Privacy Policy for {{TENANT_NAME}}

Effective date: {{EFFECTIVE_DATE}}

1. Introduction

{{TENANT_NAME}} ("we," "us," or "our") operates a commerce storefront accessible at {{TENANT_URL}}. This Privacy Policy explains how we collect, use, share, and protect information about you when you visit our store, create an account, place an order, or interact with us through Discord.

By using our storefront you agree to the practices described in this policy. If you do not agree, please do not use the storefront.

2. Information We Collect

We collect the following categories of personal information:

Identifiers

Name, email address, Discord username and user ID, billing and shipping address, and phone number (when provided).
Account credentials such as a session identifier tied to your Discord OAuth login.
IP address and device identifiers collected automatically when you visit the storefront.

Commercial Information

Records of products and services you have purchased, browsed, or considered purchasing.
Order history, transaction amounts, payment method type (but not full card numbers — those go directly to our payment processor), and order status.
Refund and return requests.

Internet or Other Electronic Network Activity

Pages visited, clicks, referral source, browser type, operating system, and time-on-page, collected via server logs and any analytics tools you configure.
Log data associated with Discord interactions (commands invoked, bot responses received) where applicable.

Geolocation Information

Coarse geolocation derived from your IP address for fraud detection and tax calculation purposes.
Shipping address latitude/longitude used to generate shipping rates and labels.

Inferred Preferences

Purchase patterns and browsing history we use to surface relevant products or promotions within your account.

We do not intentionally collect sensitive personal information such as government ID numbers, financial account numbers (other than for transaction processing), health data, or precise real-time geolocation.

3. How We Use Your Information

We use the information we collect to:

Process and fulfill your orders, including payment authorization, tax calculation, shipping label generation, and delivery tracking.
Create and manage your account and authenticate you via Discord OAuth.
Send transactional emails (order confirmation, shipping notification, password reset) through our email service provider.
Detect and prevent fraud, abuse, and unauthorized access.
Comply with legal obligations, including tax reporting and law-enforcement requests.
Improve our storefront based on aggregate usage patterns (we do not use this for individual ad targeting).
Communicate with you about your account or order (not for marketing unless you opt in separately).

We do not sell your personal information to third parties. We share information only as described below.

Service Providers

We share your information with the following service providers solely to operate the storefront:

Stripe — payment processing for credit and debit cards, ACH bank transfers, and subscription billing. Stripe receives your payment method details, billing address, and transaction metadata. Stripe's privacy policy governs their use of this data: https://stripe.com/privacy.
NOWPayments — cryptocurrency payment processing. NOWPayments receives transaction details and a delivery address for the crypto payment. NOWPayments' privacy policy governs their use: https://nowpayments.io/privacy-policy.
TaxJar — automated sales tax calculation and reporting. TaxJar receives your delivery address and order totals to compute applicable tax. TaxJar's privacy policy: https://www.taxjar.com/privacy-policy.
SendGrid (Twilio) — transactional email delivery. SendGrid receives your email address and the content of transactional messages we send you. SendGrid's privacy policy: https://www.twilio.com/en-us/legal/privacy.
EasyPost — shipping label generation and carrier rate retrieval. EasyPost receives your shipping address, package dimensions and weight, and order reference. EasyPost's privacy policy: https://www.easypost.com/privacy.
Discord — account authentication via OAuth 2.0, and the primary commerce surface where you may place orders through bot interactions. Discord receives information about your use of the commerce bot and any data you provide in Discord interactions. Discord's privacy policy: https://discord.com/privacy.

Legal and Safety Disclosures

We may disclose your information when required by law, court order, or government authority, or when we reasonably believe disclosure is necessary to protect our rights, your safety, or the safety of others.

Business Transfers

If we sell or transfer all or a substantial part of our business, your information may be transferred as part of that transaction. We will notify you before your information becomes subject to a materially different privacy policy.

5. Cookies, Logs, and Tracking Technologies

We use the following tracking technologies:

Authentication cookie (ledgerline_auth): an HttpOnly, Secure, signed session cookie set when you log in. It contains only a session identifier and expires when you log out or after a configurable inactivity period. It is strictly necessary for the storefront to function.
Server logs: our hosting infrastructure records IP addresses, request paths, response codes, and timestamps for security and debugging purposes. Logs are retained for a limited period (see Section 6).
Analytics: if you configure a third-party analytics service on your storefront, that service may set its own cookies. See your Cookie Policy or our cookie-policy.md for details.

We do not use cross-site tracking, behavioral ad-targeting pixels, or fingerprinting scripts.

6. Data Retention

We retain your personal information for as long as your account is active or as needed to provide services, resolve disputes, enforce our agreements, and comply with legal obligations. Specifically:

Order records and transaction data: retained for at least 7 years to comply with tax and accounting requirements.
Account data: retained for the life of your account, plus a reasonable period after account deletion to allow for dispute resolution.
Server logs: typically 30–90 days.
Payment method data: we do not store card numbers or bank account details. They are handled directly by Stripe or NOWPayments.

You may request deletion of your account and associated data; see Section 7.

7. Your Rights

California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, as well as the sources, purposes, and third parties with whom we share it.
Right to Delete: You may request that we delete personal information we collected from you, subject to certain exceptions (e.g., completing a transaction, legal obligations).
Right to Correct: You may request that we correct inaccurate personal information we hold about you.
Right to Opt-Out of Sale or Sharing: We do not sell or share personal information as defined under the CCPA. If this changes, we will provide an opt-out mechanism.
Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights.

To exercise your rights, contact us at {{TENANT_EMAIL}}. We will respond within 45 days (extendable by an additional 45 days with notice).

If you are located in the European Union, European Economic Area, or United Kingdom, you have the following rights:

Right of Access: Request a copy of the personal data we hold about you.
Right to Rectification: Request correction of inaccurate or incomplete data.
Right to Erasure ("right to be forgotten"): Request deletion of your personal data under certain circumstances.
Right to Restriction of Processing: Request that we restrict how we use your data in certain circumstances.
Right to Data Portability: Receive your personal data in a structured, machine-readable format and transmit it to another controller.
Right to Object: Object to processing based on legitimate interests or for direct marketing.
Right to Lodge a Complaint: You have the right to complain to your local supervisory authority (e.g., the ICO in the UK, or the relevant data protection authority in your EU member state).

Our legal basis for processing your data is primarily contract performance (to fulfill your orders) and legitimate interests (fraud prevention, security). Where we rely on consent, you may withdraw it at any time.

Other Jurisdictions

If you are located outside California, the EU, EEA, or UK and have questions about your privacy rights, please contact us at {{TENANT_EMAIL}}.

8. Children's Privacy

Our storefront is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected information from a child under 13, please contact us immediately at {{TENANT_EMAIL}} and we will delete it promptly.

9. International Data Transfers

We are based in {{TENANT_JURISDICTION}}. If you access our storefront from outside the United States, your information will be transferred to, stored in, and processed in the United States and in other countries where our service providers operate. For transfers from the EU, EEA, or UK, we rely on Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms where required.

10. Security

We use industry-standard technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These include HTTPS encryption for data in transit, HttpOnly signed session cookies, and access controls on our infrastructure. However, no internet transmission or electronic storage method is 100% secure, and we cannot guarantee absolute security.

11. Third-Party Links

Our storefront or Discord bot may include links to third-party websites or services. This Privacy Policy does not apply to those sites. We encourage you to review the privacy policies of any third-party services you visit.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will revise the Effective Date at the top of this page. For material changes, we will notify you by email (if we have your address) or by a prominent notice on the storefront. Your continued use of the storefront after changes take effect constitutes your acceptance of the updated policy.

13. Contact Us

If you have questions, requests, or complaints about this Privacy Policy or how we handle your data, please contact us:

{{TENANT_NAME}} Email: {{TENANT_EMAIL}} Mailing address: {{TENANT_PHYSICAL_ADDRESS}}

1. Introduction​

2. Information We Collect​

3. How We Use Your Information​

4. How We Share Your Information​

5. Cookies, Logs, and Tracking Technologies​

6. Data Retention​

7. Your Rights​

California Residents (CCPA/CPRA)​

EU, EEA, and UK Residents (GDPR / UK GDPR)​

Other Jurisdictions​

8. Children's Privacy​

9. International Data Transfers​

10. Security​

11. Third-Party Links​

12. Changes to This Privacy Policy​

13. Contact Us​