Effective Date: September 6, 2024
Table of Contents
General
Data Collected through User Submissions
Data Collected through User Visits and Interactions
Information from Other Third Parties
Use of Data
Retention of Personal Data
Data Security, and Transfers of Data across Jurisdictions
Provision and Disclosure of Data
Your Choices
Jurisdiction-Specific Information and Consumer Rights
Links to Third-Party Websites and Third-Party Features
Children’s Privacy
Changes to this Privacy Policy
Contact Us
1. General
Bombas has developed this Bombas Privacy Policy and Cookie Policy (this “Privacy Policy”) to demonstrate its commitment to protecting the privacy of users of the www.bombas.com website and our other digital properties that contain a link to this Privacy Policy (collectively, our “Site”). This Privacy Policy sets forth how we collect information from users of our Site and how we use that information. In this Privacy Policy, we refer to information that constitutes “personal data” or “personal information” (or another term with a substantially similar definition and obligations) under applicable data protection law as “Personal Data”.
This Privacy Policy is intended to summarize and inform you of our general privacy and data protection practices regarding the collection, use, and disclosure of information when you use our Site, and the choices you have with respect to that information.
Please read this Privacy Policy carefully. Please note that, when used in this Privacy Policy, the term “including” (as well as related terms such as “include” and “includes”) means “including, but not limited to,” and is meant to be inclusive, not exclusive. This Privacy Policy forms part of our Bombas Terms and Conditions of Use (our “Terms and Conditions”). To read our Terms and Conditions, click here.
By accessing our Site, you are consenting to the practices described in this Privacy Policy to the extent permitted by applicable law. This Privacy Policy may change from time to time. Each time you use the Site, the current version of the Privacy Policy will apply. Accordingly, when you use our Site, you should check the “Effective Date” at the top of the Privacy Policy and review any changes since the last version.
We may collect information submitted by users, information received on the basis of users’ visits to, interactions with, and activities on our Site, and other information provided by third-party vendors. We may use various technologies (e.g., “cookies”) on our Site to collect information about your device and about your activities on our Site, including which pages of our Site you visit. For more information about such technologies, please see the “Data Collected through User Visits, Interactions, and Activities” section below.
Please note that this Privacy Policy does not apply to the Personal Data of members of our California Workforce in their capacity as members of our California Workforce. We make available a separate “Bombas California Human Resources Privacy Policy” to members of our California Workforce in respect of such Personal Data. By “California Workforce”, we mean, collectively, any and all California residents who are one or more of the following (in each case, in their capacity as such): a job applicant to, an employee of, a director of, an officer of, or an independent contractor of Bombas.
2. Data Collected through User Submissions
Information You Provide to Bombas
We collect and store information that you submit to us, including via registration or purchase activities, via email, and via your communications and interactions with our customer support team (including via email and/or a virtual customer support chatbot(s) on our Site). If you identify yourself by sending us an email or include your email address in a communication to our customer support team, we collect and store your email address and any other information you provide in your email or other communication. As described in more detail in the “Use of Data” section below, we use this information for our operational and commercial purposes, including to contact and/or identify you and/or send you information, including marketing information, about our products, in each case to the extent permitted by applicable law. As described in more detail in the “Chatbot Feature and Automated Customer Service Technology” subsection of Section 3 (“Data Collected through User Visits and Interactions”) below, our third-party customer support technology (including chatbot) vendor may also use your customer service-related communications with us (e.g., emails and chatbot messages) to train its automated systems and inform its services that utilize the output of such automated systems.
While you are using our Site, we may ask you to provide us with certain information, which we may also use for our operational and commercial purposes, including to contact and/or identify you and/or send you information, including marketing information, about our products, in each case to the extent permitted by applicable law. Such information includes:
Email address
First name and last name
Phone number
Address (City, State, Province, ZIP/Postal code, Country)
Third-Party Payment Processing Providers, Financial Information, and Payment “Tokens”
We use one or more third-party payment processing providers in connection with our products and services. If you provide your financial account number (such as credit card number or debit card number) in connection with your payment for our products and/or services, please be aware that: (i) you are providing such financial account number to the applicable third-party payment processing provider (currently, Braintree (if not otherwise elected by you), or Shopify, Shop Pay, Amazon, Afterpay, Stripe or PayPal (if and as elected by you)) (not to Bombas); (ii) Bombas does not access, store, or otherwise process such financial account number; and (iii) the processing of such financial account number and any and all other data required or otherwise collected by such third-party payment processing provider (such as name, email address, phone number, postal address, commercial information, etc.) is subject to the applicable terms, conditions, and policies of such third-party payment processing provider (each of which may be modified from time to time by such third-party payment processing provider). We may receive from, and provide to, the payment processing provider a randomly-generated payment “token” in connection with your Bombas purchases.
3. Data Collected through User Visits and Interactions
Use of Cookies, Pixels, and Similar Technologies
We use cookies, pixels, and similar online technologies to collect information, including to understand visitor activity on our Site and to help improve visitors’ experience while using our Site.
A cookie is a small alphanumeric text file sent by a web server and placed on your computer by your web browser. Cookies can be divided into two different types: session and persistent. Session cookies are typically deleted when you close your browser. Persistent cookies, in contrast, remain stored on your computer after you close your browser until they are deleted either because they expire or you delete them.
Cookies are often used in conjunction with other technologies to understand online behavior. For example, Bombas uses cookies in conjunction with pixels, which are small snippets of code, to associate particular online activities to a browser or device (e.g., to understand that a browser or device has visited a specific page of our Site and/or to understand the total number of unique users that have visited a specific page of our Site).
We use cookies, pixels, and similar technologies for our operational and commercial purposes, including: for customizing your experience and interactions, such as highlighting your recently viewed items, remembering items you may have put in your “Cart”, tracking your activities on our Site, in connection with “Tailored Advertising” (which associates a user’s activity and interest information, demographic information, geographic information, and similar information with a browser cookie or other online identifier in order to provide more useful and relevant advertising), and other customization purposes; for measurement and analytics; and for fraud prevention and detection and other security purposes. Certain types of Tailored Advertising are sometimes called “online behavioral advertising”, “interest-based advertising”, “cross-context behavioral advertising”, or “targeted advertising”.
