THE REBEL GHOST HAT COMPANY

Effective Date: May 28, 2026

Last Updated: May 28, 2026

Website:www.rebelghosthc.com

Please Read This Policy Carefully

This   Privacy Policy describes how The Rebel Ghost Hat Company collects, uses, and   protects the personal information you share with us when you visit our   website or use our services. By accessing or using www.rebelghosthc.com, you   acknowledge that you have read and understood this policy. If you have   questions or concerns, please contact us at info@rebelghosthc.com  before using the site.

The Rebel Ghost Hat Company ("we," "us," or "our") is a small hat retailer based in Lynchburg, Virginia. We operate our online store and business services through our website located at www.rebelghosthc.com.

We are committed to protecting your privacy and handling your personal information responsibly, transparently, and in compliance with applicable law — including but not limited to the California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA); the Virginia Consumer Data Protection Act (VCDPA); and the General Data Protection Regulation (GDPR) for visitors from the European Economic Area (EEA) or United Kingdom.

This Privacy Policy applies to all personal information collected through:

● Our website at www.rebelghosthc.com and all associated web pages;

● Our online store, order forms, and checkout processes;

● Our customer service communications (email, phone, and contact forms);

● Our marketing and newsletter communications; and

● Any other services we provide in connection with the above.

This policy does not apply to third-party websites, applications, or services that may be linked to from our site. We encourage you to review the privacy policies of any third-party services you visit.

We collect personal information in several ways, depending on how you interact with us. Below is a detailed description of each category of information we may collect.

When you interact with us voluntarily, you may provide:

● Contact form submissions: Your name, email address, phone number, and the content of your message when you reach out through our website contact form.

● Newsletter signup: Your name and email address when you subscribe to receive marketing communications from us.

● Account registration: If you create an account on our website, we collect your name, email address, and any profile information you choose to provide.

● Custom order forms and user uploads: When you submit a custom order, you may provide design files, images, or other creative assets. We also collect the details of your custom order request (sizing, style preferences, personalization instructions, etc.).

● Appointment scheduling: If you schedule a consultation or appointment with us, we collect your name, contact details, preferred date and time, and any relevant notes you provide.

Payment card transactions on our website are processed by GoDaddy Payments, a third-party payment processor. We do not store, transmit, or have access to your full payment card number, CVV, or complete payment credentials.

For our own order records, we retain only the following payment-related details:

● Billing name;

● Billing address; and

● The last four digits of the payment card used.

Please review GoDaddy Payments' privacy policy for information about how they handle your payment data.

When you place an order with us, we collect and maintain records that include:

● Items purchased, quantities, and prices;

● Shipping name and delivery address;

● Order status and fulfillment history; and

● Communications related to your order.

When you visit our website, certain information is collected automatically through cookies, web beacons, tracking pixels, and similar technologies. This may include:

● IP address and approximate geographic location derived from it;

● Browser type and version;

● Device type and operating system;

● Pages visited on our site and time spent on each page;

● The URL of the website that referred you to our site; and

● Date and time of your visit.

This data is primarily used to analyze site traffic, improve user experience, and support advertising efforts. Please see Section 4 (Cookies and Tracking Technologies) for more detail.

We do not intentionally collect sensitive personal information as defined under the California Privacy Rights Act (CPRA) or similar statutes, including:

● Social Security numbers or government-issued identification numbers;

● Precise geolocation data;

● Racial or ethnic origin, religious beliefs, or union membership;

● Health or medical information; or

● Financial account numbers beyond the limited payment record described in Section 2.2.

If you believe you have inadvertently submitted sensitive information to us, please contact us immediately at info@rebelghosthc.com so we may address it promptly.

We use the personal information we collect for the following purposes:

● Order fulfillment and processing: To process your purchases, coordinate shipping, and manage returns or exchanges.

● Customer service and communication: To respond to your inquiries, resolve issues, and provide support related to your orders or account.

