1. Controller & processor roles
For information about our own merchants’ accounts, Kastomise is the data controller. For personal data belonging to a merchant’s shoppers that flows through the widget — such as uploaded images and personalisation text — the merchant is the controller and Kastomise acts as a data processor on the merchant’s behalf. Shoppers with questions about that data should contact the store they are buying from.
2. Information we collect
From merchants:
- account and authentication details (name, email, password hash);
- store details and team-member emails and roles;
- connected-platform credentials (for example, Shopify API access tokens);
- brand assets you upload, such as fonts and 3D models;
- billing information — payment card details are collected and stored by our payment processor, Stripe, not by Kastomise;
- product configurations and usage/diagnostic data about how you use the dashboard.
From shoppers (via a merchant’s store):
- images uploaded to personalise a product;
- personalisation text and design selections;
- order references and the resulting design and print files;
- basic technical data needed to render the widget (for example, device and browser information).
We do not intentionally collect payment card numbers or sensitive categories of personal data through the widget. Shoppers should avoid uploading such information.
3. How we use information
- to provide, operate, and secure the Service;
- to render live previews and generate print-ready files when an order is paid;
- to process subscriptions, billing, and account management;
- to provide support and communicate service-related notices;
- to monitor, debug, and improve performance, reliability, and features;
- to comply with legal obligations and enforce our terms.
4. Sub-processors & sharing
We share data with trusted service providers who process it on our behalf under contractual safeguards:
- Stripe — subscription billing and payment processing;
- Supabase — database, authentication, and backend functions;
- Amazon Web Services (S3 & Lambda) — file uploads, storage, and print rendering;
- Shopify — cart integration and order webhooks for connected stores.
We do not sell personal data. We may disclose information if required by law, to protect our rights, or in connection with a merger, acquisition, or sale of assets (in which case we will provide notice).
5. Design files & retention
Design files are stored in cloud storage. Files associated with an in-progress customisation are held temporarily and are promoted to longer-term storage once the related order is paid. We retain information for as long as needed to provide the Service, meet legal and accounting obligations, and resolve disputes. Merchants can request deletion of their account data as described below; shopper-data deletion requests should be directed to the relevant merchant, and we will assist merchants in fulfilling them.
6. International transfers
Our providers may process data in countries other than yours. Where data is transferred internationally, we rely on appropriate safeguards (such as standard contractual clauses) as required by applicable law.
7. Security
We use industry-standard measures to protect information, including encryption in transit, access controls, and reputable infrastructure providers. No method of transmission or storage is completely secure, so we cannot guarantee absolute security. Merchants are responsible for protecting their account credentials and connected-platform tokens.
8. Your rights
Depending on your location, you may have rights to access, correct, delete, or export your personal data, to object to or restrict certain processing, and to withdraw consent. Merchants can exercise these rights, or ask us to act on a shopper’s behalf as a processor, by contacting us at the address below. We will respond within the timeframes required by applicable law.
9. Cookies & tracking
The Kastomise dashboard uses essential cookies and local storage to keep you signed in and remember preferences. The embedded widget uses only the storage necessary to function within the merchant’s store. Any analytics we use are limited to operating and improving the Service.
10. Children
The Service is not directed to children, and we do not knowingly collect personal data from children. Merchants are responsible for ensuring their own compliance with laws relating to minors.
11. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email or an in-dashboard notice, and the “last updated” date above will change. Continued use of the Service after an update means you accept the revised policy.
12. Contact
For privacy questions or to exercise your rights, contact us at hello@kastomise.com. See also our Terms & Conditions.