# Privacy Policy

**Effective:** [DATE]

> **Compliance note for Compliance agent:** This is a starting template. Adapt the cookie list to what the storefront actually loads (PostHog, Stripe.js, possibly Meta Pixel/CAPI). Do NOT publish without that audit.

## Who we are

[COMPANY_LEGAL_NAME] ("we", "us") operates [DOMAIN] (the "Store"). We are the controller of personal data processed via the Store.

- Postal address: [ADDRESS]
- Email: [SUPPORT_EMAIL]
- Data Protection contact: [DPO_EMAIL]

## What data we collect

| Data category | Purpose | Legal basis (GDPR) | Retention |
|---------------|---------|---------------------|-----------|
| Name, shipping address, phone | Order fulfillment | Contract (Art. 6(1)(b)) | 6 years (accounting law) |
| Email address | Order confirmations, tracking, support | Contract (Art. 6(1)(b)) | 6 years |
| Payment data | Process payment | Contract — processed by Stripe; we keep last 4 digits + brand only | 6 years |
| IP address, user agent, browsing data | Security, fraud prevention, analytics | Legitimate interest (Art. 6(1)(f)) | 90 days |
| Marketing consent (if given) | Promotional emails | Consent (Art. 6(1)(a)) | Until withdrawn |
| Customer support communications | Resolve your enquiries | Legitimate interest | 3 years from last contact |

## Cookies and similar technologies

We use cookies in the following categories. You can set your preferences via the cookie banner.

| Category | Examples | Required consent |
|----------|----------|------------------|
| Strictly necessary | Session, CSRF | No (necessary for site to function) |
| Analytics | PostHog (EU region) | Yes |
| Marketing | Meta Pixel + CAPI, Google Ads | Yes |

You can withdraw consent at any time by clicking "Cookie settings" in the footer.

## Who we share data with (processors and recipients)

| Recipient | Purpose | Location | Safeguard |
|-----------|---------|----------|-----------|
| Stripe Inc. | Payment processing | US (DPF certified) + EU | Adequacy + SCCs |
| CJ Dropshipping Pte. Ltd. | Order fulfillment (name + shipping address + phone) | Singapore + CN | SCCs |
| Resend | Transactional email | US (DPF certified) | Adequacy + SCCs |
| PostHog Inc. | Analytics (EU region) | EU | EU processing |
| Meta Platforms Ireland | Ad measurement (hashed data via CAPI) | EU + US | DPF + SCCs |
| Hetzner Online GmbH | Hosting infrastructure | DE | EU processing |
| Cloudflare Inc. | CDN + DDoS protection + DNS | Global edge | DPF + SCCs |

We do not sell personal data.

## International transfers

Where data is transferred outside the EEA, we rely on EU Commission adequacy decisions (e.g. EU–US Data Privacy Framework) and/or Standard Contractual Clauses.

## Your rights (GDPR Articles 15–22)

You can request, free of charge:

- Access to your data (Art. 15)
- Rectification (Art. 16)
- Erasure (Art. 17) — subject to legal retention
- Restriction of processing (Art. 18)
- Data portability (Art. 20)
- Objection (Art. 21)
- Withdrawal of consent (Art. 7(3))

Send requests to [SUPPORT_EMAIL]. We respond within 30 days.

You may also lodge a complaint with your local supervisory authority. In [COUNTRY] this is [DPA_NAME].

## Automated decision-making

We use automated fraud screening (Stripe Radar) on payments. The result may decline your order. You can request human review by emailing [SUPPORT_EMAIL].

## Children

The Store is not directed at children under 16. We do not knowingly collect their data.

## Changes to this policy

We may update this policy. Material changes will be announced 30 days in advance to registered customers.

---

**Document version:** [VERSION] · Last updated: [DATE]