anyshop.io Privacy Policy
Status: draft. Not yet published.
Effective: TBD (with platform launch).
Last updated: 2026-05-11.
Companion documents: TERMS.md, AUP.md.
0. Plain-English summary
This policy describes what we do with personal data on anyshop.io. The short version:
- Sellers are our direct customers. We collect what we need to run their account, take their subscription payment, and keep their store working.
- Buyers purchase from sellers' stores. The seller is the data controller for buyer data; we are the processor running the infrastructure.
- We don't sell personal data, ever. We don't share it with advertisers. We don't train AI on customer data without explicit permission.
- We use a defined list of processors (Clerk, Neon, Stripe, Resend, Sentry, PostHog, Cloudflare, Vercel). They are listed in §6.
- You can ask us to access, correct, export, or delete your personal data. We respond within 30 days.
If you've read the Terms (TERMS.md) you've already seen §6 "Your data." This document goes deeper for legal compliance (GDPR, UK GDPR, CCPA).
1. Who is responsible
For seller account data (the people who run stores on anyshop.io):
- Data controller: anyshop.io ([Legal Entity TBD], [jurisdiction TBD]).
- Contact: privacy@anyshop.io
- EU representative: [TBD if we have EU sellers and no EU establishment]
For buyer data (the people who buy from sellers' stores):
- Data controller: the seller (the operator of the store the buyer purchased from).
- Data processor: anyshop.io. We process buyer data only on the seller's instructions and for the purposes described in this policy and our Data Processing Addendum (DPA — referenced in TERMS.md and available on request).
This distinction matters legally. If you are a buyer who has a privacy question, your primary point of contact is the seller you purchased from. We will assist where the seller cannot or where the request relates to our infrastructure.
2. What we collect
2.1 Seller account data
When you create a seller account, we collect:
| Data | Why | Source |
|---|---|---|
| Email address | Account identity, account recovery, transactional emails | You |
| Username, display name | Account identity | You |
| Authentication tokens (via Clerk) | Logging you in securely | You / Clerk |
| Connected OAuth accounts (Google, Discord) if used | Logging you in | You / OAuth provider |
| 2FA secret / passkey | Account security | You |
| Subscription billing info (last 4 of card, billing address) | Charging you for the subscription | Stripe |
| Shop slug, custom domain, branding | Operating your store | You |
| Refund policy, support contact, tax info | Showing buyers what to expect, calculating tax | You |
| Connected payment-provider account IDs (Stripe Connect, PayPal, BTCPay) | Routing buyer payments to your account | You / PSP |
| Team members and their permissions | Letting you delegate access | You |
| IP addresses, user agents, session metadata | Security, fraud detection, audit log | Automatic |
| Audit log of your actions | Compliance, security, dispute resolution | Automatic |
2.2 Buyer data (processed on behalf of the seller)
When a buyer purchases from a store, we (acting as processor for the seller) handle:
| Data | Why | Source |
|---|---|---|
| Buyer email | Order delivery, customer-portal access, support | Buyer at checkout |
| Order details (product, price, quantity, time) | Fulfillment, the seller's records | Buyer + system |
| Custom fields the seller collects (e.g. Discord username, gamer tag) | The product type required it | Buyer at checkout |
| IP address and country | Fraud detection, geo-restrictions, tax | Automatic |
| User agent and device fingerprint signals | Fraud detection | Automatic |
| Payment metadata (provider, last-4, status) — never the full PAN | Order record. The PAN itself stays at the PSP. | PSP |
| Magic-link tokens for customer portal | Buyer login | We generate, send via Resend |
| Wallet / store-credit balance | If the seller offers store credit | System |
| Communication with the seller via support tickets | Order resolution | Buyer / seller |
We do not receive or store full payment card numbers. That data stays with Stripe / PayPal / BTCPay.
2.3 Visitor data (no account, just browsing)
If you visit a storefront without logging in or buying anything, we collect a minimum:
| Data | Why |
|---|---|
| IP address, country | Fraud / abuse detection, geo features (the seller's geo block list) |
| User agent | Compatibility, fraud detection |
| Anonymized analytics events (page views, button clicks) | The seller's analytics; aggregated traffic to anyshop.io |
We do not drop advertising cookies. We do not run an ad network. We do not feed analytics to Facebook, Google Ads, or similar.
3. Why we collect it (legal bases under GDPR)
Under GDPR and similar regimes, we need a lawful basis for every kind of processing. Ours:
| Purpose | Basis |
|---|---|
| Operating the platform and providing the service you signed up for | Contract |
| Charging the subscription | Contract |
| Fraud detection, security, abuse prevention | Legitimate interest |
| Audit log + compliance with our AUP | Legal obligation + legitimate interest |
| Marketing emails about platform updates (sellers) | Legitimate interest (with easy opt-out) |
| Marketing emails to buyers from sellers | The seller's responsibility; seller's lawful basis |
| Cookies strictly necessary for the platform to work | Strictly necessary (no consent banner required) |
| Optional analytics | Consent (banner shown when required) |
| Responding to law enforcement | Legal obligation |
4. Cookies and similar technologies
We use a minimum of cookies. Categories:
| Category | What | Required consent? |
|---|---|---|
| Strictly necessary | Session, CSRF, cart, Clerk auth | No (essential for the service) |
| Functional | Theme preference, language | No (you set them yourself) |
| Security | Cloudflare Turnstile, rate-limit tokens | No |
| Analytics | PostHog, Vercel Analytics | Yes — banner shown to EU/UK visitors |
Where consent is required, we honor "Reject all" without nagging.
