🍁 Tax-Free Native Cigarettes ·
📦 Free Shipping Over $199

Privacy Policy

Privacy Policy · Effective April 28, 2026

Privacy Policy.

Plain-language privacy policy. What we collect, why we collect it, who we share it with (and don’t), and what rights you have under PIPEDA and Quebec Law 25. No tracking pixels, no data resale, no surveillance advertising. Just the information needed to ship your order.

Contact Privacy Officer →
Terms of Service →

Last Updated: April 28, 2026 · Applies to all data collected on or after this date · Privacy questions? Contact us
At a Glance

The short version.

Eight things to know in 30 seconds. Detailed policy below.

📦
Only what’s needed to shipName, address, email, age confirmation. That’s the core data set.

🚫
We don’t sell your dataNot to advertisers, data brokers, or anyone else. Not for any price.

🇨🇦
PIPEDA + Quebec Law 25Compliant with federal and Quebec privacy frameworks.

🏦
No banking info storedInterac e-Transfer keeps payment credentials at your bank, never with us.

📧
Email opt-in onlyCASL-compliant. Unsubscribe in one click, honored within hours.

🍪
Minimal cookiesCart session, basic analytics. No retargeting pixels, no cross-site tracking.

🔒
SSL/TLS everywhereHTTPS on all pages. Industry-standard encryption in transit and at rest.

⚖️
Your rights protectedAccess, correct, delete. PIPEDA and Quebec Law 25 rights honored.

What We Collect

The data we actually have.

Two categories: information you give us directly during checkout or sign-up, and information collected automatically when you visit the site.

Information you provide

  • Full name for shipping and age verification
  • Shipping address for Canada Post delivery
  • Email address for order updates and tracking
  • Phone number (optional, for shipping-related contact)
  • Age confirmation (declaration that you meet legal smoking age)
  • Order history (products purchased, dates, amounts)

Information collected automatically

  • IP address and approximate geographic location
  • Browser type and device information
  • Pages visited and time spent on each page
  • Click behaviour (which links and buttons you interact with)
  • Referral source (which website or search engine sent you here)
  • Cookies (cart session, preferences, anonymized analytics)

What we don’t collect

The list of things we deliberately do not collect is sometimes more important than what we do. We do not collect or store:

  • Banking information. Interac e-Transfer routes payment through your bank’s secure system. We see only the email address that paid and the amount, never your account number, banking credentials, or financial institution details.
  • Government ID details. Age verification at delivery is performed by Canada Post carriers via visual ID inspection. The ID details are not transmitted to us, photographed, or stored anywhere.
  • Credit card information. We don’t accept credit card payments, so we never collect card numbers, expiry dates, or CVV codes.
  • Social Insurance Numbers, dates of birth, or other government identifiers. None of these are collected.
  • Cross-site browsing data. We don’t run retargeting pixels (Meta, Google Ads, TikTok) that track you across other websites.
  • Health information. We do not collect, store, or process any health-related personal information.

How We Use Your Information

Why we have your data.

Every piece of information we collect serves a specific purpose. Here’s the complete list.

Order fulfillment (the main reason)

  • Process your order through our system
  • Confirm receipt of your Interac e-Transfer payment
  • Pack and ship your order via Canada Post
  • Verify legal smoking age at checkout and delivery
  • Send you order confirmation, shipping notification, and tracking number emails
  • Respond to your customer service inquiries

Marketing communications (only if you opt in)

If you sign up for the Smokers Lounge newsletter or check the marketing opt-in box at checkout, we send you:

  • The $20-off welcome code (one time)
  • Restock notifications when previously sold-out products are back in stock
  • Occasional promotional offers (typically 1-2 emails per month)
  • Subscriber-only deals not available to non-subscribers

You can unsubscribe at any time using the link in any email. Unsubscribes are honored within hours, well within the CASL-required 10-business-day window. Your data is retained per the data retention rules below, but no further marketing emails are sent.

