Template — review with counsel before publishing. These documents are a starting point that covers common SaaS / commerce requirements (Stripe Connect platform, GDPR/CCPA basics). Have a lawyer tailor them to your entity, jurisdiction, and product before going live.

Privacy Policy

Effective 2026-05-17

This Privacy Policy describes how Preview Coffee Co. (“we”, “us”) collects, uses, discloses, and protects personal information when you use our website, admin, or storefronts powered by our platform.

1. Information we collect

From merchants

  • Account info: name, email, business name, billing address, payment method.
  • Identity / KYC: when you enable payments, Stripe collects legal name, address, date of birth, last four of SSN/EIN, bank account, and supporting documents. We don't store these directly — they live in your Stripe Connect account.
  • Usage data: pages visited, features used, AI prompts, error logs, IP, browser.

From shoppers (we act as a processor on behalf of merchants)

  • Order info: name, shipping/billing address, email, phone, items purchased, totals.
  • Payment info: handled by Stripe; we receive only a token, the card brand, and the last four digits.
  • Browsing data: session cookies, cart contents, pages viewed on the storefront.

2. How we use information

  • To provide, operate, and improve the Service.
  • To process payments and prevent fraud.
  • To send transactional email (receipts, password resets, order updates).
  • To send service announcements; marketing email only with your consent.
  • To comply with legal obligations and enforce our Terms.

3. How we share information

  • Service providers: Stripe (payments), Resend (email), Cloudflare/Vercel (hosting + CDN), Anthropic/Google (AI), Sentry (error monitoring). They process data on our behalf under contract.
  • Merchants: shopper personal data is shared with the merchant operating the storefront — they're the controller for that data.
  • Legal: when required by law, court order, or to protect rights/safety.
  • Business transfers: as part of a merger, sale, or financing, subject to notice.

We don't sell personal data.

4. Cookies and similar tech

We use strictly necessary cookies (session, cart) and, with your consent where required, analytics cookies. You can disable cookies in your browser, but parts of the Service won't work without session cookies.

5. Data retention

We retain account data for the life of your account and for up to 7 years after termination for tax/audit purposes. Shopper data is retained per the merchant's instructions and applicable law. Backups are pruned within 90 days.

6. Security

We use industry-standard practices: TLS for data in transit, encryption at rest for sensitive fields, audit logging, least-privilege access, and regular vulnerability scanning. Card data is handled in SAQ-A scope — it never touches our servers.

7. Your rights

Depending on where you live, you may have rights to access, correct, delete, port, or restrict processing of your personal data, and to object to processing or withdraw consent. You can exercise these by emailing privacy@example.com. For data we hold as a processor on behalf of a merchant, contact the merchant directly.

8. International transfers

We may transfer data to the United States and other countries. For EEA/UK transfers we rely on Standard Contractual Clauses and equivalent safeguards.

9. Children

The Service is not directed to children under 16, and we don't knowingly collect their personal data.

10. Changes

We'll update this policy and post the new effective date. Material changes will be flagged via email or an in-product banner.

11. Contact

privacy@example.com