Privacy Policy
Last updated: May 29, 2026
CommerceHub (“CommerceHub,” “we,” “us,” or “our”) operates a self-hosted, non-custodial commerce platform that lets merchants run online storefronts and run automated short-form video promotion across third-party social platforms. This Privacy Policy describes the information we collect when you use commercehub.bz and the merchant storefronts powered by it (collectively, the “Service”), how we use that information, who we share it with, and the rights you have over it.
By using the Service you confirm you have read this Policy. Capitalized terms not defined here have the meaning given in our Terms of Service.
1. Who We Are & How To Contact Us
CommerceHub is operated by the CommerceHub team. Questions about this Policy, requests to exercise your data rights, or any other privacy-related contact should be sent to privacy@commercehub.bz. We will respond within 30 days.
2. Information We Collect
2.1 Information you give us
- Account information — your email address, a password hash (we never store plaintext passwords), display name, store name and slug.
- Billing information — when you pay with a credit/debit card, your payment is processed by Stripe; we receive only a payment reference and the last four digits of the card. When you pay with cryptocurrency (BTC, ETH, USDC, XMR), we record the deposit address you used and the on-chain transaction hash. We never custody your funds and never see your private keys or seed phrase.
- Storefront content — product listings, prices, images, descriptions, and any other content you publish to your store.
2.2 Information we receive from connected platforms
When you choose to connect a third-party social platform (TikTok, YouTube, Instagram, etc.) to enable automated posting, we use OAuth to receive a token that authorizes us to publish videos on your behalf to that connected account only. Specifically:
- An OAuth access token and refresh token bound to the scopes you approved (e.g. on TikTok: user.info.basic, video.publish, video.upload; on YouTube: youtube.upload).
- Your public profile basics on that platform — username, display name, profile picture, follower-count band.
- Limited post analytics for the videos we publish on your behalf (views, likes, comments count) so the Service can show you how your autoposts performed.
We do not read your private messages, viewing history, saved videos, follower list, or any data unrelated to the videos we publish on your behalf. Tokens are encrypted at rest with AES-256-GCM and used only to make the platform calls you have explicitly authorized.
2.3 Information collected automatically
- Log data — IP address, browser type, referring URL, pages viewed, timestamps. Used for security monitoring, abuse prevention, and aggregate analytics.
- Cookies — a session cookie to keep you logged in. We do not use cross-site advertising cookies. See §7 below.
3. How We Use Information
- Operate and maintain the Service, including authenticating you and storing your storefront data.
- Publish content to connected social platforms only at your direction (manual posts, scheduled autoposts you have configured).
- Process payments and reconcile billing.
- Detect, prevent, and investigate fraud, abuse, security incidents, and violations of our Terms of Service.
- Send transactional notifications (receipts, password resets, critical service alerts). We do not send marketing email.
- Comply with legal obligations and respond to lawful requests by public authorities.
4. How We Share Information
We do not sell, rent, or trade your personal information. We share it only:
- With service providers who help us run the Service — hosting, payment processing (Stripe), email delivery, error monitoring — under contracts that restrict their use of the data to the services they provide.
- With connected social platforms — when you authorize an autopost, we send the resulting video and associated metadata (title, description, hashtags) to the connected platform's API on your behalf.
- For legal reasons — to comply with a subpoena, court order, or other valid legal process; to protect our rights and the safety of our users; or to investigate suspected fraud or abuse.
- With your consent — for any other purpose you specifically agree to.
- In a business transfer — if CommerceHub is acquired or merges with another company, your information may be transferred under the same privacy commitments.
5. Data Security
We protect the data you entrust to us with industry-standard technical and organizational safeguards: TLS in transit, AES-256 encryption at rest for OAuth tokens and HD wallet seeds, hashed and salted passwords, principle-of-least-privilege access controls. No system is perfectly secure; if we discover a breach affecting your data we will notify you without undue delay as required by applicable law.
6. Data Retention
We retain account and transactional information for as long as your account is active, plus a reasonable period after closure for legal, accounting, and dispute-resolution purposes (commonly up to 7 years for financial records). OAuth tokens are deleted immediately when you disconnect the corresponding platform. Aggregated, de-identified usage data may be retained indefinitely.
7. Cookies
We use a single first-party session cookie to keep you logged in. We do not use third-party advertising cookies, cross-site trackers, or analytics that share data with ad networks. You can clear the cookie at any time via your browser settings, which will log you out.
8. Your Rights
Depending on where you live, you may have the right to:
- Access the information we hold about you.
- Correct inaccurate or outdated information.
- Delete your account and the personal data associated with it (subject to the retention exceptions in §6 for legal compliance).
- Export your data in a portable format.
- Object to or restrict certain processing.
- Withdraw consent previously given, without affecting the lawfulness of processing carried out before withdrawal.
- Lodge a complaint with a data-protection authority. (EU/UK residents — your local DPA. California residents — see CCPA rights below.)
To exercise any of these rights, email privacy@commercehub.bz.
9. Region-Specific Notices
9.1 California (CCPA / CPRA)
California residents have the rights described in §8 plus the right to opt out of any “sale” or “sharing” of personal information. We do not sell or share personal information for cross-context behavioral advertising.
9.2 European Economic Area, UK, Switzerland (GDPR / UK GDPR)
The legal bases on which we process your data are: (a) performance of the contract between us; (b) our legitimate interest in operating, securing, and improving the Service; (c) your consent (where required, e.g. for connecting a third-party social platform); and (d) compliance with legal obligations.
10. International Data Transfers
The Service is operated from the United States. If you access it from outside the United States, your information will be transferred to and processed in the United States. Where required by law, we use Standard Contractual Clauses or equivalent safeguards.
11. Children
The Service is not directed to children under 18. We do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, please contact us and we will delete it.
12. Changes to this Policy
We may update this Policy from time to time. If we make material changes we will post the updated Policy at this URL with a revised “Last updated” date and, where required, notify you by email. Continued use of the Service after the effective date constitutes acceptance.
13. Contact
Email privacy@commercehub.bz with any privacy question, data-rights request, or to report a suspected breach.