PRIVACY POLICY
Effective Date: January 2025
Version: 1.0
DATA PROTECTION COMPLIANCE STATEMENT
MikeyResells.com operates in full compliance with comprehensive data protection regulations including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Shopify's Privacy Requirements, Shopify's Data Processing Agreement, Payment Card Industry Data Security Standards (PCI DSS), and all applicable international privacy frameworks. Our commitment to data protection is fundamental to our business operations and customer trust.
SHOPIFY PLATFORM INTEGRATION
As a Shopify merchant, we utilize Shopify's secure infrastructure for all e-commerce operations. Shopify processes payments on our behalf, manages customer data with bank-level security, and ensures PCI compliance throughout the transaction process. This integration allows us to leverage enterprise-grade security while focusing on delivering quality digital products to our customers.
INFORMATION COLLECTION PRACTICES
Essential Information We Collect
Our data collection practices are limited to information essential for legal compliance and service delivery. For legal and tax compliance purposes, we collect your full legal name as required for transaction records and tax reporting, your email address which serves as the primary delivery method for digital products, and your billing address which is required for payment processing and accurate tax calculation.
We also collect IP addresses for fraud prevention and geographic compliance verification, maintain transaction records as legally required for 7-year retention periods, and collect tax identification numbers where required by law, such as for EU VAT compliance. This information is collected solely to meet our legal obligations and ensure proper service delivery.
For service delivery purposes, we collect order information including products purchased, amounts, and dates to maintain accurate records. We track download history through access logs for security and support purposes, store account credentials using encrypted passwords and security questions, and maintain communication history including support tickets and correspondence to provide quality customer service.
Additionally, we collect payment tokens for secure payment method identification and device information to provide technical support and ensure compatibility. All information collected serves specific, legitimate purposes and is protected using industry-standard security measures.
Information We Explicitly Do NOT Collect
We maintain strict limitations on data collection and explicitly do not collect sensitive personal information unless legally mandated. We do not collect Social Security numbers (except where absolutely required by law), government identification documents, biometric data of any kind, health or medical information, political affiliations or beliefs, sexual orientation or practices, genetic information, or information from children under 18 years of age. This limitation ensures we maintain only the minimum data necessary to operate our business effectively.
Automatic Collection Technologies
Our website uses various automatic collection technologies to ensure functionality and improve user experience. Essential cookies that cannot be disabled include session management cookies required for cart functionality, security tokens for CSRF protection and authentication, load balancing cookies for service availability, and fraud prevention mechanisms including device fingerprinting.
Analytics cookies, which can be disabled by users, include Google Analytics for anonymized usage pattern analysis, Shopify Analytics for e-commerce metrics, performance monitoring for site optimization, and A/B testing to improve our services. Users maintain control over non-essential cookie usage through their browser settings.
Third-Party Data Processing
We work with carefully selected third-party processors to deliver our services securely and efficiently. Our primary processor is Shopify Inc., which serves as our e-commerce platform, processing all transaction and account data from their secure facilities in Canada and the USA. Shopify maintains SOC 2 and PCI DSS Level 1 compliance and operates under a comprehensive Data Processing Agreement.
Payment processing is handled through Shopify's integrated payment partners, who process payment information in tokenized format to maintain security. These processors operate from various locations depending on your region but all maintain PCI DSS Level 1 compliance. Our email service provider handles digital product delivery, processing only email addresses, names, and purchase history from US-based servers while maintaining full GDPR and CCPA compliance.
DATA USE AND PURPOSE LIMITATION
Primary Purposes
We use collected data for specific primary purposes under the legal basis of contract fulfillment. These purposes include order fulfillment for delivering digital products, customer support for resolving technical issues, account management for maintaining user access, legal compliance for tax reporting and record keeping, security measures for fraud prevention and authentication, and meeting Shopify platform requirements for maintaining store compliance. Each use is directly related to providing our services or meeting legal obligations.
Secondary Purposes
Under the legal basis of legitimate interest, we process data for secondary purposes including service improvement through anonymous analytics, bug fixes for technical error resolution, feature development based on usage patterns, fraud prevention through pattern analysis, and business operations including financial reporting. These activities help us maintain and improve our services while protecting both our business and our customers.
Marketing Communications
Marketing communications are processed only with explicit consent. These include product updates about new releases, educational content with business tips, special offers and discounts, and surveys for service feedback. All marketing communications are opt-in, and users can withdraw consent at any time through clear unsubscribe mechanisms in every communication.
DATA SECURITY MEASURES
Technical Safeguards
We implement comprehensive technical safeguards to protect your data. All data is encrypted using AES-256 encryption at rest and TLS 1.3 encryption in transit. We maintain role-based access controls operating on the principle of least privilege, with 24/7 security operations center monitoring. Monthly vulnerability scanning ensures our systems remain secure, with a 4-hour incident response time for any security events. Data backups are encrypted and geographically distributed to ensure availability and recovery capability. We leverage Shopify's enterprise security infrastructure to provide bank-level protection for all customer data.