● Marketing and promotional communications: To send you newsletters, promotional offers, and updates about new products or services. You may opt out of marketing emails at any time by clicking the "unsubscribe" link in any email or by contacting us directly. Opting out of marketing communications will not affect transactional communications related to your orders.

● Website analytics and performance: To understand how visitors use our website, identify areas for improvement, and enhance user experience.

● Advertising and retargeting: To display relevant advertisements to you on third-party platforms and to measure the effectiveness of our advertising campaigns. This may involve sharing certain data with advertising platforms such as Meta and Google Ads (see Section 5).

● Fraud prevention and security: To detect, investigate, and prevent fraudulent transactions, unauthorized access, and other illegal or harmful activity.

● Appointment scheduling: To coordinate consultations and appointments you have requested with us.

● Legal compliance: To meet our obligations under applicable federal, state, and local laws, including record-keeping, tax reporting, and responding to lawful government requests.

We will not use your personal information for purposes materially different from those described above without providing prior notice and, where required by law, obtaining your consent.

Our website uses cookies and similar tracking technologies to operate effectively, analyze site usage, and support our marketing efforts. Below is a description of the types of technologies we use and how you can manage them.

● Session cookies: Temporary cookies that expire when you close your browser. These are used to maintain your session while you browse, such as keeping items in your shopping cart.

● Persistent cookies: Cookies that remain on your device for a set period after you close your browser. These help us recognize you on return visits and remember your preferences.

● Analytics cookies: Used to collect information about how visitors use our website, including which pages are visited most frequently and whether visitors encounter error messages. This data is aggregated and used to improve site performance.

● Advertising and retargeting cookies: Used to deliver advertisements relevant to your interests, both on our website and on third-party platforms. These cookies may track your browsing activity across multiple websites to build a profile of your interests.

We may use tracking technologies provided by or associated with the following:

● GoDaddy analytics tools: Used to monitor website traffic and performance within our GoDaddy-hosted environment.

● Advertising platform pixels: We may use tracking pixels from platforms such as Meta (Facebook) and Google Ads to measure ad performance and enable retargeting campaigns.

● Third-party analytics services: Such as Google Analytics, which may collect usage data and set persistent cookies on your device.

You have several options for managing cookies:

● Browser settings: Most web browsers allow you to refuse, delete, or be notified of cookies through your browser's settings or preferences menu. Please refer to your browser's help documentation for instructions.

● Cookie preference center: Where technically available on our website, we will provide a cookie preference tool allowing you to select which categories of cookies to accept.

● Opt-out tools: You may opt out of Google Analytics data collection by using the Google Analytics Opt-out Browser Add-on. For advertising-based cookies, you may use opt-out tools provided by industry organizations such as the Digital Advertising Alliance (DAA) at optout.aboutads.info or the Network Advertising Initiative (NAI) at optout.networkadvertising.org.

Please note that disabling certain cookies may affect the functionality of our website and your ability to complete purchases.

Some browsers offer a "Do Not Track" (DNT) feature that signals to websites that you prefer not to have your online activity tracked. The Rebel Ghost Hat Company currently honors DNT signals to the extent technically feasible. Because there is no uniform industry standard for responding to DNT signals, our response may be limited in scope. We will continue to monitor developments in this area and update our practices accordingly.

We do not sell your personal information for monetary consideration. However, we do share your information with trusted third parties in the following circumstances:

GoDaddy Payments — We share the information necessary to process your payment transactions securely. GoDaddy Payments operates under its own privacy policy and security standards.

We share your name, shipping address, and order details with shipping carriers such as UPS, USPS, FedEx, or similar services in order to fulfill and deliver your orders. These carriers receive only the information necessary to complete delivery.

We share aggregated or pseudonymized usage data with analytics providers such as Google Analytics to help us understand how our website is used and how we can improve it. These providers are contractually prohibited from using your data for their own independent purposes.

We may share certain data — such as email addresses in hashed form, pixel-based behavioral data, or device identifiers — with advertising platforms such as Meta (Facebook/Instagram) and Google Ads for the purpose of targeted advertising, retargeting campaigns, and lookalike audience creation.

Important Notice — Advertising Data Practices

The   Rebel Ghost Hat Company is actively reviewing its data-sharing practices with   advertising platforms to ensure full compliance with applicable privacy laws,   including the CCPA/CPRA and VCDPA. We will update this Privacy Policy as our   practices are clarified or revised. Sharing data with advertising platforms   for the purpose of targeted advertising may constitute "sharing" of   personal information under California law. California residents have the   right to opt out of such sharing. See Section 10 for details.

GoDaddy provides our website hosting and associated infrastructure services. As a result, data transmitted through or stored on our website may pass through GoDaddy's servers and systems. GoDaddy is bound by its own privacy and data security policies.

We may disclose your personal information if we believe in good faith that such disclosure is necessary to:

● Comply with a legal obligation, court order, or government request;

● Enforce our terms of service or other agreements;

● Protect the rights, property, or safety of The Rebel Ghost Hat Company, our customers, or others; or

● Detect, prevent, or address fraud, security breaches, or technical issues.

In the event of a merger, acquisition, reorganization, sale of assets, or similar corporate transaction, your personal information may be transferred as part of that transaction. We will notify you of any such change in ownership that materially affects your rights under this policy.

The Rebel Ghost Hat Company does not sell your personal information in exchange for monetary compensation. However, as noted in Section 5.4, sharing data with advertising platforms for targeted advertising purposes may be considered "sharing" under the CCPA/CPRA. California residents have the right to opt out of this sharing. To exercise this right, please contact us at info@rebelghosthc.com or call 434.423.5575. See Section 10 for full details on your California privacy rights.

We retain your personal information only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Our general retention practices are as follows:

Data Category

Retention Period

Order records and   transaction data

Up to 7 years, for tax and   legal compliance purposes

Marketing and newsletter   subscription data

Until you opt out or   request deletion

Analytics data (via   third-party platforms)

Per platform defaults —   typically 14 to 26 months

User-uploaded files (custom   order design assets)

Duration of order   fulfillment, then deleted within 90 days unless otherwise required by law

Customer service and   contact records

Up to 3 years from last   interaction, or as required by applicable law

Account information

For the life of your   account, plus a reasonable period following account closure

When your personal information is no longer needed, we will securely delete or anonymize it. If deletion is not immediately feasible (for example, because data is stored in backup archives), we will isolate the data from further processing until deletion is possible.

We take the security of your personal information seriously. We implement industry-standard technical and organizational measures to protect your data from unauthorized access, alteration, disclosure, or destruction, including:

● SSL/TLS encryption: Our website uses Secure Socket Layer (SSL) / Transport Layer Security (TLS) encryption to protect data transmitted between your browser and our server;

● Secure hosting: Our website is hosted on GoDaddy's infrastructure, which maintains its own security standards and certifications; and

● Access controls: We limit access to personal information to employees and service providers who need it to carry out their job functions.

Important disclaimer: No method of transmission over the internet and no method of electronic storage is completely secure. While we use commercially reasonable efforts to protect your information, we cannot guarantee absolute security. You transmit information to us at your own risk.

In the event of a data breach that is likely to result in a risk to your rights or freedoms, we will notify affected individuals and applicable regulatory authorities as required by law and without undue delay.

Our website and services are not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13 years of age. We do not market our products or services to children.

If we discover that we have inadvertently collected personal information from a child under the age of 13 without verifiable parental consent, we will take prompt steps to delete that information from our records.

If you are a parent or legal guardian and believe that your child has provided personal information to us without your consent, please contact us immediately at:

Email: info@rebelghosthc.com

Phone: 434.423.5575

We will investigate and, where confirmed, promptly delete any such information in accordance with the Children's Online Privacy Protection Act (COPPA).

If you are located in the European Economic Area (EEA) or the United Kingdom, the General Data Protection Regulation (GDPR) and applicable national laws grant you specific rights regarding your personal information. We describe those rights and how to exercise them below.

