Legal

Privacy Policy

Last updated: April 5, 2026  ·  Effective: April 5, 2026

CraftBridge ("we", "us", or "our") operates the CraftBridge marketplace platform, available at craftbridge-d91o.polsia.app and as a Shopify app. This Privacy Policy explains what information we collect, how we use it, and how we protect it.

The short version: We collect only what's necessary to run the marketplace. We don't sell your data. We share order details with suppliers only to fulfill your orders.

1. Information We Collect

Merchant accounts: When you register as a merchant, we collect your business name, email address, and password (stored as a secure hash — we never store plain-text passwords). If you connect your Shopify store, we collect your Shopify store domain and an encrypted OAuth access token.

Supplier (artisan) accounts: When you register as a supplier, we collect your name, email address, password (bcrypt-hashed), and optional profile details such as bio, capacity, and lead time.

Orders: When a merchant places an order, we collect product details, quantity, shipping address, and order notes to facilitate fulfillment.

Shopify store data: If you install CraftBridge from the Shopify App Store, we receive your shop domain and a scoped access token. We use this only to import products into your Shopify catalog at your request. We do not read, modify, or delete any store data beyond the specific product you choose to import.

Usage data: We collect basic analytics (page views, session identifiers) to understand how the platform is used and to improve it. We do not track you across other websites.

2. How We Use Your Data

  • To operate the CraftBridge marketplace and process orders
  • To facilitate product imports into your Shopify store
  • To send transactional emails (order confirmations, welcome messages)
  • To calculate and track supplier earnings and commission splits
  • To detect and prevent fraud or abuse
  • To improve the platform

We do not use your data for advertising, and we do not sell your data to third parties.

3. How We Store and Protect Your Data

All data is stored in a PostgreSQL database hosted on Neon (a secure, cloud-hosted database provider). The database connection uses SSL encryption in transit.

OAuth tokens (Shopify access tokens) are encrypted at rest using AES-256-GCM before storage. The encryption key is stored separately from the database.

Passwords are hashed using bcrypt with 10 rounds. We cannot recover your password — only reset it.

Our servers run on Render, a managed cloud platform with infrastructure-level security controls.

4. Who We Share Data With

We share data only as necessary to provide the service:

  • Suppliers: When a merchant places an order, we share the order details (products, quantity, shipping address) with the relevant supplier to enable fulfillment.
  • Stripe: For payment processing. When you pay for an order, your payment details are handled by Stripe. We do not store card numbers. Stripe's privacy policy is at stripe.com/privacy.
  • Shopify: When you connect your store, data flows between CraftBridge and Shopify as described in Section 1.
  • Infrastructure providers: Render (hosting), Neon (database), and Cloudflare (CDN) process data as part of operating the service.

We do not share, rent, or sell your data to data brokers, advertising networks, or any other third parties.

5. Cookies

We use a single, essential session cookie to keep you logged in. This cookie is:

  • Set only when you log in
  • HttpOnly (not accessible by JavaScript)
  • Secure in production (transmitted only over HTTPS)
  • Set to expire after 30 days of inactivity

We do not use advertising cookies, tracking pixels, or third-party analytics cookies.

6. Your Rights (GDPR & CCPA)

Depending on where you live, you may have rights regarding your personal data, including:

  • Access: Request a copy of the data we hold about you
  • Correction: Ask us to correct inaccurate data
  • Deletion: Request deletion of your account and associated data
  • Portability: Receive your data in a machine-readable format
  • Objection: Object to specific uses of your data

To exercise any of these rights, email us at craftbridge@polsia.app. We will respond within 30 days.

To delete your account: Email craftbridge@polsia.app with the subject "Account Deletion Request" and include the email address associated with your account. We will delete your account and associated data within 7 business days.

7. Data Retention

We retain your account data for as long as your account is active. Order records are retained for 7 years to comply with financial record-keeping requirements.

If you delete your account, we remove your personal data within 7 business days. Order records may be retained in anonymized form for financial compliance.

If you uninstall the CraftBridge Shopify app, your Shopify access token is deleted immediately. See our Data Handling page for details.

8. Children's Privacy

CraftBridge is a B2B platform intended for businesses and adults. We do not knowingly collect personal data from children under 16.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top. Continued use of the platform after changes constitutes acceptance of the updated policy.

10. Contact Us

Questions about this Privacy Policy? Contact us: