Clypex Privacy Policy
This Privacy Policy explains how Clypex collects, uses, stores, and protects personal data when providing its platform, website tools, and related services.
It applies to:
- businesses and merchants using Clypex services;
- customers who place orders in stores or environments powered by Clypex;
- visitors interacting with the Clypex website, builder tools, dashboards, or connected services.
If you have questions about this Policy or about how personal data is handled, please contact us at legal@clypex.com.
Controller for Clypex's own business operations:
LLC Clypex
Registration code:
Address: 1075 Brighton Beach Avenue, Brooklyn, NY, 11235
Email: legal@clypex.com
1. Who we are
Throughout this Policy, "Clypex", "we", "us", and "our" refer to the Clypex entity identified above.
2. When this Policy applies
This Policy covers personal data processed in connection with:
- the Clypex platform and store infrastructure;
- website and site-building functionality;
- merchant dashboards and account management;
- order-related operations processed through Clypex-enabled stores;
- analytics, security, support, and technical maintenance;
- optional marketing or email-related tools made available by Clypex.
This Policy does not override the privacy notices of merchants who use Clypex to operate their own stores. Where a merchant independently decides why and how customer data is used, that merchant remains responsible for its own privacy disclosures.
3. Roles and responsibilities
Depending on the context, Clypex may act either as a data processor or as a data controller.
Merchants as controllers
Merchants using Clypex generally determine how buyer and order data is used for selling products, fulfilling orders, handling customer communication, and operating their stores. In those situations, the merchant acts as the data controller.
Clypex as processor
Where Clypex handles personal data solely on behalf of a merchant in order to provide the platform and related services, Clypex acts as a data processor.
Clypex as controller
Clypex acts as an independent data controller for data relating to its own business operations, including:
- merchant account creation and administration;
- subscriptions and billing;
- support requests;
- security monitoring;
- service analytics;
- legal and compliance obligations.
Where required, processing carried out on behalf of merchants is governed by a separate Data Processing Addendum or equivalent contractual terms.
4. Categories of personal data we process
The exact data we process depends on how our services are used. In general, we may process the following categories.
Merchant account data
- full name;
- business name;
- email address;
- billing details;
- VAT or tax identifiers;
- login and authentication data.
We use this information to open and manage accounts, provide access to services, handle billing, and maintain customer relationships.
Buyer and order data
- customer email address;
- order reference details;
- timestamps;
- IP address;
- browser or device information;
- order status and transactional metadata.
This data is used to support checkout, delivery-related workflows, fraud prevention, transaction reliability, and store operations.
Payment-related metadata
- transaction identifiers;
- payment status;
- processor response codes;
- error or failure information.
Clypex does not claim to collect more payment data than is necessary to support platform functionality, reconciliation, or fraud prevention.
Technical logs and analytics
- IP address;
- user agent;
- session or event identifiers;
- operational telemetry;
- performance metrics;
- security and diagnostic logs.
This helps us maintain platform performance, investigate incidents, detect abuse, and improve reliability.
Email or marketing tool data
- sender domain details;
- campaign content;
- recipient email addresses provided by the merchant;
- delivery and engagement statistics.
Sensitive data
Clypex does not intentionally collect special-category personal data or children's data as part of its standard services.
| Data category | Examples | Purpose | Legal basis |
|---|---|---|---|
| Merchant Account | name, email, company, VAT ID | Account creation, authentication, billing | Contract |
| Buyer Order | email, IP, browser UA, order ID, timestamps | Checkout, delivery, anti-fraud | Contract; Legitimate interest |
| Payment Meta | transaction IDs, status, error codes | Platform support and reconciliation | Contract; Legitimate interest |
| Analytics and Logs | IP, user agent, event ID, performance data | Platform reliability and abuse detection | Legitimate interest |
| Marketing Add-on | sender domain, campaign content, recipient emails | Email delivery and analytics | Consent; Contract |
5. Why we process personal data
We process personal data for the following purposes:
- to provide access to the Clypex platform and related services;
- to operate hosted stores, builder tools, and associated infrastructure;
- to authenticate users and manage accounts;
- to support checkout, transactional workflows, and order processing;
- to prevent fraud, abuse, and unauthorized activity;
- to provide support and respond to technical issues;
- to monitor, debug, and improve service stability;
- to manage subscriptions, invoicing, and financial administration;
- to comply with tax, accounting, regulatory, and legal obligations.
6. Legal bases for processing
Where applicable under GDPR or similar laws, Clypex relies on one or more of the following legal bases:
Contract
We process data where necessary to provide services requested by merchants or to support transactions carried out through the platform.
Legitimate interests
We process certain data where necessary for legitimate business interests, including:
- securing the platform;
- preventing misuse and fraud;
- monitoring service health;
- improving product performance;
- maintaining internal records.
Where we rely on legitimate interests, we consider and balance those interests against the rights and freedoms of individuals.
