Privacy Policy — SomniFix for Professionals

Last updated: May 20, 2026

SomniFix International LLC ("SomniFix," "we," "us," or "our") operates the SomniFix for Professionals wholesale store at pros.somnifix.com, including all related content, features, products, and services (collectively, the "Services"). The Services are offered exclusively to businesses, healthcare professionals, and authorized resellers, and are not intended for consumer use.

This Privacy Policy describes how we collect, use, disclose, and protect personal information when you visit, use, or transact through the Services or otherwise communicate with us. If there is a conflict between our Terms of Service and this Privacy Policy, this Privacy Policy controls with respect to the collection, processing, and disclosure of personal information.

For the purpose of applicable data protection laws (including the EU GDPR, UK GDPR, CCPA/CPRA, and analogous US state privacy laws), SomniFix International LLC is the data controller of personal information collected through the Services. Our registered address is 5425 Wisconsin Avenue, Suite 600, Chevy Chase, MD 20815, United States.

By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy.


1. Personal Information We Collect

We collect or process the following categories of personal information, depending on how you interact with the Services and where you are located:

a) Contact and identifier information — name, business name, billing address, shipping address, work email, work phone number.

b) Business and credentialing information — company name, employer identification number (EIN), resale or tax-exemption certificates, business license details, and, where applicable, healthcare professional credentials (e.g., NPI number, professional license number, practice affiliation).

c) Account information — username, hashed password credentials, security questions, account preferences, role within your organization, and authorized purchaser designations.

d) Financial and transaction information — payment card details (processed through Shopify Payments and tokenized — we do not store full card numbers), invoice details, purchase history, returns, exchanges, cancellations, and credit terms (where extended). We do not perform consumer credit checks.

e) Communications — content of inquiries to wholesale support, sales conversations, and feedback you provide.

f) Device and technical information — IP address, browser type and version, operating system, device identifiers, time-zone setting, and referring URL.

g) Usage information — pages viewed, products viewed, items added to cart, navigation patterns, session duration, and interaction with on-site features.

We do not knowingly collect special category personal data (e.g., health data of identified individuals) through the Services. The Services are operated B2B; any patient-level data your practice processes is your responsibility under applicable healthcare privacy laws (e.g., HIPAA in the United States), and we ask that you not transmit it to us through the Services.

2. Sources of Personal Information

We collect personal information:

  • Directly from you when you create an account, place an order, request a quote, or contact us.
  • Automatically through the Services via cookies, pixels, and similar technologies (see Section 9).
  • From our service providers (e.g., Shopify, payment processors, fulfillment partners, customer support tools) as part of providing the Services.
  • From business and marketing partners including data enrichment providers and advertising platforms.

3. How We Use Your Personal Information and the Legal Basis for Processing

We use personal information for the purposes listed below. Where the GDPR or UK GDPR applies, the legal basis for each purpose is specified.

Provide the Services — process orders, fulfill shipments, manage your account, process payments and returns, provide customer support, and authenticate access. Legal basis: Performance of a contract (Art. 6(1)(b)).

Communicate with you — respond to inquiries, send order confirmations and shipping notices, deliver account and service notifications. Legal basis: Performance of a contract (Art. 6(1)(b)) and our legitimate interest (Art. 6(1)(f)) in operating our business.

Marketing and promotional communications — send wholesale marketing emails, new-product announcements, account-management outreach, and promotional offers. Legal basis: Consent (Art. 6(1)(a)) where required, or our legitimate interest (Art. 6(1)(f)) in marketing to existing business customers. You may unsubscribe at any time using the link in our emails.

Security and fraud prevention — detect, investigate, and prevent fraudulent or malicious activity; secure the Services; protect against unauthorized access. Legal basis: Legitimate interest (Art. 6(1)(f)) in protecting our business and customers, and compliance with legal obligations (Art. 6(1)(c)).

Improve and develop the Services — analyze how the Services are used, evaluate the effectiveness of marketing, and improve features and user experience. Legal basis: Legitimate interest (Art. 6(1)(f)) in operating and improving our business.

