Privacy Policy
Last Updated: November 30, 2025
AdaptiveShop ("we," "us," or "our") operates an e-commerce platform that enables independent merchants to create online storefronts and sell products. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Platform.
This Privacy Policy is designed to comply with the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), and the European Union's General Data Protection Regulation (GDPR).
By using AdaptiveShop, you consent to the data practices described in this policy.
1. Information We Collect
1.1 Information You Provide Directly
For Merchants (Sellers):
- Email address (for account creation and login)
- Business name and support email (required before accepting payments)
- Shipping address (for ship-from location)
- Phone number (optional, for shipping labels)
- Payment information via Stripe Connect (Stripe Connect Account ID)
- Product data (names, descriptions, images, pricing, inventory)
- Shipping and returns policies
- Shop customization (logo, branding, colors)
- Notification preferences
For Customers (Buyers):
- Name, email address, and phone number (provided at checkout)
- Shipping address (required for order fulfillment)
- Payment card information (collected and processed by Stripe; we only store card brand and last 4 digits)
- Order details (products purchased, quantities, variants)
1.2 Information Collected Automatically
- IP Address: Collected for analytics, fraud detection, and security purposes
- Browser and Device Information: User agent, device type, operating system, browser type
- UTM Parameters: Marketing campaign tracking (utm_source, utm_medium, utm_campaign, utm_term, utm_content)
- Referrer Information: URL of the site that referred you to AdaptiveShop
- Page Visit Data: Pages viewed, time spent, navigation patterns
- Session Cookies: Authentication session cookies (secure, HTTP-only) managed by Supabase Auth
1.3 Information from Third Parties
- Stripe: Payment processing status, payment method details (card brand, last 4 digits), transaction success/failure events
- ShipEngine: Shipping rates, tracking information, label generation data
- Print-on-Demand Providers (Printful, Printify, Gelato, etc.): Order fulfillment status, tracking numbers
2. How We Use Your Information
We use the information we collect for the following purposes:
2.1 Service Delivery
- Create and manage merchant accounts
- Process orders and payments
- Facilitate order fulfillment and shipping
- Send transactional emails (order confirmations, shipping notifications)
- Provide customer support
- Enable shop customization and branding
2.2 Analytics and Improvements
- Analyze platform usage and performance
- Understand marketing campaign effectiveness (via UTM tracking)
- Improve product features and user experience
- Generate merchant analytics (sales, traffic, conversions)
2.3 Security and Fraud Prevention
- Detect and prevent fraud, spam, and abuse
- Verify webhook events from third parties
- Maintain platform security and integrity
2.4 Legal Compliance
- Comply with legal obligations and regulatory requirements
- Respond to lawful requests from authorities
- Enforce our Terms of Service
- Resolve disputes and protect legal rights
3. How We Share Your Information
We do not sell your personal information. We share your information only in the following circumstances:
3.1 With Merchants (For Customer Orders)
When you purchase from a merchant's shop, we share your order information with that merchant, including:
- Name, email, phone number
- Shipping address
- Product details, quantities, variants (SKU, color, size)
- Payment amount, card brand (not full card number), last 4 digits
- Order status and fulfillment tracking
Merchants cannot see: other customers' orders, other merchants' data, or your browsing behavior outside their shop.
3.2 With Service Providers
Stripe (Payment Processing):
- Customer name, email, phone, shipping address
- Payment card information (processed directly by Stripe; AdaptiveShop never stores full card numbers)
- Order amount and line item details
- Stripe handles PCI-DSS compliance for payment card data
Resend (Email Delivery):
- Customer email addresses (recipients)
- Merchant support email (reply-to address)
- Order details included in transactional emails (order confirmations, shipping notifications)
ShipEngine (Shipping & Logistics):
- Merchant's ship-from address
- Customer's shipping address
- Package dimensions and weight
- Order details for rate quotes and label generation
Print-on-Demand Providers (Printful, Printify, Gelato, Prodigi, FourthWall):
- Customer shipping address (for product fulfillment)
- Product design/image URLs
- Order metadata (order ID, quantity, variant selections)
Supabase (Database & Authentication):
- All data stored on AdaptiveShop is hosted on Supabase's infrastructure
- Supabase provides database encryption at rest and secure authentication services
3.3 For Legal Reasons
We may disclose your information if required to do so by law or in response to:
- Valid legal process (subpoenas, court orders)
- Requests from government authorities
- Protection of our rights, property, or safety
- Investigation of fraud or security issues
3.4 Business Transfers
If AdaptiveShop is acquired, merged, or undergoes a business restructuring, your information may be transferred to the acquiring entity as part of the transaction.
4. Data Security
We implement industry-standard security measures to protect your personal information:
- Encryption in Transit: All data transmitted between your browser and our servers is encrypted using HTTPS/TLS
- Encryption at Rest: Data stored in our database is encrypted at rest via Supabase
- Row Level Security (RLS): Database access is restricted so merchants can only access their own data
- Secure Authentication: Passwordless magic link login via Supabase Auth
- PCI-DSS Compliance: Payment card data is processed and stored by Stripe, not by AdaptiveShop
- Webhook Verification: All third-party webhooks are cryptographically verified before processing
- Environment Variable Protection: API keys and secrets are stored securely and never exposed to clients
Important: No method of transmission over the internet is 100% secure. While we strive to protect your personal information, we cannot guarantee absolute security.
