Privacy Policy
Last updated: April 26, 2026
This Privacy Policy explains what personal data Octavemerch collects, why we collect it, and your rights under the EU General Data Protection Regulation (GDPR). The data controller is the Octavemerch operator. Contact: support@octavemerch.com.
1. Data we collect
| Category | Examples | Why |
|---|---|---|
| Account data | Name, email, password (hashed), role (shopper/creator), email verification status | To create and secure your account |
| Creator profile | Store name, bio, cover photo, public URL slug, creator type | To show your public shop |
| Designs | Uploaded artwork, text, layout, product/colour/size choices, prices | To produce and display your merch |
| Order data | Customer shipping address, items, totals, fulfilment status | To process and ship orders |
| Subscription data | Plan tier and status, upgrade and cancellation timestamps | To bill the Pro plan correctly |
| Technical data | IP address (transient), browser, device, anonymous reCAPTCHA / App Check signals | Security and abuse prevention |
| Marketing preferences | Whether you opted in to product news | So we only email you when you allowed it |
2. Legal bases (GDPR Art. 6)
- Contract - account creation, order processing, subscription billing.
- Legal obligation - tax records, anti-fraud compliance.
- Legitimate interest - service security, abuse prevention, basic analytics.
- Consent - marketing emails (you can withdraw at any time).
3. Service providers (sub-processors)
We share the minimum data needed with the following providers, all bound by contractual data protection terms:
- Google Firebase (Authentication, Firestore, Hosting, Cloud Functions, App Check) - hosts your account, designs, and orders.
- Gelato (third-party print fulfilment processor) - receives order details and shipping addresses to print and ship.
- Stripe (or equivalent) - payment processor for Creator plan subscriptions and customer purchases. We never see or store full card numbers.
- Email delivery - transactional emails (verification, order confirmation) sent via Firebase’s email infrastructure.
4. Cookies & local storage
We use first-party cookies and browser local storage for essential functions: keeping you signed in, remembering your cart, and caching catalog data for performance. We do not use advertising cookies or sell data to advertisers.
5. International transfers
Some sub-processors process data outside the European Economic Area (e.g. Google’s global infrastructure). Where this happens, transfers rely on the European Commission’s Standard Contractual Clauses or equivalent adequacy mechanisms.
6. Data retention
- Account data: kept while your account is active, deleted within 90 days of account deletion (except where retention is legally required, e.g. tax records up to 7 years).
- Order records: retained for accounting and warranty purposes, up to 7 years.
- Marketing consent records: kept for as long as you remain opted in, plus a short audit trail after opt-out.
- Server logs: rotated and deleted within 30 days unless flagged for security investigation.
7. Your GDPR rights
You have the right to:
- Access the personal data we hold about you;
- Rectify inaccurate data;
- Erase your data ("right to be forgotten"), subject to legal retention exceptions;
- Restrict or object to processing;
- Receive a portable copy of your data;
- Withdraw consent for marketing at any time;
- Lodge a complaint with your local data protection authority.
To exercise any of these rights, email support@octavemerch.com. We respond within 30 days.
8. Security
We protect your data with industry-standard measures including TLS-encrypted connections, hashed passwords, Firestore security rules, App Check abuse prevention, server-side rate limiting, and a default-deny policy on unauthenticated writes. No system is 100% secure, but we apply best practices and respond promptly to security reports sent to support@octavemerch.com.
9. Children
Octavemerch is not directed at children under 16. If you become aware that a child has created an account, please contact us and we will delete it.
10. Changes to this Policy
We will notify you by email or in-product banner before any material changes take effect, with at least 14 days’ notice. The current version is always available at this URL.