Privacy Policy
Last updated: 09 May 2026
This Privacy Policy explains how J J Cunningham, sole trader operating shoppa.uk ("the Operator", "we", "us"), processes personal data. It forms part of our Terms & Conditions. It is written under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
The short version. We are a software platform that powers other people's shops. When you buy something on a Vendor's shop on shoppa.uk, the Vendor is the seller and the data controller for your customer data. We act as a processor for the Vendor. Stripe is the controller for your payment-card data — we never see your card. We don't sell or share your data for advertising.
1. Who is the data controller for what
This is the most important clause. The platform involves three independent controllers depending on the data:
1.1 The Operator (J J Cunningham) is the controller for:
- Vendor account data — name, business name, email, password hash, subscription state, subdomain slug, custom domain (if used), notification email, store profile.
- Vendor billing data — Stripe subscription IDs, invoice numbers, billing email, plan tier, trial state.
- Vendor support requests sent to the Operator's own support inbox.
- Marketing-site visitor data on the apex (shoppa.uk) and our limited site-wide analytics.
- Platform-wide security and audit logs (failed logins, IP throttle hits, rate-limit events).
1.2 The Vendor is the controller for:
- Customer accounts created on the Vendor's Storefront, including the Customer's name, email, password hash, addresses, phone number, order history, dispute history, product reviews, messages with the Vendor and the Vendor's notes on the Customer.
The Operator processes that data on the Vendor's behalf, in the capacity of a processor under Article 28 UK GDPR. The Vendor sets the purposes (running their shop, communicating with their customers, retaining business records). The Operator only acts on the Vendor's documented instructions and on its own legal obligations as the platform operator.
If you are a Customer who wants to exercise your data-protection rights in respect of an account on a Vendor's Storefront, you should ordinarily contact that Vendor directly using the contact details on their Storefront. If you can't reach them or your request is denied without good reason, you can contact us at [email protected] and we will assist.
1.3 Stripe is the controller for:
- Your payment-card data (PAN, CVC, expiry). Stripe collects this directly using their hosted Elements components; the Operator's servers never see, log or store it.
- Payment-fraud signals, 3-D Secure interactions and chargeback workflows.
Stripe processes this data under Stripe's own Privacy Policy.
1.4 AliExpress and CJ Dropshipping are controllers for:
- Their fulfilment systems' record of orders the Vendor has placed with them on a Customer's behalf, including the Customer's name and shipping address (which they require to ship the goods).
Where a Vendor uses these dropship channels, the Vendor (as seller) shares the necessary delivery data with the supplier; the supplier processes it under their own privacy notice.
2. Personal data the Operator collects (as controller)
This section covers data we control (Vendor account, billing, platform-wide visitors). For data the Vendor controls — Customer accounts on a Storefront — see section 3.
2.1 Vendor application and account
- Identity — full name, business name, UK geographical address, email, phone, password hash. Lawful basis: contract (Article 6(1)(b)).
- Approval data — vendor application notes, approval / rejection record, prohibited-products acknowledgement timestamp and IP. Lawful basis: legitimate interest in operating a compliant platform (6(1)(f)).
- Storefront branding — store name, slug, avatar, banner image, store bio, accent colour. Lawful basis: contract.
- Connected-account credentials — Stripe publishable key (clear text) and Stripe secret key (encrypted at rest with AES-256-GCM under a key the Operator does not transmit). Webhook signing secret, also encrypted. AliExpress/CJ OAuth tokens, encrypted. Lawful basis: contract.
- Subscription state — tier, status, trial end, current period end, platform Stripe customer ID and subscription ID. Lawful basis: contract.
2.2 Marketing-site visitors
- Standard server log fields (IP, user agent, referrer, timestamp, requested URL). Lawful basis: legitimate interest in security and operability.
- If you opt in to a contact form, the contents of your submission. Lawful basis: consent.
2.3 Security and audit
- Failed login attempts, rate-limit hits, blacklisted IP hits, anti-spam classifications. Lawful basis: legitimate interest in protecting the platform from abuse, with appropriate safeguards.
We do not buy personal data from data brokers, and we do not use cookie-based behavioural advertising on the Platform.
3. Personal data the Vendor collects (we process)
When you create an account on a Vendor's Storefront, place an order, post a review, message the Vendor or contact their support, the data goes to the Vendor as controller. The Operator's software stores and transmits that data on the Vendor's behalf.
Specifically, on a Vendor's Storefront the Vendor collects:
- Customer account data — name, email, password hash, phone (where required for delivery).
- Customer addresses — billing address (collected by Stripe) and shipping address (collected at checkout).
- Order data — items, quantities, prices, shipping selections, order status, tracking numbers.
- Customer-Vendor communications — messages, support tickets, dispute exchanges, reviews.
- Refund and cancellation history.
The Vendor is required by section 12 of our Terms to handle this data in accordance with the UK GDPR. As the processor for that data, the Operator:
- Acts only on the Vendor's instructions (the choices they make in the platform's settings, together with what the Operator's software requires in order to function).
- Imposes confidentiality on personnel who can access the data.
- Implements the security measures set out in section 6.
- Notifies the Vendor without undue delay of any personal data breach affecting their data.
- Returns or deletes the data on the Vendor's instruction, subject to applicable legal retention obligations.
- Does not engage sub-processors without notice; current sub-processors are listed in section 7.
Customers exercising rights against the Vendor's data should contact the Vendor in the first instance. The Operator will forward such requests on receipt and assist the Vendor in responding within statutory time limits.
4. Lawful bases at a glance
- Contract (6(1)(b)) — for processing necessary to perform the Subscription with a Vendor or the order contract between Customer and Vendor.
- Legitimate interest (6(1)(f)) — for fraud prevention, security, abuse-detection logs and non-tracking analytics.
