Privacy Policy

Effective Date: March 24, 2026  |  Last Revised: March 24, 2026

1. Introduction

Caravaan.shop ("Platform," "Company," "we," "our," or "us") is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, store, share, and safeguard your data when you access or use our marketplace platform, create an account, make a purchase, or list products for sale.

By using the Platform, you consent to the data practices described in this policy. If you do not agree, please discontinue use of the Platform immediately. This policy should be read in conjunction with our Terms of Service.

2. Information We Collect

We collect and process the following categories of personal data:

2.1 Information You Provide Directly

  • Account registration: Full name, email address, and password.
  • Seller profile: Store name, business description, location (country, city), WhatsApp number, Instagram handle, hero images, signature images, craft specialisation, and years of experience.
  • Product listings: Product titles, descriptions, images, pricing, sizes, colours, materials, origin, stock quantities, and category selections.
  • Checkout and shipping: Full name, shipping address (street, city, state, postal code, country), and email address.
  • Communications: Messages exchanged between Buyers and Sellers through our in-platform messaging system.
  • Reviews: Star ratings and written comments submitted on purchased products.

2.2 Information Collected Automatically

  • Usage data: Pages visited, search queries, product interactions, and browsing patterns collected via Vercel Analytics and Speed Insights.
  • Device information: Browser type, operating system, screen resolution, and device identifiers.
  • Network data: IP address, approximate geographic location, and referring URLs.

2.3 Information from Third Parties

  • Stripe: Payment confirmation status, transaction identifiers, and payout details. We never receive or store your full card number, CVV, or banking credentials.

3. How We Use Your Information

We process your personal data for the following purposes:

  • Account management: To create, authenticate, and maintain your account, including password resets and security notifications.
  • Order processing: To facilitate purchases, calculate platform fees, process payments through Stripe, and create order records.
  • Transactional communications: To send order confirmations, shipping notifications with tracking information, and new order alerts to Sellers via email (powered by Resend).
  • Authentication emails: To send email verification, password reset, and security alert emails via Supabase Auth (delivered through our custom SMTP configuration).
  • Seller verification: To review and verify Seller stores prior to making product listings publicly visible, and to maintain verification status records.
  • Content moderation: To record Seller content responsibility acknowledgements (including timestamps) and to monitor compliance with our content policies.
  • Shipping and delivery: To share shipping addresses with Sellers for order fulfilment, and to store tracking numbers and carrier information for shipment tracking.
  • Inventory management: To track product stock quantities and automatically update product availability status.
  • Platform improvement: To analyse usage patterns, identify technical issues, and improve the user experience.
  • Legal compliance: To comply with applicable laws, regulations, and legal processes, and to enforce our Terms of Service.
  • Fraud prevention: To detect, investigate, and prevent fraudulent transactions, abuse, and security incidents, including via rate limiting on API endpoints.

4. Data Sharing and Third-Party Processors

We do not sell, rent, or trade your personal information to third parties for marketing purposes. We share data only with the following categories of recipients, solely to the extent necessary to operate the Platform:

  • Stripe, Inc.: Payment processing, Seller payouts via Stripe Connect, and checkout session management. Stripe operates as an independent data controller for payment data. See Stripe's Privacy Policy.
  • Supabase, Inc.: Database hosting, user authentication, file storage (product images), and real-time messaging infrastructure. See Supabase's Privacy Policy.
  • Vercel, Inc.: Website hosting, deployment, analytics, and performance monitoring. See Vercel's Privacy Policy.
  • Resend, Inc.: Transactional email delivery (order confirmations, shipping updates, new order alerts to Sellers). See Resend's Privacy Policy.
  • Sellers: When you place an order, the relevant Seller receives your shipping name, shipping address, email address, and order details necessary to fulfil your purchase.
  • Buyers: Buyers may see the Seller's store name, location, and public profile information. Buyers receive tracking numbers and carrier details when a Seller ships their order.
  • Law enforcement: We may disclose personal data if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of Caravaan.shop, our Users, or others.

