Privacy Policy

// GDPR Compliant | // UK Data Protection Act 2018 | // Your Data = Your Control

1. Introduction

At Undefined Threads, we treat your data like production code: with respect, security, and careful version control. This policy explains how we collect(), process(), and store() your information.

2. Data We Collect

Data Type         Purpose                            Retention
----------------  ---------------------------------  -------------------------------------
Email Address     Order confirmations, updates       Until account deletion
Shipping Address  Order delivery                     2 years (legal requirement)
Payment Info      Processing payments (via Stripe)   We don't store it (Stripe handles it)
Order History     Customer service, returns          7 years (tax purposes)
Cookies           Cart persistence, analytics        Session or 30 days

3. How We Use Your Data

// Every use of customer data must match one of the listed purposes;
// anything else is refused before the data is touched.
function useCustomerData(data, purpose) {
  const purposes = [
    "Process your orders",
    "Send order confirmations",
    "Handle returns and refunds",
    "Improve our services",
    "Comply with legal obligations"
  ];
  
  // We DON'T:
  const neverDo = [
    "Sell to third parties",
    "Send spam",
    "Use for unrelated marketing",
    "Share without consent"
  ];
  
  if (!purposes.includes(purpose) || neverDo.includes(purpose)) {
    throw new Error(`Refusing to process customer data for: ${purpose}`);
  }
  
  // Read-only copy: downstream code can use it but not mutate it
  const protectedData = Object.freeze({ ...data, purpose });
  return protectedData;
}

4. Your Rights (GDPR Articles 15-22)

  • Right to Access: Request a copy of your data (JSON format available)
  • Right to Rectification: Update incorrect data (like fixing a typo in code)
  • Right to Erasure: Delete your account (DELETE FROM users WHERE id = yours)
  • Right to Portability: Export your data (we support CSV and JSON)
  • Right to Object: Opt-out of marketing (unsubscribe() method)
  • Right to Restrict: Limit how we process your data

5. Security Measures

We protect your data like we protect our production servers:

  • πŸ” SSL/TLS encryption (HTTPS everywhere)
  • πŸ”‘ Bcrypt password hashing (no plain text)
  • πŸ›‘οΈ Regular security audits (penetration testing)
  • πŸšͺ Access control (principle of least privilege)
  • πŸ“ Audit logs (who accessed what and when)
  • πŸ”„ Regular backups (with encryption)

6. Cookies & Tracking

We use cookies (the digital kind, not the edible kind):

πŸͺ Essential: Cart, authentication (can't disable)
πŸ“Š Analytics: Google Analytics (can opt-out)
🎯 Marketing: None (we don't retarget)

7. Third-Party Services

We integrate with trusted services (all GDPR compliant):

  • Stripe: Payment processing (PCI DSS compliant)
  • SendGrid: Transactional emails (not marketing)
  • Cloudflare: CDN and DDoS protection
  • Google Analytics: Anonymous usage statistics

8. Contact Our DPO

const dataProtectionOfficer = {
  email: "privacy@undefinedthreads.com",
  response_time: "48 hours max",
  languages: ["EN", "JS", "SQL"],
  office_hours: "9-5 GMT",
  emergency: "For data breaches only"
};

Last Updated: 24/08/2025 | Version: 1.2.0 | Next Review: 20/02/2026