T2Shop
Sign inGet started

Legal

Privacy Policy

Last updated:

Overview

T2Shop ("we", "our", or "us") operates a multi-tenant commerce infrastructure platform. This Privacy Policy explains what personal data we collect when you use T2Shop, how we use it, and what rights you have over it. By using T2Shop you agree to the practices described here.

Data We Collect

  • Account data. Name and email address provided during registration. Passwords are hashed with bcrypt and never stored in plain text.

  • Store & product data. Store names, domains, trusted origins, product catalogues, variant details, and stock levels that you create inside the platform.

  • Order & transaction data. Order IDs, line items, quantities, statuses, and timestamps. Payment instrument details are processed exclusively by Stripe — we never store raw card numbers or CVVs.

  • API credentials. API keys are hashed on creation and can only be viewed once. We store only the prefix and hash for identification.

  • Usage data. HTTP request logs (method, path, status code, latency) for debugging and abuse prevention. Logs are retained for 30 days.

  • Cookies. A session cookie for authenticated dashboard sessions. No third-party advertising or tracking cookies are used.

How We Use Your Data

  • Service delivery. Authenticating your sessions, processing API requests, and routing payments through your connected Stripe Express account.

  • Communications. Transactional emails (email verification, password reset, order notifications). We do not send marketing email without explicit opt-in.

  • Security & fraud prevention. Request rate limiting, anomaly detection, and enforcement of trusted origin rules.

  • Product improvement. Aggregated, anonymised usage metrics to understand which features are used most. No individual profiling.

Third-Party Services

  • Stripe. Payment processing and Stripe Express onboarding are handled by Stripe, Inc. Stripe's privacy policy governs all data shared with them. We pass the minimum required data (amount, currency, metadata) to create PaymentIntents.

  • Infrastructure providers. We host T2Shop on cloud infrastructure providers bound by data processing agreements. Data is stored in the EU / US depending on deployment region.

Data Retention

Account data is retained for the lifetime of your account. Deleting your account removes your personal information within 30 days, subject to legal obligations (e.g. financial records we are required to retain for 7 years). Anonymised aggregate statistics may be kept indefinitely.

Your Rights

Depending on your jurisdiction you may have the right to access, correct, port, or delete your personal data. To exercise any of these rights, email us at [email protected]. We will respond within 30 days.

Security

We use TLS in transit, AES-256 at rest for sensitive fields, bcrypt for passwords, and hashed storage for API keys. Access to production data is restricted to authorised personnel and audited. Despite these measures no system is perfectly secure — please notify us immediately at [email protected] if you discover a vulnerability.

Changes to This Policy

We will notify registered users by email at least 14 days before any material change takes effect. The "Last updated" date at the top of this page reflects the most recent revision.

Contact

T2Shop · [email protected] · For legal enquiries please include "Privacy Policy" in the subject line.