Effective date: June 26, 2026
This Privacy Policy explains how Capiscana Inc. ("Capiscana", "we", "us", or "our") collects, uses, and shares personal information when you visit tommy-rush.com (the "Site"), join our email list, or buy our digital products. We have written it to be clear and plain. If anything is unclear, email us at studio@tommy-rush.com.
Capiscana Inc. is the controller of the personal information described in this policy, with its principal place of business in California, USA. For purchases of our digital products, Paddle.com Market Limited ("Paddle") acts as Merchant of Record and is the controller of the payment and billing data you provide at checkout, as described in Sections 3 and 5.
This policy covers tommy-rush.com and our digital products and email. Our physical merchandise and the Session Cards deck are sold through a separate Shopify store, which has its own checkout and privacy practices. Third-party sites we link to are governed by their own policies.
We collect your email address and any name you provide when you request our free sampler or join our email list, through our email provider, Klaviyo. When you buy a digital product, the checkout is handled by Paddle, which collects your name, email, billing address, payment details, and tax-related information needed to complete and tax the sale; we receive a record of the purchase (such as your name, email, product, and order details) but we do not receive or store your full payment card number. When you visit the Site, we and our hosting provider may automatically collect technical information such as your IP address, browser type, device information, pages viewed, and timestamps, used to operate, secure, and improve the Site. We also use cookies and similar technologies (see Section 6), and we keep your message and contact details if you email us. We do not intentionally collect special categories of sensitive personal data through the Site.
We use personal information to deliver the free sampler and send marketing and product emails you have signed up for; process, deliver, and support your purchases (through Paddle as Merchant of Record); operate, secure, maintain, and improve the Site and our products; respond to your questions and provide support; comply with our legal, tax, and accounting obligations; and detect, prevent, and address fraud, abuse, or technical issues.
If you are in the EU, UK, or another region where the GDPR or similar laws apply, we rely on consent for sending you marketing emails and the sampler (you can withdraw consent at any time by unsubscribing); performance of a contract, to deliver and support the products you buy; legitimate interests, to secure and improve the Site and products and to understand basic usage, balanced against your rights; and legal obligation, to keep tax, accounting, and transaction records (handled largely by Paddle as Merchant of Record).
We aim to keep tracking minimal. The Site uses a small number of first-party cookies needed for it to function. We also load third-party scripts that may set their own cookies or collect device information, including Paddle.js (on checkout, to process payments securely), Klaviyo (in connection with the email signup form), the Shopify Buy Button (on the merchandise page, to enable purchases of physical products), and Google Fonts (which loads fonts and may receive your IP address as part of serving them). Where required by law, we will ask for your consent before setting non-essential cookies. You can also control cookies through your browser settings. Disabling some cookies may affect how parts of the Site work.
We share personal information only as needed to run the Site and fulfill your requests. Our main providers are Cloudflare (website hosting and content delivery), Klaviyo (email list management and sampler signup), Resend (transactional email used to deliver the sampler), Paddle.com Market Limited (Merchant of Record for purchases: checkout, payment processing, billing, tax, and related customer data), Shopify (separate store for physical merchandise and Session Cards), and Google Fonts (font delivery). Each provider processes information under its own terms and only for the purposes described here. We may also disclose information if required by law, to protect our rights or safety, or in connection with a business transfer. We do not sell your personal information (see Section 10).
We and our providers are based in, or process data in, the United States and other countries, including the United Kingdom and the EU (for example, Paddle). This means your information may be transferred to and processed in countries with different data protection laws than your own. Where we transfer personal data out of the EU or UK, we rely on appropriate safeguards, such as Standard Contractual Clauses or an equivalent mechanism, as required by law.
We keep personal information only as long as we need it. Email list data is kept until you unsubscribe or ask us to delete it, after which we remove or suppress it. Purchase and transaction records are retained by Paddle and by us as needed to provide support and to meet tax and accounting obligations (typically for several years, as required by law). Log and technical data is kept for a shorter period for security and troubleshooting.
Depending on where you live, you may have rights to access the personal information we hold about you; to correct inaccurate information; to delete or erase your information; to receive certain information in a portable format; to object to or restrict certain processing; and to withdraw consent and opt out of marketing at any time. If you are a California resident, you also have rights under the California Consumer Privacy Act (as amended), including the right to know what personal information we collect and how we use and disclose it, the right to delete it, the right to correct it, the right to opt out of the "sale" or "sharing" of personal information, and the right not to be discriminated against for exercising your rights. We do not sell your personal information, and we do not share it for cross-context behavioral advertising as those terms are defined under California law.
To exercise any of these rights, email us at studio@tommy-rush.com. We will respond within the time required by applicable law. We may need to verify your identity before acting on a request. You can unsubscribe from marketing emails at any time using the link in any email. For payment and billing data tied to a purchase, we may direct you to Paddle, since Paddle is the Merchant of Record. If you are in the EU or UK and believe we have not handled your data properly, you have the right to complain to your local data protection authority.
The Site and our products are not directed to children. We do not knowingly collect personal information from anyone under 16 (or under 13 where that is the applicable threshold). If you believe a child has provided us information, please contact us and we will delete it.
We use reasonable technical and organizational measures, and rely on established providers like Cloudflare and Paddle, to help protect personal information. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.
The Site may link to other websites and stores, including our Shopify merch store. We are not responsible for the privacy practices of those sites. Please review their policies.
We may update this Privacy Policy from time to time. When we do, we will post the revised version with a new effective date. If the changes are significant, we will take reasonable steps to let you know.
Questions or requests about your privacy? Email studio@tommy-rush.com.