Privacy Policy

Last updated: April 2026

Who We Are

NonToxicLab is an independent editorial site operated by Lara Voss, based in Ontario, Canada. The site is a sole-proprietorship publication and is the data controller for any personal information processed through nontoxiclab.com. You can reach the publisher at hello@nontoxiclab.com.

Summary in Plain English

  • We do not sell or share your personal information for advertising.
  • We use Google Analytics 4 and Microsoft Clarity to understand site usage. Both load only after you click "Accept" on the cookie banner.
  • If you decline, we still serve you the site, including affiliate links. No analytics scripts run.
  • The site is hosted on Cloudflare Pages, which sees your IP address as part of normal request handling.
  • We do not target ads, do not run a remarketing pixel, and do not have a Meta or TikTok Pixel installed.
  • You can withdraw consent or change your choice at any time using the controls below.

What Data We Collect

We collect the minimum data needed to run the site and understand readership:

  • Analytics data (consent required) - Pages visited, time on page, referring URL, browser type, screen size, country-level location, and anonymous session identifiers. Collected by Google Analytics 4 and Microsoft Clarity. Loaded only after you click "Accept" on the cookie banner.
  • Server logs (legitimate interest, no consent required) - Cloudflare records your IP address, requested URL, timestamp, response code, and user agent for each request. This is standard server-log retention for operating a website. Cloudflare retains logs per its privacy policy.
  • Affiliate click data (no personal data, performance only) - When you click an Amazon or DTC affiliate link, the affiliate partner sets its own cookie. We see only an aggregate event in our analytics if you have consented; we do not see your purchases or any data Amazon collects after you leave our site.
  • Local storage - We store small values in your browser's localStorage: ntl_consent (your consent choice), ntl_geo and ntl_geo_at (your two-letter country code, used to redirect Amazon links to your regional Amazon store so commissions stay attributed correctly), and optional debug flags. These are not transmitted to our server. They live only in your browser.
  • Saved picks - If you click "Save to my plan" on a product, we store the list of products you have saved in your browser's localStorage (key ntl_saved_picks) so you can review it on your My Picks page. The first time you save anything, we ask for your email so we can send your list and our weekly editor's note. If you give us your email, we also keep a copy of your saved list on our server tied to that email address (so the same list is available across devices). You can clear the list from your browser at any time by visiting My Picks and using the Remove buttons, or by clearing your browser's localStorage. To delete your server-side record, email hello@nontoxiclab.com.

We do not collect names, postal addresses, phone numbers, or payment information. We do not run an account system.

Editorial Analytics (Aggregated, No Personal Data)

To decide what to write about next, the publisher uses search performance data sourced from Google Search Console for nontoxiclab.com. Specifically:

  • Search query data - the anonymized search terms people type into Google that show our pages (e.g., "non-toxic mattress for hot sleepers"), aggregated as impressions, clicks, average position, and click-through rate per query and per landing URL.
  • What we use it for - identifying topics our existing articles partially answer so we can write more thorough coverage. We never see who searched, when, from where, or any device or account identifier. Google Search Console only exposes aggregate counts.
  • Where it's stored - on the publisher's local development environment (Lara Voss's workstation), in a private SQLite database. The data never reaches the live site, advertisers, or any third party.
  • Retention - Search Console exposes a rolling 16 months of data. We do not retain copies beyond Google's window.
  • Your role - Google Search Console aggregates data from anonymous searches across the open internet; if you have searched something on Google that surfaced one of our pages, your individual search is not visible to us, only the aggregated count of all such searches.

Cookies and Tracking Technologies

The site uses the following cookies and similar technologies:

  • Strictly necessary (no consent needed) - Cloudflare may set __cf_bm and similar cookies for bot management and security. localStorage values listed above are also strictly necessary for site function (consent state, geo for Amazon link routing).
  • Analytics (consent required) - Google Analytics 4 (_ga, _ga_*) and Microsoft Clarity (_clck, _clsk) cookies. These are set only after you click "Accept" on the cookie banner.

You can also delete cookies at any time through your browser settings, and you can change your consent choice using the controls in the section below.

How We Use the Data

  • Measure which articles are most read and how readers find them, so we can decide what to write next.
  • Detect bugs, broken links, layout problems, and slow pages.
  • Understand the geographic spread of our readership at country level.
  • Operate the site (serving requests, preventing abuse, attributing affiliate clicks correctly).

We do not use the data to build advertising profiles, run remarketing, train AI models, or sell to data brokers.

Sub-processors and Third-Party Services

The following third parties process data on our behalf, each under their own privacy policy and contractual data-processing terms:

  • Cloudflare, Inc. - Hosting and CDN. Receives all HTTP requests, including IP addresses. Privacy policy.
  • Google LLC (Google Analytics 4) - Aggregate site analytics. IP addresses are masked at collection. Privacy policy. Loaded only with your consent.
  • Microsoft Corporation (Clarity) - Heatmaps and session-replay analytics. Clarity masks form fields and sensitive content by default. Privacy statement. Loaded only with your consent.
  • Amazon Services LLC (Associates Program) - Affiliate link tracking. Amazon sets its own cookies after you click an affiliate link and leave our site. Privacy notice.
  • Pinterest, Inc. - Our Pinterest publishing pipeline interacts only with our own business account. Visitors to nontoxiclab.com are not tracked by Pinterest unless they click through to Pinterest itself. Privacy policy.

