Privacy Notice
What personal information we collect from shoppers and visitors, how we use and share it, and the privacy rights you have.
Scope: Shoppers and visitors on the merchandise stores at
*.merch365.shopand the marketing site atmerch365.shop/www.merch365.shop(the "Storefront"). Creators and portal users atmerch365.aiare covered by the separate Application Privacy Notice.
Effective date: June 8, 2026 · Last updated: June 8, 2026
Merch365, Inc. ("Merch365", "we", "us", "our") is the seller and merchant of record for purchases on the Storefront (see the Storefront Terms of Sale & Use). This Notice explains the personal information we collect from shoppers and visitors, why, how we share and retain it, and your choices and rights.
1. Information we collect
1.1 You provide:
- Order & contact data: name, email, phone, shipping and billing address.
- Order contents: items, sizes, quantities, and any personalization content (text/images you submit for custom products).
- Payment data: card details, which you enter into Stripe; Stripe processes the payment and Merch365 does not store full card numbers (see §3).
- Account data (if you create one): credentials and saved preferences.
- Customer-service messages and any reviews or communications you send.
1.2 Collected automatically: IP address, device/browser type, pages viewed, referring URLs, cart activity, the store/tenant you visited, and timestamps, collected via cookies and similar technologies and analytics. See the Cookie & Advertising Notice.
We do not seek sensitive personal information; please do not include it in personalization content.
2. How we use information
To: process and fulfill your order; take payment and calculate taxes; arrange production, decoration, and shipping; provide customer support and handle returns; prevent and investigate fraud and abuse; operate, secure, and improve the Storefront; comply with law; and, where permitted, send you marketing about Merch365 or the store you bought from (you can opt out). We use information in a manner reasonably necessary and proportionate to these purposes.
3. Payments
Card payments are processed by Stripe. Your card data is transmitted to and handled by Stripe under its terms and privacy policy; Merch365 receives limited transaction metadata (status, amount, payment token) needed to complete and manage your order. We maintain payment acceptance in a PCI-compliant manner as a shared responsibility with Stripe.
4. How we share information
- Stripe — to process payments and help prevent fraud.
- Fulfillment / decoration / shipping providers — including our branding/ fulfillment partner and carriers — to produce and deliver your order. We share only what is needed (e.g., order contents, personalization files, shipping details).
- The Brand whose store you purchased from — Merch365 does not share your contact details with the Brand for the Brand's own marketing. We may share aggregated or order-level information with the Brand for fulfillment and store-operations purposes.
- Service providers / subprocessors — hosting, analytics, customer support, email — under contracts limiting use to providing services (Subprocessors).
- Authorities / advisors — where reasonably necessary to comply with law or legal process, enforce our Terms, or protect rights, property, or safety.
- Business transfers — in a merger, acquisition, or asset sale, subject to this Notice.
We require service providers to use your information only for the specified purposes and to provide the same level of privacy protection required of us.
5. Cookies, analytics, and advertising
We use cookies and similar technologies for essential functions (cart, checkout, security) and first-party analytics. We do not currently use third-party advertising or retargeting technologies, and we do not sell or share your personal information for cross-context behavioral advertising. If this ever changes, we will update this Notice, provide a "Do Not Sell or Share My Personal Information" link, and honor a valid Global Privacy Control (GPC) signal. See the Cookie & Advertising Notice.
6. Data retention
We keep personal information only as long as needed for the purposes above, then delete or de-identify it. Our standard schedule:
| Category | Retention |
|---|---|
| Order & fulfillment records | As required for tax/accounting and returns (up to 7 years for transaction records) |
| Personalization files | 12 months after fulfillment, then deleted |
| Account data | Life of account + 90 days after closure |
| Customer-service messages | 24 months |
| Analytics/logs | 13 months |
7. Your privacy rights
7.1 Marketing opt-out. Use the unsubscribe link in any marketing email or contact privacy@merch365.ai. We may still send transactional messages (order and shipping updates).
7.2 California residents (CCPA/CPRA). You may request to know/access, delete, and correct your personal information, and opt out of any sale/sharing for cross-context behavioral advertising. We do not discriminate against you for exercising these rights. We will not require you to create an account to submit an opt-out, and we honor a valid GPC signal.
7.3 How to exercise rights. Email privacy@merch365.ai, or use the unsubscribe link for marketing. Because we operate online with a direct relationship with shoppers, email is our designated request method; we may add a web form as we grow. We respond within 45 days, extendable once by another 45 days with notice. We may verify your identity for access/deletion/correction (generally not for opt-out). Authorized agents may submit requests.
7.4 Other states / regions. Residents of other U.S. states with comprehensive privacy laws (e.g., Virginia, Colorado, Connecticut, Texas, Oregon) may have similar rights, and we extend the process above to them. Merch365 sells within the United States and does not currently target the EU/UK; if that changes we will add a GDPR/UK-GDPR section first.
8. Security
We use administrative, technical, and organizational safeguards (including encryption in transit and access controls) and rely on Stripe for card data security. No system is perfectly secure. We maintain an incident-response process and provide breach notifications as required by law.
9. Children
The Storefront is not directed to children under 13 (or higher age set by law) and we do not knowingly collect their personal information. Contact privacy@merch365.ai if you believe a child has provided information and we will delete it.
10. Changes and contact
We may update this Notice; the current version is posted with its "Last updated" date. For material changes we will provide additional notice.
Merch365, Inc. · Attn: Privacy 131 Continental Dr, Suite 305 Newark, Delaware 19713 Email: privacy@merch365.ai · support@merch365.shop