1. Introduction and Scope
Sellvy, Inc. ("Sellvy," "we," "us," or "our"), a Delaware corporation with its principal office at 131 Continental Dr, Suite 305, Newark, DE 19713, United States, is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website at sellvy.io (the "Platform"), including any subdomains, mobile applications, APIs, or associated services.
This Privacy Policy applies to all users of the Platform, including Sellers who create storefronts and list products, Buyers who purchase products through Seller storefronts, and visitors who browse the Platform without creating an account. By accessing or using the Platform, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with any part of this Privacy Policy, you must discontinue use of the Platform immediately.
This Privacy Policy should be read in conjunction with our Terms of Service and Cookie Policy, which are incorporated herein by reference.
3. How We Collect Information
3.1 Directly from You
We collect information that you voluntarily provide when you create an account, set up a Storefront, configure payment settings, submit a support request, complete a survey, or otherwise interact with the Platform.
3.2 Automatically Through Technology
When you access the Platform, we automatically collect technical and usage data through cookies, server logs, and similar technologies. For detailed information about the cookies and tracking technologies we use, please refer to our Cookie Policy.
3.3 From Third Parties
We may receive information about you from third-party sources, including:
- Stripe, Inc.: Connected account verification status, payout information, and transaction data necessary for payment processing through Stripe Connect.
- Authentication Providers: If you use social login or single sign-on (SSO) features, we receive basic profile information (name, email, avatar) from the authentication provider.
- Blockchain Networks: Publicly available transaction data from Bitcoin, Ethereum, Litecoin, Dogecoin, and other blockchain networks for SellvyPay payment verification.
- Fraud Prevention Services: Risk scores and fraud indicators from payment processors and security service providers.
4. Legal Basis for Processing
For users in the European Economic Area (EEA), United Kingdom, and other jurisdictions where the GDPR or equivalent data protection legislation applies, we process your personal data under the following legal bases as defined in Article 6 of the GDPR:
- Performance of Contract (Article 6(1)(b)): Processing is necessary for the performance of the contract between you and Sellvy, including creating and managing your account, processing transactions, providing customer support, and delivering the services described in our Terms of Service.
- Legitimate Interests (Article 6(1)(f)): Processing is necessary for our legitimate interests, including improving and optimizing the Platform, preventing fraud and abuse, ensuring network and information security, analyzing Platform usage, and conducting direct marketing (where permitted). We have conducted balancing tests to ensure our legitimate interests do not override your fundamental rights and freedoms.
- Consent (Article 6(1)(a)): Where required by law, we obtain your explicit consent before processing your personal data for specific purposes, such as sending marketing communications or placing non-essential cookies. You may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.
- Legal Obligation (Article 6(1)(c)): Processing is necessary for compliance with a legal obligation to which Sellvy is subject, including tax reporting requirements, responding to lawful government requests, and complying with anti-money laundering regulations.
5. How We Use Your Information
We use the information we collect for the following purposes:
- Service Delivery: To create and manage your account, operate your Storefront, process transactions, deliver purchased products, and provide the core functionality of the Platform.
- Payment Processing: To facilitate payment transactions between Sellers and Buyers through Stripe Connect, SellvyPay, and other supported payment methods, including calculating and collecting Platform Fees.
- Communication: To send transactional emails (order confirmations, delivery notifications, password resets, account alerts), respond to support requests, and, with your consent, send marketing communications about Platform features, updates, and promotions.
- Security and Fraud Prevention: To detect, investigate, and prevent fraudulent transactions, unauthorized access, and other malicious activity; to verify user identity; and to enforce our Terms of Service.
- Platform Improvement: To analyze usage patterns, diagnose technical issues, conduct A/B testing, develop new features, and improve the overall performance and user experience of the Platform.
- Analytics and Reporting: To generate aggregated, de-identified analytics and reports about Platform usage, transaction volumes, and other metrics for internal business purposes.
- Legal Compliance: To comply with applicable laws, regulations, legal processes, and governmental requests, including tax reporting, anti-money laundering obligations, and responding to subpoenas or court orders.
- Business Operations: To manage our business operations, including billing, accounting, auditing, and corporate governance.
6. Information Sharing and Disclosure
We do not sell, rent, or trade your personal information to third parties for their own marketing purposes. We may share your information with the following categories of recipients:
6.1 Service Providers
We share information with trusted third-party service providers who perform services on our behalf, subject to contractual obligations of confidentiality and data protection:
- Stripe, Inc. (San Francisco, CA) — Payment processing, connected account management, fraud detection, and financial reporting through Stripe Connect.
