
Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), you have the right to opt out of the "sharing" of your personal information for cross-context behavioral advertising. While we do not sell personal data for money, the use of analytics and advertising cookies (Google Analytics, Meta Pixel) may constitute "sharing" under CPRA.
To opt out:
- Click "Decline" on the cookie consent banner when you visit the site
- Clear your browser cookies to reset your consent choice and decline again
- Email support@session-cards.com with "Do Not Share My Data" in the subject line
We will honor your request within 15 business days. Opting out will not affect your ability to browse or purchase from this site.
11. California Residents — Additional Rights (CCPA / CPRA)
California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to know what personal information we collect, use, disclose, or sell
- Right to delete personal information (with exceptions)
- Right to opt out of the sale or sharing of personal information — we do not sell personal data. To opt out of data sharing with analytics and advertising partners (Google Analytics, Meta Pixel), decline cookies via the consent banner or email support@session-cards.com with "Do Not Share My Data" in the subject line.
- Right to limit use of sensitive personal information
- Right to non-discrimination for exercising CCPA/CPRA rights
To exercise California rights, email support@session-cards.com with "California Privacy Request" in the subject line.
12. International Data Transfers
Our services are operated in the United States. If you are located in the EU, UK, or any other jurisdiction with data transfer restrictions, your data may be transferred to and processed in the US. Such transfers are made pursuant to legal mechanisms compliant with GDPR and UK GDPR, including Standard Contractual Clauses where applicable (via Shopify and Google's data processing agreements).
13. Security
We implement industry-standard security measures including SSL/TLS encryption for all data in transit and secure payment processing via Shopify's PCI-DSS compliant infrastructure. However, no internet transmission is 100% secure. You are responsible for keeping your account credentials confidential.
In the event of a data breach that affects your personal data, we will notify you within 72 hours (or as required by applicable law) via the email address on file.
14. Children's Privacy
Session Cards™ is intended for adults (producers, songwriters, and music professionals). We do not knowingly collect personal data from children under 13. If we become aware that a child under 13 has provided personal data, we will delete it immediately. If you believe a child's data has been submitted to us, please email support@session-cards.com.
15. Changes to This Policy
We may update this Privacy Policy at any time. Material changes will be posted on this page with an updated "Last Updated" date and, for existing customers, communicated by email. Your continued use of the site after changes are posted constitutes your acceptance of the updated policy.
Summary: We collect only what we need to run this business. We don't sell your data. We use Google Analytics and Meta Pixel for performance measurement, and Klaviyo for email marketing. You can opt out of tracking via the cookie consent banner, unsubscribe from emails at any time, request deletion, or ask any questions at support@session-cards.com.
16. Contact Us
Questions about this Privacy Policy or your personal data?
Tommy Rush Enterprises
Sherman Oaks, California, USA
Email: support@session-cards.com
Website: session-cards.com