1. Introduction
MerchForAll ("we," "our," or "the Platform") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform, whether as a creator setting up a store, a buyer purchasing merchandise, or a visitor browsing our site.
3. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Platform
- Process orders and facilitate fulfillment
- Process payments and manage creator payouts
- Send transactional emails (order confirmations, shipping notifications)
- Provide customer support and respond to inquiries
- Improve our services and develop new features
- Detect and prevent fraud, abuse, and security incidents
- Comply with legal obligations
4. Third-Party Services
We use the following third-party services to operate the Platform. Each has its own privacy policy:
- Supabase — Authentication and user management
- Stripe — Payment processing and creator payouts via Stripe Connect
- Printful — Order fulfillment, printing, and shipping
- Resend — Transactional email delivery
- Cloudflare R2 — Image and file storage
We share only the minimum information necessary with each service to fulfill its specific function.
5. Data Sharing
We do not sell, rent, or trade your personal information. We share data only in the following circumstances:
- Fulfillment partners: Shipping addresses are shared with Printful to fulfill orders
- Payment processors: Payment information is shared with Stripe for transaction processing
- Legal requirements: When required by law, court order, or government request
- Safety: To protect the rights, safety, and property of our users and the Platform
6. Creator Store Data
MerchForAll is a multi-tenant platform. Each creator's store data is logically isolated:
- Each store's products, orders, and customer data are scoped to that store
- Creators can only access data belonging to their own store
- Store data is not shared between creators
- Upon store closure, data is soft-deleted and retained per our data retention policy
7. Cookies & Tracking
We use the following types of cookies:
- Essential cookies: Session management and authentication (required for the Platform to function)
- CSRF tokens: Security tokens to prevent cross-site request forgery attacks
- Analytics cookies: Anonymous usage data to help us improve the Platform
You can control cookie preferences through your browser settings. Note that disabling essential cookies may prevent the Platform from functioning properly.
8. Data Retention
We retain your data as follows:
- Account data: Retained while your account is active, and for a reasonable period after deletion
- Order data: Retained for at least 7 years to comply with financial record-keeping requirements
- Analytics data: Aggregated and anonymized data may be retained indefinitely
- Uploaded content: Removed upon store closure or account deletion request
9. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate or incomplete data
- Deletion: Request deletion of your personal data (subject to legal retention requirements)
- Export: Request your data in a portable, machine-readable format
- Objection: Object to processing of your data for certain purposes
To exercise any of these rights, please contact us. We will respond to your request within 30 days.
10. Children's Privacy
MerchForAll is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately and we will take steps to delete such information.
11. International Data Transfers
Your information may be transferred to and processed in countries other than your own. Our third-party service providers (Supabase, Stripe, Printful, Cloudflare) operate globally. We ensure that any data transfers comply with applicable data protection laws and that adequate safeguards are in place.
12. Security Measures
We implement appropriate technical and organizational measures to protect your data, including:
- Encryption of data in transit (HTTPS/TLS)
- CSRF protection on all state-changing operations
- Rate limiting to prevent abuse
- Regular security audits and monitoring
- Secure authentication via Supabase with session management
While we strive to protect your data, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.
13. Changes to Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Platform and updating the "Last updated" date. We encourage you to review this policy periodically.