Pillowbears

Privacy policy

How we handle your data.

Last updated · 5 June 2026

Pillowbears collects only the data we need to send you the book, write to you, and run a small business. We don't sell it. We don't profile you. We keep it for as long as we need it and not longer.

Who we are

Pillowbears is the brand. The data controller is Black & Red Ltd, a company registered in Malta (company number C 62523, VAT number MT21557236). Registered address: Numbered Pixels Management, The Fort, Level 3, Hardrocks Business Park, Burmarrad Road, Naxxar NXR 6345, Malta. You can reach us any time at hello@pillowbears.com.

What we collect

  • Email and pre-orders. Your email address, taken at checkout, and, if you add the foil name, your child's first name.
  • Orders. Shipping address, billing address, the child's name to foil-stamp on the cover if you add it, any gift message you ask us to write, and the payment confirmation from our processor.
  • Web analytics. With your consent: page views, country, device class, and on-page behaviour (heatmaps and session replay), so we can see what works. None of this loads until you accept.
  • Ad attribution. With your consent: if you arrive from a Meta (Facebook/Instagram) ad, we record which ads lead to orders, both in your browser (the Meta Pixel) and from our server (the Conversions API). When we send your email to Meta to match a conversion, it is hashed first. We never send your raw email.

What we don't collect

  • We do not collect any personal data about your child beyond their first name (if you choose to give it) and the words you write into the book. The book is yours, kept locally; we never see what you've written.
  • We do not sell or rent any personal data to anyone, for any purpose.

Cookies and analytics

We ask before we set anything. When you first visit, a banner lets you accept or decline. If you decline, none of the tools below load and no analytics or advertising cookies are set. You can change your mind at any time.

If you accept, we load:

  • Google Analytics 4, to understand which pages people find useful and where the site is reaching them from. GA4 sets a small number of first-party cookies (typically _ga and ga*).
  • Microsoft Clarity, for heatmaps and session replay, so we can see where the page confuses people. Clarity sets its own cookies and records on-page interactions in an anonymised form.
  • The Meta Pixel, which sets the _fbp and _fbc cookies and lets us measure and retarget Meta (Facebook/Instagram) ads.

Separately, our server reports conversions to Meta through the Conversions API. Where this includes your email, it is hashed before it is sent. This server reporting respects the same consent choice.

How we use it

  • To send you the welcome email, occasional updates about the first edition, and (if you purchase) order confirmations and shipping notifications.
  • To process and ship your order.
  • To improve the website and measure whether our ads are working.

Who we share it with

  • Resend: email service. Processes your email address and any opt-in metadata to send the welcome, order, and recovery emails.
  • Stripe: payment processor. Processes your card / SEPA / Apple Pay data. We never see your card number.
  • Our printer and fulfilment partner: receives your shipping address and the name to foil-stamp.
  • Cloudflare: site hosting and CDN. Receives standard server logs.
  • Google Analytics and Microsoft Clarity: with your consent, receive page-view, event, and anonymised behaviour data so we can see what's working.
  • Meta: with your consent, ad measurement and retargeting. Any email sent for conversion matching is hashed first, not raw.

Your rights (EU)

Under GDPR you have the right to access, correct, export, or delete the personal data we hold about you. Write to hello@pillowbears.com and we'll respond within 30 days. You can also unsubscribe from any email we send by clicking the link at the bottom of it.

Retention

Email signups are kept until you ask us to delete them or unsubscribe. Order records are kept for as long as tax and consumer-protection law requires (typically seven years in the EU).

Changes

We'll update this page when our practices change, and we'll note the date at the top. For meaningful changes affecting opted-in users, we'll write to you first.