Version 2026-05-26

Privacy Policy

In one sentence

We collect the minimum needed to run the platform, we never sell or share it commercially, we never perform KYC, and you can export or delete everything at any time.

§1. What we collect

The complete list, period:

  • Your email address. Required for login (OTP code goes here) and transactional notifications (order updates, message alerts).
  • Your store content (if you're a vendor): store name, slug, products, prices, photos, banners, theme settings. So we can render it to customers.
  • Your orders: the items, delivery address, contact phone (optional), notes you write at checkout. So the vendor can fulfill them.
  • Your messages: conversations between customers, vendors, and platform support.
  • Your crypto wallet address (vendors): so customer payments route to it. Only the public address — we never receive or store private keys.
  • Transient server logs: IP address + user-agent for the request you're currently making, for up to 7 days for abuse detection + debugging. Then deleted.

§2. What we do NOT collect

  • Government IDs, passports, driver's licenses
  • Social Security Numbers, tax IDs
  • Real names (unless you choose to add one to an order)
  • Date of birth (except an age-gate yes/no for restricted verticals)
  • Browsing history beyond your active cart session
  • Precise location (we use the ZIP code you enter, nothing more)
  • Third-party tracking pixels, advertising cookies, fingerprinting scripts
  • Analytics that tie to your identity
  • Cross-site profiles, retargeting lists, lookalike audiences

§3. How we use what we collect

Strictly to operate the platform — render your store, route your orders, deliver your messages, charge your subscription (vendors only).

We never:

  • Sell your data to anyone, for any reason
  • Share it commercially with brokers, networks, or marketers
  • Use it to advertise to you
  • Build behavioral profiles or train AI on it
  • Run it through KYC, sanctions screening, or credit scoring

§4. Who else sees your data

Operating a platform requires a few service providers. Here is exactly who and exactly what they see:

  • Supabase (database + auth provider) — sees everything stored in our database. We plan to migrate to a self-hosted Postgres on our own infrastructure before public launch.
  • Resend (transactional email) — sees the email addresses we send to and the contents of those emails (order confirmations, message notifications). Resend does not retain or process the data for any other purpose.
  • Peer (payment processor) — sees the transaction amount and the destination wallet address for customer payments you authorize. They do not see your store's other data.
  • OpenStreetMap Nominatim (geocoding) — sees the ZIP codes we look up to estimate delivery distance. No account, no identifier.
  • Our hosting provider (FlokiNET, post-launch) — physically hosts the server. They do not have application access to your data.

That is the complete list. We do not use Google Analytics, Meta Pixel, Mixpanel, Segment, Stripe, AWS, Vercel, or any comparable third party.

§5. How long we keep it

  • Active accounts: for as long as you keep using the platform.
  • Deleted accounts: scrubbed within 30 days of your deletion request. Orders that name you are anonymized (your customer record removed, the order line items kept for the vendor's books).
  • Server logs: 7 days, then automatically deleted.

§6. Your rights

From your account page (/account for customers, /portal/account for vendors) you can:

  • Download a copy of everything we have on you, as a single JSON export.
  • Delete your account. Triggers the 30-day scrub described above.
  • Correct something wrong in your profile directly, or email support@plug.delivery for anything we don't expose to a self-serve edit.

§7. Security

  • All data encrypted in transit (HTTPS/TLS).
  • All data encrypted at rest (Postgres encryption).
  • Wallet addresses stored only as public strings — private keys never reach our servers (they live in your wallet software).
  • Service-role database access restricted to our application servers; no human reads your data routinely.
  • Self-hosted, no US-based cloud-provider dependencies post-launch.

§8. Government data requests

We have not received any government data requests to date. If we do receive one we will:

  • Notify the affected user(s) unless legally gagged.
  • Provide only the specific data the order legally compels — never broader access, never bulk.
  • Publish an annual transparency report of requests received, requests complied with, and requests refused.

§9. Changes to this policy

Material privacy changes bump the version number (currently v2026-05-26) and trigger a re-acceptance prompt at next login.


Privacy questions? privacy@plug.delivery