Privacy Policy

The exact data depends on how you choose to interact with the storefront:

• Signal username (account holders only) — used by the store operator to coordinate orders. Only visible to the operator and to you.
• Referral source(account holders only) — a single dropdown choice (e.g. "friend," "Telegram") so the store can understand where customers come from.
• Account number — a random identifier issued at signup. The only credential you need to log back in. Replaces email + password.
• IP address — logged at signup and on each order, if the store operator has enabled IP collection. Automatically purged when your order is fulfilled or cancelled. Operators can disable IP collection entirely or set custom retention windows.
• Order history — what you ordered, when, and the total. Kept for accounting purposes but stripped of all identifying metadata once the order is fulfilled.
• Payment data— see the "Payment data" section below for the per-method breakdown.

Guest checkout (where enabled) collects noneof the above except a temporary order record and an optional IP. The full guest record is automatically deleted after the store's configured retention period (default: 30 days).

• Your real name
• Your email address
• Your phone number
• Your physical address (unless you volunteer it for shipping coordination)
• Your date of birth
• Browsing history or behavioral profiles
• Cross-site tracking via cookies, pixels, fingerprinting, or device IDs
• Conversation content from Signal (Signal is end-to-end encrypted; we never see it)
• Third-party tracking cookies, advertising IDs, or analytics scripts
• Anything that could be sold, shared with advertisers, or licensed to data brokers

The data retained per payment method is intentionally minimal:

• Signal coordination — nothing. The order record stores no payment method or amount metadata beyond the order total.
• Wire transfer — only the fact that wire was selected. Wire instructions and confirmations happen entirely over Signal.
• Credit card— handled entirely by Stripe, Inc. Card numbers, CVCs, and expiry dates never touch the storefront server. We retain only Stripe's payment intent ID for reconciliation.
• Cryptocurrency (Bitcoin, ETH, Base, Polygon, Arbitrum) — the transaction hash and your sending wallet address are stored temporarily. The wallet address is automatically purged when the order is fulfilled or cancelled. The transaction itself remains on the public blockchain regardless of our actions.
• Monero — a payment ID is stored for reconciliation. Monero transactions are inherently private at the protocol level — neither we nor anyone else can link the payment to your real identity.
• Zcash — for shielded (z-addr / unified) payments, only a payment ID is stored and the transaction is protocol-level private. For transparent (t-addr) payments, the transaction is public on the Zcash blockchain like Bitcoin.

We collect aggregate, anonymous statistics about catalog browsing: total page views, approximate unique visitors per day, and search terms used. This data is stored only as daily totals — there is no row in any table that says "visitor X viewed product Y at time Z." We literally can't tell you who looked at what.

Unique visitor estimation uses a random session token cookie that expires when you close your browser. It carries no identifying information and isn't linked to your account.

Each store operator configures their own retention policy:

• Order IP addresses — automatically purged when orders are fulfilled or cancelled (default behavior, applies to every store).
• Account IP addresses — configurable retention period, default 90 days. After expiry, the IP is set to null.
• Crypto wallet addresses — purged on order close, same as IPs.
• Guest orders — fully deleted after the retention period (default 30 days).
• Fulfilled orders — optionally auto-deleted after a configurable period. By default, the order record is kept indefinitely for accounting, but stripped of all identifying metadata.
• Anonymous analytics — daily totals only, retained indefinitely (no individual visitor data exists to delete).

Automatic purges run daily. Store operators can also trigger an immediate manual purge from their admin panel.

Each store operator can optionally enable a "dead man's switch" — if they stop logging in for a configured number of days, the platform automatically wipes all customer data (orders, accounts, subscribers, broadcasts) and optionally deactivates the store entirely. Products and store settings are preserved.

This means: if a store operator disappears, your data goes with them. You don't need to chase them down to invoke a deletion request — it happens automatically.

Some stores are reachable only via a private, unguessable URL that can be rotated by the operator on demand or on a schedule. If your link stops working, it means the operator rotated it — request a new one from the channel they originally shared it through.

The private URL itself contains no information about you. It's a shared secret, not an identifier.

We use first-party cookies only. There are exactly five:

• account_number — keeps you logged in as an account holder. HttpOnly, expires after 30 days.
• guest_session — temporary token for anonymous checkout, expires in 24 hours.
• browse_auth / checkout_auth— remember that you've entered the monthly access password. Expire after 30 days.
• store_access— remembers a private URL token so you don't need to re-enter the full link on every page.
• session (analytics) — random token for anonymous unique-visitor estimation. Contains no personal data. Expires when you close your browser.

No third-party tracking cookies. No fingerprinting. No cross-site tracking. We do not use Google Analytics, Facebook Pixel, or any equivalent.

The site relies on a small number of third-party services. Each handles a specific, narrow function:

• Supabase — database and image storage. Hosted on infrastructure the store operator controls.
• Vercel — site hosting. Receives request logs but never order content.
• Stripe — credit card processing (only when you pay by card). Subject to Stripe's privacy policy.
• CoinGecko — cryptocurrency price data. No personal data is sent — we just ask for current exchange rates.
• Email / WhatsApp / Telegram / Signal providers — only relevant if you opt into broadcasts as a subscriber. Contact details for the channel(s) you choose are stored in the store's subscriber list.

No data is shared with advertisers, data brokers, retargeting networks, or analytics companies. The platform has no business relationship with any of those.

You can exercise all of these at any time from your privacy dashboard:

• View — see exactly what data is stored about you, in plain English.
• Export — download all your data as JSON.
• Delete — permanently remove your account. Order records are kept for accounting (the store operator needs them for tax purposes) but are stripped of all identifying information.

For guest orders, deletion happens automatically on the retention schedule — there is nothing for you to request.

For GDPR / CCPA / other data protection law requests beyond what the dashboard covers, contact the store operator over Signal.

The platform is not directed at children under 13 (or under 16 in jurisdictions where that is the relevant age). We don't knowingly collect data from minors. If you are a parent or guardian and believe your child has placed an order, contact the store operator over Signal and they'll delete it.

Storefronts are operated by independent merchants who may be based anywhere. Data lives where the store operator hosts their database (typically Supabase in the United States or Europe). If this matters to you for regulatory or jurisdictional reasons, ask the store operator where their database is hosted before placing an order.

We may update this policy as the platform evolves. The "Last updated" date at the top reflects the most recent change. Material changes will be reflected in the changelog of any hosted version. Continued use of the site after a change means you accept the updated policy.

For questions about privacy, data, or this policy specifically, contact the store operator over Signal. There is intentionally no support email or web form — Signal is the channel and end-to-end encryption is the point.

See also: Terms of Service.