Site operation and improvement

  • Maintain your shopping cart between page visits
  • Remember your preferences (language, currency display)
  • Analyze aggregated, anonymized site usage to improve performance and content
  • Detect and prevent fraud or abuse
  • Maintain site security and uptime

Legal compliance

  • Maintain financial records as required by Canadian tax law (typically 7 years)
  • Respond to lawful government requests when legally required
  • Enforce our terms of service and policies

Who We Share With

Who else sees your data.

We share limited information with specific service providers required to fulfill orders. The list is short and exact.

Shipping carriers

Canada Post receives your name, shipping address, phone number (if provided), and parcel weight/dimensions to deliver your order. Canada Post is a Canadian Crown corporation operating under federal privacy oversight. We do not share order contents (specific products) with the carrier.

Email service provider

We use a Canadian or US-based email service provider (currently Aweber, headquartered in Pennsylvania, USA) to send transactional and marketing emails. Your email address and name are shared with this provider for that specific purpose. Aweber operates under standard data protection contractual frameworks. The fact that some processing happens in the US is acknowledged here for Quebec Law 25 compliance.

Analytics providers

We use Google Analytics or equivalent to understand aggregated site usage patterns. The data shared is anonymized: IP addresses are truncated, no personally identifying information is sent, no cross-site profiles are built. You can opt out of Google Analytics tracking via Google’s opt-out browser add-on if preferred.

Hosting and infrastructure

Our website runs on commercial hosting infrastructure with content delivery via Cloudflare. These providers process technical data (IP addresses, browser headers) as part of normal web operations. They do not receive personal information beyond what’s transmitted in normal HTTP requests.

Legal authorities (only when legally required)

We may share information with law enforcement, regulatory agencies, or courts when legally compelled to do so via court order, search warrant, or other valid legal process. We do not voluntarily share customer data with authorities outside of valid legal compulsion. We notify customers of legal requests affecting them where legally permissible.

What we explicitly don’t do: Sell, rent, or trade your personal information to data brokers, advertisers, or any third party for commercial purposes. Not for any amount of money. This is core to how we operate, not a marketing claim.

Cookies

What our cookies do.

Our site uses three categories of cookies:

Essential cookies (required)

These keep your shopping cart from emptying when you navigate between pages, maintain your logged-in session if you have an account, and remember security tokens that prevent fraudulent submissions. Disabling these breaks the checkout. We cannot operate the site without them.

Functional cookies (optional, useful)

These remember your preferences (language, currency display, age confirmation status so you don’t have to re-confirm on every visit). Disabling these makes the site less convenient but doesn’t break anything.

Analytics cookies (optional, anonymized)

These let us understand which pages are popular, where visitors leave the site, and what content needs improvement. Data is aggregated and anonymized. Disable them via your browser settings or by opting out of Google Analytics specifically.

What we don’t use: Retargeting pixels (Meta Pixel, Google Ads, TikTok pixel, etc.), cross-site tracking cookies, advertising network identifiers, fingerprinting techniques, or any cookie that tracks you across other websites for advertising purposes.

Your Rights

What you can do with your data.

Under PIPEDA (Personal Information Protection and Electronic Documents Act) and Quebec Law 25, you have specific rights regarding personal information we hold about you.

Right to access your data

Request a copy of all personal information we have about you. We respond within 30 days at no cost (PIPEDA standard).

Right to correction

Request correction of inaccurate or outdated information. Update typically processed within 7 business days.

Right to deletion

Request deletion of your personal information, subject to legal retention requirements (e.g., 7-year financial record retention under Canadian tax law).

Right to withdraw consent

Withdraw consent for marketing communications at any time. Unsubscribe link in every marketing email or contact us directly.

Right to portability (Quebec Law 25)

Quebec residents may request a structured, commonly used data export of their personal information for transfer to another service. Available since September 2024.

