Legal
Privacy Policy
Effective: May 20, 2026 · Last updated: May 20, 2026
Plain English Summary
We collect the information you provide when you create an account or place an order (name, email, shipping address). We use it to operate the platform and fulfill your orders. Payment information is handled by Stripe — we never see or store your credit card number. We do not sell your data. You can access, correct, or delete your data anytime by emailing contact@goldendoko.com. If you live in California, the EU, or another region with specific privacy rights, we honor those rights as described below.
1. Who We Are
GoldenDoko ("we," "us," "our") operates this platform (the "Service") at goldendoko.com and at custom domains owned by independent merchants who use our platform to operate their own online stores. We are an Ohio-based business and the data controller for the personal information described in this Policy.
Contact: contact@goldendoko.com
2. Scope of This Policy
This Policy describes how we collect, use, share, and protect personal information when you:
- Visit goldendoko.com or any of its sub-paths
- Create a customer account
- Place an order
- Visit a merchant's storefront powered by our platform (e.g. a custom domain)
- Contact us by email or through our forms
When you order from an independent merchant operating on our platform, that merchant is the seller of record for your purchase. GoldenDoko provides the software and processes payment through Stripe, but the merchant fulfills your order. See Section 5 for details on our multi-tenant architecture.
3. Information We Collect
Information You Provide Directly
- Account information: name, email, password (stored hashed; never plain text), optional phone, optional business name
- Order information: shipping/billing address, items, notes
- Payment information: processed by Stripe. We receive only order amount, last 4 digits of card, and a tokenized reference. We never see or store full card number, CVV, or expiration date.
- Communications: messages you send via contact form or email
Information Collected Automatically
- Device and browser data: IP address, browser type, OS, device type, referring page
- Usage data: pages visited, time spent, items added to cart, search queries
- Cookie data: see our Cookie Policy
Information We Do NOT Collect
- Government ID numbers
- Social Security numbers
- Race, religion, sexual orientation, health, or biometric data
- Precise geolocation without your explicit consent
4. How We Use Your Information
We use your personal information only for these purposes:
- Process orders and payments
- Send order confirmations and shipping updates
- Provide customer support
- Operate the multi-tenant platform (route customers to merchant pages, attribute signups)
- Improve the platform (usage analytics, bug fixes)
- Send marketing emails (only if you opt in)
- Comply with legal obligations (tax records, fraud prevention)
- Defend our rights in disputes
We do NOT use your data for:
- Selling to data brokers
- Building advertising profiles to sell to advertisers
- Training AI models with your personal data
- Sharing with social media platforms for ad targeting
5. Multi-Tenant Architecture — Important to Understand
GoldenDoko is a software platform (not a marketplace operator) that enables independent merchants to operate their own online stores at their own custom domains while sharing our infrastructure.
When you visit a merchant's storefront:
- The page is rendered by GoldenDoko's servers under the hood
- Your account is a single global account — same email and password across merchant storefronts
- When you order from a merchant, that merchant is the seller of record and handles fulfillment
- Each merchant sees only their own customer data, not your activity with other merchants
- We retain the central customer record for unified login; each merchant's view is scoped to their own customers
This design follows the Shopify model: one technology platform, many independent businesses, no cross-vendor data sharing without your explicit consent.
6. Who We Share Data With
Service Providers (Subprocessors)
| Provider | What they do | Location |
|---|---|---|
| Stripe | Payment processing, fraud detection, merchant payout | United States |
| Supabase | Database, authentication, file storage | United States |
| Cloudflare | Hosting (Workers), CDN, DNS, email routing | Global anycast |
| Resend | Transactional email delivery | United States |
We have data processing arrangements with each subprocessor. We do not authorize them to use your data for their own purposes.
Independent Merchants
When you order from a merchant, we share the order details (your name, shipping address, contact info, ordered items) with that merchant so they can fulfill the order. They are the seller of record and must disclose their own privacy practices to you.
