ToadPlantsToadPlants

Privacy Policy

Last updated: January 2025

1. Introduction

ToadPlants ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website and use our marketplace services.

We comply with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the Data Protection Act 2018. By using our services, you consent to the data practices described in this policy.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address
  • Full name
  • Profile image (if provided)

2.2 Shipping Information

When you place an order, we collect:

  • Shipping address (street address, city, county/state, postal code, country)
  • Contact email for order updates

2.3 Payment Information

Payment processing is handled by Stripe. We do not store your credit card details. We only retain:

  • Transaction reference IDs for order tracking
  • Order amounts and currency

2.4 Seller Information

If you register as a seller, we additionally collect:

  • Store name and description
  • Store images
  • Stripe Connect account information for receiving payments

2.5 Guest Checkout Information

If you checkout as a guest (without creating an account), we collect:

  • Email address for order confirmation
  • Shipping address
  • A session identifier stored in your browser

2.6 Automatically Collected Information

When you use our website, we automatically collect:

  • Session identifiers for shopping cart functionality
  • Browser type and device information

3. How We Use Your Information

We use the information we collect to:

  • Process and fulfil your orders
  • Send order confirmations and shipping updates
  • Manage your account and provide customer support
  • Enable sellers to receive payments through Stripe Connect
  • Improve our website and services
  • Prevent fraud and ensure platform security
  • Comply with legal obligations

4. Legal Basis for Processing (GDPR)

Under the UK GDPR and EU GDPR, we process your personal data based on the following legal grounds:

  • Contract: Processing necessary to fulfil orders and provide our services
  • Legitimate Interest: Improving our services, preventing fraud, and ensuring security
  • Legal Obligation: Compliance with tax, accounting, and other legal requirements
  • Consent: Where you have given explicit consent for specific processing activities

5. Third-Party Services

We work with trusted third-party service providers to operate our platform:

5.1 Clerk (Authentication)

We use Clerk for user authentication. When you sign up or log in, Clerk processes your email address, name, and profile information. For more information, see Clerk's Privacy Policy.

5.2 Stripe (Payment Processing)

We use Stripe to process payments. Stripe is a PCI-DSS compliant payment processor. Your payment card details are sent directly to Stripe and are never stored on our servers. For more information, see Stripe's Privacy Policy.

5.3 Google Places API (Address Lookup)

We use Google Places API to provide address autocomplete functionality during checkout. This helps ensure accurate shipping addresses. For more information, see Google's Privacy Policy.

5.4 Convex (Database Hosting)

Our data is stored securely using Convex, a backend-as-a-service platform. For more information, see Convex's Privacy Policy.

6. Cookies and Local Storage

We use local storage (similar to cookies) to:

  • Shopping Cart: We store a session identifier in your browser's local storage to maintain your shopping cart across browsing sessions
  • Authentication: Session tokens to keep you logged in

These are essential for the functionality of our website and cannot be disabled without affecting your ability to use our services.

7. Data Retention

We retain your personal data for as long as necessary to:

  • Account data: Until you request account deletion
  • Order data: For 7 years after the order date for tax and legal compliance
  • Guest session data: For 30 days after the last activity
  • Seller data: Until the seller account is closed, plus any legally required retention period

8. Your Rights

Under the UK GDPR and EU GDPR, you have the following rights:

  • Right of Access: Request a copy of the personal data we hold about you
  • Right to Rectification: Request correction of inaccurate or incomplete data
  • Right to Erasure: Request deletion of your personal data (subject to legal retention requirements)
  • Right to Restrict Processing: Request limitation of how we use your data
  • Right to Data Portability: Receive your data in a machine-readable format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent

To exercise any of these rights, please contact us using the details in Section 10.

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encryption of data in transit using HTTPS/TLS
  • Secure authentication through Clerk
  • PCI-DSS compliant payment processing through Stripe
  • Regular security reviews and updates
  • Access controls limiting who can access personal data

10. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us at:

Email: contact@arlo.to

You also have the right to lodge a complaint with your local data protection authority. In the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date. We encourage you to review this Privacy Policy periodically.