Consent
Where consent is required, such as for optional marketing-related activities or non-essential analytics, we rely on consent and allow it to be withdrawn where applicable.
Legal obligation
We may process and retain data where required to comply with tax, accounting, audit, legal, or regulatory obligations.
7. How data is shared
Clypex does not sell personal data. We may share personal data only where necessary to operate our services, comply with legal duties, or protect our legitimate interests.
Data may be shared with:
- infrastructure and hosting providers;
- payment-related service providers;
- support and monitoring vendors;
- communications or email delivery providers;
- analytics and security providers;
- legal, regulatory, or public authorities where required by law;
- professional advisers, auditors, or insurers where appropriate.
All service providers are expected to operate under contractual confidentiality and data protection obligations.
8. Service providers and subprocessors
Clypex may use carefully selected third-party providers to support service delivery, hosting, monitoring, communications, storage, and security.
Examples of subprocessors or service categories may include:
- cloud hosting and compute providers;
- content delivery and storage providers;
- email delivery services;
- payment and billing partners;
- logging, error monitoring, and performance tools;
- fraud prevention and operational support vendors.
A current subprocessor list may be provided separately by Clypex or made available upon request.
9. International data transfers
Where personal data is transferred outside the European Economic Area or another jurisdiction with applicable transfer restrictions, Clypex uses appropriate safeguards.
These safeguards may include:
- the European Commission's Standard Contractual Clauses;
- adequacy decisions;
- other lawful transfer mechanisms recognized under applicable law.
You may contact us if you want more information about the safeguards used for cross-border transfers.
10. Data retention
We retain personal data only for as long as reasonably necessary for the purposes described in this Policy, unless a longer retention period is required by law.
Retention periods may vary depending on the type of data:
- merchant account data may be retained for the life of the account and for a limited period afterward to meet legal or operational requirements;
- buyer and order data processed on behalf of merchants may be retained according to merchant instructions, deletion workflows, or applicable legal requirements;
- security, error, and performance logs may be stored for a limited operational period;
- backup data may remain temporarily in encrypted archival systems until automatic expiry or rotation.
Where data is no longer required, we delete it, anonymize it, or isolate it in accordance with our retention and backup practices.
11. Security measures
Clypex uses appropriate technical and organizational measures to protect personal data against unauthorized access, disclosure, misuse, loss, or destruction.
Depending on the service context, these measures may include:
- encryption at rest and in transit;
- secure access controls;
- infrastructure segmentation;
- authentication and authorization safeguards;
- rate limiting and abuse prevention controls;
- monitoring, logging, and incident response procedures;
- restricted internal access based on role and necessity.
No system can be guaranteed to be completely secure, but we work continuously to maintain a level of protection appropriate to the risks involved.
12. Cookies and similar technologies
Clypex and merchants using the platform may use cookies or similar technologies for purposes such as:
- session continuity and login functionality;
- basic site performance and reliability;
- load balancing;
- security and fraud prevention;
- analytics, where permitted.
Essential cookies are used to make services function properly and generally cannot be switched off. Non-essential analytics or similar technologies may be used only where the applicable legal basis, including consent where required, has been obtained.
13. Email and campaign functionality
If Clypex provides optional email or campaign tools, merchants are responsible for ensuring that their use of those tools complies with applicable marketing and privacy laws.
Where relevant:
- merchants must have a lawful basis to send communications;
- merchants remain responsible for recipient data they upload or manage;
- Clypex may process sending, delivery, and engagement data to operate and secure the feature.
Where domain verification or sender authentication is required, merchants must complete those steps before using outbound communication features.
14. Rights of individuals
Where applicable under law, individuals may have the right to:
- request access to their personal data;
- request correction of inaccurate data;
- request deletion of data;
- object to certain processing;
- request restriction of processing;
- receive data in a portable format;
- withdraw consent where processing is based on consent;
- lodge a complaint with a supervisory authority.
Buyer requests
If you are a buyer and your data was collected by a merchant using Clypex, the merchant is usually the primary controller for that data. In most cases, you should contact the relevant merchant first regarding your order-related data.
Merchant or direct requests to Clypex
If Clypex is acting as controller for the relevant data, requests may be sent to legal@clypex.com.
We aim to respond within the timeframe required by applicable law.
15. Complaints
If you believe your personal data has been processed unlawfully, you may contact Clypex first so we can review the issue.
You may also lodge a complaint with:
- the supervisory authority in the country where you live;
- the authority where you work; or
- the authority where the alleged infringement took place.
If Clypex is established in the EU, you may also include the details of its lead or local supervisory authority here in a future update if desired.
16. Changes to this Policy
We may update this Privacy Policy from time to time to reflect legal, technical, or business developments.
Where changes are material, we may provide notice through appropriate channels, such as:
- dashboard notifications;
- account notices;
- email updates; or
- publication of the revised version on our website.
The updated version will indicate the new effective date.
17. Contact us
LLC Clypex
1075 Brighton Beach Avenue, Brooklyn, NY, 11235
legal@clypex.com