Privacy Policy

1. Who We Are

Seal & Shelf is an online store for rare and vintage video games, operated within the European Union. When we refer to “we”, “us”, or “our”, we mean Seal & Shelf. For any privacy-related questions, contact us at info@sealandshelf.com.

2. Information We Collect

2.1 Information you provide

• Account data: name, email address, and password when you create an account.
• Profile data: phone number, shipping address, city, country, and postal code when you update your profile.
• Order data: shipping name, shipping address, and purchase details when you place an order.

2.2 Information collected automatically

• Usage data: pages visited, browser type, device type, and general interaction patterns through Vercel Analytics (privacy-friendly, no cookies).
• Authentication tokens: session tokens managed by Supabase Auth to keep you signed in.

2.3 Information we do NOT collect

• We do not collect or store payment card details. All payment processing is handled entirely by Stripe.
• We do not use tracking cookies or third-party advertising trackers.

3. How We Use Your Information

• Fulfilling orders: processing purchases, arranging shipping, and sending order confirmations.
• Account management: creating and maintaining your account, authenticating your identity, and managing your wishlist.
• Customer support: responding to your inquiries and resolving issues.
• Improving our service: understanding how users interact with our site to improve functionality and user experience.
• Legal compliance: meeting our legal and regulatory obligations.

4. Who We Share Your Information With

We do not sell your personal data. We share information only with the following service providers, strictly for the purposes described:

• Stripe — payment processing. Stripe receives your payment details and shipping address to process transactions. Stripe’s Privacy Policy.
• Supabase — database and authentication hosting. Your account data, profile, and order information is stored in Supabase infrastructure (EU region). Supabase’s Privacy Policy.
• Vercel — website hosting and analytics. Vercel’s Privacy Policy.
• Cloudflare Turnstile — bot protection on login and registration forms. Cloudflare Turnstile’s Privacy Policy.

5. How We Protect Your Information

• All data is transmitted over HTTPS (TLS encryption in transit).
• Passwords are hashed and never stored in plain text (handled by Supabase Auth).
• Database access is protected by Row Level Security (RLS) policies — users can only access their own data.
• Admin operations require authenticated accounts with an explicit admin role.
• Webhook endpoints verify cryptographic signatures to prevent tampering.
• Security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy) are applied to all pages.
• CAPTCHA protection is enforced on all login and registration forms to prevent automated attacks.

6. Data Retention

We retain your account and profile data for as long as your account is active. Order data is retained for the period required by applicable tax and commercial laws. If you delete your account, we will remove your personal data within 30 days, except where retention is required by law.

7. Your Rights (GDPR)

As a user in the European Economic Area, you have the following rights:

• Access — request a copy of the personal data we hold about you.
• Rectification — correct inaccurate data via your account profile or by contacting us.
• Erasure — request deletion of your personal data.
• Restriction — request that we limit how we process your data.
• Portability — receive your data in a structured, machine-readable format.
• Objection — object to processing of your data for specific purposes.

To exercise any of these rights, contact us at info@sealandshelf.com. We will respond within 30 days.

8. Cookies & Local Storage

• Authentication cookies: essential cookies set by Supabase Auth to maintain your login session.
• Local storage: we store your cart contents and language preference in your browser’s local storage. This data never leaves your device.
• Cloudflare Turnstile: may set cookies necessary for bot detection during login.

We do not use any advertising, marketing, or non-essential tracking cookies.

9. Children’s Privacy

Our service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal information, please contact us and we will promptly delete it.

10. Changes to This Policy

We may update this privacy policy from time to time. Any changes will be posted on this page with an updated “Last updated” date. We encourage you to review this policy periodically.

11. Contact Us

If you have any questions about this privacy policy or how we handle your data, please contact us at: info@sealandshelf.com