1. Introduction
This Privacy Policy explains how Skin-Stash ("we", "us") processes limited user and operational data in connection with purchasing, fulfillment coordination, account services and support. We apply a data minimization approach: only what is required to provide, secure and improve the service is retained.
Policy version: 1.0 • Effective date: 2025-09-01
2. Data We Collect
Account Data
Username (local), email (for login & support), session/consent flags stored client-side (localStorage). No plaintext passwords are transmitted beyond initial local mock demo environment (if any).
Transaction Context
Order references (GL-REF codes), selected product metadata, quantity, price displayed. Full payment processing details are not handled here (demo context) and would be delegated to a PCI-compliant provider in production.
Operational / Performance
Anonymous aggregated load timings, error event counts & feature engagement metrics (only if analytics/performance consent granted).
Support Communications
Message content you submit through the contact form, associated GL-SUP reference and optionally GL-REF order code for faster resolution.
Security / Abuse Signals
Rate-limit counters, anomaly flags or hashed tokens (non-identifying) used to mitigate abuse (always on; see cookies page).
Automatically Received Technical Data
Browser type, approximate locale, basic device category and referrer path (not full chain) — trimmed and aggregated where possible.
What We Explicitly Avoid
- No cross-site behavioral tracking
- No third-party advertising pixels
- No invasive fingerprinting scripts
- No sale of personal data
3. Legal Bases (If Applicable Under GDPR)
- Contract: Fulfilling requested orders & services.
- Legitimate Interest: Security, fraud prevention, service optimization.
- Consent: Performance / analytics & any optional marketing insights.
- Legal Obligation: Potential retention of minimal transactional logs if required by law (not active in demo).
4. How We Use Data
- Provide core site functionality (cart, login state, fulfillment reference)
- Respond to support & escalation requests
- Improve load speed & reliability (if consented)
- Detect abuse & maintain service integrity
- Generate anonymized statistical summaries
5. Retention
Session & preference values remain in client storage until cleared or expired (preferences up to 12 months). Support references retained while issue active. Aggregated technical metrics stored only in summarized non-identifying form. Security tokens rotate quickly (5–60 minutes).
You may clear local data anytime via browser storage tools & adjust non-essential categories on the cookies page.
6. Security
- Minimal local-only session markers
- No plaintext password re-display
- Scoped internal reference codes (GL-REF, GL-SUP)
- Abuse detection & throttling tokens
- Segregation of optional analytics data
8. International Transfers
Infrastructure or CDN nodes may geographically distribute cached static assets. Any future personal data routing would use safeguards (e.g., SCCs) where required.
9. Your Rights (Contextual)
- Access – Obtain a summary of stored data
- Rectification – Correct inaccurate account info
- Deletion – Request erasure (within lawful allowances)
- Restriction – Limit certain processing categories
- Portability – Structured export (where feasible)
- Objection – Opt-out of optional metrics/analytics
- Withdraw Consent – Adjust at /cookies
10. Children
This service is not directed to individuals under the minimum digital consent age in their jurisdiction. We do not knowingly collect data from such users. Contact us if you believe unintended data was provided.
11. Changes
Material changes will be announced via an in-site banner or support notice. Minor clarifications update silently with this version date.
12. Contact
Questions or rights requests:
- Email: privacy@skin-stash.example
- Support Portal: /contact
- Abuse Reporting: abuse@skin-stash.example