Who we are
MessyBunMade is a creator brand operated in connection with TikTok @MessyBun.Made (Amanda). The public website is hosted on Cloudflare Pages. This policy applies to personal information processed in connection with the website and brand communications described below.
Scope
This policy covers messybunmade.com (including preview and production hostnames such as
*.pages.dev used for deployment review) and information you choose to send us
through channels we control. It does not control TikTok’s own platform privacy practices—those
are governed by TikTok’s policies when you use that service.
Important operational note (current state): At this time, the only ways to intentionally submit personal information to Amanda / MessyBunMade through channels we operate are:
- the Contact page on this website; and
- messages or interactions you initiate on TikTok with @MessyBun.Made.
We do not currently operate newsletter signups, account registration for the public site, paid checkout on this domain, or third-party advertising pixels on this site. If that changes, we will update this policy and any required notices or consent mechanisms before collecting new categories of data for those purposes.
Information we collect
Information you provide
- Contact form submissions — such as your name, email address, message content, and any other details you choose to include.
- TikTok communications — information you share when you message or interact with @MessyBun.Made on TikTok (subject to TikTok’s platform terms and your privacy settings).
Information collected automatically
- Technical and log data — when you visit the site, our hosting and security providers (currently Cloudflare) may process IP address, approximate location derived from IP, browser type, device/OS information, referrer URL, pages requested, timestamps, and similar diagnostic or security signals. This is typical of CDN/hosting delivery and DDoS protection.
- Cookies and similar technologies — see Cookies and similar technologies.
We do not intentionally collect sensitive personal information categories (as defined under CCPA/CPRA) through the public site, and we ask that you not include sensitive data (such as government IDs, health details, or financial account numbers) in contact messages.
How you can contact Amanda
For brand questions and personal messages intended for Amanda, use only:
- Contact page on messybunmade.com; or
- TikTok @MessyBun.Made.
Privacy rights requests (access, deletion, etc.) should use the Privacy contact methods below so we can verify and track your request appropriately.
Cookies and similar technologies
Cookies are small text files stored on your device. Similar technologies include local storage, pixels, and server logs that can recognize a browser or session.
What we use today
- Strictly necessary / operational — technologies required to deliver the site securely (for example Cloudflare security, load balancing, and basic request handling). These are not used by us for cross-site advertising.
- Preference or functional cookies — we do not currently set first-party analytics or marketing cookies for advertising. If we introduce non-essential cookies (analytics, personalization, or advertising), we will provide clear notice and obtain consent where required (including under GDPR/ePrivacy-style rules for EEA/UK visitors).
- Admin authentication cookies — when Admin is protected by Cloudflare Zero Trust Access, Cloudflare and/or the identity provider (Microsoft Entra ID) may set authentication session cookies for authorized administrators only. Those cookies are not used for public advertising.
Your cookie choices
- Use your browser settings to block or delete cookies.
- Where we deploy a cookie banner or preference center in the future, you can change non-essential cookie choices there.
- Blocking strictly necessary cookies may prevent parts of the site (especially Admin login) from working.
California and some other jurisdictions require disclosure of online tracking. We do not respond to every browser “Do Not Track” signal in a uniform industry way (there is no single standard), but we honor Global Privacy Control (GPC) signals as an opt-out of sale/sharing where those concepts apply and where we process data that would constitute a sale or share. See Your choices.
How we use information
We use personal information to:
- Respond to contact messages and brand inquiries;
- Operate, secure, and troubleshoot the website and Admin tools;
- Comply with law, enforce terms, and protect rights, safety, and security;
- Improve content and user experience based on aggregate or de-identified insights where available.
GDPR legal bases (when GDPR applies): performance of a request you initiate (responding to contact), legitimate interests (site security, basic operations, fraud prevention) balanced against your rights, and consent where we rely on consent (for example non-essential cookies if introduced). You may withdraw consent at any time without affecting prior lawful processing.
Sharing and service providers
We do not sell your personal information for money. We also do not currently share personal information for cross-context behavioral advertising as those terms are used under CCPA/CPRA.
We use service providers (“processors”) that process data on our behalf, which may include:
- Cloudflare — hosting (Pages), edge security, DNS/CDN-related processing;
- Email delivery providers (for example Resend, when the contact form backend is enabled) — to deliver messages you submit;
- Microsoft Entra ID / Cloudflare Zero Trust — administrator authentication for Admin, not for public visitors.
Providers may only use personal information as needed to perform services for us, subject to contractual and technical controls appropriate to the service. We may also disclose information if required by law, legal process, or to protect vital interests and security.
International transfers
Our infrastructure may process data in the United States and other locations where Cloudflare or other providers operate. If you are in the EEA, UK, or Switzerland, transfers of personal data outside your region (when applicable) rely on appropriate safeguards such as Standard Contractual Clauses or the provider’s approved transfer mechanisms, together with supplementary measures where required.
Retention
We keep personal information only as long as needed for the purposes described in this policy, including legal, accounting, or security requirements. Contact messages are retained for a reasonable period to complete the conversation and for legitimate record-keeping, then deleted or de-identified when no longer needed. Server logs are retained according to our providers’ defaults and our operational needs (typically short- to medium-term for security and debugging).
