Skip to main content

Privacy Policy

Last Updated: February 18, 2026

1. Introduction and Controller Identity

This Privacy Policy explains how Children Shop Canada Ltd. ("we," "us," or "our") collects, uses, shares, and protects your personal data when you visit childrenshopcanada.ca (the "Site") or interact with our services. We are the data controller responsible for the processing of your personal information.

Data Controller: Children Shop Canada Ltd.
Registered Address: 220 Yonge Street, Suite 400, Toronto, ON M5B 2H1, Canada
Contact Email: [email protected]
Effective Date: February 18, 2026

By using the Site, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please discontinue use of the Site immediately.

2. Personal Data We Collect

We collect the following categories of personal data depending on how you interact with our Site:

  • Identity and Contact Data: Full name, email address, phone number, shipping and billing addresses as provided through forms, checkout, or account registration.
  • Order and Transaction Data: Products purchased, order history, payment confirmation details, and shipping preferences. We do not store full credit card numbers on our servers.
  • Form Content: Messages, enquiries, product questions, and any other information you submit via our contact form or customer support channels.
  • Technical Data: IP address, browser type and version, device type and operating system, preferred language, time zone setting, and screen resolution.
  • Usage Data: Pages visited, time spent on each page, referral source, click paths, search queries entered on the Site, and navigation patterns.
  • Cookies and Identifiers: Cookie IDs, session identifiers, and advertising identifiers as described in Section 4 and our Cookie Policy.
  • Conversion Event Data: Actions such as form submissions, completed purchases, and newsletter sign-ups, used to measure the effectiveness of our advertising.

We do not collect special-category data (health, religion, political views, biometric data), financial account details (bank account numbers, full card numbers), or government-issued identification numbers unless specifically required to process a return or comply with a legal obligation.

3. Why We Process and Legal Basis

We process your personal data for the following purposes and under the corresponding legal bases (where GDPR applies to visitors from the EEA/UK):

  • Order Fulfilment and Contact Forms: To process your orders, respond to enquiries, and manage your account. Legal basis: Article 6(1)(b) — performance of a contract, and Article 6(1)(a) — consent where applicable.
  • Analytics: To understand how visitors use the Site, identify popular products and pages, and improve the user experience. Legal basis: Article 6(1)(a) — consent (analytics cookies activate only after explicit consent).
  • Marketing and Remarketing: To deliver relevant advertisements, build custom and lookalike audiences, and attribute conversions to advertising campaigns. Legal basis: Article 6(1)(a) — consent (marketing cookies activate only after explicit consent).
  • Security and Fraud Prevention: To protect the Site against malicious activity, spam, unauthorized access, and payment fraud. Legal basis: Article 6(1)(f) — legitimate interest in maintaining a secure platform.
  • Legal and Tax Compliance: To comply with applicable Canadian tax law, consumer protection regulations, and other legal obligations. Legal basis: Article 6(1)(c) — legal obligation.

Automated Decision-Making (Article 22): We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on you.

4. Cookies and Tracking Technologies

We use cookies and similar tracking technologies on our Site. These fall into three categories, which are described in detail in our Cookie Policy:

Essential Cookies (no consent required, always active):

  • _site_session — maintains your browsing session. First-party. Retention: session.
  • cookie_consent — records your cookie preference choices. First-party. Retention: 12 months.

Analytics Cookies (consent required):

  • _ga — Google Analytics 4 user identifier. Third-party. Retention: 2 years.
  • _ga_XXXXXXXXXX — GA4 session state (10-character GA4 measurement ID). Third-party. Retention: 2 years.

Google Analytics 4 is configured with IP anonymization enabled. Data retention is set to 14 months.

Marketing Cookies (consent required):

  • _gcl_au — Google Ads conversion linker. Third-party. Retention: 90 days.
  • _fbp — Meta Pixel browser identifier. Third-party. Retention: 90 days.
  • _fbc — Meta Pixel click identifier (set when a click ID is present). Third-party. Retention: 90 days.

Beyond cookies, we may use pixel tags (gtag.js, Meta Pixel), server-side event transmission via Meta Conversion API or Google Server-Side Tag Manager (using hashed identifiers), and device identifiers derived from IP address and User-Agent combinations.

5. Consent for EEA and UK Visitors

Users in the European Economic Area and the United Kingdom receive a consent notice under GDPR and UK GDPR upon their first visit. Marketing and analytics cookies activate only after explicit, informed, freely given consent in accordance with Article 6(1)(a). Your consent choice is recorded in the cookie_consent browser cookie, which persists for 12 months.

You may withdraw consent at any time by clicking "Manage Cookie Preferences" in the footer of any page, or by clearing your browser cookies. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

6. Sharing With Advertising and Service Partners

We share personal data with the following categories of third-party service providers, only to the extent necessary for the stated purposes:

  • Google LLC (Google Analytics 4, Google Ads, Google Tag Manager, Remarketing): cookie identifiers, usage data, conversion events, and remarketing audience lists. Google's privacy policy: policies.google.com/privacy
  • Meta Platforms, Inc. (Meta Pixel, Custom Audiences, Lookalike Audiences, Conversion API): page views, conversion events, audience membership, and hashed identifiers. Meta's privacy policy: facebook.com/privacy/policy
  • Cloudflare, Inc. (CDN and Security): IP-based threat detection and performance optimization. Cloudflare's privacy policy: cloudflare.com/privacypolicy
  • Payment Processors: PCI-DSS compliant payment processors handle card transactions. We do not store full credit card numbers on our servers.
  • Shipping Partners: Canadian shipping carriers receive name, address, and phone number necessary to deliver your order.

We do not sell personal data. These providers may not use Site data for their own independent commercial purposes beyond the services they provide to us.

7. International Transfers

Some of the third-party providers listed above are headquartered in the United States or other countries outside the European Economic Area and the United Kingdom. When your personal data is transferred outside the EEA/UK, we rely on the following safeguards:

  • EU-US Data Privacy Framework (primary mechanism, in effect since July 2023)
  • UK Extension to the Data Privacy Framework
  • Swiss-US Data Privacy Framework
  • Standard Contractual Clauses (EU Commission Decision 2021/914) as a fallback mechanism
  • UK International Data Transfer Agreement (IDTA) as a fallback for UK transfers

8. Data Retention

We retain personal data only as long as necessary for the purpose it was collected or as required by law:

  • Contact form submissions: 2 years from last interaction
  • Order and transaction records: 7 years (Canadian tax retention requirements under the Income Tax Act)
  • Analytics data: 14 months (GA4 data retention setting)
  • Marketing cookies: Per individual cookie lifetime (see Section 4)
  • Email correspondence: Duration of the customer relationship plus 1 year
  • Server logs: 90 days
  • Cookie consent records: 3 years (for audit and compliance purposes)
  • Account data: Until you request deletion, or 3 years of inactivity

9. Your Rights Under GDPR and UK GDPR

If you are located in the European Economic Area or the United Kingdom, you have the following rights regarding your personal data:

  • Right of Access (Article 15): Obtain confirmation of whether we process your data and request a copy.
  • Right to Rectification (Article 16): Correct inaccurate or incomplete personal data.
  • Right to Erasure (Article 17): Request deletion of your personal data, subject to legal retention obligations.
  • Right to Restriction of Processing (Article 18): Restrict how we use your data in certain circumstances.
  • Right to Data Portability (Article 20): Receive your data in a structured, machine-readable format.
  • Right to Object (Article 21): Object to processing based on legitimate interests or for direct marketing purposes.
  • Right to Withdraw Consent (Article 7(3)): Withdraw previously given consent at any time without affecting prior lawful processing.
  • Right to Lodge a Complaint (Article 77): File a complaint with your local supervisory authority.

To exercise any of these rights, email us at [email protected] with the subject line "Privacy Rights Request." We will respond within 30 days, extendable by 60 days for complex or multiple requests. We may ask you to verify your identity before processing the request.

Lead Supervisory Authorities: UK — Information Commissioner's Office (ico.org.uk). EU — European Data Protection Board (edpb.europa.eu). Germany — BfDI (bfdi.bund.de). France — CNIL (cnil.fr).

10. Canadian Privacy Rights (PIPEDA)

As a Canadian business, Children Shop Canada Ltd. complies with the Personal Information Protection and Electronic Documents Act (PIPEDA). Under PIPEDA, you have the right to:

  • Know what personal information we hold about you and how it is used.
  • Request correction of inaccurate personal information.
  • Withdraw consent for the collection, use, or disclosure of your personal information, subject to legal or contractual restrictions.
  • File a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca).

