Privacy policy.
This policy describes what we collect, why we collect it, and what your rights are. We try to keep it short and free of legalese. If anything is unclear, contact us.
What we collect
- Order information: name, email, shipping address, items ordered, payment confirmation. Required to fulfill orders.
- Account information (if you create one): email, optional name and phone. Stored in our authentication system (Supabase).
- Payment details: handled directly by Stripe (cards) or NowPayments (cryptocurrency). We never see or store your card number or wallet details — the processor gives us a token and a confirmation that you paid.
- Custom design uploads: if you use our /customize page and upload images, those images are stored on our file host and may be reachable by direct URL. They're tied to your build request so we can produce the order.
- Site usage: we don't run third-party analytics or trackers. Your browser stores your cart and saved items locally, on your device.
- Server logs: our hosting provider records request metadata (IP address, user agent, timestamp) and keeps it for short windows, for security, abuse prevention, and rate limiting.
- Newsletter: if you sign up, only your email. You can unsubscribe at any time.
- Contact form messages: stored so we can respond.
Why we collect it
- To process and ship your order.
- To send order confirmation, shipping, and delivery emails.
- To respond to questions you send via the contact form.
- To send newsletter emails (only if you signed up).
- To detect and prevent fraud and abuse.
Who we share it with
Only the third-party services we need to run the store. We never sell your data.
- Stripe — to process card payments and handle card details securely.
- NowPayments — to process cryptocurrency payments. They receive the order amount and a callback URL; not your name, address, or email.
- Supabase — our database, authentication, and file-storage provider.
- Resend — to send transactional emails (order confirmations, shipping notifications).
- Vercel — our hosting provider.
- Shipping carriers — to deliver your order. They get the address you provided.
Your rights
You have the right to:
- Access the personal information we hold about you.
- Correct anything that's wrong (you can update your name, phone, and address from your account settings).
- Delete your account and personal data. From your account settings there's a "Delete my account" button — one click, plus a confirmation. Or email us via the contact form with the subject "Delete my data". We retain anonymized order records (no email or shipping address) for tax and accounting compliance.
- Object to processing or restrict it.
- Port your data to another service. Email us for an export.
- Unsubscribe from any marketing emails — every email we send has an unsubscribe link.
Cookies
We don't use third-party tracking cookies. Your browser stores your cart, wishlist, and recently-viewed list locally — they never leave your device until you check out. Sign-in tokens are stored in your browser's local storage so you stay signed in across sessions.
Data security
The site uses HTTPS for every page. Passwords are hashed by Supabase and never stored in plain text. Card data is handled exclusively by Stripe — we never see or store it. Our admin endpoints require a server-side admin key and our database has row-level security policies that prevent users from accessing each other's orders.
How long we keep your data
- Account data: kept until you delete your account. After deletion, your profile, saved addresses, and cart are removed; orders are anonymized (no email or address) but kept for tax records.
- Orders: retained for the period required by tax and accounting law (typically 7 years), in anonymized form after account deletion.
- Custom design uploads: kept while we may need them to fulfill the order; deleted on request.
- Contact-form messages: kept while needed to handle your request, then archived or deleted.
- Newsletter subscribers: kept until you unsubscribe.
- Server / abuse logs: rotated on a short cycle (typically 30–90 days) by our hosting provider.
Children
This site is not directed at children under 13, and we do not knowingly collect information from anyone under 13.
International transfers
Our hosting and database providers may store data in the United States. By using the site, you consent to your information being stored in the US.
Changes to this policy
If we make material changes, we'll update the "last updated" date at the top of this page and, if you have an account, send you an email.
Contact
Questions about this policy or your data? Get in touch.