Privacy Policy
Last updated: 2026-04-19. This is a draft stub. The authoritative policy will be published ahead of General Availability.
Kommercio (“we”, “us”) is a multi-tenant commerce platform. This page explains what personal data we collect, what we do with it, how long we keep it, and the rights you have regardless of where you live.
1. Who we are
Kommercio is operated by Direct Plumbing Supplies Ltd, a company registered in England and Wales. Our registered address and company number will be published here before GA. For privacy questions, email privacy@kommercio.io.
2. Two kinds of data
Kommercio processes two distinct classes of personal data:
- Merchant account data — the person signing up to use Kommercio as a platform. Name, work email, company, billing details, and any profile information they add.
- Shopper data — people who buy from merchants built on Kommercio. Kommercio stores this on behalf of the merchant, who is the data controller. Kommercio is the data processor.
3. What we collect
- Account identifiers (name, email, Clerk user ID).
- Billing data (handled by our payment processor).
- Operational logs (IP, user agent, request paths) for security and debugging.
- Merchant-configured shopper data (order history, addresses, wishlist).
- Tenant configuration (theme, page schemas, integrations).
4. How we use it
- To provide and operate the service.
- To handle billing and plan entitlements via our identity partner (Clerk) and billing partner (Core / OnlyTrade).
- To meet legal obligations (tax, fraud prevention, incident response).
- To communicate with merchants about product updates; merchants can opt out at any time.
We do not sell personal data. We do not use merchant or shopper data to train AI models — any AI features use merchant-provided inputs at request time and don't persist them into training pipelines.
5. Sub-processors
A current list of sub-processors lives at /legal/security. Today these include Clerk (identity), DigitalOcean (hosting), Cloudflare (edge & offsite backup), and Anthropic (AI Studio copy generation).
6. Retention
- Audit logs: 365 days; 730 days for security events.
- Backups: 14 daily, 8 weekly, 12 monthly snapshots.
- Merchant data: retained while the account is active; 30 days after cancellation, then purged.
- Shopper data: retained per the merchant's retention policy.
7. Your rights
Depending on where you live, you may have rights under the UK GDPR, EU GDPR, California CCPA, or other regimes: access, rectification, erasure, portability, restriction, objection. Email privacy@kommercio.io and we'll respond within 30 days. For more detail on GDPR specifically, see /legal/gdpr.
8. International transfers
Our primary compute lives in the UK; offsite backups are stored on Cloudflare R2 (multi-region auto). Transfers are covered by Standard Contractual Clauses where applicable.
9. Cookies
See /legal/cookies. In short: we use strictly-necessary cookies for auth and cart state; no marketing trackers without consent.
10. Changes
Material changes are emailed to account owners at least 30 days ahead of the effective date.
This document is a draft stub for the pre-GA period. It will be superseded by a legally reviewed policy before the platform reaches General Availability. Nothing here constitutes legal advice.