Last updated: 2026-05-13
Plain-English summary: We collect what we need to run the service, store it securely, and never sell it. We share data only with the processors required to make ShopCart work (Stripe for payments, Cloudflare for hosting, marketplaces you've explicitly connected). You can export or delete your data at any time.
To create your account: name, email, password (hashed with argon2id), country. To process payments: business details required by Stripe Connect Express (legal entity, tax ID, bank details — held by Stripe, not us). To run the service: every model, image, file, customer record, order, and message you create or receive through ShopCart.
Automatically collected: IP address, browser user agent, pages visited, timestamps. Used for security (rate limiting, fraud detection) and product analytics (which pages get used). Retained for 90 days unless tied to a specific audit-log event.
To run the service. To send you important account, security, and billing notifications. To offer support when you ask. To compute pooled-data benchmarks — in aggregate only, never identifying you to other users.
We do not: sell your data, use it to train AI models, share buyer email lists with marketplaces, or run third-party ad networks on the dashboard.
We do not have advertising partners. We do not run trackers from Facebook, Google Ads, or LinkedIn on the dashboard.
Primary database: US-East (Virginia), AWS RDS. Files: Cloudflare R2 with global edge cache. Backups: AWS S3 in a separate region, encrypted at rest. We're working on EU residency for European customers; contact privacy@shop.3dshawn.com if this is required for your business.
Active account: as long as your account exists. Cancelled account: 90-day grace period for export, then purged. Transactional records (invoices, tax filings): 7 years per US tax law. Aggregated, anonymized analytics: indefinite (no longer tied to you).
You can: export all your data (Settings → Data export), delete your account and trigger purge, opt out of pooled-data analytics, request a copy of every audit-log entry tied to your account. EU/UK users have additional GDPR rights (access, rectification, erasure, portability, restriction, objection) — email privacy@shop.3dshawn.com to exercise them.
Encryption in transit (TLS 1.3) and at rest (AES-256). Password hashing with argon2id. Optional 2FA (TOTP). Audit log on every admin action. Role-based access on team accounts. Regular penetration testing. SOC 2 Type II audit underway for 2026.
We use first-party session cookies to keep you signed in, remember your sidebar-collapsed preference, and prevent cross-site request forgery. We don't run third-party advertising cookies. The buyer-facing storefront pages use a small cookie to record A/B-test bucket assignment; this is cleared when the test ends.
ShopCart is not for users under 16. If you believe a child has created an account, email privacy@shop.3dshawn.com and we'll investigate within 7 days.
Privacy questions, data requests, GDPR requests: privacy@shop.3dshawn.com. Security disclosures: security@shop.3dshawn.com.
This Privacy Policy is a starting template. Before going live with paid customers (especially in the EU/UK), have it reviewed by a privacy attorney.