5. How we use the data
We use personal data for:
- Running the platform — authentication, storefront rendering, checkout, delivery, dashboard
- Charging the subscription — Stripe Billing on our own account
- Operating fraud / abuse controls — velocity rules, blocklists, Turnstile, audit trail
- Customer support — answering tickets, debugging issues
- Transactional communication — receipt emails, magic-link logins, dispute notifications
- Product analytics — understanding how the platform is used, so we can improve it
- Legal compliance — responding to court orders, sanctions screening, tax reporting
We do not use personal data for:
- Selling to third parties
- Advertising (we run no ads)
- Training AI models without explicit consent (and even then, never on identifiable customer or buyer data)
- Profiling for decisions that significantly affect anyone — sellers see all the inputs to enforcement actions and can appeal them
6. Processors and third-party services
The following companies process personal data on our behalf. Each has a signed DPA with us where applicable.
| Processor | What they handle | Location | Notes |
|---|---|---|---|
| Vercel | Hosting, compute, edge, blob storage | US, EU | Vercel Pro DPA in place |
| Neon | Postgres database | EU (Frankfurt region preferred) | Marketplace DPA |
| Clerk | Seller authentication | US | DPA in place |
| Stripe | Subscription billing (us) + Connect (seller) + Stripe Tax | Global | Their DPA |
| PayPal | Optional buyer payments to sellers | Global | Connected by the seller; PayPal is the controller for that flow |
| BTCPay Server | Optional crypto payments to sellers | Self-hosted | Non-custodial; we never touch crypto |
| Resend | Transactional email | US (EU options available) | DPA in place |
| Sentry | Error monitoring | EU (EU data residency selected) | DPA in place |
| PostHog | Product analytics (subject to consent) | EU (EU Cloud) | DPA in place |
| Cloudflare | DDoS protection, Turnstile (bot detection) | Global edge | DPA + SCCs |
International transfers from the EU/UK rely on Standard Contractual Clauses plus, where relevant, the EU–US Data Privacy Framework.
We do not add a new processor that handles personal data without updating this list and giving sellers reasonable notice.
7. Retention
We retain personal data only as long as needed:
| Data category | Retention |
|---|---|
| Active seller account data | While the account is active |
| Audit log | 7 years (industry standard for fraud / dispute defense) |
| Order records | 7 years (tax / accounting law in most jurisdictions) |
| Buyer email + order metadata after the seller's account is terminated | 90 days post-termination, then deleted |
| Customer portal session data | 30 days idle |
| Marketing engagement (open / click) | 24 months |
| Logs (security, application) | 90 days, then aggregated |
| Backup copies | 35 days rolling |
| Anonymized analytics | Indefinitely |
If you delete your account, we delete operational data within 90 days, retain audit and order records as required by tax / fraud law, and delete those at the end of their retention window.
8. Your rights
Depending on your jurisdiction, you may have rights to:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete your data (subject to legal retention obligations)
- Export your data in a portable format (one-click export already in the product for sellers)
- Object to processing based on legitimate interests
- Restrict processing in certain cases
- Withdraw consent at any time
- Lodge a complaint with your data protection authority (in the EU, your national DPA; in the UK, the ICO; in California, the AG)
- Opt out of "sale" or "sharing" (CCPA) — N/A because we do not sell or share personal data as defined
Send requests to privacy@anyshop.io from the email associated with your account. We respond within 30 days (extendable to 60 in complex cases, with notice).
For buyer data, contact the seller you purchased from in the first instance. If they cannot help, we will assist as the processor.
9. Children's data
anyshop.io is not intended for users under 18 (or the age of majority in your jurisdiction, whichever is higher). We do not knowingly collect data from children. If we learn we have collected data from a child, we delete it. If you believe a child's data is on our platform, email privacy@anyshop.io.
10. International transfers
We are headquartered in [TBD] and process data in the EU and US (Vercel, Stripe, Clerk, etc.). For transfers out of the EU/UK, we rely on:
- Standard Contractual Clauses (SCCs) under the EU 2021 set
- EU–US Data Privacy Framework where the recipient is certified
- Adequacy decisions where applicable
If you'd like a copy of the SCCs we use with a particular processor, email privacy@anyshop.io.
11. Security
We protect data with:
- TLS everywhere
- Encryption at rest for sensitive fields (license keys, PSP credentials, API key hashes)
- Strict CSP, nonce-based script policy
- 2FA + WebAuthn for sellers
- Role-based access controls internally
- Audit logging on all admin actions
- Sentry-monitored error pipeline
- Annual security review (post-V1)
If we suffer a breach that affects personal data, we will notify affected users and regulators within 72 hours of becoming aware, as GDPR requires.
12. Changes to this policy
We may update this Privacy Policy. When we do:
- We publish the new version with an updated "Last updated" date
- We email sellers at least 30 days before material changes take effect
- We maintain a changelog at anyshop.io/privacy/changelog
For non-material changes (typos, clarifications), we update the policy without separate notice.
13. Contact
- Privacy questions and rights requests: privacy@anyshop.io
- Data Protection Officer: [TBD — appoint if processing scale triggers GDPR DPO requirement]
- Legal notices: legal@anyshop.io
- Mailing address: [TBD]
Open items before publication
- Confirm legal entity name and jurisdiction; complete §1 and §10
- Decide whether to appoint a DPO at launch (we likely should once we scale past ~250 sellers)
- Sign DPAs with all processors before live data flows
- Decide EU representative if no EU establishment
- Cookie banner implementation aligned with this policy's §4
- Lawyer review in the chosen jurisdiction