Not all of the cookies that we use are strictly necessary to access our Site. You may set your browser to refuse all cookies or all third-party cookies or to indicate when a cookie is being set. However, if you do not accept cookies, parts of our Site may function differently and you may not be able to use some portions or features of our Site. For more information about how to manage your cookies and your cookie preferences, please use the “help” menu of your web browser or explore the customer support sections of your web browser. To “opt out” of Tailored Advertising via cookies, please see the “Opt-Out – Right to Withdraw/Revoke Consent” subsection of Section 9 (“Your Choices”) below.
Usage Data
Some of the data we collect consists of passive data concerning your device and how you access and use our Site (“Usage Data”). This Usage Data includes information such as your computer's Internet Protocol (“IP”) address, browser type, and browser version, as well as the pages of our Site that you visit, the times and dates of your visits, the time spent on, and interactions with, those pages, location data, and diagnostic data. You can enable or disable location services when you use our Site at any time, through your device settings. We may use Usage Data to provide, maintain, and improve our Site, products, and services, including to understand visitors’ activities on our Site, to help improve visitors’ experience while using our Site, to strengthen the security of our Site, and to improve the functionality of our Site.
Third-Party Controller Personal Data
We may use the services of third-party vendors (including in connection with our use of cookies, pixels, and similar technologies) that control the collection of Personal Data on our Site (such collected Personal Data, “Third-Party Controller Personal Data”). Such vendors may include Google (including for Google Analytics and Google Advertising), Microsoft (including for Microsoft Clarity analytics and Microsoft Advertising), Pinterest (including for the Pinterest advertising service), and other third parties (including third-party advertising, marketing, and data service companies) that place cookies on our Site (including to monitor and analyze the use of our Site and for Tailored Advertising) and third-party payment processing providers. In addition to our use of Personal Data (including Third-Party Controller Personal Data) described in this Privacy Policy, such third-party vendors may use Third-Party Controller Personal Data for their own purposes, including: to provide, maintain, improve, and develop their own services; for measurement and analytics; for Tailored Advertising and other customization purposes; and for fraud prevention and detection and other security purposes. To learn more about Google’s processing of information (including information collected on our Site through Google Analytics), please visit https://policies.google.com/technologies/partner-sites; to learn more about Microsoft’s processing of information (including information collected on our Site through Microsoft Clarity), please visit https://privacy.microsoft.com/en-US/privacystatement; and to learn more about Pinterest’s processing of information (including information collected on our Site through Pinterest’s advertising service), please visit https://policy.pinterest.com/en/privacy-policy. By using our Site, you are agreeing to data collection, use, and other processing by our third-party vendors (including Google, Microsoft, and Pinterest).
Tailored Advertising
We use third-party services to advertise our products and services to you after you visit our Site. We and our third-party vendors use cookies, pixels, and similar technologies on our Site and in third-party services (including in emails and advertisements and on other digital properties) to collect and process information about your activities across time and services for purposes of associating the different devices you use, and delivering relevant Tailored Advertising and/or other content to you and others on our Site and in third-party services or third-party digital properties after you have left our Site. In addition to the use of such technologies, we may also upload customer lists (including email addresses and/or phone numbers) to third-party vendors, such as Meta and Google, to have customized ads served to people (or people similar to people) who have visited our Site (“Email-Based Advertising” or “Matched Ads”). Email-Based Advertising may be considered a kind of Tailored Advertising.
Chatbot Feature and Automated Customer Service Technology
Our Site includes a chatbot feature that allows you to engage with us directly on our Site. The chatbot is operated by a third-party partner and may collect, store, record, and monitor your communications with us. That information may be shared with our third-party partners in accordance with this Privacy Policy. Our chatbot service provider (currently, Gladly) may also use those communications and other customer service-related communications with us (e.g., emails) to train its automated systems and inform its services that utilize the output of such automated systems; to learn more about Gladly’s processing of information, please visit https://www.gladly.com/privacy-policy/. For purposes of this Privacy Policy, Personal Data included in such customer service-related communications is Third-Party Controller Personal Data.
4. Information from Other Third Parties
We may also receive information about you from third parties, and we may use such information, by itself and/or in combination with information we collect from you, for our operational and commercial purposes, including for marketing and advertising purposes, such as to send you information about our products and services and to engage in advertising, including Tailored Advertising.
5. Use of Data
If and as permitted by applicable law, we use the information we collect and/or receive for our operational and commercial purposes, which may include:
Product, Service, and Contract Fulfillment (including to manage, perform, and administer our contracts)
Customer Support (including to manage and administer our relationships with our customers and potential customers, and to maintain and improve the experiences of our customers and potential customers)
Quality Assurance and Supply Chain Management (including to assist in buying decisions)
Site Performance and Administration (including to measure and analyze the number of visitors to different sections and pages of our Site, to determine how best to enhance the usability and performance of our Site, and to detect and prevent fraud)
Marketing and Advertising (to send marketing information about our products and services to consumers, and to engage in advertising, including Tailored Advertising)
Other Communications with Customers
Internal Financial, Employment, and Administrative Purposes
Compliance with Legal/Regulatory Obligations
6. Retention of Personal Data
Bombas will retain your Personal Data only for as long as is reasonably necessary for the purposes set out in this Privacy Policy. The criteria used to determine the retention periods include: (i) how long the Personal Data is needed to provide our products and services (including in connection with our guarantees) and operate our business; (ii) the type of Personal Data collected; and (iii) whether we have a legal, contractual or similar obligation or need to retain the Personal Data (e.g., in connection with mandatory data retention laws, government orders to preserve data, and/or actual or anticipated legal claims). In accordance with and subject to the above, and subject to any rights you may have under applicable law:
Purchase-Related Data: we may retain indefinitely the Personal Data we may reasonably need in connection with any purchases from Bombas (“Purchase-Related Data”), as we may need it for purposes of our guarantees (such as our lifetime Happiness Guarantee)
Third-Party Controller Personal Data: may be retained by the applicable third party that controls collection in accordance with its own privacy policy
Other Volunteered Personal Data: we may retain indefinitely the other Personal Data that you directly provide to us (such as when you create a Bombas account or sign up for our email, text, or other direct marketing) (“Volunteered Personal Data”); however, without limiting any of your rights under “Jurisdiction-Specific Information and Consumer Rights” below, you may delete your Volunteered Personal Data at any time by emailing us at privacy@bombas.com with “Delete My Volunteered Data” in the subject line or delete your Volunteered Personal Data and other Personal Data by electing “Delete/Erase My Personal Data/Information” via our privacy web form, available by clicking HERE. Please note that, if you submit such a “request to delete”: (i) we may have a reasonable need to retain certain of your Personal Data, including Purchase-Related Data; and (ii) we will not delete the Personal Data that we reasonably need to retain.
