Selltoss Privacy Policy

This Policy explains how Selltoss processes and protects personal data and service records for sellers, buyers, visitors, and operators around the world.

May 13, 2026

1. Controller, Scope, and Regional Rights

This Privacy Policy applies to personal data and service records processed by Selltoss, LLC when providing Selltoss.

Selltoss may act as a controller for account, console, payment-status, security, and product-review processing. Sellers may act as separate controllers or businesses for their own store operations, customer support, refunds, tax handling, marketing, and seller-specific policies.

Depending on where you live, you may have rights under laws such as the GDPR or UK GDPR, Korea's Personal Information Protection Act, Japan's APPI, U.S. state privacy laws, and other local privacy laws. This Policy does not limit non-waivable rights under those laws.

2. Purposes of Processing

We process personal data only as needed for the following purposes:

  1. Account registration, login, workspace creation, and account security.
  2. Store setup, product listing, order creation, payment status confirmation, digital fulfillment, and receipt delivery.
  3. Discord, Telegram, and other channel commerce integrations and buyer notifications.
  4. Subscriptions, credits, fees, billing, settlement support, payment failure handling, and refund support.
  5. Product review, prohibited-product detection, fraud prevention, abuse prevention, access control, and security-event response.
  6. Support, incident investigation, dispute handling, compliance, and legal requests.
  7. Service quality improvement, feature analytics, and operational statistics.

3. Categories of Personal Data

Sellers and operators

  1. Email address, login-provider identifiers, account status, and access records.
  2. Workspace name, store name, subdomain, custom domain, country, timezone, language, and currency.
  3. Plan, credit balance and usage, subscription and payment records, and billing identifiers.
  4. Product, category, price, image, stock, fulfillment content, coupon, theme, and email-template information.
  5. Discord or Telegram connection data, bot names, server, channel and chat identifiers, webhook status, and panel-message identifiers.
  6. Payment-method settings, SMTP settings, domain DNS status, and external-service connection status.

Buyers

  1. Email address, name, or display name entered at checkout.
  2. Order number, purchased product, quantity, price, currency, coupon, payment status, provider identifiers, receipt records, and order-status page access records.
  3. External user IDs, usernames, language, channel type, and message or notification delivery status needed for Discord or Telegram purchase flows.

Automatically collected and security data

  1. IP address, User-Agent, request URL, referrer, cookies, session identifiers, device and browser information, and access timestamps.
  2. Country, VPN, proxy, Tor, datacenter, or hosting-network signals used for access control and security.
  3. BotID, firewall, webhook signature verification, payment webhook, cron, error-log, and security-event records.

Support

  1. Support email, request content, attachments, conversation records, and handling records.
  2. Order, payment, store, and channel-connection information provided by users for troubleshooting.

4. Legal Bases

  1. Performance of a contract, including account access, orders, payments, receipts, and digital fulfillment.
  2. Legitimate interests, including fraud prevention, platform security, service reliability, dispute handling, and protection of users and Selltoss.
  3. Legal obligations, including ecommerce, tax, accounting, communications, privacy, sanctions, and lawful government or rights-holder requests.
  4. Consent, where required for marketing, optional features, cookies that are not strictly necessary, or certain integrations.

5. Retention

  1. Account and workspace information is kept while the account is active and deleted or de-identified after closure unless retention is required by law or legitimate security needs.
  2. Order, payment, fulfillment, receipt, settlement-support, and dispute records are kept for the period needed to verify transactions, support users, and comply with law.
  3. Records related to contracts, withdrawal, payment, supply of goods, complaints, or disputes may be retained for statutory periods that apply in the relevant jurisdiction.
  4. Access logs and security events may be retained as needed for service protection, investigation, and communications-security obligations.
  5. Abuse, prohibited-product, security-incident, payment-abuse, and infringement records may be retained as needed to prevent re-registration, respond to disputes, or comply with legal requests.