● Right of Access: You have the right to request a copy of the personal information we hold about you, along with information about how we use it.

● Right to Rectification: You have the right to ask us to correct any inaccurate or incomplete personal information we hold about you.

● Right to Erasure ("Right to be Forgotten"): You have the right to request that we delete your personal information in certain circumstances — for example, when the data is no longer necessary for the purpose for which it was collected.

● Right to Restriction of Processing: You have the right to ask us to temporarily stop processing your personal information in certain situations — for example, while a correction request is being resolved.

● Right to Data Portability: Where processing is based on your consent or on a contract, you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transfer it to another controller where technically feasible.

● Right to Object: You have the right to object to our processing of your personal information, including for the purposes of direct marketing. Where you object to direct marketing, we will cease processing for that purpose without requiring you to provide justification.

● Rights Related to Automated Decision-Making and Profiling: You have the right not to be subject to a decision made solely by automated means (including profiling) that produces legal or similarly significant effects concerning you. We do not currently use fully automated decision-making that has such effects, but if this changes, we will notify you and provide appropriate safeguards.

● Right to Withdraw Consent: Where we process your personal information based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent will not affect the lawfulness of processing carried out before the withdrawal.

● Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection supervisory authority. In the UK, this is the Information Commissioner's Office (ICO). In the EEA, this is your national data protection authority.

We process your personal information under the following legal bases:

● Performance of a contract: Processing necessary to fulfill your orders or provide services you have requested.

● Legitimate interests: Processing for purposes such as fraud prevention, website security, analytics, and direct marketing (subject to your right to object).

● Consent: Processing for purposes such as marketing newsletters, where we have obtained your explicit consent.

● Legal obligation: Processing necessary to comply with applicable laws, such as tax record-keeping requirements.

The Rebel Ghost Hat Company is based in the United States. If you are located in the EEA or UK, your personal information will be transferred to and processed in the United States, which may not provide the same level of data protection as your home jurisdiction. Where such transfers occur, we will implement appropriate safeguards, such as the European Commission's Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA), to ensure your information receives an adequate level of protection.

To exercise any of the rights described above, please contact us using the information in Section 14. We will respond to your request within 30 days, and in complex cases within an extended period not exceeding 90 days (with prior notice).

If you are a resident of California, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) grant you the following rights with respect to your personal information.

● Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the purposes for which it was collected, and the categories of third parties with whom we share it.

● Right to Delete: You have the right to request that we delete personal information we have collected from you, subject to certain exceptions (for example, where retention is required for legal compliance or to complete a transaction you initiated).

● Right to Correct: You have the right to request that we correct inaccurate personal information we maintain about you.

● Right to Opt Out of Sale/Sharing: You have the right to opt out of the sale of your personal information for monetary consideration, and the right to opt out of the sharing of your personal information with third parties for cross-context behavioral advertising (targeted advertising). To exercise this right, contact us at info@rebelghosthc.com or call 434.423.5575.

● Right to Limit Use of Sensitive Personal Information: The CPRA grants you the right to limit the use and disclosure of sensitive personal information to what is necessary to provide the requested service. As noted in Section 2.5, we do not intentionally collect sensitive personal information as defined under the CPRA.

● Right to Non-Discrimination: We will not discriminate against you for exercising any of your California privacy rights. We will not deny you goods or services, charge you different prices, or provide you with a lower quality of service as a result of a privacy request.

California Residents — Opt-Out Right

The   Rebel Ghost Hat Company does not sell your personal information for money.   However, we may share personal information with advertising platforms for   targeted advertising, which may constitute "sharing" under the   CCPA/CPRA. California residents have the right to opt out of such sharing. To   submit an opt-out request, please email info@rebelghosthc.com or call 434.423.5575.

We recognize and will honor Global Privacy Control (GPC) signals to the extent technically feasible. A GPC signal from your browser will be treated as a request to opt out of the sale or sharing of your personal information for the device and browser from which the signal is sent.