Other Personal Data: we retain Personal Data other than Purchase-Related Data, Third-Party Controller Data, or Other Volunteered Personal Data for as long as we reasonably need it (including to strengthen the security of our Site, or if we are legally obligated to retain such data) before it is erased, de-identified, or aggregated.
7. Data Security, and Transfers of Data across Jurisdictions
Data security is important to us, but please keep in mind that no method of electronic storage or transmission (including over the Internet) is 100% secure. While we strive to use reasonable and appropriate means to protect information, we cannot guarantee its absolute security. We do and will take reasonable and appropriate steps designed to ensure that your data is treated securely and in accordance with this Privacy Policy.
Your information, including Personal Data, may be transferred to, and maintained on, computers located outside of your state, province, country or other governmental jurisdiction, in jurisdictions where the data protection laws may differ from those of your jurisdiction. However, we will not transfer your Personal Data to an organization or a country unless there are adequate controls in place, including with respect to the security of your Personal Data.
If you are located outside of the United States and provide information to us, please note that such information, including Personal Data, may be sent to, and processed in, the United States and/or other countries. By providing us with your Personal Data, you consent to such transfers to and subsequent processing in such countries (including the United States), which your country may not consider to provide for adequate privacy protections. You may withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before such withdrawal.
8. Provision and Disclosure of Data
General
We may provide or make available your information to service providers that perform certain services on our behalf. These services may include: fulfilling orders; processing payments; providing customer service (including through a virtual customer support chatbot(s) on our Site) and marketing assistance; performing business and sales analyses; providing, maintaining, and improving our Site functionality and features offered through our Site; and providing advertising and marketing services (including delivering Tailored Advertising and email marketing campaigns, and analyzing and improving the effectiveness of our advertising and marketing). These service providers may have access to Personal Data needed to perform services on our behalf and, subject to certain exceptions (including as described in the “Third-Party Controller Personal Data” and “Chatbot Feature and Automated Customer Service Technology” subsections of Section 3 (“Data Collected through User Visits and Interactions”) above), are generally not permitted to disclose or use non-aggregated Personal Data for any other purposes. We may also provide or make available your information to Bombas affiliates. In addition, to the extent permitted by applicable law, we may provide or make available your information to third-party advertising, marketing, and data service companies in connection with our use of their commercial data provision, enrichment, verification, analytics, marketing and advertising products and services.
Disclosure for Law Enforcement or Legal Requirements
Under certain circumstances, Bombas may be required to disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court or a government agency). Bombas will disclose your information in the good faith belief that such action is necessary to:
Comply with a legal obligation
Protect and defend the rights or property of Bombas
Prevent or investigate possible wrongdoing in connection with our Site
Protect the personal safety of users of our Site or the public
Protect against legal liability
Transfer of Data in the Event of Acquisition
In the event that another company acquires all or a majority of the assets of our business through a consolidation, merger, equity purchase, asset purchase, corporate reorganization, or other transaction, we reserve the right to transfer all information that is in our possession or under our control to the acquiring party.
9. Your Choices
Unsubscribe – Right to Withdraw/Revoke Consent
If you no longer want us to contact you or send you marketing and promotional communications by email, text, postal mail and/or telephone: (i) you may unsubscribe (a) from receiving our marketing and promotional emails by following the unsubscribe link in such marketing and promotional emails and/or (b) from receiving our text message marketing by replying STOP (or CANCEL, UNSUBSCRIBE, END, or QUIT) to any such text message marketing; and (ii) you may unsubscribe from other marketing and promotional communications by emailing us at privacy@bombas.com or as otherwise may be expressly specified in such marketing and promotional materials.
Opt-Out – Right to Withdraw/Revoke Consent
You may refuse or remove persistent targeting cookies by:
“Opting out” of “interest-based advertising”/“online behavioral advertising”/Tailored Advertising via third-party advertising cookies at the following websites:
youronlinechoices.com (by clicking the “Your ad choices” link after selecting the appropriate country)
Adjusting your browser settings to refuse or remove cookies.
Please note that you need to configure each browser on each device that you use if you wish to opt-out or block some or all cookies for that browser. If you buy a new device, upgrade or change web browsers or delete your opt-out cookies, you will need to perform the applicable opt-out process again. In order for opt-out processes to work, your browser must be set to accept third-party cookies. Additional information about cookies is available at https://youradchoices.com/choices-faq and www.youronlinechoices.com (by clicking the “Frequently Asked Questions”/“FAQs” link after selecting the appropriate country).
You may also elect not to receive or to receive (depending on the mobile device operating system) “interest-based advertising”/“online behavioral advertising”/Tailored Advertising in mobile application environments via the privacy settings on your mobile device and as otherwise made available by the applicable mobile device operating system.
In addition, you may opt-out of Email-Based Advertising by emailing us at privacy@bombas.com, and specifying in your email that you wish to opt-out of Email-Based Advertising.
Please note that: (i) there may be a slight delay between your unsubscribe or opt-out election and the processing of such election; and (ii) we are not responsible for third parties’ failure to comply with, or delay in complying with, unsubscribe and/or opt-out elections.
You may also opt-out of specific services of third-party vendors that control the collection of Third-Party Controller Personal Data on our Site via the personalization settings of such third-party vendor. However, please note that such specific opt-out functionality (i) may not be offered by each of those third-party vendors and (ii) if offered, is limited to the services of the applicable third-party vendor.