Security
We use reasonable administrative, technical, and organizational measures appropriate to the risk, including HTTPS, least-privilege access for Admin, and provider security features. No method of transmission or storage is 100% secure; please use the contact form judiciously and avoid sending highly sensitive information.
Your rights under the GDPR
If you are in the European Economic Area, United Kingdom, or another jurisdiction where the General Data Protection Regulation (GDPR) or UK GDPR applies, you may have the right to:
- Access — obtain confirmation and a copy of personal data we process about you;
- Rectification — correct inaccurate personal data;
- Erasure — request deletion in certain circumstances;
- Restriction — request restriction of processing in certain circumstances;
- Portability — receive certain data in a structured, commonly used format;
- Object — object to processing based on legitimate interests or to direct marketing;
- Withdraw consent — where processing is based on consent;
- Lodge a complaint — with your local supervisory authority (for example in the EEA, the authority in your country of residence; for the UK, the ICO).
To exercise GDPR rights, see Privacy contact. We may need to verify your identity before fulfilling a request. We will respond within the timeframes required by applicable law (generally within one month under GDPR, extendable where permitted).
California Privacy Rights (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act (together, “CCPA/CPRA”) may provide rights regarding personal information, subject to applicability thresholds and exceptions. Categories of personal information we may collect are described above (identifiers such as name and email if you contact us; internet / network activity such as IP and logs via hosting; and inferences we do not currently create for advertising profiles).
California residents may have the right to:
- Know / access the categories and specific pieces of personal information we collected;
- Delete personal information, subject to exceptions;
- Correct inaccurate personal information;
- Opt out of sale or sharing of personal information (including for cross-context behavioral advertising);
- Limit use and disclosure of sensitive personal information where applicable;
- Non-discrimination for exercising CCPA/CPRA rights;
- Appeal a refusal to take action on a request where required by applicable law.
Sale / sharing: We do not sell personal information for monetary consideration. We do not currently share personal information for cross-context behavioral advertising. If that changes, we will provide a “Do Not Sell or Share My Personal Information” mechanism and honor opt-out preference signals such as GPC as required.
Shine the Light / other California notices: We do not disclose personal information to third parties for their own direct marketing based on a site visit alone in the manner addressed by California Civil Code §1798.83 beyond what is described in this policy. For metrics, contact us as below.
Authorized agents may submit requests where permitted; we may require proof of authorization and identity verification. Submit CCPA/CPRA requests via Privacy contact.
Other US state privacy rights
As of 2026, many US states have comprehensive consumer privacy laws in effect (for example Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and others, in addition to California). These laws generally provide residents with rights to access, correct, delete, and obtain a portable copy of personal data, and to opt out of targeted advertising, sale of personal data, and certain profiling, subject to each law’s scope and thresholds.
If you are a resident of a state with such a law and it applies to us, we will honor applicable rights requests in accordance with that law. Use Privacy contact and specify your state of residence. We will not discriminate against you for exercising privacy rights. Where a state law requires an appeal process after a denial, we will provide appeal instructions in our response.
Universal opt-out mechanisms: Where required, we treat recognized opt-out preference signals (including Global Privacy Control) as a valid request to opt out of sale / sharing / targeted advertising for that browser or device, to the extent those processing activities occur.
Children’s privacy
The site is not directed to children under 13 (or under 16 where relevant under GDPR). We do not knowingly collect personal information from children under 13. If you believe a child provided personal information, contact us and we will take appropriate steps to delete it. We do not have actual knowledge that we sell or share personal information of consumers under 16.
Your choices (DNT, GPC, marketing)
- Contact us only when you want — use Contact or TikTok; we do not require an account to browse public pages.
- Global Privacy Control (GPC) — where legally required and technically feasible, we honor GPC as an opt-out of sale/sharing/targeted advertising if we engage in those activities.
- Do Not Track (DNT) — browsers may send DNT signals; because there is no uniform standard, our practices are described in this policy rather than a single DNT response.
- Marketing — we do not currently send marketing emails from this site. If we introduce them, we will provide unsubscribe options compliant with CAN-SPAM and applicable laws.
Changes to this policy
We may update this Privacy Policy from time to time. We will post the updated version on this page and revise the “Last updated” date. Material changes may be highlighted on the site or communicated by other appropriate means. Continued use of the site after an update constitutes notice of the revised policy to the extent permitted by law; where consent is required for new processing, we will request it.
Privacy contact
For privacy questions or to exercise your rights under GDPR, CCPA/CPRA, or other applicable laws:
- Prefer the website Contact page and include “Privacy request” in the subject or first line of your message; or
- Message TikTok @MessyBun.Made with “Privacy request” so we can route it appropriately.
We may request additional information to verify your identity and, for authorized agents, proof of authority. If we deny a request in whole or in part, we will explain the reasons and any appeal rights required by law.
This policy is provided for transparency and compliance orientation for MessyBunMade’s website. It is not formal legal advice. Thresholds under CCPA/CPRA and other US state laws may mean some obligations apply only when statutory criteria are met; we still aim to honor reasonable privacy requests consistent with this policy.