Privacy Policy

This Privacy Policy applies to information collected through the Portal and related communications (email, phone). It does not apply to third-party websites or services linked from the Portal. By using the Portal, you agree to the practices described in this Policy.

We collect the following categories of personal information:

• Identity Information: Full name, company name
• Contact Information: Email address, phone number, business address
• Account Credentials: Email address and hashed password (see Section 6)
• Order Information: Items ordered, quantities, prices, requested pickup dates, payment method preference
• Tax Information: Tax-exempt status, California Resale Certificate (if applicable)
• Communications: Emails and messages you send to us
• Usage Data: Browser type, IP address, pages visited, and actions taken in the Portal (collected automatically via server logs)

We do not collect, store, or process payment card numbers, bank account numbers, or other sensitive financial data through the Portal. Payments are handled via separately issued invoices. We do not collect Social Security numbers or government-issued ID numbers through the Portal.

We use the information we collect to:

• Process and fulfill your wholesale orders
• Communicate with you about orders, invoices, and account status
• Verify your identity and business eligibility
• Apply appropriate pricing tiers and payment terms
• Verify tax-exempt status in conjunction with your resale certificate
• Improve the Portal and our services
• Comply with legal and regulatory obligations
• Protect against fraud and unauthorized access

We process your personal information on the following legal bases: (a) Contract — to fulfill your orders and account agreement; (b) Legitimate Interest — to operate and improve our services, prevent fraud, and communicate with you; (c) Legal Obligation — to comply with applicable tax, financial, and business laws; and (d) Consent — where you have expressly provided it (e.g., marketing communications, if offered).

Your account password is never stored in plain text. We use bcrypt, an industry-standard one-way cryptographic hashing algorithm with a work factor of 12, to hash all passwords before storage. This means we cannot retrieve or read your password — even internally. If you forget your password, you must reset it via the password reset flow. We strongly recommend using a unique, strong password for your account.

Your information is stored on servers located in the United States. We implement reasonable administrative, technical, and physical safeguards to protect your personal information from unauthorized access, disclosure, alteration, or destruction. These measures include secure server infrastructure, encrypted password storage, and access controls. However, no security system is impenetrable, and we cannot guarantee absolute security of your data.

We retain your personal information for as long as your account is active, or as long as necessary to fulfill the purposes described in this Policy, comply with legal obligations, resolve disputes, and enforce our agreements. Order records are typically retained for seven (7) years for tax and business compliance purposes. You may request deletion of your account data subject to the exceptions described in Section 15.

We do not sell, rent, or trade your personal information to third parties for marketing purposes. We may share your information with:

• Service Providers: Third-party vendors who assist with email delivery, hosting, or other operational functions, bound by confidentiality obligations
• Legal and Regulatory Authorities: Where required by law, court order, or government request
• Business Transfers: In connection with a merger, acquisition, or sale of assets, with notice to you
• Professional Advisors: Attorneys, accountants, and auditors under confidentiality obligations

By creating an account or placing an order, you consent to receive transactional emails related to your account and orders (e.g., order confirmations, invoices, account approval notices). We may also send operational updates. If we offer marketing communications in the future, we will obtain your separate consent and provide opt-out options.

The Portal uses session cookies necessary for authentication and maintaining your login session. We do not currently use third-party advertising cookies or tracking pixels. You may disable cookies in your browser settings, but this may prevent some Portal features from functioning properly.

The Portal is not directed to individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor has provided us with personal information, please contact us at weborder@westerncactus.com and we will delete it.

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you
• Right to Delete: Request deletion of your personal information, subject to certain exceptions
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt-Out of Sale: We do not sell personal information
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

To exercise these rights, contact us at weborder@westerncactus.com with "California Privacy Request" in the subject line. We will respond within 45 days as required by law. Please note that certain information may be retained for legal compliance or legitimate business purposes even if a deletion request is honored.

Much of the information we collect is in the context of a business-to-business (B2B) relationship. Certain CCPA protections apply primarily to consumer data. Information collected strictly in the context of your role as a business representative purchasing for your company may be subject to different treatment under applicable law.

You may access, update, or correct your account information by logging into the Portal. To request account deletion, contact us at weborder@westerncactus.com. Please note that we may retain certain records after account deletion as required by law or for legitimate business purposes (e.g., tax records, order history).

The Portal may contain links to third-party websites. We are not responsible for the privacy practices of any third-party sites and encourage you to review their privacy policies before providing any personal information.

In the event of a data breach that is likely to result in harm to your rights or freedoms, we will notify you in accordance with applicable law, including California law. Notification will be provided via email to the address associated with your account and/or by posting a notice on the Portal.

The Portal is operated in the United States and intended for users in the United States. If you access the Portal from outside the U.S., your information may be transferred to and processed in the U.S., where privacy laws may differ from those in your country.

The Portal does not currently respond to "Do Not Track" signals from browsers, as there is no industry-standard protocol for such signals. We do not track users across third-party websites.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, WESTERN CACTUS SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES ARISING FROM ANY UNAUTHORIZED ACCESS TO OR USE OF YOUR PERSONAL INFORMATION, OR FROM ANY DATA BREACH, EXCEPT TO THE EXTENT SUCH LIABILITY CANNOT BE EXCLUDED UNDER APPLICABLE LAW.

This Privacy Policy is governed by the laws of the State of California. Any disputes arising under this Policy shall be subject to the exclusive jurisdiction of the courts located in San Diego County, California.

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the effective date at the top of this page and, where practical, by sending an email notification. Continued use of the Portal after changes take effect constitutes your acceptance of the updated Policy.

Western Cactus Enterprises, Inc. is the data controller responsible for your personal information collected through the Portal. We determine the purposes and means of processing your personal data as described in this Policy.

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:

Western Cactus Enterprises, Inc. — Privacy Inquiries
1860 Monte Vista Dr., Vista CA 92084
Email: weborder@westerncactus.com

By using the Portal, you acknowledge that you have read and understood this Privacy Policy and agree to our collection, use, and sharing of your information as described herein.