1. Information We Collect
Account Information
When you create an account, we collect your name, email address, and profile information. Creator accounts additionally require information for Stripe Connect onboarding, which is processed directly by Stripe.
Payment Information
We do not store credit card numbers or bank account details. All payment processing is handled by Stripe. We store transaction references (order IDs, amounts, status) to display order history and analytics.
Usage Data
We collect anonymized analytics data including page views, widget impressions, and conversion metrics. This data is used to provide dashboard analytics to creators and improve the Platform.
Embedded Widget Data
When a visitor interacts with an embedded souldust widget on a third-party site, we collect the minimum data necessary to process the transaction: items selected, checkout information provided by the buyer, and the referring domain.
2. How We Use Your Information
- To operate and maintain your account and storefront.
- To process transactions between creators and buyers via Stripe.
- To provide order history, analytics, and payout information.
- To generate and serve embedded widgets on third-party sites.
- To communicate account-related updates (order confirmations, security alerts).
- To improve the Platform's performance, reliability, and features.
3. Cookies
We use a minimal set of cookies:
| Cookie | Purpose | Duration |
|---|---|---|
| session | Authentication session | 30 days |
| csrf | Cross-site request forgery protection | Session |
| cf_clearance | Cloudflare security verification | 30 minutes |
We do not use tracking cookies or sell data to advertising networks. Embedded widgets use session storage only for active checkout flows and do not persist data after the browser tab is closed.
4. Third-Party Services
The Platform integrates with the following third-party services that may process your data under their own privacy policies:
- Stripe — Payment processing and creator payouts. Stripe Privacy Policy
- Cloudflare — Hosting, CDN, DDoS protection, and DNS. Cloudflare Privacy Policy
- Neon — Serverless PostgreSQL database hosting. Neon Privacy Policy
5. Data Retention
- Account data is retained for as long as your account is active.
- PII redaction: Personal information associated with fulfilled orders — customer name, phone number, and shipping address — is automatically redacted 30 days after fulfillment. Customer email addresses are retained for order history and customer list features.
- Transaction records: Order records (amounts, dates, status, Stripe references) are retained indefinitely for creator analytics. Complete transaction records including full customer details remain accessible through Stripe for the full 7-year retention period required for tax and accounting compliance.
- Analytics data is aggregated and anonymized after 90 days.
- Upon account deletion, personal data is removed within 30 days. Anonymized analytics data may be retained.
6. Your Rights
You have the right to:
- Access — Request a copy of the personal data we hold about you.
- Correction — Update inaccurate or incomplete personal data.
- Deletion — Request deletion of your account and associated personal data.
- Export — Receive your data in a portable format.
- Objection — Object to processing of your data for specific purposes.
To exercise any of these rights, contact us at the address below. We will respond within 30 days.
7. Data Security
We implement industry-standard security measures including encrypted connections (TLS), secure authentication via Better Auth, and serverless database access through Neon's HTTP driver. Payment credentials are never stored on our servers — all payment processing occurs directly through Stripe's PCI-compliant infrastructure.
Encryption at rest: All data stored in our database — including order records, shipping addresses, customer names, email addresses, and phone numbers — is encrypted at rest using AES-256 encryption provided by our database host (Neon). Neon encrypts all data at the storage level, and backups are also encrypted.
Data retention of PII: Personal information associated with fulfilled orders (customer name, phone number, shipping address) is automatically redacted from our database 30 days after fulfillment. Customer email addresses are retained for order history. Complete transaction records, including full customer details, remain accessible through Stripe's PCI-compliant infrastructure for the 7-year period required for tax and accounting compliance.
8. Children's Privacy
The Platform is not intended for use by anyone under the age of 13. We do not knowingly collect personal information from children. If we learn we have collected data from a child under 13, we will delete it promptly.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy with a revised effective date. Continued use of the Platform after changes constitutes acceptance.
10. Contact
souldust.xyz is operated by CodeCoded Ltd (company number 11558140), a company registered in England and Wales. Registered office: C/O Glx, 69-75 Thorpe Road, Norwich, England, NR1 1UA. For privacy-related questions or requests, contact us at privacy@souldust.xyz.