- Legal obligation (6(1)(c)) — for tax records, accounting records, response to lawful regulator requests.
- Consent (6(1)(a)) — for optional marketing communications (Vendor- or Operator-side). Withdraw at any time.
5. Cookies and local storage
We use only strictly-necessary cookies and equivalent local storage to make the platform work:
- Session cookie (DROPSHIP_SESS) — keeps you logged in. HttpOnly, Secure, SameSite=Lax. Scoped to the host that issued it (apex or vendor subdomain) so a vendor cannot read another vendor's session.
- CSRF token cookie — protects forms from cross-site request forgery.
- Theme preference (shoppa_theme in localStorage and a matching cookie) — remembers your light/dark choice.
- Cart — items in your basket, stored in localStorage on your device only; we do not transmit it to our server until you proceed to checkout.
Stripe sets its own cookies on the checkout iframe (under js.stripe.com). Cloudflare may set bot-detection cookies in front of the platform. We do not use Google Analytics, Meta Pixel, advertising trackers, or behavioural tracking of any kind.
6. Security
- All traffic is served over TLS 1.2+ via Cloudflare.
- Passwords are hashed with bcrypt (cost 12) — we never store plaintext passwords.
- Vendor Stripe secret keys, webhook signing secrets, and AliExpress/CJ OAuth tokens are encrypted at rest using AES-256-GCM with an environment-variable-held key.
- Sessions are regenerated on login and at fixed intervals to mitigate session fixation.
- Rate-limit, honeypot and email-throttle defences guard signup, login, contact, vendor messaging and other user-facing endpoints.
- Production servers are firewalled to permit only inbound HTTPS and outbound connections to the Stripe, Brevo and supplier APIs.
- Customer payment-card data never reaches our servers — Stripe's hosted Elements components handle card capture client-side.
If you suspect a security issue, please email [email protected] with details.
7. Sub-processors and recipients
We use the following sub-processors to operate the Platform. Each is contractually bound to UK-GDPR-equivalent protections and, where based outside the UK, transfers data under either an adequacy decision or the UK International Data Transfer Addendum to the EU Standard Contractual Clauses.
- Amazon Web Services / AWS Lightsail — hosting (United Kingdom region, eu-west-2).
- Cloudflare, Inc. — DNS, TLS termination, DDoS protection, optional cache.
- Stripe Payments Europe Ltd — payment processing (Stripe is a controller for payment data, a processor for subscription billing data).
- Brevo (formerly Sendinblue) SAS — transactional email delivery (verification emails, order confirmations, etc.).
- AliExpress / Alibaba.com Singapore E-Commerce Private Ltd — for Vendors who use AliExpress dropshipping; the Vendor (not the Operator) decides to share the order data.
- CJ Dropshipping (Yiwu Jiyou E-Commerce Co Ltd) — for Vendors who use CJ Dropshipping; as with AliExpress, the Vendor (not the Operator) decides to share the order data.
- Google (Gemini API) — optional AI features (mascot chat, listing-text generation) used by some Vendors. Inputs are not used for advertising; per Google's API terms inputs are not used to train Google's consumer models.
We do not sell or rent personal data, and we do not share it with advertising networks or data brokers.
8. International transfers
Most data is processed in the United Kingdom (AWS eu-west-2) or the European Economic Area (Stripe Ireland, Brevo France). Transfers to the United States (Cloudflare, certain Stripe and Brevo functions) are made under the UK Extension to the EU-US Data Privacy Framework where the recipient is certified, or under the UK International Data Transfer Addendum where it is not. Transfers to AliExpress and CJ are made on the instruction of the Vendor as part of the Vendor-supplier relationship.
9. How long we keep data
- Vendor account: kept for the lifetime of the Subscription plus 6 years after termination (UK statutory tax-record retention).
- Customer account on a Vendor Storefront: as long as the Vendor's Subscription is active, plus 30 days after Subscription termination during which the Vendor may export it. Then deleted from active systems, except where the Vendor's own retention obligations require longer.
- Order records: 6 years from order date (UK statutory business-record retention).
- Marketing-site visitor logs: 90 days, then aggregated.
- Security/audit logs: 12 months.
- Encrypted backup snapshots: 30 days rolling.
10. Your rights
Under the UK GDPR you have the right to:
- Access the personal data we (or the Vendor) hold about you.
- Rectify data that is inaccurate.
- Erase data ("right to be forgotten"), subject to our retention obligations and to the Vendor's business-record obligations as controller.
- Restrict processing while a dispute is resolved.
- Object to processing based on legitimate interest.
- Portability — receive your data in a machine-readable format.
- Withdraw consent at any time, where consent was the lawful basis.
- Complain to the Information Commissioner's Office (ICO) at ico.org.uk or 0303 123 1113. We hope you'll contact us first so we can try to resolve the issue.
For data the Operator controls (Vendor account, marketing-site data), email [email protected]. For Customer-account data on a Vendor's Storefront, contact the Vendor first; the contact details are on their Storefront. We will assist on reasonable request.
We respond to verified rights requests within one calendar month (extendable by two further months for complex requests, in which case we will tell you).
11. Children
The Platform is not directed at children under 13. Vendors are responsible for not directing their Storefronts at children under 13 without verifiable parental consent. If we become aware that a Customer account belongs to a child under 13 with no parental consent on file, we will delete it.
12. Changes to this policy
We may update this policy. Material changes will be flagged on the homepage banner and emailed to active Vendors. The "Last updated" date at the top of this page records the most recent revision.
13. Contact us
J J Cunningham, sole trader
25A Fa'side Avenue South, Wallyford, EH21 8AN
Email: [email protected]
For data-protection requests relating to a Customer account on a specific Vendor's Storefront, please contact the Vendor first using the contact details on their Storefront.