To exercise your rights under the CCPA/CPRA:

● Email: info@rebelghosthc.com (include "California Privacy Request" in the subject line)

● Phone: 434.423.5575

We will acknowledge receipt of your request within 10 business days. We will respond to your request within 45 calendar days. If additional time is needed, we will notify you within the initial 45-day period and may extend our response by an additional 45 days, for a maximum total of 90 days. We may need to verify your identity before processing your request. We will not require you to create an account to submit a request.

As a Virginia-based business, The Rebel Ghost Hat Company acknowledges the rights of Virginia residents under the Virginia Consumer Data Protection Act (VCDPA), effective January 1, 2023. If you are a Virginia resident, you have the following rights with respect to your personal data:

● Right to Access:You have the right to confirm whether we are processing your personal data and to access that data.

● Right to Correct:You have the right to correct inaccuracies in your personal data, taking into account the nature of the data and the purposes of processing.

● Right to Delete:You have the right to request deletion of personal data that you have provided to us or that we have collected about you.

● Right to Data Portability:Where technically feasible, you have the right to receive a copy of your personal data that you previously provided to us in a portable and, to the extent technically feasible, readily usable format.

● Right to Opt Out:You have the right to opt out of:

○ Targeted advertising based on your personal data;

○ The sale of your personal data; and

○ Profiling in furtherance of decisions that produce significant legal or similarly significant effects concerning you.

To exercise your rights under the VCDPA, please contact us by:

● Email: info@rebelghosthc.com (include "Virginia Privacy Request" in the subject line)

● Phone: 434.423.5575

We will respond to your authenticated request within 45 days. If reasonably necessary, we may extend this period by an additional 45 days, and we will inform you of the extension and the reason for it within the initial 45-day period.

If we decline to take action on your VCDPA request, we will inform you of our decision and the reasons for it within the applicable response period. You have the right to appeal our decision by contacting us at info@rebelghosthc.com and indicating that you wish to appeal. We will respond to your appeal within 60 days. If we uphold our denial upon appeal, you may contact the Virginia Attorney General's Office to submit a complaint at: www.oag.state.va.us.

Our website may contain links to third-party websites, social media platforms, or other online services that are not owned or controlled by The Rebel Ghost Hat Company. These links are provided for your convenience and information.

We are not responsible for the privacy practices, content, or security of any third-party websites or services. The inclusion of a link on our website does not imply our endorsement of that third party or its privacy practices. We encourage you to:

● Review the privacy policy of every website you visit;

● Exercise caution when providing personal information to third-party sites; and

● Be aware that third-party sites may collect information from you independently of us.

This Privacy Policy applies solely to information collected by The Rebel Ghost Hat Company through our website and services.

We reserve the right to update or modify this Privacy Policy at any time to reflect changes in our business practices, legal requirements, or technology. When we make changes, we will:

● Post the revised policy on this page with an updated "Last Updated" date at the top;

● For material changes that significantly affect your rights or our use of your personal information, provide prominent notice on our website homepage or send a notification to the email address associated with your account or subscription; and

● Where required by applicable law, obtain your consent before implementing material changes.

Your continued use of our website or services following the posting of a revised Privacy Policy constitutes your acknowledgment and acceptance of the updated terms. If you do not agree with the changes, you should discontinue use of our website and may request deletion of your personal information as described in this policy.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please do not hesitate to reach out to us. We are committed to addressing your inquiries in a timely and transparent manner.

The Rebel Ghost Hat Company

1000 Misty Mountain Rd, Unit 410

Lynchburg, VA 24502

Email: info@rebelghosthc.com

Phone: 434.423.5575

Website: www.rebelghosthc.com

We aim to respond to all privacy-related inquiries within 10 business days. For formal privacy rights requests (such as those described in Sections 9, 10, and 11), response timelines are governed by applicable law as described in those sections.

Privacy Policy — The Rebel Ghost Hat Company | www.rebelghosthc.com | Effective: May 28, 2026

1000 Misty Mountain Rd, Unit 410, Lynchburg, VA 24502 | info@rebelghosthc.com | 434.423.5575