Privacy Policy
Effective date: September 7, 2025
Applies to: Express Bathroom Makeovers (“Company,” “we,” “us,” or “our”)
Websites & apps covered: expressbathroommakeovers.com and any subdomains, and any mobile or web applications that link to this notice (collectively, the “Services”).
Plain‑English summary (not a substitute for the full policy): We collect the information you give us, data about how you use our site, and limited data from partners. We use it to provide the Services, process orders/leads, improve marketing and analytics, and secure our systems. In certain states you may opt out of targeted ads and “selling/sharing” of personal information (defined by state law); we also honor Global Privacy Control (GPC) browser signals. You can access, delete, correct, or port your data and appeal decisions we make about your requests. We don’t knowingly collect data from children under 13.
1) What we collect
We collect personal information in these categories (examples may vary by product and your interactions):
- Identifiers & contact info (e.g., name, email, phone, postal address, IP address, device IDs, cookie IDs).
- Commercial information (e.g., orders, quotes, invoices, records of products/services purchased or considered).
- Internet/usage data (e.g., pages viewed, links clicked, time on page, referring/exit URLs, error logs).
- Geolocation data (approximate, derived from IP; we do not collect precise GPS unless expressly stated).
- Inferences drawn from other data (e.g., segments or preferences used for analytics/ads).
- Payment data (the last four digits of the card number or a payment token, handled by a PCI DSS‑compliant payment processor; we do not store full card numbers).
- Communications you send us (e.g., emails, calls/voicemails, chat transcripts, form submissions).
- User content (e.g., uploads, design inputs, reviews).
- Professional data (for B2B contacts, e.g., company, role).
Sensitive data. We do not intentionally collect sensitive data (e.g., SSN, precise geolocation, biometric, health, or children’s data). If a workflow requests such information, we will present a separate notice and obtain any legally required consent.
Sources. Directly from you; automatically from your device/browser; and from service providers/partners that support analytics, advertising, payments, CRM/CS, and security (examples: analytics platforms, ad networks, consent‑management tools, email and SMS providers, payment processors, fraud prevention, customer support/chat, scheduling, and CRM). A current list of key processors is available on request.
2) How we use information (purposes)
- Provide & improve the Services, including account setup, quotes, orders, fulfillment, customer support, troubleshooting, and service analytics.
- Marketing & advertising, including first‑party analytics/measurement, and cross‑context behavioral advertising/“targeted advertising” where permitted by law.
- Security & fraud prevention, abuse detection, debugging, and incident response.
- Legal, compliance, and recordkeeping, including contracts, taxation, and responding to lawful requests.
- Consent‑specific purposes when you agree (e.g., subscribe to a newsletter, receive SMS, participate in a survey, or allow non‑essential cookies).
Legal bases (GDPR/UK GDPR). Where GDPR applies, we rely on: contract (Art. 6(1)(b)), legitimate interests (Art. 6(1)(f))—e.g., security, basic analytics, service improvement—consent where required (Art. 6(1)(a)), and legal obligation (Art. 6(1)(c)).
3) Sharing and disclosures
We share personal information with:
- Service providers/processors under contracts that limit use to our instructions (hosting, cloud, analytics, payments, marketing/email/SMS, CRM, customer support, ads delivery, logistics).
- Business partners when you choose to interact (e.g., financing, affiliates, dealers, or co‑marketing you request).
- Authorities or third parties for legal compliance, to protect rights/safety, or in a business transaction (e.g., merger, financing, asset sale).
“Sale,” “Share,” and “Targeted Advertising.” Some state privacy laws define “sell,” “share,” or “targeted advertising” broadly to include sharing identifiers with advertising/analytics partners via cookies or pixels. Where applicable, we treat such activity as a sale/share/targeted advertising and provide opt‑outs.
4) Cookies, analytics, ads & your choices
We use cookies and similar technologies:
- Strictly necessary: site functionality, security, fraud prevention.
- Preferences & performance: remembering settings, improving speed/reliability.
- Analytics: measuring usage and improving content.
- Advertising: measuring campaigns; showing relevant offers on other sites/apps.
Your controls:
- Use our Cookie Settings link (footer) to accept/decline non‑essential cookies at any time.
- Set your browser to send a Global Privacy Control (GPC) signal—we treat qualifying signals as a valid opt‑out of sale/share/targeted advertising where required.
- Opt out of interest‑based ads from participating companies at industry pages (e.g., NAI/DAA/EDAA); these industry tools supplement, and do not replace, the legal opt‑outs described in this policy.
5) State‑specific rights (US)
Depending on where you live (e.g., CA, CO, CT, VA, UT, and—as it comes into force—MD), you may have some or all of these rights:
- Access/know the categories and specific pieces of personal information we have collected.
- Delete personal information.
- Correct inaccurate personal information.
- Portability of certain information.
- Opt out of (a) sale/share of personal information and (b) targeted advertising; and (c) profiling in furtherance of decisions with legal/similar significant effects (where applicable).
- Limit the use/disclosure of sensitive personal information (California).
- Appeal our decision if we decline to act on your request (VA/CO/CT and others).
How to exercise your rights:
- Submit a request at: [rights request webform URL] or email privacy@expressbathroommakeovers.com or call [toll‑free number, if applicable].
- For opt‑outs, use Do Not Sell or Share My Personal Information and Opt Out of Targeted Ads links in the footer, or enable GPC in your browser.
- We will verify your identity and respond within the timeframe required by law. Authorized agents may submit requests as permitted by law.
Notice at collection (California). We provide a just‑in‑time “Notice at Collection” describing categories of data, purposes, retention periods, and whether we sell/share personal information, with links to opt‑out and this policy.
6) GDPR/UK GDPR rights (when applicable)
If you are in the EEA/UK, you have rights to access, rectify, erase, restrict, object (including to direct marketing), and data portability, and to withdraw consent at any time (without affecting the lawfulness of processing carried out before withdrawal). You may lodge a complaint with your local supervisory authority. Our EU/UK representative (if required) and contact details appear below.
7) Retention
We keep personal information only as long as needed for the purposes above, including legal, accounting, or reporting requirements. Typical retention ranges:
- Customer/account records: 7–10 years (tax/legal).
- Leads/marketing records: 24–36 months from last interaction (or as required by law).
- Analytics/advertising identifiers: 12–24 months (or as configured via our consent tool).
We delete or de‑identify data when no longer needed.
8) Children
Our Services are not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child provided us data, contact us to delete it. (If we ever offer features directed to children, we will comply with parental consent requirements first.)
9) Communications: email & SMS
- Email (CAN‑SPAM): We include an unsubscribe link and our physical address in each commercial email and honor opt‑out requests within required timelines.
- SMS/Calls (TCPA): We obtain the prior express written consent required for marketing texts/robocalls and provide clear opt‑out instructions (e.g., reply STOP). Consent is not a condition of purchase.
10) Security
We use administrative, technical, and physical safeguards appropriate to the risk (e.g., encryption in transit, access controls, least‑privilege, and vendor due diligence). No method is 100% secure; please use strong, unique passwords and protect your devices.
11) International transfers
If we transfer personal information outside your region (e.g., from the EEA/UK to the US), we rely on appropriate safeguards (e.g., Standard Contractual Clauses or equivalent) and supplement as needed.
12) Changes to this policy
We will update this policy from time to time. Changes take effect upon posting unless otherwise stated. Material changes will be highlighted or notified to you when required by law.
13) Contact us
Express Bathroom Makeovers
Attn: Privacy
Email: privacy@expressbathroommakeovers.com
Mailing address: 100 N. Talbot Street, St. Michaels, MD 21663
Phone: [contact number]
EEA/UK representative (if required): [rep name/email/postal address].
Data Protection Officer (if designated): [name/email].
Required links and footer items (place these on every page)
- Privacy Policy (this page)
- Cookie Settings (opens your consent manager)
- Do Not Sell or Share My Personal Information (CPRA)
- Opt Out of Targeted Advertising (CO/CT/VA/etc.)
- Accessibility and Terms of Use
- (Optional) “Opt-Out Preference Signal Honored” badge when a valid signal is processed.
Appendix A — Example “Notice at Collection” (California)
Categories collected: identifiers; commercial information; internet/usage data; geolocation (approximate); inferences.
Sensitive PI: not collected (unless expressly stated with separate consent/notice).
Purposes: provide services, customer service, security/fraud, analytics, marketing/advertising, compliance.
Retention: see Section 7.
Sell/Share: Yes, we may “sell” or “share” identifiers for cross‑context behavioral advertising as defined by law.
Opt‑out: Use footer links or enable GPC.
Your rights: access, delete, correct, portability, limit use of sensitive PI (if applicable).
Contacts: privacy@expressbathroommakeovers.com, [toll‑free number].
Appendix B — Cookie & tracking table (example)
| Category | Examples | Who sets it | Lifespan | Opt‑out/consent |
|---|---|---|---|---|
| Necessary | session_id, csrf_token | First‑party | Session | Always on |
| Analytics | _ga*, _gid, heatmap id | [Analytics Provider] | 13 mo | Consent required in EU/UK; opt‑out in US via Cookie Settings |
| Advertising | _fbp, _gcl_au, _tt_enable_cookie | [Ad Network] | 3–24 mo | Consent required in EU/UK; state‑law opt‑outs in US; GPC honored |
| Functional | locale, remember_me | First‑party | 12 mo | Consent where required |
Keep this table updated in your CMP and link it here.
Appendix C — State‑by‑state addendum (short form)
- California (CCPA/CPRA): Provide Notice at Collection; rights to know/delete/correct/opt‑out of sale/share; right to limit sensitive PI; honor GPC; contract terms for service providers.
- Colorado (CPA): Provide clear privacy notice; honor Universal Opt‑Out Mechanisms (including GPC) for targeted ads/sales; offer appeal process for consumer requests.
- Connecticut (CTDPA): Similar to CO; honor universal opt‑out preference signals (required since Jan 1, 2025); rights and appeal process.
- Virginia (VCDPA): Access/correct/delete/portability; targeted advertising opt‑out; sensitive data opt‑in; appeals.
- Utah (UCPA): Access/delete/portability; opt‑out of targeted ads/sale; no appeal requirement.
- Maryland (MODPA): Effective Oct 1, 2025 (does not apply to processing before Apr 1, 2026); strict data‑minimization requirements; sensitive data restrictions; opt‑outs of targeted advertising and sale.
If you operate internationally, include an EEA/UK addendum summarizing GDPR rights and the legal bases relied upon.
Appendix D — Email & SMS consent language (examples)
- Email marketing consent (checkbox text): “Yes, send me emails about products and offers. You can unsubscribe at any time. See our Privacy Policy.”
- SMS marketing consent: “By entering your mobile number and clicking Subscribe, you agree to receive recurring marketing text messages (e.g., cart reminders) from [Company] at the number provided. Consent is not a condition of purchase. Msg & data rates may apply. Msg frequency varies. Reply STOP to opt out, HELP for help. See Terms & Privacy.”
Implementation checklist (internal)
- Install a consent‑management platform (CMP) to show a Cookie Settings banner and log consent; enable GPC/UOOM handling.
- Add footer links: Privacy Policy, Cookie Settings, Do Not Sell or Share, Opt Out of Targeted Ads.
- Configure a rights request webform with identity verification and appeals workflow.
- Update contracts/DPAs with key vendors (analytics, ads, CRM, email/SMS, payments).
- Train staff on responding to requests within statutory timelines.
- Keep an internal data map and retention schedule aligned to Section 7.
- Review this policy at least annually and whenever practices change.
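As an added implementation example for the GPC/UOOM handling item above and the GPC commitment in Section 4 (this is illustrative code written for this page, not the Company's or any CMP vendor's code): browsers that support Global Privacy Control send the HTTP request header `Sec-GPC: 1` (and expose `navigator.globalPrivacyControl` to page scripts), so a server can decide per request which cookie categories from Appendix B it may set. The category names follow Appendix B; the region codes, the `{category: true|false}` consent-record shape, and the demo requests are assumptions constructed for the example.

```javascript
// Added example: resolve which cookie categories a response may set,
// honoring a Global Privacy Control (GPC) signal.
// From the GPC spec: the request header is `Sec-GPC` with the value "1".
// Assumed for this example: region codes, consent-record shape, cookie inventory.

const CONSENT_REGIONS = new Set(['EU', 'UK']); // opt-in: non-essential cookies off until accepted
const NON_ESSENTIAL = ['functional', 'analytics', 'advertising'];

// Header names are case-insensitive (Node lower-cases them; raw objects may not).
// Only the exact value "1" is a valid signal; anything else is treated as absent.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') return String(value).trim() === '1';
  }
  return false;
}

// Returns { allowed: Set<category>, gpcHonored: boolean }.
// `consentRecord` is the user's stored choice from the CMP, e.g. { analytics: true }.
function resolveConsent({ headers, region, consentRecord }) {
  const record = consentRecord || {};
  const gpc = hasGpcSignal(headers);
  const optIn = CONSENT_REGIONS.has(region);
  const allowed = new Set(['necessary']); // strictly necessary cookies are always on

  for (const category of NON_ESSENTIAL) {
    // Opt-in regions need an explicit `true`; opt-out regions disable only on an explicit `false`.
    const enabled = optIn ? record[category] === true : record[category] !== false;
    if (enabled) allowed.add(category);
  }

  // GPC is an opt-out of sale/share/targeted advertising. It overrides a stored
  // advertising opt-in: the signal is the more recent expression of the user's choice.
  if (gpc) allowed.delete('advertising');

  return { allowed, gpcHonored: gpc };
}

// Keep only cookies whose category is allowed. `cookies` mirrors Appendix B: [{ name, category }].
function filterCookies(cookies, allowed) {
  return cookies.filter((c) => allowed.has(c.category)).map((c) => c.name);
}

// Constructed inventory based on the Appendix B table (example data, not a live config).
const COOKIE_INVENTORY = [
  { name: 'session_id', category: 'necessary' },
  { name: 'csrf_token', category: 'necessary' },
  { name: 'locale', category: 'functional' },
  { name: '_ga', category: 'analytics' },
  { name: '_fbp', category: 'advertising' },
  { name: '_gcl_au', category: 'advertising' },
];

// Two constructed requests: a California visitor sending GPC with no stored
// choices, and an EU visitor who accepted analytics only and sends no GPC.
function demo() {
  const ca = resolveConsent({ headers: { 'Sec-GPC': '1' }, region: 'US-CA', consentRecord: null });
  const eu = resolveConsent({ headers: {}, region: 'EU', consentRecord: { analytics: true } });
  return {
    ca: filterCookies(COOKIE_INVENTORY, ca.allowed), // advertising suppressed by GPC
    eu: filterCookies(COOKIE_INVENTORY, eu.allowed), // only what was opted into
    caGpcHonored: ca.gpcHonored, // drives the "Opt-Out Preference Signal Honored" badge
  };
}

console.log(demo());
```

The decision runs on every request, not once at consent time, because the user can turn GPC on or off between visits; `gpcHonored` is what the optional footer badge should be driven by. Where a stored opt-in conflicts with a GPC signal, the code lets the signal win rather than the older stored choice.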