Privacy Policy

Effective Date: February 22, 2026

At ShopMall, operated by Retiretainment, LLC, we are committed to protecting your privacy and ensuring the highest standards of data security. This policy explains how we collect, use, and safeguard your information in compliance with GDPR, CCPA, and industry best practices.

1. Information We Collect

1.1 Information You Provide

  • Account Information: Name, email address, password (hashed with bcrypt)
  • Profile Information: Bio, website, social media links (optional)
  • Merchant Information: Business name, store details, payment information
  • Communications: Support tickets, emails, feedback

1.2 Automatically Collected Information

  • Device Information: IP address (hashed), browser type, device type
  • Usage Data: Pages visited, clicks, time spent (anonymized)
  • Cookies: Essential cookies only (authentication, preferences)

1.3 Payment Information

We do NOT store payment card information. All payments are processed securely through Stripe. We only store:

  • Stripe customer ID (tokenized)
  • Stripe Connect account ID (for payouts)
  • Transaction metadata (amounts, dates)

2. How We Use Your Information

  • Provide Services: Account management, product listings, transactions
  • Communications: Order confirmations, security alerts, important updates
  • Improvement: Analytics (anonymized), bug fixes, feature development
  • Security: Fraud prevention, spam detection, abuse prevention
  • Legal Compliance: Tax reporting, legal requests, dispute resolution

We will NEVER: Sell your data, use it for advertising, or share it with third parties (except service providers listed below).

3. Data Sharing & Third Parties

Service Providers (Data Processors)

  • Stripe: Payment processing and payouts (PCI-DSS compliant)
  • Resend: Transactional email delivery only
  • Cloudflare: CDN and DDoS protection (encrypted traffic)
  • AWS/Database Hosting: Secure data storage (encrypted at rest)

All service providers have signed Data Processing Agreements (DPAs) and comply with GDPR Article 28 requirements.

When Required by Law

We may disclose information if legally required (court order, subpoena, government request) or to protect rights, safety, and security.

4. Data Security

  • Encryption: TLS 1.3 in transit, AES-256 at rest
  • Password Security: Bcrypt hashing with salt (minimum 10 rounds)
  • Two-Factor Authentication: Optional email-based OTP
  • Access Controls: Role-based permissions, least privilege principle
  • IP Hashing: Never store raw IP addresses (SHA-256 hashed)
  • Regular Audits: Security reviews, penetration testing, vulnerability scans
  • Incident Response: 72-hour breach notification (GDPR compliant)

5. Your Privacy Rights

GDPR Rights (EU Residents)

  • Right to Access: Request a copy of your data
  • Right to Rectification: Correct inaccurate data
  • Right to Erasure: Delete your account and data
  • Right to Portability: Export your data in JSON format
  • Right to Object: Opt out of marketing (already opt-in only)
  • Right to Restrict Processing: Limit how we use your data

CCPA Rights (California Residents)

  • Right to know what data we collect
  • Right to delete your data
  • Right to opt out of "sale" (we don't sell data)
  • Right to non-discrimination

Exercise Your Rights: Email privacy@shopmall.com or use the Contact form. We respond within 30 days.

6. Data Retention

  • Active Accounts: Retained while account is active
  • Deleted Accounts: 30-day grace period, then permanent deletion
  • Transaction Records: 7 years (tax/legal requirements)
  • Logs & Analytics: 90 days maximum (anonymized after 30 days)
  • Support Tickets: 2 years

7. Cookies & Tracking

Essential Cookies Only

We only use essential cookies required for the platform to function:

  • Authentication: __Secure-next-auth.session-token (7 days)
  • CSRF Protection: __Host-next-auth.csrf-token (session)
  • Preferences: Theme, language settings (1 year)

We do NOT use: Marketing cookies, tracking pixels, third-party analytics, or advertising cookies.

8. Children's Privacy

ShopMall is not intended for users under 18. We do not knowingly collect data from children. If you believe a child has provided us information, contact us immediately for deletion.

9. International Transfers

Data is stored on servers in the United States. For EU users, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission. Your data is protected with the same safeguards regardless of location.

10. Changes to This Policy

We may update this policy to reflect legal, operational, or security changes. We will notify you of material changes by email 30 days in advance. Continued use after changes constitutes acceptance.

11. Contact Us

Retiretainment, LLC (d/b/a ShopMall)

3641 Mt. Diablo Blvd.

Lafayette, CA 94549

Privacy Officer

Email: privacy@shopmall.com

Data Protection Officer: dpo@shopmall.com

Contact Form

Last Updated: February 22, 2026
Version: 1.0
Company: Retiretainment, LLC™