Pinterest Integration

NonToxicLab operates an automated Pinterest publishing pipeline that posts original editorial content from our own site to our own Pinterest business account (@nontoxiclab) using the Pinterest API under Pinterest's Developer and API Terms.

Our Pinterest integration only posts content to our own NonToxicLab Pinterest account, does not post on behalf of any other user, does not collect or store personal data about Pinterest users who view, save, or click our pins, and reads aggregate analytics (impressions, saves, clicks) only for our own published pins. If you interact with our pins on Pinterest, your activity is governed by Pinterest's own Privacy Policy, not ours.

Email Subscriptions

If you subscribe to our email list (when offered), we store your email address with our email service provider for the sole purpose of sending the newsletter you signed up for. You can unsubscribe at any time using the link in any email or by writing to hello@nontoxiclab.com. We do not sell, rent, or share email addresses for marketing.

Data Retention

  • Google Analytics 4: user-level data retained 14 months from collection (Google's standard maximum), then aggregated.
  • Microsoft Clarity: session recordings retained per Microsoft's defaults (currently up to 90 days for individual sessions, then aggregated).
  • Cloudflare access logs: retained per Cloudflare's defaults (typically 7 to 30 days for free-tier hosting).
  • Email-list addresses: retained until you unsubscribe or request deletion.
  • localStorage values in your browser: persist until you clear them or change your consent choice.

Your Rights Under GDPR (EU and UK Visitors)

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights regarding personal data we process about you:

  • Right of access - Request a copy of any personal data we hold about you.
  • Right to rectification - Ask us to correct inaccurate data.
  • Right to erasure ("right to be forgotten") - Ask us to delete your data.
  • Right to restrict processing - Ask us to pause processing.
  • Right to data portability - Receive your data in a machine-readable format.
  • Right to object - Object to processing based on legitimate interest.
  • Right to withdraw consent - Change your analytics consent at any time using the controls above.
  • Right to lodge a complaint - Contact your national data protection authority (in the UK, the Information Commissioner's Office).

To exercise any of these rights, email hello@nontoxiclab.com. We respond within 30 days.

Our legal basis for processing analytics data is your consent (Article 6(1)(a) GDPR). Our legal basis for processing server logs and operating the site is legitimate interest (Article 6(1)(f)).

Your Rights Under California Privacy Law (CCPA / CPRA)

If you are a California resident, you have the right to know what personal information we collect about you, delete it, correct it, opt out of "sale" or "sharing" (we do not sell or share personal information for cross-context behavioral advertising, but you can confirm this opt-out via the link below), and limit the use of sensitive personal information (we do not collect any).

To exercise your California privacy rights, visit Your Privacy Choices or email hello@nontoxiclab.com. We honor verified requests within 45 days.

We do not discriminate against users who exercise their privacy rights.

Children's Privacy (COPPA)

NonToxicLab is intended for adult readers (parents, caregivers, and homeowners) and is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, contact us at hello@nontoxiclab.com and we will delete it.

International Data Transfers

NonToxicLab is operated from Canada. Our hosting provider (Cloudflare) and analytics providers (Google, Microsoft) are US-based and may store or process data in the United States and other countries. For visitors in the EEA, UK, or Switzerland, we rely on the providers' Standard Contractual Clauses and equivalent safeguards under Article 46 GDPR. Canada is recognized by the European Commission as providing an adequate level of data protection (Decision 2002/2/EC).

Affiliate Tracking

When you click an affiliate link, you are redirected through a tracking URL operated by Amazon Associates or the relevant DTC partner. The partner sets a cookie attributing the referral to NonToxicLab. We see only aggregate click events through Google Analytics if you have consented; we do not see your purchases, what you bought, or any data the partner collects after you leave our site. See our Affiliate Disclosure.

Third-Party Links

The site contains links to external websites including product pages, manufacturer sites, and research sources. We are not responsible for the privacy practices of these external sites. Please review their privacy policies before providing any information.

Security

We use HTTPS site-wide (TLS 1.2+), Cloudflare DDoS protection, and security headers (HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy). We do not store passwords or payment information because we do not run an account system. No method of transmission over the internet is 100% secure; if we discover a security incident affecting reader data, we will notify affected users without undue delay.

Changes to This Policy

We may update this privacy policy as our practices change or as the law evolves. The "Last updated" date at the top reflects the most recent revision. Material changes will be flagged at the top of this page for at least 30 days.

Contact

For privacy questions, data subject requests, or to exercise any right described above, email hello@nontoxiclab.com.
