Privacy Policy
Last updated: February 2026
1. Introduction
OnlineStuffed ("we", "our", or "us") is a marketplace for digital assets. We respect your privacy and are committed to protecting your personal data. This policy explains what data we collect, how we use it, and your rights.
2. Data We Collect
Account Data: Email address, display name, username, avatar, bio, website, social links.
Financial Data: Transaction amounts, order history, seller payout details. Payment card details are processed directly by Stripe and never stored on our servers.
Product Data: Product listings, uploaded files, cover images, descriptions.
Usage Data: Pages visited, search queries, download history, activity log entries.
Device Data: IP address, browser type, device type, operating system — collected for security and fraud prevention.
3. How We Use Your Data
- Facilitate marketplace transactions (purchases, payouts)
- Process payments via Stripe and send transaction receipts
- Verify seller identity and prevent fraud
- Send transactional emails (receipts, account notifications)
- Enforce download limits and refund policies
- Improve our platform and user experience
- Comply with legal obligations (tax reporting, financial regulations)
4. Third-Party Data Processors
We share data with the following services to operate the platform:
| Service | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Payment details, transaction data, seller identity |
| Supabase (AWS us-east-1) | Database & authentication | All account data, orders, products |
| Cloudflare R2 | File storage (CDN) | Uploaded product files and images |
| Resend | Transactional email | Email address, email content |
| Vercel | Hosting & CDN | IP addresses, request logs (auto-purged) |
We do not sell your personal data to any third party.
5. Data Retention
- Account data: Retained while your account is active. Upon deletion, your profile is anonymized.
- Financial records: Orders and transactions retained for 7 years (legal/tax requirements).
- Activity logs (non-financial): Automatically purged after 12 months.
- Download logs: Retained for 24 months for abuse detection.
- Uploaded files: Removed when a product is deleted by the seller.
6. Your Rights (GDPR / CCPA)
You have the right to:
- Access your data: Export all your personal data in machine-readable JSON format via your account settings or the
/api/gdpr/exportendpoint. - Correct your data: Update your profile information at any time.
- Delete your data: Request account deletion. Your profile will be anonymized. Financial records are retained per legal requirements.
- Data portability: Your data export includes profile, orders, products, and activity history in JSON format.
- Object to processing: Contact us to object to non-essential data processing.
- Withdraw consent: You may withdraw consent for non-essential processing at any time by contacting us.
7. Cookies & Local Storage
We use httpOnly session cookies for authentication. These are essential cookies required for the platform to function and cannot be opted out of.
We do not use tracking cookies, advertising cookies, or third-party analytics that track individual users across websites.
8. Security
We implement industry-standard security measures including:
- Row-level security (RLS) on all database tables
- Encrypted data in transit (TLS/HTTPS)
- Encrypted data at rest (AES-256)
- httpOnly cookies to prevent XSS session hijacking
- Rate limiting on all API endpoints
- Webhook signature verification for payment events
- Time-limited signed URLs for file downloads (no permanent access tokens)
- Admin audit logging for all system actions
9. International Transfers
Your data may be processed in the United States (AWS us-east-1 via Supabase, Cloudflare's global network, Vercel). For EU users, we rely on Standard Contractual Clauses (SCCs) as the legal basis for data transfers.
10. Children
Our platform is not intended for individuals under the age of 16. We do not knowingly collect data from children.
11. Changes to This Policy
We may update this privacy policy from time to time. Significant changes will be communicated via email to registered users. Continued use of the platform after changes constitutes acceptance of the updated policy.
12. Contact
For privacy-related inquiries, data export requests, or to exercise your rights:
Email: privacy@onlinestuffed.com