- Supabase, Inc. (San Francisco, CA) — Authentication services, database hosting, real-time subscriptions, and cloud storage infrastructure.
- Cloudflare, Inc. (San Francisco, CA) — Content delivery network (CDN), DDoS protection, DNS resolution, and object storage via Cloudflare R2 for file hosting.
- Vercel, Inc. (San Francisco, CA) — Application hosting, serverless function execution, edge network distribution, and performance optimization.
- Resend, Inc. — Transactional email delivery for order confirmations, password resets, account notifications, and other system-generated communications.
6.2 Sellers and Buyers
When a Buyer completes a purchase, we share relevant order information (email address, order details, delivery information) with the applicable Seller to facilitate product delivery and customer support. Conversely, Sellers' storefront information, product listings, and public profile data are visible to Buyers and Platform visitors.
6.3 Legal Requirements
We may disclose your information if required to do so by law or in the good faith belief that such action is necessary to: (a) comply with a legal obligation, subpoena, court order, or governmental request; (b) protect and defend the rights or property of Sellvy, Inc.; (c) prevent or investigate possible wrongdoing in connection with the Platform; (d) protect the personal safety of users of the Platform or the public; or (e) protect against legal liability.
6.4 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, asset sale, or similar corporate transaction involving Sellvy, Inc., your personal information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Platform of any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal information.
6.5 Aggregated and De-identified Data
We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you with third parties for research, marketing, analytics, or other business purposes. Such data is not considered personal information under applicable data protection laws.
7. International Data Transfers
Sellvy is based in the United States, and the information we collect is primarily processed and stored in the United States. If you access the Platform from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States and other countries where our service providers operate.
For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States or other countries that have not been deemed to provide an adequate level of data protection, we rely on appropriate safeguards, including: (a) Standard Contractual Clauses (SCCs) approved by the European Commission; (b) the data recipient's certification under the EU-US Data Privacy Framework (where applicable); or (c) other lawful transfer mechanisms recognized under applicable data protection law.
Our service providers, including Stripe, Supabase, Cloudflare, Vercel, and Resend, maintain their own data protection programs and may process data in multiple jurisdictions. We ensure that our agreements with these providers include appropriate data transfer safeguards.
8. Data Retention
We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements. The specific retention period depends on the nature of the data and the purpose of processing:
- Account Data: Retained for the duration of your account and for up to thirty (30) days following account deletion to allow for account recovery.
- Transaction Records: Retained for a minimum of seven (7) years following the transaction date, as required by tax and financial reporting regulations.
- Support Communications: Retained for up to three (3) years from the date of resolution.
- Usage and Technical Data: Retained for up to twenty-four (24) months from collection, after which it is aggregated and anonymized.
- Marketing Consent Records: Retained for the duration of the consent and for up to three (3) years following withdrawal to demonstrate compliance.
When personal data is no longer required for the purposes for which it was collected, we securely delete or anonymize it. In some cases, we may anonymize your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this data indefinitely without further notice.
9. Data Security Measures
We implement and maintain appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to:
- Encryption: All data transmitted between your browser and the Platform is encrypted using TLS 1.2 or higher. Sensitive data at rest, including passwords, is protected using industry-standard algorithms (bcrypt hashing for passwords, AES-256 encryption for sensitive fields).
- Access Controls: Access to personal data is restricted to authorized personnel on a need-to-know basis. We employ role-based access controls (RBAC) and row-level security (RLS) policies in our database layer.
- Infrastructure Security: Our infrastructure is hosted on Vercel's edge network and Supabase's cloud platform, both of which maintain SOC 2 Type II compliance and implement comprehensive security controls.
- Monitoring and Logging: We maintain audit logs of administrative actions and security-relevant events. Automated monitoring systems alert our team to potential security incidents.
- Incident Response: We maintain a documented incident response plan and will notify affected users and relevant authorities within the timeframes required by applicable law (72 hours under GDPR) in the event of a data breach.
While we strive to use commercially acceptable means to protect your personal information, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security of your data.
10. Your Rights Under GDPR
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR) with respect to your personal data:
- Right of Access (Article 15): You have the right to request a copy of the personal data we hold about you, along with information about how it is being processed.
- Right to Rectification (Article 16): You have the right to request that we correct any inaccurate or incomplete personal data we hold about you.