Right to object to automated decisions (Quebec Law 25)

Quebec residents may object to decisions made solely by automated processing. Note: we do not currently use automated decision-making for any consequential customer-affecting decisions.

Right to file a complaint

If you believe we’ve handled your personal information improperly, you can file a complaint with the Office of the Privacy Commissioner of Canada, or for Quebec residents, the Commission d’accès à l’information du Québec.

To exercise any of these rights, contact our privacy officer via the contact form. Identity verification may be required to protect against unauthorized data access.

Data Security

How we protect data.

Technical measures

  • SSL/TLS encryption on every page (HTTPS site-wide). All data transmitted between your device and our servers is encrypted in transit.
  • Encrypted database storage for personal information at rest.
  • Access controls restricting internal access to customer data on a need-to-know basis.
  • Cloudflare DDoS and attack mitigation protecting against volumetric attacks and common web exploits.
  • Regular security reviews of our infrastructure and third-party integrations.

Organizational measures

  • Staff training on privacy obligations and data handling procedures.
  • Vendor due diligence on third-party service providers handling customer data.
  • Incident response procedures for suspected breaches or unauthorized access.

Data breach notification

In the event of a confirmed data breach affecting personal information that creates a real risk of significant harm, we will notify affected customers and the Office of the Privacy Commissioner of Canada within 72 hours of confirmation (PIPEDA standard). Notifications include the nature of the breach, the data affected, steps we’ve taken in response, and recommended steps you should take.

Honest limit: No security system is 100% perfect. We take reasonable, industry-standard precautions, but cannot guarantee absolute security against all possible threats. The countermeasures above are designed to make breaches very unlikely and to limit damage if one occurs.

Data Retention

How long we keep data.

Different types of data have different retention periods based on operational need and legal requirement.

  • Order records (transaction history, addresses, products purchased): 7 years, per Canadian tax law requirements for financial records.
  • Marketing email subscribers: until you unsubscribe, plus 30 days to ensure unsubscribe processing is complete across systems.
  • Account information (if you have a customer account): until you request deletion, plus the 7-year retention for any associated order records.
  • Customer service correspondence: 3 years from the date of the last interaction, for service quality and dispute resolution purposes.
  • Anonymized analytics data: indefinitely, since it can no longer be linked to individuals.
  • IP logs and security data: 90 days, then deleted.

When data is no longer required, it is securely deleted from active systems and from backups during the next backup rotation cycle. Records subject to legal hold may be retained longer if required for ongoing legal matters.

Quebec Law 25 Compliance

Specific to Quebec residents.

Quebec’s Act respecting the protection of personal information in the private sector (commonly known as Law 25, fully in force as of September 22, 2024) provides additional protections for Quebec residents.

Quebec-specific commitments

  • Privacy Officer designation: We have designated a privacy officer responsible for Quebec Law 25 compliance, accessible via the contact form with subject line “Privacy Officer.”
  • Privacy impact assessments are conducted before adopting new technology that processes Quebec residents’ personal information.
  • Consent for data transfer outside Quebec is obtained or assessed via privacy impact assessment, particularly relevant for our use of US-based service providers.
  • Right to data portability in a structured, commonly used format is honored upon request.
  • Right to object to automated decisions with significant effect is honored. Note: we do not currently make consequential automated decisions affecting Quebec customers.

For complaints specifically related to Quebec Law 25, you may also contact the Commission d’accès à l’information du Québec directly.

Children’s Privacy

No one underage.

Our website and products are strictly for adults of legal smoking age in their province (19+ in most provinces, 18+ in Quebec and Alberta). We do not knowingly collect personal information from anyone below the legal smoking age in their jurisdiction.

If we become aware that we have collected information from someone underage, we will:

  • Cancel any pending orders immediately
  • Refund any payment received in full
  • Delete the personal information from our systems
  • Where possible, contact a parent or guardian to confirm the situation

If you believe a minor has provided personal information to us, contact us immediately via the contact form and we will investigate and remediate within 24 hours.