10. Jurisdiction-Specific Information and Consumer Rights
U.S. State Privacy Laws
Consumer Rights
If you are an individual who is a resident of a U.S. state with an effective general privacy law (such as California under the California Consumer Privacy Act, including as amended by the California Privacy Rights Act (as amended, “CCPA”)) (each such law, a “State Privacy Law”), you have some or all of the following rights with respect to your Personal Data, as set forth in the applicable State Privacy Law:
Right to Know/Access. You have the right to request that we disclose to you, following your verifiable/authenticated request:
The categories of Personal Data we have collected about you
The categories of sources from which the Personal Data is collected
The business or commercial purpose for collecting, selling, or (under CCPA) “sharing” Personal Data
The categories of third parties to which we disclose Personal Data
The specific pieces of Personal Data we have collected about you
The categories of Personal Data about you that we disclosed for a “business purpose”
If we sell or (under CCPA) “share” your Personal Data:
The categories of Personal Data that we sold or (under CCPA) shared about you
The categories of third parties to which your Personal Data was sold or (under CCPA) shared, by category or categories of Personal Data for each category of third parties to which the Personal Data was sold or (under CCPA) shared
Right to Delete. You have the right to request that we delete, following your verifiable/authenticated request, the specific pieces of Personal Data we have collected about you.
Right to Correct. You have the right to request that we correct, following your verifiable/authenticated request, any inaccurate Personal Data that we have collected about you.
Right to Data Portability. You have the right to request that we provide you, following your verifiable/authenticated request, with a copy of the Personal Data about you that we process by automated means in a portable and, to the extent technically feasible, readily usable format that allows you to transmit it to another party.
Rights to “Opt-Out”. Based on your applicable State Privacy Law, you may have some or all of the following rights:
To direct us not to “sell” (as defined by the applicable State Privacy Law) or (under CCPA) “share” your Personal Data
To opt out of “targeted advertising” (as defined by the applicable State Privacy Law), which is a type of Tailored Advertising
These State Privacy Law “opt-out” rights are different from the right to “opt out” of “interest-based advertising”/“online behavioral advertising”/Tailored Advertising described above in this Privacy Policy under the header “User Choice – Opt-Out – Right to Withdraw/Revoke Consent”. (If you would like to opt-out of our Tailored Advertising, please refer to that section of this Privacy Policy.)
Please note that: (i) we do not process your sensitive Personal Data without your consent, unless permitted by applicable law, and we do not collect, use, or disclose your sensitive Personal Data for any purpose that would require us under any State Privacy Law (such as CCPA) to offer a right to limit the use and disclosure of such sensitive Personal Data; and (ii) we do not engage in “profiling” (as defined by applicable State Privacy Laws) in furtherance of “decisions that produce legal or similarly significant effects concerning consumers” (as defined by applicable State Privacy Law).
Right to Non-Discrimination. We may not discriminate against you because you exercise any of your rights under your applicable State Privacy Law, including by:
Denying goods or services to you
Charging you different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties
Providing a different level or quality of goods or services to you
Suggesting that you will receive a different price or rate for goods or services or a different level or quality of goods or services
Please note the following:
The process we currently use to verify or authenticate “requests to know / access”, “requests to delete”, “requests to correct”, and “requests for data portability” requires you to provide your email address, your postal address, and information about your Bombas purchase history.
We currently use the same process to comply with both a verified or authenticated “request to know / access” and a verified or authenticated “request for data portability”.
If you submit a “request to delete”, we may have a reasonable need to retain certain of your Personal Data, including for purposes of Bombas’s guarantees (such as our lifetime Happiness Guarantee) and for certain other limited purposes permitted by the applicable State Privacy Law. Therefore, if you submit a “request to delete”, we will not delete the Personal Data that we reasonably need to retain.
Methods of Submitting State Privacy Law Requests
How to Exercise Your “Right to Know/Access”, “Right to Delete”, “Right to Correct”, and “Right to Data Portability”
If you are a resident of a U.S. state with an effective State Privacy Law, you may submit requests under that State Privacy Law to exercise your “right to know/access”, your “right to delete”, your “right to correct”, and/or your “right to data portability” via either of the following methods:
By web form, available by clicking HERE
By toll-free telephone, to: 1-888-914-9661, PIN: 688703
Please note that if we notify you that we were unable to verify/authenticate your “request to know/access”, “request to delete”, “request to correct”, or “request for data portability”, you may appeal our determination by emailing us at privacy@bombas.com and indicating why you disagree with our determination (including by providing additional information to support your request).
How to Exercise Your “Right to Opt-Out”
If you are a resident of a U.S. state with an effective State Privacy Law, you may exercise your State Privacy Law “right(s) to opt-out” via the following method(s):
By web form, available by clicking HERE
Via the Global Privacy Control user-enabled universal opt-out mechanism, if and when such a universal opt-out mechanism is legally required as a method of opting out by the applicable State Privacy Law. (For more information regarding Global Privacy Control, please visit the Global Privacy Control website: https://globalprivacycontrol.org/.)
Please note that if you exercise your State Privacy Law “right(s) to opt-out” via Global Privacy Control, we will process that election to the extent technically feasible. However, if we receive such an opt-out signal, it may not be technically feasible for us to associate the applicable browser/device ID with your other Personal Data (e.g., your email address). To ensure that your State Privacy Law opt-out election extends to Personal Data other than your browser/device ID, please submit such State Privacy Law opt-out requests via our web form.
We will maintain records of consumer requests made under State Privacy Laws and how we responded to those requests in accordance with those State Privacy Laws.
Authorized Agents
If you are a resident of a U.S. state with an effective State Privacy Law, if and as required by that State Privacy Law, you may use an “authorized agent” to submit requests to exercise your “right to know”, your “right to delete”, your “right to correct”, your “right to data portability”, and/or your State Privacy Law “right(s) to opt-out” (as applicable) on your behalf under that State Privacy Law. Your authorized agent will need to provide us with a copy of a written permission that is signed by you and indicates that you have provided such authorization.