Comply with legal obligations — meet tax, accounting, regulatory, and reporting obligations; respond to lawful requests from authorities; enforce our Terms of Service. Legal basis: Legal obligation (Art. 6(1)(c)) and legitimate interest (Art. 6(1)(f)).

We do not engage in automated decision-making that produces legal or similarly significant effects on you (such as automated credit decisioning or profiling-based account termination).

4. How We Disclose Personal Information

We disclose personal information in the following circumstances:

  • With Shopify, which hosts the Services and processes data on our behalf to operate the storefront, checkout, payments, and analytics.
  • With service providers and processors that perform functions on our behalf, including payment processing (Shopify Payments, Stripe), shipping carriers (UPS, FedEx, DHL), fulfillment (ShipStation), email and SMS communication, customer support, cloud storage, and data analytics. These parties are contractually bound to use personal information only as directed by us and consistent with applicable law.
  • With business and marketing partners to deliver advertising and measure marketing performance. You may opt out of these uses here.
  • With our corporate affiliates within the SomniFix corporate group.
  • In connection with a business transaction such as a merger, acquisition, financing, reorganization, or sale of assets.
  • To comply with legal obligations or respond to lawful requests from courts, regulators, or law enforcement.
  • To enforce or protect our rights, the Services, our users, or others.
  • With your direction or consent, including when you ask us to share information with a third party.

4.1 Categories of Personal Information Disclosed (CCPA / State Law Disclosure)

In the preceding 12 months, we have disclosed the following categories of personal information for business purposes:

Category | Disclosed To
Identifiers (name, address, email, phone) | Shopify, shipping carriers, fulfillment providers, email service providers
Commercial information (transactions, products purchased) | Shopify, payment processors, analytics providers
Internet/network activity (browsing, device info) | Shopify, analytics providers, advertising partners
Financial information (payment tokens, transaction details) | Shopify Payments, Stripe
Professional or employment information (business name, role, credentials) | Shopify, CRM provider

We share identifiers and internet/network activity with advertising partners for cross-context behavioral advertising. We do not sell personal information in exchange for monetary consideration. You may opt out of sharing here.

4.2 Sensitive Personal Information (CCPA / CPRA)

The following categories of personal information may be considered "Sensitive Personal Information" under California law: account log-in credentials and financial account information. We use this information only as necessary to provide the Services and as otherwise permitted by the CCPA — we do not use it to infer characteristics about you. You have the right to limit our use of Sensitive Personal Information; however, because we use it only for purposes the CCPA permits without restriction, no further limitation is currently required.

5. Cookies and Tracking Technologies

The Services use cookies, pixels, local storage, and similar technologies for essential functionality, analytics, and (where consent is provided) advertising. A full description of the cookies we use is available in our Cookie Policy.

If you are visiting from the EU, UK, or another jurisdiction requiring consent for non-essential cookies, you will be presented with a cookie banner on your first visit. You may withdraw or change your consent at any time via the "Cookie Preferences" link in our website footer.

6. Retention of Personal Information

We retain personal information only as long as necessary for the purposes described in this Privacy Policy or as required by law. Specific retention periods include:

  • Account information — for the duration of your account, plus 24 months after account closure.
  • Transaction and invoice records — 7 years following the transaction, to meet US tax and accounting requirements.
  • Customer support communications — 3 years following resolution.
  • Marketing data and preferences — until you unsubscribe or withdraw consent, plus 6 months for suppression-list maintenance.
  • Cookies and device data — as specified per cookie in our Cookie Policy.
  • Legal hold data — for the duration of the relevant legal, regulatory, or investigative matter.

After the applicable retention period, we either delete the information or de-identify it so that it can no longer be associated with you.

7. Security

We maintain technical, administrative, and physical safeguards designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. These include encryption in transit (TLS), restricted access controls, and reliance on PCI-DSS-compliant payment processors. No system is perfectly secure, however, and we cannot guarantee absolute security. Please notify us immediately at privacy@somnifix.com if you believe your account has been compromised.