- Right to Erasure (Article 17): You have the right to request that we delete your personal data, subject to certain exceptions (such as data retained for legal compliance).
- Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
- Right to Restriction of Processing (Article 18): You have the right to request that we restrict processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.
- Right to Object (Article 21): You have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes.
- Right to Withdraw Consent (Article 7(3)): Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
- Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement.
To exercise any of these rights, please contact our Data Protection Officer at dpo@sellvy.io. We will respond to your request within thirty (30) days, as required by GDPR. In exceptional circumstances, we may extend this period by up to sixty (60) additional days, with prior notice to you. We do not charge a fee for responding to valid requests, unless a request is manifestly unfounded or excessive.
11. Your Rights Under CCPA
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which that information is collected, our business or commercial purpose for collecting the information, and the categories of third parties with whom we share the information.
- Right to Delete: You have the right to request that we delete any personal information we have collected from you, subject to certain exceptions.
- Right to Opt-Out of Sale or Sharing: You have the right to opt out of the "sale" or "sharing" of your personal information. As stated in this Privacy Policy, we do not sell your personal information to third parties for monetary consideration. However, certain data-sharing activities for targeted advertising purposes may constitute a "sale" or "share" under the CCPA/CPRA.
- Right to Correct: You have the right to request that we correct any inaccurate personal information we maintain about you.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. We will not deny you goods or services, charge you different prices, provide a different level of quality, or suggest that you may receive a different price or quality of goods or services for exercising your rights.
To exercise your rights under the CCPA, you may submit a verifiable consumer request by contacting us at privacy@sellvy.io or through your account settings. We will verify your identity before processing your request. We will respond to verified requests within forty-five (45) days, with the possibility of a forty-five (45) day extension upon notice.
In the twelve (12) months preceding the last update of this Privacy Policy, we have not sold personal information (as defined by the CCPA) of any consumer for monetary consideration.
12. Children's Privacy
The Platform is not directed to children under the age of sixteen (16), and we do not knowingly collect personal information from children under 16. If you are under 16, you may not create an account or use the Platform. If we become aware that we have collected personal information from a child under 16 without verification of parental consent, we will take steps to promptly delete such information from our servers.
If you are a parent or guardian and you are aware that your child has provided us with personal information, please contact us at privacy@sellvy.io so that we can take the necessary actions. Where required by applicable law (such as GDPR Article 8), we will obtain verifiable parental consent before processing personal data of children between 13 and 16 years of age.
13. Cookies and Tracking
We use cookies and similar tracking technologies (such as web beacons, pixels, and local storage) to collect and store certain information when you use the Platform. Cookies are small data files that are placed on your device when you visit a website.
We use both session cookies (which expire when you close your browser) and persistent cookies (which remain on your device for a set period or until you delete them). We also use first-party cookies (set by Sellvy) and third-party cookies (set by our service providers, including Stripe for payment fraud prevention and Supabase for authentication).
For comprehensive information about the specific cookies we use, their purposes, and how to manage them, please refer to our Cookie Policy.
14. Third-Party Links
The Platform may contain links to third-party websites, services, or content that are not owned or controlled by Sellvy. This includes links to Seller Storefronts, external product resources, payment processor portals, and social media platforms. We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party websites or services.
We strongly advise you to review the privacy policy of every website you visit. When you click on a third-party link, you are subject to that third party's terms and privacy policy. This Privacy Policy does not apply to any information you provide to or that is collected by any third party.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you by: (a) updating the "Last updated" date at the top of this page; (b) posting a prominent notice on the Platform; and (c) sending an email to the address associated with your account (for registered users).
We encourage you to review this Privacy Policy periodically for any changes. Your continued use of the Platform after the effective date of any changes constitutes your acceptance of the revised Privacy Policy. If you do not agree to the updated Privacy Policy, you must stop using the Platform and may request deletion of your account and personal data.
16. Data Protection Officer
Sellvy has appointed a Data Protection Officer (DPO) who is responsible for overseeing our data protection strategy and ensuring compliance with applicable data protection laws. If you have any questions or concerns about our data processing practices, wish to exercise your data protection rights, or want to make a complaint about how we handle your personal data, you may contact our DPO at:
Data Protection Officer
Sellvy, Inc.
131 Continental Dr, Suite 305
Newark, DE 19713
United States
Email: dpo@sellvy.io
Our DPO will respond to all legitimate requests within thirty (30) days and will make every effort to resolve any concerns you raise regarding the processing of your personal data.