Personal Data
We collect (and during the last 12 months have collected) the following categories of Personal Data, from the following categories of sources, and for the following business or commercial purposes to the extent permitted by applicable law:
Category of Personal Data: Identifiers (such as a real name, postal address, email address, an online identifier, or an internet protocol address)
Categories of Sources: We receive such information directly from consumers (such as when they complete a purchase on our Site) and/or from third-party vendors (such as vendors that use cookies, pixels, and other similar online technologies on our Site and in third-party services (including in emails and advertisements) and third-party data providers)
Business/Commercial Purposes: For our operational and commercial purposes, including: (i) managing, performing, and administering our contracts and relationships with consumers, (ii) sending information (including marketing information about our products) to consumers, and (iii) engaging in marketing and advertising (including “targeted advertising” (under applicable State Privacy Law) and other Tailored Advertising), and “selling” (under applicable State Privacy Law) such Personal Data to, and/or “sharing” (under CCPA) such Personal Data with, advertising, marketing, and data service companies (in connection with our use of their commercial data provision, enrichment, verification, analytics, marketing and advertising products and services)
Category of Personal Data: Characteristics of protected classifications under California or federal law (such as gender and age)
Categories of Sources: We receive such information from third-party vendors, including vendors that perform analytics and Tailored Advertising services for us and third-party data providers
Business/Commercial Purposes: For our operational and commercial purposes, including engaging in marketing and advertising (including “targeted advertising” (under applicable State Privacy Law) and other Tailored Advertising) and/or “selling” (under applicable State Privacy Law) such Personal Data to, and/or “sharing” (under CCPA) such Personal Data with, advertising, marketing, and data service companies (in connection with our use of their commercial data provision, enrichment, verification, analytics, marketing and advertising products and services)
Category of Personal Data: Commercial information (such as records of the products a consumer purchased)
Categories of Sources: We receive such information directly from consumers (based on the purchase activities of those consumers on our Site) and/or from third-party vendors (such as third-party data providers)
Business/Commercial Purposes: For our operational and commercial purposes, including: (i) managing our supply chain (including with respect to buying decisions); (ii) managing, performing, and administering our contracts and relationships with consumers; (iii) engaging in marketing and advertising, including “targeted advertising” (under applicable State Privacy Law) and other Tailored Advertising; and/or “selling” (under applicable State Privacy Law) such Personal Data to, and/or “sharing” (under CCPA) such Personal Data with, advertising, marketing, and data service companies (in connection with our use of their commercial data provision, enrichment, verification, analytics, marketing and advertising products and services)
Category of Personal Data: Internet or other electronic network activity information (such as browsing history, search history, and information regarding interactions with our Site and our advertising)
Categories of Sources: We receive such information from third-party vendors, including ad platforms and vendors that use cookies, pixels, and other similar online technologies on our Site and in third-party services (including in emails and advertisements)
Business/Commercial Purposes: For our operational and commercial purposes, including (i) managing our supply chain (including with respect to buying decisions), and (ii) engaging in advertising and marketing, including “targeted advertising” (under applicable State Privacy Law) and other Tailored Advertising, and/or selling (under applicable State Privacy Law) such Personal Data to, and/or “sharing” (under CCPA) such Personal Data with, advertising, marketing, and data service companies (in connection with our use of their commercial data provision, enrichment, verification, analytics, marketing and advertising products and services)
Category of Personal Data: Audio, electronic, visual, thermal, olfactory, or similar information
Categories of Sources: We receive such information (which may include a photo or a video) directly from consumers when they provide it to us
Business/Commercial Purposes: For our operational and commercial purposes, including engaging in advertising and marketing (including “targeted advertising” (under applicable State Privacy Law) and other Tailored Advertising)
Category of Personal Data: Inferences (drawn from any of the other categories of Personal Data) to create a profile about a consumer reflecting, for example, a consumer’s product preferences
Categories of Sources: We receive such information from third-party vendors, including vendors that perform analytics and remarketing services for us
Business/Commercial Purposes: For our operational and commercial purposes, including to engage in “targeted advertising” (under applicable State Privacy Law) and other Tailored Advertising
We also collect and process (and during the last 12 months have collected and processed) logins and passwords directly from consumers for their Bombas accounts, and each such account login, in combination with the applicable password, may be considered “sensitive” Personal Data under certain State Privacy Laws (such as CCPA). We also may collect and process (and during the last 12 months may have collected and processed) other sensitive Personal Data if consumers voluntarily provided such information to us in a communication (such as an email or via our customer service chatbot) (“Volunteered Sensitive Data”). We do not process your sensitive Personal Data without your consent, unless permitted by applicable law, and we do not knowingly collect, use, or disclose your sensitive Personal Data for any purpose that would require us under any State Privacy Law (such as CCPA) to offer a right to limit the use and disclosure of such sensitive Personal Data. We also do not use your Personal Data to create a profile in furtherance of “decisions that produce legal or similarly significant effects concerning a consumer” (as defined by applicable State Privacy Law). In addition, we do not knowingly collect Personal Data from children without the consent of the child’s parent or guardian. (For more information, please see the “Children’s Privacy” section below.)
Disclosure of Personal Data
“Disclosures for a Business Purpose”: We disclose (and during the last 12 months have disclosed) each of the above categories of Personal Data for a “business purpose” (as defined by CCPA) with our authorized service providers that perform certain services on our behalf, including fulfillment, shipping, and handling providers, payment processing providers, data analytics providers, technology service providers (including our customer support technology (including chatbot) vendor), and advertising and marketing service providers. These services may include fulfilling orders, processing credit card payments, providing customer service (including through a virtual customer support chatbot(s) on our Site) and marketing assistance, performing business and sales analysis, supporting our Site functionality and supporting other features offered through our Site, and providing advertising and marketing services (including delivering marketing campaigns and analyzing and improving the effectiveness of our advertising and marketing).
“Sales”, “Sharing”, and Use for “Targeted Advertising”: We “sell” (as defined by applicable State Privacy Law), “share” (as defined by CCPA), and/or use for “targeted advertising” (as defined by applicable State Privacy Law) (and during the last 12 months have sold, shared, and/or used for targeted advertising) each of the above categories of Personal Data (other than data that may be considered “sensitive” Personal Data) to/with advertising, marketing, and data service companies in connection with our, their, and their respective customers’ marketing, advertising, and other business and commercial activities (in connection with our use and/or their provision of their advertising and marketing services and their commercial data provision, enrichment, verification, and analytics products and services). We also may be considered to sell or share: (i) each of the above categories of Personal Data (other than “Audio, electronic, visual, thermal, olfactory, or similar information”, “Inferences”, and data that may be considered “sensitive” Personal Data) to/with payment service processing providers in connection with our use of their services (for more information on our use of such services, please see the “Third-Party Payment Processing Providers, Financial Information, and Payment “Tokens”” subsection of Section 2 (“Data Collected through User Submissions”) above); and (ii) each of the above categories of Personal Data (including Volunteered Sensitive Data) to our third-party customer support technology (including chatbot) vendor, which may use such Personal Data to train its automated systems and inform its services that utilize the output of such automated systems. 
