Skip to content

Legal

Privacy Policy

Last updated: May 2026

Information we collect

When you create an account, we collect your email address and optionally your name and profile photo. If you sign in via Google or Apple, we receive your name and email address from those providers; no passwords are stored on our side for social logins.

When you make a purchase, payment is handled entirely by Stripe. We store a reference to your Stripe payment intent and the order amount, but never your card details.

Sellers who connect a Stripe account share their Stripe account ID with us to facilitate payouts. Seller profiles may also include a bio, website, and social links that you choose to provide.

How we use your data

We use your email to send purchase confirmations, sale notifications, download links, and responses to refund requests. We do not sell your data to third parties or use it for advertising.

If you submit a refund request, we store the reason and any details you provide in order to review and process your request.

Download links and tokens

Download links are time-limited (24 hours) and cryptographically signed. Links generated via the “Copy link” feature are single-use: they expire permanently after being opened once. We log when a download link is first accessed so that this single-use policy can be enforced.

File storage

Design system files uploaded by sellers are stored securely on Cloudflare R2. Files are not publicly accessible; all access requires a valid, time-limited signed URL.

Rate limiting

To protect against brute-force attacks, we store your IP address temporarily when you attempt to log in. This data is used solely for rate limiting and is automatically purged after the rate-limit window expires.

Third-party services

  • Stripe — payment processing and seller payouts. Stripe Privacy Policy.
  • Cloudflare R2 — secure file storage for seller uploads.
  • Resend — transactional email delivery.
  • Vercel — hosting and infrastructure. Vercel Analytics collects anonymous page-view data with no personal identifiers.
  • Sentry — error monitoring. Sentry may capture stack traces and request metadata when errors occur. No personally identifiable information is intentionally sent to Sentry.
  • Google / Apple — optional sign-in providers. Using these services is subject to their respective privacy policies.

Data retention

We retain your account data for as long as your account is active. Purchase records, refund requests, and order history are kept for legal and tax compliance purposes even after account deletion. You may request deletion of your account and personal data by contacting us.

Your rights

Depending on your jurisdiction, you may have the right to access, correct, or delete the personal data we hold about you. To exercise any of these rights, contact us at the address below.

Contact

For privacy-related questions, please contact us at contact@didot.design.