8. Your Rights and Choices

Depending on where you reside, you may have some or all of the following rights with respect to personal information we hold about you:

  • Right to access the personal information we hold about you.
  • Right to correct inaccurate or incomplete personal information.
  • Right to delete your personal information, subject to exceptions (e.g., where retention is required by law).
  • Right to portability — receive a copy of your personal information in a structured, machine-readable format.
  • Right to opt out of sale, sharing, or targeted advertising — exercisable here. We honor Global Privacy Control (GPC) signals as an opt-out request for the relevant browser and, where we can associate the signal with your account, for your account as well.
  • Right to limit use of Sensitive Personal Information (California).
  • Right to non-discrimination for exercising your privacy rights.

If you are located in the European Economic Area or the United Kingdom, you additionally have the right to:

  • Object to processing based on legitimate interest or for direct marketing purposes.
  • Restrict processing in certain circumstances.
  • Withdraw consent at any time where processing is based on consent (without affecting the lawfulness of prior processing).
  • Lodge a complaint with your local data protection supervisory authority. For EEA authorities, see the EDPB members list. For the UK, see the ICO.

To exercise any of these rights, contact us at privacy@somnifix.com or use the request form at pros.somnifix.com/pages/data-rights-request. We will respond within the timeframe required by applicable law (generally 30–45 days). We may need to verify your identity before processing your request, and you may designate an authorized agent acting on your behalf with appropriate proof of authorization.

9. EU and UK Representatives

[ACTION REQUIRED — APPOINT REPRESENTATIVES BEFORE PUBLISHING] Under Article 27 of the EU GDPR and Article 27 of the UK GDPR, SomniFix is required to appoint designated representatives in the EU and the UK because we offer goods to data subjects in those regions without being established there. This is a legal requirement, not optional. Common providers include VeraSafe, EDPO, DataRep, and Prighter (typical cost: $500–$2,500/year per region). Once appointed, replace this block with the names and addresses provided by your representative service.

For data subjects in the European Union and European Economic Area, our EU representative is: [EU Representative Name, Address, Contact Email — TO BE APPOINTED]

For data subjects in the United Kingdom, our UK representative is: [UK Representative Name, Address, Contact Email — TO BE APPOINTED]

10. International Transfers

We are based in the United States, and personal information you provide will be transferred to, stored in, and processed in the United States and other countries where our service providers operate. These countries may have data protection laws different from those in your country of residence.

Where we transfer personal information from the EEA or UK to a country that has not received an adequacy decision from the relevant authority, we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, supplemented by additional technical and organizational measures where necessary.

11. Relationship with Shopify

The Services are hosted by Shopify Inc., which processes personal information on our behalf to provide and improve the Services. In addition, Shopify uses certain personal information collected across its merchant network — including from your interactions with our store — to provide enhanced features (e.g., fraud detection, accelerated checkout, personalized advertising). For these purposes, Shopify acts as an independent controller and is responsible for honoring your rights with respect to that processing. To learn more and exercise rights related to Shopify's processing, see the Shopify Consumer Privacy Policy and Shopify Privacy Portal.

12. Third-Party Websites and Links

The Services may contain links to third-party websites and platforms not operated by us. We are not responsible for the privacy practices of those third parties, and we encourage you to review their privacy policies before providing any personal information.

13. Children's Data

The Services are intended for business customers and authorized professionals, not children. We do not knowingly collect personal information from individuals under 16, and we do not sell or share the personal information of anyone we know to be under 16. If you believe a child has provided us with personal information, contact us at privacy@somnifix.com and we will delete it.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will post the revised Privacy Policy here, update the "Last updated" date, and where required by law, provide additional notice or seek consent.

15. Contact Us

For questions about this Privacy Policy, our privacy practices, or to exercise any of your rights:

Email: privacy@somnifix.com

Mail: SomniFix International LLC, Attn: Privacy, 5425 Wisconsin Avenue, Suite 600, Chevy Chase, MD 20815, United States

For the purpose of applicable data protection laws, the data controller of your personal information is SomniFix International LLC.