Legal Requirements
We may disclose your information if required by law, court order, or government request. We will notify you of such requests unless legally prohibited.
We Do NOT Sell Your Personal Information
We do not sell, rent, or trade your personal information. We do not engage in "sharing" your personal information for cross-context behavioral advertising as defined under California law.
7. How Long We Keep Data
| Data type | Retention period |
|---|---|
| Account information | Until you delete your account, or 24 months of inactivity |
| Order history | 7 years (US tax / accounting requirement) |
| Payment data | Stripe retains per their policy; we retain order amount + last-4 only |
| Email correspondence | 3 years from last contact |
| Server logs | 90 days |
| Marketing opt-ins | Until you opt out |
8. How We Protect Your Data
Technical safeguards
- TLS/SSL encryption for all data in transit
- Encryption at rest (database, file storage)
- Passwords hashed with industry-standard algorithms (never plaintext)
- Row-Level Security (RLS) policies — merchants see only their own data
- Access logs for administrative actions
Organizational safeguards
- Access to customer data restricted to authorized staff
- Two-factor authentication required for staff accounts
- Incident response process
No system is 100% secure. We cannot guarantee absolute security; by using the Service you acknowledge this inherent risk.
9. Your Rights
To exercise any right, email contact@goldendoko.com with the subject line "Privacy Rights Request". We respond within 30 days (or 45 days under CCPA with notice).
All users
- Access — request a copy of your personal information
- Correct — request correction of inaccurate information
- Delete — request deletion (subject to legal retention requirements)
- Withdraw consent — opt out of marketing emails anytime
California residents (CCPA / CPRA)
- Right to know what personal information we collect, use, share, and sell
- Right to delete (with exceptions)
- Right to correct inaccurate information
- Right to opt out of sale or sharing (we do not sell or share)
- Right to limit use of sensitive personal information (we do not collect sensitive PI)
- Right to non-discrimination for exercising your rights
EU / UK residents (GDPR / UK GDPR)
- All rights listed above
- Right to data portability (machine-readable format)
- Right to lodge a complaint with your local Data Protection Authority
- Right to object to processing based on legitimate interest
10. Data Breach Notification
If we discover a security incident that may affect your personal information, we will:
- Investigate and contain the incident
- Notify affected users without unreasonable delay (within 30 days of discovery, or sooner if required by law)
- Notify applicable regulators per applicable law
- Describe what happened, what data was involved, and what you can do
11. Children's Privacy
GoldenDoko is not directed to children under 13 (or under 16 in some EU jurisdictions). We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, contact us immediately and we will delete it.
12. International Users
GoldenDoko is operated from the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States.
For users in the EU, UK, or other jurisdictions with data transfer restrictions, transfers occur under appropriate safeguards including the EU Standard Contractual Clauses or equivalent mechanisms with our subprocessors.
13. Cookies
We use cookies for essential functions (login, cart, checkout) and limited analytics. We do NOT use cookies for cross-context behavioral advertising. See our Cookie Policy for full details.
14. Do Not Track Signals
Some browsers send a "Do Not Track" (DNT) signal. We currently do not respond to DNT because there is no industry-standard interpretation. We do honor the Global Privacy Control (GPC) signal where applicable under state law.
15. Third-Party Links
The Service may contain links to third-party websites (e.g., merchant social media). We are not responsible for their privacy practices. Review their policies before providing information.
16. Changes to This Policy
We may update this Policy from time to time. When we make material changes:
- We post the updated Policy on this page with a new "Last Updated" date
- For significant changes affecting your rights, we notify you by email at least 14 days before they take effect
- For non-material changes (typos, clarifications), we may update without notice
Continued use of the Service after the effective date of the updated Policy constitutes acceptance.
17. Contact Us
For any privacy-related questions, requests, or complaints:
- Email: contact@goldendoko.com
- Subject line for rights requests: "Privacy Rights Request"
We aim to respond within 5 business days for general inquiries and within the time required by law for formal rights requests.