Organizational Safeguards
Our organizational safeguards ensure human factors in security are properly addressed. All employees undergo annual security training, with quarterly access reviews ensuring appropriate permissions. We conduct security assessments of all vendors through comprehensive questionnaires and maintain data classification by sensitivity levels. Retention policies are automatically enforced, and breach procedures ensure notification within 72 hours of any incident discovery.
Compliance Certifications
We maintain compliance with industry standards including PCI DSS Level 1 through Shopify's infrastructure, with SOC 2 Type II certification pending and ISO 27001 planned for the future. Our GDPR and CCPA compliance has been verified through comprehensive audits, ensuring we meet the highest standards for data protection.
YOUR PRIVACY RIGHTS
Universal Rights
All users enjoy fundamental privacy rights regardless of location. You have the right to access and download all your data, rectify any inaccuracies in your information, request deletion of non-essential data, export your data in standard portable formats, restrict or limit certain processing activities, and object to or opt out of specific uses of your data. These rights form the foundation of our privacy program.
GDPR Rights for EU/UK Residents
Residents of the European Union and United Kingdom enjoy additional rights under GDPR including the ability to withdraw consent at any time, object to automated decision-making processes, lodge complaints with supervisory authorities, seek compensation for damages resulting from violations, designate a representative to act on their behalf, and request data protection impact assessments for high-risk processing activities.
CCPA Rights for California Residents
California residents have specific rights under CCPA including the right to know what personal information is collected, know if personal information is sold or disclosed to third parties, opt out of any personal information sales, enjoy non-discrimination for exercising privacy rights, designate authorized agents to make requests on their behalf, and pursue a private right of action for certain data breaches.
Exercise Your Rights
To exercise any of your privacy rights, use our dedicated Privacy Rights Portal where you can submit requests easily. Verify your identity using your email address and order number, specify which rights you wish to exercise, and receive confirmation within 72 hours of submission. We commit to completing all valid requests within 30 days, with an appeals process available if you disagree with our initial response.
DATA RETENTION SCHEDULES
Mandatory Retention
Certain data must be retained for legal compliance including financial records retained for 7 years to meet tax law requirements, transaction data retained for 7 years for accounting purposes, legal documents retained for 10 years for potential litigation, security logs retained for 5 years for compliance requirements, and fraud records retained permanently for prevention purposes. These retention periods are non-negotiable legal requirements.
Standard Retention
For non-mandatory data, we maintain account data for the active period plus 3 years, support tickets for 2 years from resolution, marketing data until opt-out plus 6 months for suppression, analytics data for 26 months per platform standards, and temporary files for 30 days before automatic deletion. These periods balance business needs with privacy principles.
Deletion Procedures
Our deletion procedures ensure data is truly removed when no longer needed. We use automated deletion upon retention period expiration, secure overwriting with 3 passes for permanent removal, backup purging on a 90-day cycle to ensure deleted data doesn't persist, confirmation logging for audit purposes, and provide certificates of destruction when requested for regulatory compliance.
INTERNATIONAL DATA TRANSFERS
Transfer Mechanisms
We transfer data internationally using approved mechanisms including Standard Contractual Clauses approved by the EU, adequacy decisions where applicable between jurisdictions, explicit consent for specific transfers when required, and planned implementation of binding corporate rules. We also leverage Shopify's international infrastructure which maintains appropriate safeguards for global data transfers.
Data Locations
Our data is primarily stored in the United States with backups maintained in Canada and the European Union for redundancy. Content delivery networks distribute static content globally for performance, while support operations are conducted from the United States and Canada. Shopify maintains servers in multiple global locations to ensure optimal performance and compliance.
CHILDREN'S PRIVACY PROTECTION
Our services are strictly limited to users 18 years and older. We do not knowingly collect information from minors and have implemented age verification measures to prevent underage access. If we discover data from anyone under 18, we immediately cease all processing of that data, attempt to notify parents or guardians, delete all collected data within 48 hours, terminate the account permanently, consider refund requests on a case-by-case basis, and document the incident for compliance purposes.
DATA BREACH NOTIFICATION
Our Commitment
In the unlikely event of a personal data breach, we commit to notifying affected users within 72 hours of discovery, providing regulatory notifications as required by law, communicating the nature of the breach and likely consequences, offering mitigation measures and support including dedicated hotline access and identity monitoring where applicable, and providing full incident reports for transparency.
Your Protection
We protect your data through regular security audits, comprehensive cyber insurance coverage, a dedicated incident response team, partnerships with external security experts, continuous monitoring of our systems, and proactive threat hunting to identify potential issues before they become incidents.
PRIVACY POLICY UPDATES
We may update this policy periodically to reflect changes in law or our practices. When material changes occur, we provide email notification to all users, give 30 days' notice before changes take effect, maintain archived versions for reference, provide redline documents showing specific changes, offer opt-out periods for users who disagree with changes, and grandfather existing users where applicable to minimize disruption.
CONTACT INFORMATION
For privacy-related matters, our Data Protection Officer can be reached at privacy@mikeyresells.com with a committed response time of 48 hours. Privacy rights requests can be submitted through our dedicated portal or via email to rights@mikeyresells.com. For regulatory matters, EU residents should contact their local Data Protection Authority, UK residents should contact the Information Commissioner's Office, and California residents should contact the California Privacy Protection Agency.