Privacy Policy
This page describes Shopless platform-level policies and responsibilities.
Platform Privacy Policy (Shopless)
Effective date: February 18, 2026
1. Scope. This policy describes how Shopless collects and processes personal data when operating the platform, including merchant accounts, support channels, security controls, and system analytics.
2. Definitions.
- "Controller", "Processor", and "Personal Data" have meanings given by applicable data protection law.
- "Merchant Data" means account and business data submitted by Merchants.
- "End-Customer Data" means transaction data processed on behalf of Merchants.
3. Processing roles.
- For Merchant Data used in account administration, billing, security, and legal compliance, Shopless acts as Controller.
- For End-Customer Data submitted by Merchants, Shopless generally acts as Processor under Merchant instructions.
4. Categories of data. Shopless may process account identifiers, authentication data, billing metadata, support communications, device and usage logs, risk signals, and transaction event metadata required for service functionality.
5. Legal bases. Processing is based on contract performance, legitimate interests (security, abuse prevention, service reliability), legal obligations, and consent where required by law.
6. Purpose limitation. Data is used to provide services, maintain availability, prevent fraud, investigate abuse, respond to lawful requests, and improve operational quality.
7. Data sharing. Shopless may share data with infrastructure providers, payment and risk partners, support vendors, professional advisors, and authorities where legally required. Data sharing is subject to contractual and confidentiality controls.
8. International transfers. Where cross-border transfers occur, Shopless applies recognized transfer mechanisms, including Standard Contractual Clauses where required.
9. Data Processing Addendum (DPA). Merchant processing terms are governed by the Shopless DPA. Current DPA reference: [[DPA_URL]].
10. Subprocessors. Shopless uses subprocessors for hosting, analytics, support, and security functions. Current subprocessor list: [[SUBPROCESSORS_URL]].
11. Retention. Data is retained only as long as necessary for service delivery, contractual obligations, dispute handling, auditability, tax/accounting duties, and legal compliance.
12. Security. Shopless applies technical and organizational measures, including access controls, encryption in transit, environment segregation, logging, and incident response procedures. No system can be guaranteed as absolutely secure.
13. Data subject rights. Eligible individuals may request access, correction, deletion, restriction, portability, or objection rights, subject to legal exceptions and identity verification.
14. Merchant responsibilities. Merchants remain responsible for storefront privacy disclosures, consent collection where required, lawful instructions, and handling end-customer rights requests for Merchant-controlled processing.
15. Regulatory contacts.
- Privacy inquiries: privacy@shopless.vip
- EU representative (if applicable): [[EU_REP_CONTACT]]
- UK representative (if applicable): [[UK_REP_CONTACT]]
16. Complaints. Where required by law, individuals may lodge complaints with their local data protection authority.
17. Updates. This policy may be updated periodically. Material changes will be reflected through the effective date above.