5. Your Privacy Rights
5.1 Rights Under GDPR (European Users)
If you are located in the European Economic Area (EEA), you have the following rights:
- Right to Access: Request a copy of the personal data we hold about you
- Right to Rectification: Request correction of inaccurate or incomplete data
- Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data (subject to legal retention requirements)
- Right to Data Portability: Request your data in a machine-readable format
- Right to Restrict Processing: Request that we limit how we use your data
- Right to Object: Object to certain types of data processing
- Right to Withdraw Consent: Withdraw consent for data processing at any time
- Right to Lodge a Complaint: File a complaint with your local data protection authority
5.2 Rights Under CCPA/CPRA (California Residents)
If you are a California resident, you have the following rights:
- Right to Know: Request disclosure of what personal information we collect, use, and share
- Right to Delete: Request deletion of your personal information (subject to exceptions)
- Right to Opt-Out of Sale: We do NOT sell your personal information, so no opt-out is necessary
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
- Right to Correct: Request correction of inaccurate personal information
- Right to Limit Use of Sensitive Personal Information: Request limits on use of sensitive data (if applicable)
5.3 Account Deletion (30-Day Grace Period)
Merchants can delete their accounts at any time. Upon requesting account deletion:
- Your account enters a 30-day grace period
- You will receive an email notification confirming the deletion request
- During the grace period, your account is paused but data is preserved
- You can reactivate your account at any time during the 30 days by logging in
- After 30 days, your account and all associated data (orders, products, analytics) are permanently deleted
5.4 How to Exercise Your Rights
To exercise any of the rights listed above, contact us at:
Email: [email protected]
We will respond to your request within 30 days (GDPR) or 45 days (CCPA). We may require identity verification before fulfilling your request.
6. Data Retention
We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required by law.
Specific Retention Periods:
- Account Data (Merchants): Retained until account deletion (then 30-day grace period)
- Order Data (Customers): Retained indefinitely for tax, accounting, and legal compliance purposes, unless deletion is requested
- Email Logs: Retained for 1 year for compliance and debugging
- Analytics Data (Page Visits, UTM, IP): Retained for 1 year, then anonymized or deleted
- Shipping Rate Quotes: Automatically deleted after 24 hours
- Session Cookies: Expire when you log out or session ends
After the retention period expires, we will securely delete or anonymize your personal information.
7. International Data Transfers
AdaptiveShop is based in the United States. If you are located outside the U.S., your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate.
Third-Party Service Locations:
- Supabase (Database): Data stored in U.S.-based data centers
- Stripe: Operates globally with data centers in the U.S. and Europe
- Resend: Email service provider (check their data processing locations)
- ShipEngine: U.S.-based shipping API provider
For GDPR compliance, we rely on Standard Contractual Clauses (SCCs) and other approved transfer mechanisms when transferring data from the EEA to countries without adequacy decisions.
By using AdaptiveShop, you consent to the transfer of your information to the United States and other jurisdictions as described.
8. Cookies and Tracking Technologies
AdaptiveShop uses minimal cookies and does NOT use third-party advertising or tracking cookies.
8.1 Cookies We Use
- Authentication Cookies: Secure, HTTP-only session cookies managed by Supabase Auth (essential for login functionality)
- Local Storage: Minimal use for temporary data (e.g., pending terms acceptance during login)
8.2 What We Do NOT Use
- Third-party analytics cookies (Google Analytics, Mixpanel, etc.)
- Advertising cookies or pixels
- Cross-site tracking cookies
- Social media tracking pixels
8.3 Tracking Without Cookies
We collect analytics data server-side without cookies:
- UTM parameters from URLs (marketing campaign tracking)
- Referrer information (which site referred you)
- IP addresses (for geographic analytics and fraud detection)
- User agent strings (browser and device information)
9. Children's Privacy
AdaptiveShop is not intended for use by individuals under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children.
If we become aware that we have collected personal information from a child without parental consent, we will take steps to delete that information promptly. If you believe we have collected information from a child, please contact us at [email protected].
10. California "Shine the Light" Law
California Civil Code Section 1798.83 permits California residents to request information about our disclosure of personal information to third parties for direct marketing purposes.
AdaptiveShop does NOT share your personal information with third parties for their direct marketing purposes.
11. Do Not Track Signals
Some browsers support a "Do Not Track" (DNT) feature. AdaptiveShop does not currently respond to DNT signals because we do not use third-party tracking cookies or advertising networks. Our analytics data collection is minimal and server-side only.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service offerings.
When we make material changes:
- We will update the "Last Updated" date at the top of this policy
- We may notify you via email or a prominent notice on the Platform
- Continued use of AdaptiveShop after changes constitutes acceptance of the updated policy
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
13. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
AdaptiveShop
Email: [email protected]
Website: https://adaptiveshop.ai
For GDPR-related inquiries or to exercise your rights as an EEA resident:
Email: [email protected]
Subject Line: "GDPR Privacy Request"
For CCPA-related inquiries or to exercise your rights as a California resident:
Email: [email protected]
Subject Line: "CCPA Privacy Request"
14. Summary of Key Points
- We do NOT sell your personal information
- We use minimal cookies (only authentication, no tracking)
- Payment data is handled by Stripe (PCI-DSS compliant; we never store full card numbers)
- You can delete your account with a 30-day grace period for reactivation
- Merchants only see their own customers' data (enforced by database security)
- We share data only with essential service providers (Stripe, Resend, ShipEngine, POD providers)
- California and GDPR rights are fully supported (access, deletion, portability, correction)
- Data retention periods are clearly defined (1 year for analytics, indefinite for orders unless deletion requested)