StoreKin
Log inGet started

Privacy Policy

Last updated: April 2026

1. Data Controller

StoreKin acts as the data controller for personal data collected through the Platform. For data processed on behalf of Merchants (e.g., customer order data),StoreKin acts as a data processor, and the Merchant is the data controller.

2. Data We Collect

Account Data

When you create an account, we collect your name, email address, and password (stored as a secure hash). We also store your store name, URL slug, and selected subscription tier.

Payment Data

Payment information is collected and processed directly by Stripe. We store Stripe customer IDs, subscription IDs, and Connect account IDs but never store raw card numbers, CVVs, or bank account details.

Order Data

When customers place orders, we collect their email address, shipping address, and order details (products, quantities, totals). This data is processed on behalf of the Merchant.

Usage Data

We collect technical data including IP addresses, browser type, pages visited, and timestamps for security, analytics, and service improvement purposes.

3. Legal Basis for Processing (GDPR Art. 6)

  • Contract performance (Art. 6(1)(b)): Processing necessary to provide the Platform services, manage subscriptions, and process orders.
  • Legitimate interest (Art. 6(1)(f)): Security monitoring, fraud prevention, and service improvement.
  • Legal obligation (Art. 6(1)(c)): Tax records, fraud prevention obligations, and compliance with applicable laws.
  • Consent (Art. 6(1)(a)): Marketing communications and optional analytics cookies, where applicable.

4. How We Use Your Data

  • Provide and maintain the Platform
  • Process subscriptions and payments
  • Send transactional emails (order confirmations, shipping notifications)
  • Provide customer support
  • Detect and prevent fraud and abuse
  • Improve the Platform through aggregated analytics
  • Comply with legal obligations

5. Data Sharing

We share personal data only with:

  • Stripe — Payment processing (as a sub-processor). See Stripe's Privacy Policy.
  • Resend — Transactional email delivery (as a sub-processor).
  • Vercel — Platform hosting and CDN (as a sub-processor).
  • Merchants — Customer order data is shared with the relevant Merchant to fulfill orders.

We do not sell personal data. We do not share data with advertisers or data brokers.

6. Data Retention

  • Account data: retained while your account is active, deleted within 30 days of account closure
  • Order data: retained for 7 years for tax and legal compliance
  • Usage logs: retained for 90 days
  • Payment records: retained as required by financial regulations

7. Your Rights (GDPR Art. 15-22)

As a data subject in the EU/EEA, you have the right to:

  • Access — Request a copy of your personal data (Art. 15)
  • Rectification — Correct inaccurate or incomplete data (Art. 16)
  • Erasure — Request deletion of your data ("right to be forgotten") (Art. 17)
  • Restrict processing — Limit how we use your data (Art. 18)
  • Data portability — Receive your data in a structured, machine-readable format (Art. 20)
  • Object — Object to processing based on legitimate interest (Art. 21)
  • Withdraw consent — Where processing is based on consent, withdraw at any time

To exercise these rights, contact us at privacy@artisancommerce.com. We will respond within 30 days.

8. International Transfers

Your data may be transferred to and processed in countries outside the EU/EEA. Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.

9. Cookies

We use essential cookies for authentication and session management. These are strictly necessary for the Platform to function and do not require consent. We do not currently use advertising or tracking cookies. If we introduce optional analytics cookies in the future, we will update this policy and request your consent.

10. Security

We implement appropriate technical and organizational measures to protect your data, including encrypted connections (TLS), hashed passwords (bcrypt), secure session management, and regular security reviews. Despite these measures, no system is completely secure, and we cannot guarantee absolute security.

11. Children's Privacy

The Platform is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or through the Platform. The "Last updated" date indicates the most recent revision.

13. Contact and Data Protection

For privacy-related questions or to exercise your rights, contact our Data Protection team:

You also have the right to lodge a complaint with your local data protection supervisory authority.