5. Cookies and Local Storage

We use essential cookies and browser local storage for the following purposes:

  • Authentication: Session cookies managed by Supabase Auth to keep you signed in.
  • Theme preference: Your light/dark mode preference stored in local storage.
  • Shopping cart: Cart contents stored in local storage for persistence across sessions.
  • Wishlist: Saved wishlist items stored in local storage.

We do not use advertising cookies, third-party tracking cookies, or behavioural profiling technologies. Vercel Analytics collects anonymised, aggregate performance data without using cookies.

6. Data Retention

  • Account data: Retained for as long as your account remains active. Upon account deletion, personal data is removed within 30 days, except as required by law.
  • Order and transaction records: Retained for a minimum of seven (7) years for legal, tax, and accounting compliance.
  • Seller content acknowledgements: Retained indefinitely as part of the compliance record for each product listing.
  • Shipping and tracking data: Retained alongside the associated order record.
  • Communications: In-platform messages are retained for as long as both accounts are active.
  • Analytics data: Aggregated and anonymised analytics data may be retained indefinitely.

You may request deletion of your account and personal data at any time by contacting us at support@caravaan.shop.

7. Data Security

We implement industry-standard technical and organisational measures to protect your personal data, including:

  • Encrypted connections (TLS/HTTPS) for all data in transit.
  • Secure authentication via Supabase with leaked password protection enabled.
  • Row Level Security (RLS) policies on all database tables to prevent unauthorised data access.
  • HTTP security headers achieving a Grade A rating (including CSP, HSTS, X-Frame-Options).
  • Rate limiting on sensitive API endpoints (checkout, webhooks) to prevent abuse.
  • Stripe webhook signature verification to ensure payment data integrity.
  • PCI-DSS Level 1 compliant payment processing via Stripe — we never store card details.
  • Admin route protection via middleware and database-level access controls.

While we strive to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

8.1 European Economic Area (GDPR)

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate or incomplete data.
  • Right to erasure: Request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements.
  • Right to restrict processing: Request that we limit how we use your data.
  • Right to data portability: Receive your data in a structured, machine-readable format.
  • Right to object: Object to processing based on legitimate interests.
  • Right to lodge a complaint: File a complaint with your local data protection authority.

8.2 California (CCPA/CPRA)

  • Right to know: Request disclosure of the categories and specific pieces of personal information collected.
  • Right to delete: Request deletion of personal information, subject to exceptions.
  • Right to opt out: We do not sell personal information; therefore, no opt-out mechanism is required.
  • Right to non-discrimination: You will not receive different service quality for exercising your privacy rights.

To exercise any of these rights, contact us at support@caravaan.shop. We will respond to verified requests within thirty (30) days.

9. International Data Transfers

Your data may be processed and stored in countries outside your country of residence, including the United States, where our service providers (Supabase, Vercel, Stripe, Resend) maintain infrastructure. By using the Platform, you consent to the transfer of your data to these jurisdictions. We ensure that appropriate safeguards are in place to protect your data in accordance with applicable data protection laws.

10. Children's Privacy

The Platform is not directed at, and we do not knowingly collect personal information from, individuals under the age of sixteen (16). If we become aware that a child under 16 has provided us with personal data, we will take steps to delete such information promptly. If you believe a child has submitted personal data to us, please contact us immediately at support@caravaan.shop.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or Platform features. Material changes will be communicated by posting the revised policy on this page with an updated "Last Revised" date. Where required by law, we will provide additional notice via email. Your continued use of the Platform following the posting of changes constitutes your acceptance of the revised policy.

12. Contact Us

For any privacy-related questions, concerns, data access requests, or complaints, please contact us at:

Caravaan.shop
General inquiries: info@caravaan.shop
Support: support@caravaan.shop
Seller support: sellers@caravaan.shop