Privacy Policy

WHO WE ARE {{business_name}} operates this website. Business contact information shown on the site (including phone, email, address, and hours) is configured in our admin settings and displayed on pages such as Contact and the site footer. [Owner confirmation — Business-specific privacy details may be added by the site owner, including legal entity name, principal place of business, and applicable jurisdiction.] INFORMATION WE COLLECT Depending on how you use the site, we may collect the following: ORDER / CHECKOUT INFORMATION When you submit an order through the checkout flow, we collect: • Name (required) • Phone number (required) • City (optional) • Street address (optional) • Order notes (optional) • Cart items — product IDs, optional variant IDs, and quantities (required) Prices and totals are calculated on our servers from our product database. The checkout form does not send prices from your browser for final order processing. Order data is stored in our Cloudflare D1 database (orders, order_items, and related records). If you open WhatsApp after placing an order, we may record a timeline event indicating that WhatsApp was opened, linked to your order number. CONTACT / INQUIRY INFORMATION When you use the Contact form, we collect: • Full name (required) • Phone number (required) • Message (optional) • Inquiry type / service topic (optional) The Contact form on the storefront does not include an email field. Data is stored in our D1 leads table. If you open WhatsApp from a contact submission, we may update lead status and record when WhatsApp was opened. REVIEW SUBMISSIONS When you submit a review, we collect: • Name (required) • City (required) • Rating (required) • Message (required) • Category / service type (required on the storefront) • Photo upload (optional) Reviews are stored in D1 with status pending until approved by an administrator. Optional photos may be stored in Cloudflare R2 under a reviews/ path. The review form on the storefront does not collect phone or email. BROWSER STORAGE ON YOUR DEVICE The site uses browser localStorage (not server storage) for: • Shopping cart contents (perfumes-cart) • Saved favorites (perfumes-favorites) • A pseudonymous analytics visitor identifier used for first-party analytics and optional checkout correlation Cart and favorites are not stored on our servers unless you submit an order or otherwise provide information through a form. FIRST-PARTY ANALYTICS The site may collect first-party usage data sent to /api/analytics/events and stored in D1 (analytics_events). This may include a pseudonymous visitor ID, a hashed IP address, browser user-agent string, page URL/path, locale, product or search context where applicable, and UTM parameters when present in the URL. PUSH NOTIFICATIONS (IF OFFERED) If you opt in to web push notifications, the site may store a push subscription (endpoint and encryption keys), locale, user agent, and device type in D1 (push_subscriptions). WHAT WE DO NOT COLLECT THROUGH THESE FORMS Based on the current storefront implementation: • There is no newsletter or email signup form on the site. • There is no customer account registration or login for shoppers. • The checkout flow does not collect credit or debit card numbers, CVV, or billing card details. • There is no live payment gateway integration in the current codebase. COOKIES AND SIMILAR TECHNOLOGIES Admin area — Access to the private admin dashboard uses an HttpOnly session cookie (auth_session) for authenticated administrators only. Storefront — The public storefront does not set shopping or analytics data via document.cookie in application code. Cart, favorites, and the analytics visitor ID use localStorage in the browser. Third-party scripts (when enabled) — If environment configuration enables them, the site may load Google Analytics 4 (GA4), Meta (Facebook) Pixel, and/or TikTok Pixel. These services may use cookies or similar technologies according to their own policies. They load only when the corresponding public environment ID is configured. Spam prevention — Forms such as checkout, contact, and reviews may use Cloudflare Turnstile when configured. [Owner confirmation — Business-specific privacy details may be added by the site owner, including whether analytics or advertising pixels are enabled in production and whether a consent banner is used.] HOW WE USE INFORMATION We use collected information to: • Process and manage order requests submitted through the site • Respond to contact inquiries and leads • Moderate and publish approved customer reviews • Operate first-party analytics and understand site usage • Help prevent spam and abuse (rate limiting and Turnstile, when enabled) • Send optional web push notifications to users who opt in • Notify internal staff of new orders via configured channels (for example, Telegram when configured) [Owner confirmation — Business-specific privacy details may be added by the site owner, including data retention periods, marketing use, and internal access policies.] WHERE INFORMATION IS STORED • Cloudflare D1 — primary application database (orders, leads, reviews, products, CMS content, analytics events, rate-limit records, push subscriptions, and business settings) • Cloudflare R2 — object storage for images, including optional review uploads and CMS/product assets • Cloudflare Pages — website hosting • Your browser — cart, favorites, and analytics visitor ID in localStorage [Owner confirmation — Business-specific privacy details may be added by the site owner, including data processing agreements and subprocessors.] SHARING WITH THIRD PARTIES The site may interact with or link to: • WhatsApp (wa.me) — order coordination and customer contact after form submission • Google Maps — embedded map or external map link when configured in business settings • Google Reviews — external link when configured • Cloudflare (Turnstile, D1, R2, Pages) — hosting, storage, database, and bot challenge • Google Analytics 4 — optional analytics when configured • Meta Pixel — optional advertising/analytics when configured • TikTok Pixel — optional advertising/analytics when configured • Telegram — optional internal new-order notifications when configured • Web Push (VAPID) — optional browser push notifications when configured When you choose to open WhatsApp, you leave the site and are subject to WhatsApp's terms and privacy practices. [Owner confirmation — Business-specific privacy details may be added by the site owner, including a complete third-party vendor list.] DATA RETENTION AND DELETION Order, lead, and review records are stored in our database and may be viewed, updated, or deleted by authorized administrators through the private admin dashboard. There is no automated self-service delete-my-data tool for storefront visitors in the current codebase. When an administrator deletes a review with an uploaded image, the system may attempt to remove the associated file from R2 storage. [Owner confirmation — Business-specific privacy details may be added by the site owner, including standard retention periods and how to request access or deletion.] SECURITY MEASURES The site implements technical measures including, where applicable: • Server-side validation of orders, prices, and stock • Rate limiting on sensitive API routes (orders, leads, reviews, login, analytics, push) • Cloudflare Turnstile on selected forms when configured • Upload restrictions (file type, size, and allowed storage paths) for review and admin image uploads • Admin API protection and role-based access for the private admin area No method of transmission or storage is completely secure. [Owner confirmation — Business-specific privacy details may be added by the site owner, including incident response procedures.] CHILDREN'S PRIVACY [Owner confirmation — Business-specific privacy details may be added by the site owner regarding collection of information from children.] CHANGES TO THIS POLICY We may update this Privacy Policy from time to time. The last updated date below will be revised when changes are published. [Owner confirmation — Last updated date may be added by the site owner.] CONTACT US For privacy-related questions, contact {{business_name}} at {{email}}, {{phone}}, or via the contact form at {{contact_page}}.