Privacy Policy
Effective Date: 17 June 2025
This Privacy Policy explains how Gleamcraft One Inc. (“GleamcraftOne.com”, “we,” “our,” or “us”) collects, uses, stores, and discloses personal information when artisans, assistants, suppliers, and visitors use our platform. We comply with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial laws.
1. Information We Collect
- Business profile: shop name, CRA number, address, primary contact
- User credentials: email, role, WebAuthn seed, login IPs
- Order data: purchaser initials (optional masking), SKU, quantity, postal code, gift notes, fulfillment status
- Cost inputs: materials, invoices, labour hours, packaging, shipping labels
- Financial records: channel fees, refunds, tax collected, deposits, deductions
- Payment identifiers: tokenised card reference, billing address, last 4 digits
- Diagnostics: browser build, usage metrics, error logs
- Support: chat transcripts, voicemail files
2. Purpose of Collection
We use the above data to:
- Reconcile marketplace payouts
- Calculate real-time profit margins
- Forecast reorder points
- Draft CRA-compliant GST/HST tax returns
- Deliver technical and user support
- Prevent fraud and abuse
- Improve pricing and inventory management tools using anonymized analytics
3. Data Retention
- Transaction and tax records: 7 years or longer, per CRA audit requirements
- Diagnostic logs: 12 months
- Backups: Encrypted and rolled on a 35-day cycle
4. Access and Accuracy
Verified administrators can access or correct data at any time via Settings → Data Vault or by contacting privacy@gleamcraftone.com.
5. Consent
- Express consent: obtained at sign-up and when connecting integrations (e.g., payment, marketplaces)
- Implied consent: applies to essential security features
- Users may withdraw consent, though this may disable margin tracking or tax features. Impacts are disclosed before confirmation.
6. GDPR (European Economic Area)
If you are in the EEA, we act as:
- Controller for profile and billing data
- Processor for order, cost, and margin records
Legal bases: performance of a contract (Art. 6(1)(b)), legitimate interest (Art. 6(1)(f)), and legal obligation (Art. 6(1)(c)).
EEA users can exercise GDPR rights by contacting dpo@gleamcraftone.com.
7. Cookie Policy
7.1 Types of Cookies
- Essential: login session, CSRF protection, load balancers
- Preference: currency, units, UI themes
- Analytics: Matomo cookies with IP masking for usage and latency
- Marketing: optional cookies for module releases and partner promotions
7.2 How to Disable Cookies
Most browsers allow users to delete or block cookies. Blocking essential cookies will prevent console access. Preference and analytics cookies can be declined via consent banners or “Do Not Track” settings.
8. Transfers to Third Parties
We do not sell personal information. Limited disclosures are made to:
- Cloud hosting in Montréal and Vancouver (encrypted)
- PCI-compliant payment processors
- Independent CPAs (anonymized samples only)
- Legal and regulatory bodies as required
- Law enforcement if necessary for fraud or public safety
All vendors are bound by Data Processing Agreements equivalent to PIPEDA and EU standards.
9. Security Measures
- AES-256-GCM encryption (data at rest)
- TLS 1.3 + Perfect Forward Secrecy (in transit)
- Zero-trust segmentation by workspace
- WebAuthn-backed multi-factor authentication
- Hourly + nightly backups with 15-min RPO
- SOC 2 Type II audits, quarterly pen-tests, 24/7 scanning
- Incident response protocol with 72-hour breach notice
10. Contact and Updates
All inquiries regarding this policy can be sent to our Privacy Officer at privacy@gleamcraftone.com.
Material changes will be announced by email and in-app banners at least 30 days before enforcement.