
Privacy Policy

Overview

The goal with creating Stoutner’s merch store was, as much as currently possible, to create a store that aligned with Privacy Browser’s principles, which are that online activity should require the least amount of information from the user. What we have implemented is not perfect, but it is as close as we can currently get with a reasonable implementation cost. Going any further would probably require writing our own software (something we might do at some point in the future), handling the production and fulfillment of the merchandise ourselves (time consuming and distracting from the core mission of producing software that changes the expectation of how security and privacy on the internet should work) and becoming our own credit card and other financial instrument processor (unlikely to ever happen).

Self-Hosted Components

The first part of the design process was to host all the code possible on our own hardware. The website is running WordPress. E-commerce is handled by the WooCommerce plugin. Credit card or other financial instrument processing is handled by the WooCommerce Payments plugin and the WooCommerce PayPal Payments plugin. Tax calculations are handled by the WooCommerce Shipping & Tax plugin. The WooCommerce Shipping & Tax plugin requires the installation of the Jetpack plugin for no good reason. The Printful Integration for WooCommerce plugin is used to integrate with Printful, which handles the actual manufacture and fulfillment of the products sold on the merch store.

The WooCommerce WordPress instance is separate from the WordPress instance that runs the rest of www.stoutner.com, although they are both hosted on the same hardware. This is why it uses the separate subdomain of woocommerce.stoutner.com. This separation allows the above plugins to be enabled for the merch store without having them enabled for the main website, which does not use any plugins.

Third-Party Services

Even though the above plugins are all hosted on hardware that Stoutner controls, some of them communicate with third-party services. WordPress, WooCommerce, and Jetpack are all owned by Automattic, a company that creates open-source or semi-open-source solutions, but who always seems to want to be stealing your data, which is why at some point in the future I would like to replace their code with something better. As explained in the overview, unless Stoutner becomes a clothing manufacturer and an international bank, some partnership with third-party services is required to process financial payments and handle production and fulfillment. As much as possible, all data-sharing options have been turned off. Specifically, WordPress has been set to not use Gravatar avatars (Gravatar is also owned by Automattic). WooCommerce Payments is set to not allow users to save credit cards. Customers can check out as a guest without creating an account if desired. WooCommerce is set to allow removal of personal data on request. In addition, all data related to inactive accounts, pending orders, failed orders, cancelled orders, and completed orders are purged from WooCommerce after two years (information on completed orders continues to be retained by Printful beyond that period). WooCommerce tracking (analytics) is disabled.

Third-Party Privacy Policies

Additional information can be found in the privacy policies for the individual plugins and services: Automattic, WooCommerce, Jetpack, and Printful. The following text was suggested by these services for the privacy policy. As such, it is likely to represent how their systems work on the back end, so I have included it below. I would really like to get rid of Jetpack, as their privacy policy includes the promise to sync data to them even if modules are not activated, but it is required to calculate tax rates, which isn’t a feature the site can function without.

WordPress Policies

Cookies

If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.

If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

Who we share your data with

If you request a password reset, your IP address will be included in the reset email.

How long we retain your data

If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.

For users that register on our website, we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

What rights you have over your data

If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

WooCommerce Policies

We collect information about you during the checkout process on our store.

What we collect and store

While you visit our site, we’ll track:

  • Products you’ve viewed: we’ll use this to, for example, show you products you’ve recently viewed
  • Location, IP address and browser type: we’ll use this for purposes like estimating taxes and shipping
  • Shipping address: we’ll ask you to enter this so we can, for instance, estimate shipping before you place an order, and send you the order!

We’ll also use cookies to keep track of cart contents while you’re browsing our site.

When you purchase from us, we’ll ask you to provide information including your name, billing address, shipping address, email address, phone number, credit card/payment details and optional account information like username and password. We’ll use this information for purposes such as to:

  • Send you information about your account and order
  • Respond to your requests, including refunds and complaints
  • Process payments and prevent fraud
  • Set up your account for our store
  • Comply with any legal obligations we have, such as calculating taxes
  • Improve our store offerings

If you create an account, we will store your name, address, email and phone number, which will be used to populate the checkout for future orders.

We generally store information about you for as long as we need the information for the purposes for which we collect and use it, and we are not legally required to continue to keep it. For example, we will store order information for 2 years for tax and accounting purposes. This includes your name, email address and billing and shipping addresses.

We will also store comments or reviews, if you choose to leave them.

Who on our team has access

Members of our team have access to the information you provide us. For example, both Administrators and Shop Managers can access:

  • Order information like what was purchased, when it was purchased and where it should be sent, and
  • Customer information like your name, email address, and billing and shipping information.

Our team members have access to this information to help fulfill orders, process refunds and support you.

What we share with others

We share information with Printful, who handles production and fulfillment of merchandise.

Payments

We accept payments through WooCommerce PayPal Payments, which can process payments through PayPal, Venmo, and various credit card companies. When processing payments, some of your data will be passed to the payment system you selected at checkout, including such information as the purchase total and billing information.

WooCommerce Shipping & Tax

Data Used: For payments with PayPal: purchase total, currency, billing information. For taxes: the value of goods in the cart, value of shipping, destination address. For checkout rates: destination address, purchased product IDs, dimensions, weight, and quantities. For shipping labels: customer’s name, address as well as the dimensions, weight, and quantities of purchased products.

Data Synced: For payments, we send the purchase total, currency and customer’s billing information to the respective payment processor. Please see PayPal’s Privacy Policy for more details. For automated taxes we send the value of goods in the cart, the value of shipping, and the destination address to TaxJar. Please see TaxJar’s Privacy Policy for details about how they handle this information. For checkout rates we send the destination ZIP/postal code and purchased product dimensions, weight and quantities to the carrier directly or via EasyPost, depending on the service used. For shipping labels we send the customer’s name, address as well as the dimensions, weight, and quantities of purchased products to EasyPost. We also store the purchased shipping labels on our server to make it easy to reprint them and handle support requests.

Jetpack Brute Force Attack Protection

Data Used: In order to check login activity and potentially block fraudulent attempts, the following information is used: attempting user’s IP address, attempting user’s email address/username (i.e. according to the value they were attempting to use during the login process), and all IP-related HTTP headers attached to the attempting user.

Activity Tracked: Failed login attempts (these include IP address and user agent). We also set a cookie (jpp_math_pass) for 1 day to remember if/when a user has successfully completed a math captcha to prove that they’re a real human. Learn more about this cookie.

Data Synced: Failed login attempts, which contain the user’s IP address, attempted username or email address, and user agent information.