Age verification is performed at checkout (declaration) and again at delivery (Canada Post signature with ID check). The system is designed not to fail. See our Age Verification Policy for full details.

Common Privacy Questions

FAQ.

Will my employer or family find out I bought tobacco?

Not from us. The shipping label uses a neutral return address, the box is plain and unmarked, the email confirmation has no tobacco-related branding in the subject line. We don’t share your purchase information with anyone outside of the service providers required to ship your order. The most common way someone might find out is if they see the parcel arrive in person, but the parcel itself reveals nothing about its contents.

Do you keep my credit card on file for next time?

We don’t accept credit cards at all. Visa, Mastercard, and Amex prohibit tobacco transactions on their networks. Every order requires a fresh Interac e-Transfer through your bank. We have a record of which email address paid (for refund purposes) and the amount, but no banking credentials are ever in our possession.

Can I order without creating an account?

Yes. Guest checkout is available. We still need name, address, and email to ship and contact you, but you don’t need to create a persistent account if you don’t want one. Guest orders generate the same order record (retained per the data retention rules) but no logged-in account profile.

If I unsubscribe from marketing, do you delete my data?

No. Unsubscribe stops marketing emails specifically. Order records are retained per the 7-year financial record requirement under Canadian tax law. If you want all your data deleted (subject to legal retention rules), submit a deletion request via the contact form. Order records will be deleted at the end of the legal retention period.

Will the government see my purchase history?

Only if a valid legal process compels disclosure (court order, search warrant, valid investigation under specific legal authority). We do not voluntarily share customer purchase information with government agencies. Routine tax filings include aggregate sales data, not individual customer identification. We comply with lawful requests but do not exceed legal requirements.

Are you tracking me with retargeting ads?

No. We do not run retargeting pixels (Meta, Google Ads, TikTok, or any others). If you visit our site and then see a tobacco-related ad somewhere else, it’s not from us. We’ve made a deliberate choice not to deploy cross-site tracking infrastructure on this site.

What happens to my data if you go out of business?

In the event of business closure or sale, customer data would be handled per PIPEDA and Quebec Law 25 requirements. Sale of the business would require either continuation of the same privacy commitments under new ownership, or notification to customers and an opportunity to delete data before transfer. Closure would result in secure deletion of data not subject to legal retention.

Can you confirm you don’t sell my data?

Confirmed. We do not sell, rent, or trade personal information to data brokers, advertisers, marketing companies, or any commercial third party for any purpose. Not for $1, not for $1 million. This isn’t a marketing claim, it’s how we operate. If this commitment ever changes (it won’t), we would notify customers and provide an opportunity to delete data before any change took effect.

How do I file a complaint about how you handled my data?

First, contact our privacy officer via the contact form with subject line “Privacy Complaint.” We respond within 5 business days and aim to resolve internally. If you’re not satisfied, you can escalate to the Office of the Privacy Commissioner of Canada, or for Quebec residents, the Commission d’accès à l’information du Québec.

Where is my data physically stored?

Primary databases are hosted in Canada. Some service providers (email, analytics) operate from US-based infrastructure. Where US processing occurs, we ensure contractual data protection commitments are in place. For Quebec residents, this cross-border processing is acknowledged for Law 25 transparency. If you require Canadian-only data residency, contact us before placing an order to discuss alternatives.

Privacy Questions?

Real Privacy Officer.

Privacy concerns are taken seriously. Privacy-specific inquiries answered within 5 business days. For data access, correction, or deletion requests, identity verification may be required to protect against unauthorized data access.

Contact Privacy Officer →
Privacy Commissioner →

Effective date: April 28, 2026 · This policy supersedes all previous privacy policies. We may update this policy with reasonable notice. Material changes will be communicated via email to active customers and posted at the top of this page.

See related policies: Shipping · Refunds · Age Verification · Terms