Privacy Policy
Last updated: March 15, 2026
1. Introduction
Dundie Merch ("we", "us", "our") is committed to protecting your privacy globally. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our Platform. This policy complies with the GDPR (EU/UK), CCPA (California), UAE Federal Decree-Law No. 45/2021, PIPEDA (Canada), and other applicable privacy laws worldwide.
2. Information We Collect
We collect the following categories of information: Wallet Data: Your public Solana wallet address when you connect your wallet. We never collect or store private keys. NFT Data: Metadata about NFTs in your wallet including token IDs, images, and ownership status obtained from public blockchain records. Purchase Data: Email address, shipping address, and order details when you make a purchase. Payment card information is processed directly by Stripe and is never stored by us. Usage Data: IP address, browser type, pages visited, and timestamps collected automatically for security and analytics purposes. Communications: Any messages you send to us via email.
3. Legal Basis for Processing (GDPR)
For users in the EU and UK, we process your data under the following legal bases: - Contract performance: Processing necessary to fulfill your purchase orders and NFT registrations. - Legitimate interests: Fraud prevention, security monitoring, and improving our Platform. - Legal obligation: Compliance with applicable laws and regulations. - Consent: Where we explicitly request it, such as marketing communications. You may withdraw consent at any time without affecting the lawfulness of prior processing.
4. How We Use Your Information
We use your information to: - Process and fulfill merchandise orders - Verify NFT ownership via blockchain queries - Calculate and distribute royalty payments - Send order confirmations and shipping updates - Prevent fraud and ensure platform security - Comply with legal obligations - Respond to your inquiries We do not sell your personal information to third parties. We do not use your information for automated decision-making or profiling.
5. Data Sharing
We share your data only with: Fulfillment Partners (Printify): Your name, shipping address, and order details are shared with Printify to produce and ship your merchandise. Printify's privacy policy applies to their processing. Payment Processors (Stripe): Payment information is processed by Stripe under their privacy policy. We receive only transaction confirmation and metadata. Infrastructure Providers: Supabase (database hosting) and Vercel (hosting) process data on our behalf under data processing agreements. Both are GDPR compliant. Helius: Blockchain data queries to verify NFT ownership. Only public wallet addresses are shared. Law Enforcement: We may disclose information when required by law, court order, or to protect the rights and safety of users or the public.
6. Data Retention
We retain your data for the following periods: - Order records: 7 years for accounting and tax compliance purposes - Wallet addresses: While your NFT is registered, plus 1 year after deregistration - Purchase emails and shipping addresses: 2 years from order date - Usage logs: 90 days - Support communications: 2 years After these periods, data is securely deleted or anonymized.
7. International Data Transfers
Your data may be transferred to and processed in the United States and other countries. For EU/UK users, we ensure appropriate safeguards are in place including Standard Contractual Clauses (SCCs) where required. By using the Platform, you consent to these transfers as necessary to provide the service.
8. Your Rights
Depending on your location, you have the following rights: All Users: - Access: Request a copy of the personal data we hold about you - Correction: Request correction of inaccurate data - Deletion: Request deletion of your personal data ("right to be forgotten") - Portability: Receive your data in a machine-readable format EU/UK Users (GDPR): - Restriction: Request we limit processing of your data - Objection: Object to processing based on legitimate interests - Automated decisions: Not be subject to solely automated decisions California Users (CCPA): - Know what personal information is collected - Delete personal information - Non-discrimination for exercising rights UAE Users: Rights under Federal Decree-Law No. 45/2021 on Personal Data Protection To exercise any of these rights, contact us at ace.crypto3333@gmail.com. We will respond within 30 days (or 72 hours for urgent GDPR requests). We may need to verify your identity before processing requests.
9. Cookies and Tracking
We use minimal, necessary cookies only: - Session cookies: Required for wallet connection and authentication - Security cookies: CSRF protection We do not use advertising cookies, tracking pixels, or third-party analytics cookies. We do not use Google Analytics or Facebook Pixel. You may disable cookies in your browser settings, though this may affect Platform functionality.
10. Security
We implement industry-standard security measures including: - HTTPS encryption for all data in transit - Encrypted database storage via Supabase - Cryptographic signature verification for all wallet actions - No storage of private keys or payment card data - Regular security reviews No method of transmission over the internet is 100% secure. In the event of a data breach affecting your rights, we will notify you and relevant authorities as required by applicable law (within 72 hours for GDPR-covered breaches).
11. Children's Privacy
The Platform is not directed at individuals under 18 years of age. We do not knowingly collect personal information from minors. If we become aware that a minor has provided us with personal information, we will delete it immediately. If you believe a minor has used the Platform, contact us at ace.crypto3333@gmail.com.
12. GDPR Data Protection Officer
As we are a small independent platform, we do not currently have a designated Data Protection Officer. For all GDPR-related inquiries, please contact us at ace.crypto3333@gmail.com. EU users also have the right to lodge a complaint with their local supervisory authority (e.g., ICO in the UK, CNIL in France).
13. Changes to This Policy
We may update this Privacy Policy periodically. We will post the updated policy on this page with a revised date. For material changes, we will attempt to provide 30 days advance notice. Continued use of the Platform after changes constitutes acceptance.
14. Contact Us
For any privacy-related questions, requests, or complaints: Email: ace.crypto3333@gmail.com Platform: Dundie Merch (dundie-merch.vercel.app) We aim to respond to all privacy inquiries within 30 days.