Privacy policy
Last updated May 22, 2026
What we collect and why
When you place an order
- Email address — to send order confirmations, proof notifications, and link your order to your account.
- Name and shipping address — so we can ship your stickers to you.
- Phone number (if you provide it at checkout) — used only for delivery exceptions by our shipping carrier.
- Artwork files you upload — used to produce your stickers. We do not use your artwork for any other purpose, ever.
- Order details — what you ordered, when, for how much, and proof revisions.
When you sign in
- Email address only. We use magic-link authentication — no passwords, no social logins.
- A session cookie that keeps you signed in. Strictly necessary; no tracking.
What we don't collect
- No advertising or analytics pixels. No Google Analytics, no Meta Pixel, no TikTok, no third-party ad cookies.
- No payment card numbers — payment is processed by Shopify on Shopify-hosted pages. We never see your card.
- No browsing data outside what's strictly needed to deliver the page you requested.
How long we keep it
| Data | Retention |
|---|---|
| Order records (line items, totals, shipping address) | 7 years from order date — required for US tax and accounting |
| Artwork files | 90 days after order ships, then permanently deleted from our storage |
| Proof files and revisions | 90 days after final approval or rejection |
| Customer accounts | Until you request deletion (or 5 years of inactivity) |
| Admin audit logs | 2 years |
| Email server logs | 90 days, retained by our email provider |
Who we share it with
We share only what each provider needs to do their job. We do not sell or rent customer data. Ever.
- Shopify — processes your payment and stores your order details. Their privacy policy.
- Cloudflare R2 — stores your uploaded artwork and proof files. Files are encrypted at rest (AES-256). Their privacy policy.
- Railway — hosts our application and database. Database is encrypted at rest and in transit. Their privacy policy.
- Our email provider — delivers transactional email (proof notifications, order confirmations). No marketing email is sent without your explicit opt-in.
- Shipping carriers (USPS, UPS, FedEx) — receive your name + address to deliver your order.
Your rights
You can, at any time:
- Access your data — sign in at /account to see all orders and artwork we hold.
- Correct your data — email us with corrections.
- Delete your account — email us with the subject "Delete my account." We will delete your account and all artwork within 30 days. Order records may be retained as required by tax law.
- Export your data — email us to receive a JSON dump of everything we hold.
- Opt out of email — unsubscribe links on every email; transactional notifications can be turned off by deleting your account.
Email hello@yourdomain.com for any of the above.
Security
- All data in transit is encrypted (TLS 1.2+).
- All data at rest is encrypted (managed Postgres encryption, R2 AES-256).
- Admin access to customer data is restricted to authorized staff and logged in an audit trail.
- Magic-link authentication — no passwords stored, no reuse risk.
- We follow a written incident response policy. If we discover a breach affecting your data, you will be notified within 72 hours.
Children
This service is not intended for children under 13. We do not knowingly collect data from children. If you believe we have, email us and we will delete it.
Changes to this policy
We may update this policy as the service evolves. The "Last updated" date at the top will change when we do. Material changes (new data collected, new sharing) will trigger an email to active customers.
Jurisdiction
StickerSelect is based in Hazel Park, Michigan, United States. Customer data is stored in US data centers operated by Railway and Cloudflare.
Contact
Questions about this policy or your data? Email hello@yourdomain.com.