Privacy Policy
Effective date: May 7, 2026
This Privacy Policy describes how PrivateCheckout.App (“Private Checkout,” “we,” “us,” or “our”) collects, uses, discloses, and protects information in connection with the Private Checkout service offered at privatecheckout.app (the “Service”).
Private Checkout provides a privacy-preserving checkout layer for online merchants. When a customer pays through Private Checkout, the merchant receives a paid order and a prepaid shipping label — never the customer's name, email address, or shipping address. The customer's personal information is encrypted before it is stored, and the encryption key is held only by Private Checkout. This Policy explains how that works in detail.
If you do not agree with this Policy, please do not use the Service.
1. Who this Policy applies to
This Policy applies to three categories of individuals:
- Merchants — businesses that sign up for a Private Checkout account to accept payments through our service.
- Customers — individuals who purchase goods or services from a Merchant via the Private Checkout flow.
- Visitors — anyone who visits our marketing site at privatecheckout.app without completing a purchase or creating an account.
2. Information we collect
2.1 Information Merchants provide
- Account information: name, email address, password (stored as a bcrypt hash), and business name.
- Stripe Connect identifiers: when a Merchant connects a Stripe account, we receive an account identifier (e.g. acct_…) and capability flags from Stripe. We do not receive the Merchant's tax ID, government ID, or bank account number; those go directly to Stripe.
- Shipping origin information: a ship-from address, contact email, and contact phone number used to print return labels.
- Product information: product names, descriptions, prices, and weights configured by the Merchant.
2.2 Information Customers provide at checkout
- Shipping details: full name, email address, and shipping address (street, city, state, postal code, country).
- Payment information: card number, expiry, and CVC are submitted directly to Stripe through Stripe Elements. These card fields never reach Private Checkout's servers; we receive only the resulting Stripe payment identifier and basic charge metadata (amount, currency, status).
All Customer shipping details (name, email, address) are encrypted using AES-256-GCM with a per-record initialization vector before they are written to our database. The encryption key is held only by Private Checkout's platform and is never shared with the Merchant. Decryption occurs in-process only when needed to generate a shipping label, deliver an order receipt, or service a customer support request.
2.3 Information collected automatically
- Log data: IP address, browser type and version, operating system, referring page, pages viewed, and timestamps.
- Cookies: a single first-party authentication cookie (HTTP-only, Secure, SameSite=Lax) used to maintain a logged-in session. We do not use third-party advertising or analytics cookies.
2.4 Information from third parties
- Stripe: payment status, charge amounts, refund status, dispute notifications.
- Shippo: tracking numbers, shipping label URLs, and carrier-status webhooks for orders.
3. How we use information
We use the information described in Section 2 to:
- process payments, including authorizing charges, computing platform fees, and disbursing destination transfers via Stripe Connect;
- generate shipping labels and tracking information through our shipping subprocessor;
- send order confirmations and shipping notifications to Customers via Stripe-issued receipts and our transactional email subprocessor;
- maintain Merchant accounts, Customer accounts, and admin functions;
- detect, prevent, and investigate fraud, abuse, and security incidents;
- comply with legal obligations, respond to lawful requests, and enforce our Terms of Service;
- improve the Service, including analyzing aggregated usage patterns to fix bugs and prioritize features;
- communicate operational changes, security advisories, and other service-related notices to Merchants.
We do not sell personal information. We do not use Customer personal information to target advertising. We do not share Customer personal information with the Merchant who sold them the goods.
4. How we secure information
- Encryption at rest: Customer name, email address, and shipping address are encrypted with AES-256-GCM using a 12-byte random initialization vector generated fresh for each record. The ciphertext is stored alongside the GCM authentication tag; any modification of the ciphertext, tag, or IV causes decryption to fail outright rather than return altered plaintext.
- Encryption in transit: all connections to and from Private Checkout use TLS 1.2 or higher.
- Single-tenant key custody: the encryption key referenced above is held only by Private Checkout's production environment. It is not exposed to Merchants, not embedded in any shipped client code, and not transmitted to subprocessors.
- Password hashing: account passwords are stored as bcrypt hashes with a per-password salt. Plaintext passwords are never written to logs or persistent storage.
- Webhook authentication: payment webhooks are verified using the signing secret issued by Stripe before any downstream action is taken.
- Access control: production database access is limited to a small set of operational personnel and is logged.
No system can guarantee perfect security. We will notify affected users of a security incident in accordance with applicable law, including U.S. state data-breach notification statutes.
5. How we share information
We share information only with the parties below, and only to the extent necessary for the described purpose.
- Stripe, Inc. — payment processing and Connect payouts. Stripe acts as a payment processor and merchant of record for funds flow. See stripe.com/privacy.
- Shippo (Goshippo, Inc.) — shipping label generation and tracking. Customer name, address, and email are transmitted to Shippo to print labels and trigger carrier handoff. See goshippo.com/privacy.
