storefront.js
Log inStart for free

Legal

Privacy Policy

Last updated: 2026-05-05

This Privacy Policy describes how storefront.js ("we", "us", or "our") collects, uses, and shares information when you use our hosted commerce platform, our APIs, our dashboards, and the websites we operate at storefrontjs.com and related subdomains (collectively, the "Service").

Who this policy is for

We host two distinct relationships:

  • Merchants who use our platform to operate their online stores. We process Merchant data as a service provider so the platform can run.
  • Shoppers who interact with a Merchant's storefront. The Merchant is the controller of Shopper data; we are the processor. Shoppers should consult the Merchant's own privacy policy for the rights that apply to their transactions.

Information we collect

Information you provide directly

  • Account information: name, email address, password (hashed), and optional profile details when you sign up for a Merchant account.
  • OAuth identifiers: when you choose to sign in with Google, Apple, or GitHub, we receive a unique provider id, your verified email address, and the basic profile fields the provider returns. We do not receive your provider password.
  • Store configuration: catalogue, shipping settings, integrations, email templates, and other content you create through our APIs or admin dashboard.
  • Billing information: company name, address, and the last four digits of payment instruments. Full card numbers are tokenized by our payment processor and never stored on our systems.
  • Communications: messages you send us through support channels.

Information we collect automatically

  • Usage telemetry: API request volumes, error rates, and performance counters used to operate, secure, and improve the Service.
  • Device and connection information: IP address, user agent, and similar metadata required to route requests and mitigate abuse.
  • Cookies and similar technologies: strictly necessary cookies for session management and CSRF protection, and optional cookies for theme preferences. We do not use cross-site advertising cookies.

Information about Shoppers, on behalf of Merchants

When a Shopper checks out on a Merchant's storefront, we process the following on the Merchant's behalf: contact email, shipping and billing addresses, items ordered, payment status, and order history. We process this information solely to fulfil the Merchant's instructions.

How we use information

  • To operate, maintain, and secure the Service.
  • To authenticate users and prevent fraudulent access.
  • To send transactional emails — order confirmations, password resets, security alerts, and similar account messages.
  • To debug, audit, and improve the platform's reliability and performance.
  • To comply with legal obligations.

How we share information

We do not sell personal information. We share information only with:

  • Service providers who run components of the platform under our direction, including payment processors, infrastructure hosts, email delivery providers, and analytics tooling. Each is contractually bound to handle information under terms consistent with this policy.
  • Merchants, where data is generated as part of a Shopper's transaction with that Merchant.
  • Authorities, when required by valid legal process or to protect the rights, safety, or property of users, the public, or storefront.js.
  • Successors in the event of a merger, acquisition, or asset transfer, subject to confidentiality commitments.

Data retention

We retain account and transactional records for as long as your account is active and for a reasonable period afterwards to comply with tax, accounting, and audit obligations. You may request deletion of your account at any time; some data may be retained in encrypted backups or as legally required.

Your rights

Depending on where you live, you may have rights to access, correct, export, or delete your personal information, and to withdraw consent or restrict processing. To exercise any of these rights, contact us at privacy@storefrontjs.com.

International transfers

We operate from the United States and may process information in other countries where our service providers are located. Where required, we use appropriate safeguards (such as Standard Contractual Clauses) to protect international transfers.

Security

We protect information using a combination of encryption in transit, encryption at rest for sensitive fields, scoped access controls, and audit logging. No system is perfectly secure; if you believe your account has been compromised, please notify us immediately at security@storefrontjs.com.

Children

The Service is not directed to children under 13 (or the equivalent minimum age in the user's jurisdiction). We do not knowingly collect personal information from children.

Changes to this policy

We may update this Privacy Policy as the Service evolves. We will revise the "Last updated" date above when we do, and for material changes we will provide notice through the Service or via email.

Contact

Questions about this policy can be sent to privacy@storefrontjs.com.