Without required affirmative authorization, we do not knowingly “sell” (as defined by the applicable State Privacy Law) or “share” (as defined by CCPA) the Personal Data of individuals under the age of 16 or use such Personal Data for “targeted advertising” (as defined by the applicable State Privacy Law). If you are a resident of a U.S. state with an effective State Privacy Law, you have the right, at any time, to direct us under such State Privacy Law not to “sell” (as defined by the applicable State Privacy Law) your Personal Data, “share” (as defined by CCPA) your Personal Data, and/or use your Personal Data for “targeted advertising”, as set forth in the applicable State Privacy Law. You may exercise such “Rights to Opt-Out” by (i) clicking the link below, which takes you to the web form listed above under the header “Jurisdiction-Specific Information – United States – Methods of Submitting Requests” (and available by clicking HERE), or (ii) if and when a universal opt-out mechanism is legally required as a method of opting out by the applicable State Privacy Law, via the Global Privacy Control user-enabled universal opt-out mechanism.
California
Response to "Do Not Track" Signals
We do not support browser “Do Not Track” (DNT) signals, and do not change any of our data collection or use practices when we receive such signals. “Do Not Track” is a preference you can set in your web browser. We will continue to evaluate potential responses to “Do Not Track” signals in light of industry developments or legal changes.
However, while we do not support “Do Not Track” signals, we do honor opt-out signals received from Global Privacy Control or any other California-certified user-enabled universal opt-out mechanism as the applicable user’s election to opt-out of the sale and/or sharing (each, as defined by CCPA) of their Personal Data, to the extent technically feasible.
We are committed to honoring your privacy choices. For more information, please see the “Your Choices” section above and the subsections above in this “Jurisdiction-Specific Information and Consumer Rights” section.
Your California Privacy Rights under “Shine the Light”
California’s “Shine The Light” law permits certain individuals who are California residents to annually request and obtain information free of charge about what Personal Data is disclosed to third parties for direct marketing purposes in the preceding calendar year. We do not distribute your Personal Data to outside parties for their direct marketing without your consent, except as provided for in this Privacy Policy.
For more information, please email us at privacy@bombas.com, with “California Shine the Light Privacy Request” in the subject line, and your full name, email address, postal address and specific services you have used in the body of your email.
Notice of Financial Incentives
We may offer various financial incentives, such as discounts or other benefits to customers from time to time. In some cases, there may be additional terms and conditions applicable to a financial incentive, which we will present to you when you sign up for the financial incentive.
For example, when you create a Bombas account, we provide you with free shipping for products purchased on the Site. During the account creation process and when you use your Bombas account thereafter, we collect Personal Data from you, such as identifiers (like your name, email address or phone number), commercial information (like purchase history and product preferences), inferences drawn about your preferences and other categories of your Personal Data. We may use this Personal Data to tailor your experience on our Site and our communications to you based on products and services we think may be of interest to you, and for measurement and analytics. We believe that the benefits you receive from creating and using a Bombas account, including our offer of free shipping, are reasonably related to the value of your Personal Data. You can create a Bombas account and opt into this financial incentive by following the applicable sign-up or participation instructions on our Site or in our marketing and promotional messages. You can opt-out at any time by contacting us at privacy@bombas.com to delete your account.
Washington
To read our Washington Health Data Privacy Policy, which describes our privacy practices regarding the collection, use, and sharing of “consumer health data” of Washington state “consumers” under the Washington My Health My Data Act and the choices such consumers have with respect to that information, please click HERE.
European Economic Area, Switzerland, United Kingdom, and Brazil.
Legal Bases (GDPR and LGPD)
The EU General Data Protection Regulation (GDPR) requires a “legal basis” for processing “personal data” (as defined by GDPR) of European Economic Area (which includes, for purposes of this Privacy Policy, Switzerland and the United Kingdom) (“EEA”) data subjects, and the Brazilian General Data Protection Law (LGPD) requires a "legal basis" for processing "personal data" (as defined by LGPD) of Brazil data subjects. If you are an EEA or Brazil data subject, Bombas’s legal basis for collecting, using, and disclosing the “personal data” described in this Privacy Policy will depend on the personal data we collect, the specific context in which we collect it, and the specific purposes for which we collect and use it, including as follows:
Purpose: To respond to requests and questions, including about our products
Legal Basis(es), if and to the extent applicable in the EEA or Brazil (with respect to “personal data” of EEA or Brazil data subjects, respectively): Such responses may be necessary to manage and perform our contracts (including our Terms and Conditions) with the applicable data subject or to take steps at the request of the data subject prior to entering into a contract. In addition, we have a legitimate interest in managing our relationships with our customers and potential customers and to ensure that we are as effective and efficient as we can be and that we optimize the experience and satisfaction of our customers.
Purpose: To provide customer support
Legal Basis(es), if and to the extent applicable in the EEA or Brazil (with respect to “personal data” of EEA or Brazil data subjects, respectively): Such support may be necessary to manage and perform our contracts (including our Terms and Conditions) with the applicable data subject or to take steps at the request of the data subject prior to entering into a contract.
In addition, we have a legitimate interest in providing customer support and in optimizing the experience and satisfaction of our customers.
With your consent, if required by applicable law.
Purpose: To provide goods and services to our customers, and otherwise to perform our contracts with our customers
Legal Basis(es), if and to the extent applicable in the EEA or Brazil (with respect to “personal data” of EEA or Brazil data subjects, respectively): To manage and perform our contracts (including our Terms and Conditions) with the applicable data subject
Purpose: To maintain, administer, improve, and customize our Site, products, and services
Legal Basis(es), if and to the extent applicable in the EEA or Brazil (with respect to “personal data” of EEA or Brazil data subjects, respectively): We have a legitimate interest in maintaining and improving the quality and efficiency of the products and services offered to our customers and potential customers, and in optimizing the experience and satisfaction of our customers.
With your consent, if required by applicable law
Purpose: The day-to-day running and management of our business and the products and services offered to customers
Legal Basis(es), if and to the extent applicable in the EEA or Brazil (with respect to “personal data” of EEA or Brazil data subjects, respectively): We have a legitimate interest in managing our business, including for operational purposes, such as supply chain management (including with respect to buying decisions) and financial, employment, and administrative decision-making
Purpose: For fraud prevention and detection and other security purposes
Legal Basis(es), if and to the extent applicable in the EEA or Brazil (with respect to “personal data” of EEA or Brazil data subjects, respectively): We have a legitimate interest in preventing and detecting fraud, especially in connection with our Site and our products and services
Purpose: In response to diligence investigation inquiries by third parties that are evaluating the prospect of acquiring all or part of our business, assets, or equity, or that succeed us in carrying on our business
Legal Basis(es), if and to the extent applicable in the EEA or Brazil (with respect to “personal data” of EEA or Brazil data subjects, respectively): We have a legitimate interest in managing our business, including for operational, financial, employment, and administrative purposes.
Purpose: To enforce or defend our rights
Legal Basis(es), if and to the extent applicable in the EEA or Brazil (with respect to “personal data” of EEA or Brazil data subjects, respectively): To manage and perform our contracts (including our Terms and Conditions) with the applicable data subject and, if applicable, to comply with our legal or regulatory obligations
Purpose: To investigate, manage, and resolve complaints and claims
Legal Basis(es), if and to the extent applicable in the EEA or Brazil (with respect to “personal data” of EEA or Brazil data subjects, respectively): To manage and perform our contracts (including our Terms and Conditions) with the applicable data subject and, if applicable, to comply with our legal or regulatory obligations
Purpose: To investigate, manage, and resolve regulatory matters, investigations, and claims
Legal Basis(es), if and to the extent applicable in the EEA or Brazil (with respect to “personal data” of EEA or Brazil data subjects, respectively): To comply with our legal or regulatory obligations
Purpose: To provide or make available data to police, law enforcement, tax authorities or other government agencies where we have a legal obligation and to comply with applicable laws, regulations or codes of practice
Legal Basis(es), if and to the extent applicable in the EEA or Brazil (with respect to “personal data” of EEA or Brazil data subjects, respectively): To comply with our legal or regulatory obligations
Purpose: To allow you to participate in interactive features of our Site when you choose to do so
Legal Basis(es), if and to the extent applicable in the EEA or Brazil (with respect to “personal data” of EEA or Brazil data subjects, respectively): With your consent, if required by applicable law
Purpose: For marketing and advertising, including Tailored Advertising
Legal Basis(es), if and to the extent applicable in the EEA or Brazil (with respect to “personal data” of EEA or Brazil data subjects, respectively): With your consent, if required by applicable law. If you no longer wish to consent to Tailored Advertising, you can withdraw your consent at any time (please see the “Opt-Out – Right to Withdraw/Revoke Consent” subsection of Section 9 (“Your Choices”) above).
If you wish to stop receiving marketing communications from us, you can unsubscribe by following the unsubscribe link in our marketing and promotional emails or the instructions provided in any other communication we send (please see the “Unsubscribe – Right to Withdraw/Revoke Consent” subsection of Section 9 (“Your Choices”) above).
Your Rights under GDPR
If you are an EEA data subject and certain requirements are fulfilled, you have the following data protection rights, as set forth in GDPR:
Right of Access. You have the right to access your personal data.
Right to Erase. You have the right to have us erase your personal data.
Right to Data Portability. You have the right to be provided with a copy of your personal data in a structured, machine-readable and commonly used format (or have this transferred to a third party).
If you wish to exercise your “Right of Access”, “Right to Erase”, or “Right to Data Portability”, please visit our web form or email us at EuropePrivacy@bombas.com. Please note that: (i) we may ask you to verify your identity before responding to such requests; and (ii) the process we currently use to comply with a verified exercise of the “right to data portability” is the same as the process we currently use to comply with a verified exercise of the “right of access”.
Right of Rectification. You have the right to have your personal data rectified / updated if that information is inaccurate or incomplete.
Right to Object. You have the right to object to our processing of your personal data carried out for our legitimate reasons and/or for direct marketing, including profiling that is related to such direct marketing.
Right of Restriction. You have the right to request that we restrict the processing of your personal data (i.e., we would need to secure and retain the personal data for your benefit but not otherwise use it).
If you wish to exercise one of the above-mentioned rights, please send us your request via email to: EuropePrivacy@bombas.com. Please note that we may ask you to verify your identity before responding to such requests.
Right to Withdraw/Revoke Consent. You also have the right to withdraw your consent at any time where Bombas relied on your consent to process your personal data.
If you wish to exercise such right with respect to “interest-based advertising”/“online behavioral advertising”, you can do so through the applicable mechanisms set forth in the “Opt-Out – Right to Withdraw/Revoke Consent” subsection of Section 9 (“Your Choices”) above.
If you wish to exercise such right with respect to the advertising and marketing we communicate by email, postal mail, or telephone, you can do so through the applicable mechanisms set forth in the “Unsubscribe – Right to Withdraw/Revoke Consent” subsection of Section 9 (“Your Choices”) above.
You also have the right to complain to a data protection authority about our collection and use of your personal data. We would, however, appreciate the opportunity to address your concerns before you approach a data protection authority, and would welcome you directing an inquiry first to us at: EuropePrivacy@bombas.com.
GDPR Joint Controllers
Third-party vendors that control the collection of Third-Party Controller Personal Data of EEA data subjects on our Site may be considered “joint controllers” under GDPR and, therefore, responsible for enabling the rights of EEA data subjects under GDPR with respect to applicable Third-Party Controller Personal Data stored by such third-party vendors. For more information about Third-Party Controller Personal Data, please see the “Third-Party Controller Personal Data” subsection of Section 3 (“Data Collected through User Visits and Interactions”) above. For information about the contact details of each such third-party vendor and, if applicable, its GDPR representative and/or data protection officer, please see their privacy policy.
Your Rights under LGPD
If you are a Brazil data subject and certain requirements are fulfilled, you have the following data protection rights, as set forth in LGPD:
Right of Access. You have the right to access your personal data.
Right of Deletion. You have the right to have us delete your personal data.