We collect and use personal information only with your knowledge and consent, or as permitted by law. We limit collection to what is necessary for the identified purposes and protect personal information using appropriate security safeguards.

11. Children's Privacy

While Children Shop Canada sells products for children, our Site is directed at parents, guardians, and adult caregivers — not at children directly. We do not knowingly collect personal data from individuals under the age of 16 without verifiable parental consent. If we become aware that we have inadvertently collected personal data from a child under 16 without appropriate consent, we will delete that information promptly. If you believe a child has provided us with personal data, please contact us at [email protected] so we can take appropriate action.

For US visitors, we comply with the Children's Online Privacy Protection Act (COPPA). We do not direct marketing to children under 13, and our lead forms and account registration are intended for adults only.

12. Do Not Track

This website does not respond to Do Not Track (DNT) browser signals. Third-party providers may have their own DNT handling policies, which are governed by their respective privacy policies linked in Section 6.

13. Account and Data Deletion

You may request deletion of your account and associated personal data at any time by emailing [email protected] with the subject line "Data Deletion Request." We will complete the deletion within 30 days of verifying your identity. Certain data may be retained where required by Canadian tax law (typically 7 years for transaction records) or other applicable legislation, but will be securely isolated and not used for any other purpose.

14. Business Transfers

In the event of a merger, acquisition, asset sale, corporate restructuring, financing, or insolvency, personal data may be transferred to a successor entity as part of the transaction. We will notify users via a prominent notice on the Site if the transfer materially changes how your personal data is used. The acquiring entity will be bound by the commitments made in this Privacy Policy until it provides you with a new or updated policy and, where required, obtains your consent for any new processing.

15. California Residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with additional rights regarding your personal information.

Categories Disclosed in the Past 12 Months:

  • Identifiers (name, email, IP address, device identifiers) → disclosed to service providers and advertising partners
  • Internet / Network Activity (browsing history, search queries, interaction data) → disclosed to analytics and advertising providers
  • Inferences (interests, preferences, browsing patterns) → disclosed to advertising partners for targeted advertising
  • Commercial Information (purchase history, products viewed) → disclosed to service providers for order fulfilment and customer support

We do not sell personal information as defined by CCPA. We do share data for cross-context behavioral advertising; California residents may opt out via our cookie preferences panel accessible through "Manage Cookie Preferences" in the site footer.

Your Rights: Right to Know, Right to Delete, Right to Correct, Right to Opt-Out of sale/sharing, and Right to Non-Discrimination. To submit a request, email [email protected] with the subject line "California Privacy Request." Identity verification is required. Authorized agents must provide written proof of authorization.

16. Virginia Residents (VCDPA)

Virginia residents have the following rights under the Virginia Consumer Data Protection Act: Access, Correct, Delete, Data Portability, and Opt-Out of targeted advertising. To submit a request, email us with the subject line "Virginia Privacy Request." We do not sell personal data or engage in profiling producing legal or similarly significant effects.

Appeals: If we refuse your request, you may appeal by emailing with the subject line "Appeal of Refusal — Privacy Request." We will respond within 60 days. If the appeal is unresolved, you may contact the Virginia Attorney General.

17. Nevada Residents

Nevada residents may submit a verified opt-out request by emailing [email protected] with the subject line "Nevada Do Not Sell Request." We do not currently sell personal information under Nevada Revised Statutes Chapter 603A.

18. Security Measures

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include SSL/TLS encryption for all data in transit, PCI-DSS compliant payment processing through third-party processors, access controls limiting employee access to personal data on a need-to-know basis, regular security assessments of our infrastructure, and encrypted backups stored in Canadian data centres. While we take commercially reasonable steps to protect your data, no method of transmission over the Internet or method of electronic storage is completely secure.

19. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or business operations. Material changes will be announced via a prominent banner on the homepage at least 14 days before the changes take effect. The "Last Updated" date at the top of this page will be refreshed with every revision. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.

20. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

For privacy-specific enquiries, please use the subject line "Privacy Enquiry" in your email to help us route your request to the appropriate team member. We aim to respond within 5 business days for general enquiries and within 30 days for formal rights requests.