6. Sharing and Disclosure

We do not sell personal data as a general business practice. We may share or disclose data in the following limited cases:

  1. Buyer order and contact information may be made available to the seller when needed for fulfillment, support, refund handling, or legal compliance.
  2. Data needed for payment processing and payment-status confirmation may be sent to the payment provider selected by the seller or by Selltoss.
  3. If you buy or receive notifications through Discord, Telegram, or another external channel, identifiers and message-delivery data may be processed through that platform.
  4. We may disclose information to law enforcement, regulators, courts, rights holders, or other parties where we reasonably believe disclosure is legally required or necessary to protect rights, safety, or platform integrity.

7. Processors and International Transfers

We use external providers to operate the service. The providers actually used depend on the features enabled by Selltoss and by each seller.

Because we use global cloud, payment, messaging, security, and AI providers, personal data may be transferred to or processed in the United States, European Union, Japan, Singapore, or other countries where those providers operate infrastructure.

  1. Supabase: database, authentication, storage, and server-side processing.
  2. Vercel: hosting, deployment, security, firewall, and logs.
  3. Polar: subscription, credit purchase, payment, and billing processing.
  4. NOWPayments, Stripe, PayPal, Cash App: seller payment methods, checkout, and payment status confirmation.
  5. Discord and Telegram: channel commerce, bot panels, buyer notifications, and order messages.
  6. Resend and seller-connected SMTP providers: order, fulfillment, and operational email.
  7. Google Gemini and AI SDK providers: product text and image review and prohibited-product detection.
  8. Proxycheck and security providers: VPN, proxy, Tor, datacenter, and hosting-network detection.

8. Cookies and Similar Technologies

  1. We may use cookies and similar technologies for login, session security, language settings, store access control, purchase-flow continuity, and service improvement.
  2. You can block or delete cookies through your browser settings. Some required cookies are necessary for login, checkout, dashboard, and security features.
  3. For security, abuse prevention, and access control, the service may automatically process IP, country, VPN, proxy, Tor, datacenter, and browser signals.

9. Automated Processing and AI Review

  1. We may use automated systems to analyze product names, descriptions, images, stock or fulfillment content, orders, and access records to identify prohibited products, fraud, security threats, and access-control needs.
  2. Automated outputs may be used for product blocks, store limitations, access blocks, order attention states, or human review.
  3. You may contact us to request review of an automated outcome where applicable law gives you that right or where we otherwise provide an appeal path.

10. Your Rights

  1. Depending on your location and the legal basis for processing, you may request access, correction, deletion, restriction, objection, portability, or withdrawal of consent.
  2. EU/UK users may have rights to access, rectification, erasure, restriction, portability, objection, consent withdrawal, and complaint to a supervisory authority.
  3. Korean users may have rights to access, correction, deletion, suspension of processing, withdrawal of consent, and remedies through relevant Korean authorities.
  4. Japanese users may have rights to request notification of purpose of use, disclosure, correction, suspension of use, and disclosure of third-party provision records for retained personal data.
  5. Users in some U.S. states may have rights to access, delete, correct, port, opt out of sale or sharing, or limit sensitive personal information.
  6. Requests may be sent to the contact address in this Policy. We may need to verify your identity and may retain certain data where required for legal, security, payment, or dispute reasons.

11. Children

  1. The service is not directed to children under 14 or under the digital-consent age that applies in the user's jurisdiction.
  2. If we learn that we collected a child's personal data without required consent, we will delete it or take other appropriate steps.

12. Security

  1. HTTPS and encryption in transit.
  2. Authentication, session, and access-right controls.
  3. Secret storage or encryption for payment credentials, bot tokens, SMTP passwords, and other sensitive settings.
  4. Least-privilege operational access.
  5. Webhook signature checks, security logs, firewall controls, BotID, and abuse-prevention measures.
  6. Incident monitoring, backup, and recovery procedures.

13. Complaints and Remedies

You may contact us first, and you may also contact the privacy regulator, consumer protection body, or other authority in your country or region if you believe your rights were violated.

14. Privacy Contact

  1. Privacy contact: Selltoss Privacy Team
  2. Email: hello@selltoss.io
  3. Use this contact for privacy requests, complaints, objections to automated outcomes, and questions about international transfers.

15. Changes

We may update this Policy when laws, service features, providers, processing purposes, or data categories change. We will provide appropriate notice before material changes take effect.