- Resend — transactional email (password resets, account notifications). See resend.com/legal/privacy-policy.
- Vercel, Inc. — application hosting and edge delivery. Server logs and HTTP requests are processed by Vercel. See vercel.com/legal/privacy-policy.
- Neon, Inc. — managed PostgreSQL hosting in the United States (us-east-1). All Service data, including encrypted Customer fields, is stored on Neon. See neon.tech/privacy-policy.
- Cloudflare, Inc. — DNS and registrar services for our domain.
- Legal and regulatory authorities — when required by subpoena, court order, or other lawful process; or to investigate fraud, security incidents, or violations of our Terms of Service.
- Successors — in the event of a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify Merchants of any such transfer.
Each subprocessor listed above is bound by a data-processing agreement (where required) limiting its use of your information to the services it provides to Private Checkout.
6. Information we do not share with Merchants
Private Checkout's core privacy contract is that the Merchant does not receive Customer personal information. Specifically, when a Customer purchases through Private Checkout, the Merchant's dashboard and database access include:
- order identifier, status, and timestamps;
- product line items, quantities, and prices;
- subtotal, the Private Checkout fee, the Merchant rebate, and the Merchant payout;
- shipping label URL and tracking number;
- encrypted ciphertext for the Customer's name, email, and address (which the Merchant cannot decrypt because the Merchant does not hold the key).
The Merchant does not receive the Customer's plaintext name, email address, shipping address, IP address, or payment-method details.
7. Data retention
- Order records: retained for the life of the Merchant account plus seven (7) years thereafter, to satisfy U.S. tax-recordkeeping and chargeback-defense obligations. Encrypted Customer fields remain encrypted throughout.
- Customer accounts: retained until the Customer requests deletion or four (4) years of inactivity, whichever comes first.
- Merchant accounts: retained until the Merchant requests deletion or terminates the agreement; certain Merchant records may be retained longer where required by law or to defend against pending claims.
- Server and application logs: retained for ninety (90) days, then deleted or anonymized.
- Webhook event records: retained for ninety (90) days for idempotency and replay-debugging purposes.
8. Your rights
8.1 Rights of U.S. residents (CCPA / CPRA / state privacy laws)
Depending on your state of residence, you may have the right to:
- know what categories of personal information we have collected about you and how it is used and shared;
- access a copy of the personal information we hold about you;
- correct inaccurate personal information;
- delete personal information, subject to legal retention obligations;
- opt out of sale or sharing of personal information for cross-context behavioral advertising — Private Checkout does not sell or share personal information for advertising purposes;
- limit use of sensitive personal information — we do not use sensitive personal information for purposes that require such a limitation;
- be free from retaliation for exercising these rights.
8.2 Rights of EU/UK/EEA residents (GDPR / UK GDPR)
If the GDPR applies to you, you have the right to access, rectify, erase, port, restrict processing of, or object to the processing of your personal data, and to lodge a complaint with your local supervisory authority. The legal bases on which we process personal data are: contract performance (operating the Service); legitimate interests (security, fraud prevention, service improvement); consent (where you provide it); and legal obligation.
8.3 How to exercise your rights
To exercise any of these rights, email privacy@privatecheckout.app from the email address associated with your account. We will verify your request and respond within forty-five (45) days, or such shorter period as required by applicable law. We may decline a request that cannot be reasonably verified or that conflicts with our legal obligations.
9. Cookies and similar technologies
We use only the cookies necessary to operate the Service:
- Authentication session — a first-party, HTTP-only, Secure cookie that maintains your logged-in state for up to thirty (30) days.
We do not set third-party advertising cookies, do not embed marketing pixels, and do not use cross-site tracking technologies on the marketing site at privatecheckout.app.
10. International data transfers
Private Checkout's production infrastructure is located in the United States. If you access the Service from outside the United States, your information will be transferred to, processed in, and stored in the United States. Where required, we rely on Standard Contractual Clauses or other lawful transfer mechanisms approved by the European Commission and the UK Information Commissioner's Office.
11. Children's privacy
The Service is not directed to children under the age of 13 (or under 16 in the EEA / UK), and we do not knowingly collect personal information from such children. If you believe a child has provided us with personal information, contact privacy@privatecheckout.app and we will promptly delete it.
12. Changes to this Policy
We may update this Policy from time to time. The effective date at the top of this page reflects the most recent revision. For material changes, we will provide reasonable advance notice — such as posting a banner on the Service or emailing the address on file — before the change takes effect. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.
13. Contact us
For privacy-related questions, requests, or complaints:
- Email: privacy@privatecheckout.app
- Mailing address: [BUSINESS MAILING ADDRESS]
For the purposes of GDPR / UK GDPR, the data controller is PrivateCheckout.App, located at [BUSINESS MAILING ADDRESS].
Questions about this document? Email legal@privatecheckout.app.