Right to Data Portability. You have the right to be provided with a copy of your personal data in a structured, machine-readable and commonly used format (or have this transferred to a third party).
If you wish to exercise your “Right of Access”, “Right of Deletion”, or “Right to Data Portability”, please visit our web form or email us at BrazilPrivacy@bombas.com. Please note that: (i) we may ask you to verify your identity before responding to such requests; and (ii) the process we currently use to comply with a verified exercise of the “right to data portability” is the same as the process we currently use to comply with a verified exercise of the “right of access”.
Right of Confirmation. You have the right to have us confirm the existence of our processing of your personal data.
Right of Correction. You have the right to have your personal data corrected if that information is incomplete, inaccurate, or out-of-date.
Right to Deny Consent. You have the right to deny consent to the processing of your personal data for which we rely on your consent as a legal basis, and to information about the consequences of such denial. For more information, please see the “Unsubscribe – Right to Withdraw/Revoke Consent” and “Opt-Out – Right to Withdraw/Revoke Consent” subsections of Section 9 (“Your Choices”) above, and the above “Legal Bases (GDPR and LGPD)” subsection of this section.
Right to Know about Data Sharing. You have the right to know about the entities with which we have shared your personal data. For more information, please see the “Provision and Disclosure of Data” section above.
If you wish to exercise one of the above-mentioned rights, please send us your request via email to: BrazilPrivacy@bombas.com. Please note that we may ask you to verify your identity before responding to such requests.
Right to Withdraw/Revoke Consent. You also have the right to revoke your consent at any time where Bombas relied on your consent to process your personal data.
If you wish to exercise such right with respect to “interest-based advertising”/“online behavioral advertising”/Tailored Advertising, you can do so through the mechanisms set forth in the “Your Choices – Opt-Out – Right to Withdraw/Revoke Consent” section above.
If you wish to exercise such right with respect to the advertising and marketing we communicate by email, postal mail, or telephone, you can do so through the mechanisms set forth in “Your Choices – Unsubscribe – Right to Withdraw/Revoke Consent” section above.
11. Links to Third-Party Websites and Third-Party Features
There are a number of places on our Site where you may click on a link to access another party’s website that does not operate under this Privacy Policy. For example, if you click on an advertisement or a search result on our Site, you may be taken to a third-party website over which we have no ownership or control. These third-party websites may independently solicit and collect from you and in some instances provide us with information about your activities on those websites. We strongly advise you to review the privacy policy of every site you visit. We have no control over and assume no responsibility for the content, privacy policies or practices of any third-party sites or services.
We may allow you to connect our Site to a third-party service or offer portions of our Site through a third-party service (“Third Party Features”). If you use a Third Party Feature, both we and the applicable third party may have access to and use information associated with your use of the Third Party Feature, and you should carefully review the third party’s privacy policy and terms of use. Some examples of Third Party Features include the following:
Liking, Sharing, and Logging-In. We may embed a pixel or other technology on our Site that allows you to “like” or “share” content on, or log in to your Bombas account through, third-party services, including social networks such as Facebook, Instagram, Pinterest, and X. If you choose to engage with such a third-party service through our Site, we may collect any information you have authorized the third-party service to provide to us (such as your user ID, billing information, public profile information, email address, birthday, friends list, and other account and profile data). Likewise, if you choose to engage with such a third-party service through our Site or visit our Site while logged in to that third-party service on your device or through our Site, the third party may receive information about your activities on our Site and be able to associate that information with information the third party already has about you.
Content on Social Networks; Hashtags. We may offer our content on social networks such as Facebook, Instagram, Pinterest, and X. Any information you provide to us when you engage with our content (such as through our brand page or via our chatbot on Facebook Messenger) is treated in accordance with this Privacy Policy. Also, if you publicly reference our Site on a third-party service (e.g., by using a hashtag associated with Bombas in a tweet or post), we may use your reference on or in connection with our Site.
Customer Support Chatbot. We utilize a virtual chatbot(s) on our Site for customer support purposes. That chatbot(s) is provided by a vendor that provides us with such chatbot(s) and associated products and/or services. That vendor has access to communications and underlying information (including your Personal Data) in and/or from such chatbot(s) both to perform services on our behalf and for its own purposes, but is generally not permitted to disclose or use non-aggregated Personal Data for any purposes other than (i) performing services on our behalf and (ii) training its automated systems and informing its services that utilize the output of such automated systems. For more information about such chatbot(s), please see the “Chatbot Feature and Automated Customer Service Technology” subsection of Section 3 (“Data Collected through User Visits and Interactions”) above.
12. Children's Privacy
Our Site is not intended for children, and we do not sell products for purchase by children (as defined by applicable law). We sell children's products for purchase by adults. If you are under 18, you may use our Services only with the involvement and permission of a parent or guardian. We do not knowingly collect Personal Data from children without the consent of the child’s parent or guardian. If you are a parent or guardian and you believe that your child has provided us with Personal Data without your consent, please contact us. (Please see the “Contact Us” section below.) If we become aware that we have collected Personal Data from children without verification of parental consent, we will take steps to remove that Personal Data from our servers.
13. Changes to this Privacy Policy
We may update our Privacy Policy from time to time. You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page. We will let you know via a prominent notice on our Site, and we will update the "Effective Date" at the top of this Privacy Policy.
14. Contact Us
If you have any questions about this Privacy Policy or our privacy practices, or if you would like to contact our data protection representative, please feel free to contact us by email to privacy@bombas.com, by phone (1-800-314-0980), or by postal mail to the following address: Bombas LLC, 881 Broadway, 2nd Floor, New York, NY 10003, USA. With respect to the EEA personal data we collect and the Brazil personal data we collect, Bombas is the controller responsible for such personal data. As the controller, we determine the purposes for which and the manner in which such personal data are, or are to be, processed with respect to our Site. If you are an EEA data subject and have any questions or concerns about our privacy policies or practices, please feel free to email us at EuropePrivacy@bombas.com. If you are a Brazil data subject and have any questions or concerns about our privacy policies or practices, please feel free to email us at BrazilPrivacy@bombas.com. If you experience difficulty in accessing any part of our services or this Privacy Policy, please feel free to call us at 1-800-314-0980 or to email us at hello@bombas.com.