Privacy Policy
Last updated: 1 April 2026
Who we are
Stitchmap is a product discovery platform that connects shoppers with independent boutiques in London. This privacy policy explains how we collect, use, and protect information when you use our website and services.
For any privacy-related questions, contact us at [email protected].
Information we collect
From merchants
- Email address and account credentials (via email/password or Google sign-in)
- Organisation name and shop preferences (active locations, collections, product visibility settings)
- Shopify store data synced via the Shopify API: products, variants, pricing, inventory levels, locations, collections, and order data for attribution
- Shopify OAuth access token (used to sync your store data)
- Payment information processed by Stripe (we do not store card details)
From shoppers
- Anonymous click events: product views, checkout redirects, directions requests, and search impressions. These do not contain any personally identifiable information.
- Gender preference (stored as a cookie on your device)
- Itinerary data (saved products and starting point, stored locally on your device only)
- Geolocation data, only when you explicitly grant permission via your browser. This is used to show nearby shops and is not stored on our servers.
How we use your information
- To provide and operate the Stitchmap platform, including syncing your Shopify store and displaying products to shoppers
- To attribute orders and calculate billing charges for merchants
- To display analytics and conversion data in the merchant dashboard
- To process credit top-up payments via Stripe
- To send transactional emails (email verification, password resets)
- To classify and categorise products for search and filtering
- To monitor platform health and debug issues via logging
Lawful basis for processing
We process personal data on the following bases under the UK GDPR:
- Contract: to provide our services to merchants who register an account
- Legitimate interest: to operate the platform, track anonymous usage for billing and analytics, and improve the service
- Consent: for geolocation access and optional cookies
Third-party services
We share data with the following third parties to operate the platform:
- Stripe: processes credit top-up payments. Stripe receives your payment details directly. See Stripe's privacy policy.
- Google: provides Maps (directions, location search) and authentication (Google sign-in). See Google's privacy policy.
- Shopify: provides store data via their API when merchants connect their shop. See Shopify's privacy policy.
We also use additional service providers to operate the platform (hosting, email delivery, logging, product classification). These providers act as data processors on our behalf and do not use your data for their own purposes.
Cookies and local storage
- Authentication cookies: used to maintain your login session (essential, no consent required)
- Gender preference cookie: remembers your browsing preference for one year
- Local storage: stores your shopping itinerary and starting point on your device. This data is never sent to our servers.
We do not use advertising cookies, tracking pixels, or third-party analytics tools.
Data storage and security
Your data is stored on servers located in the United Kingdom and European Union. We use encrypted connections (TLS) for all data in transit and industry-standard security practices to protect data at rest. Payment information is handled entirely by Stripe and never stored on our servers.
Data retention
We retain merchant account data for as long as your account is active. If you delete your account, your organisation is deactivated and your data is retained for a reasonable period to comply with legal obligations, after which it is permanently deleted.
Anonymous click events and order attribution data are retained indefinitely for billing and analytics purposes.
Your rights
Under the UK GDPR, you have the right to:
- Access the personal data we hold about you
- Correct inaccurate personal data
- Request deletion of your personal data
- Object to or restrict processing of your personal data
- Request portability of your data in a machine-readable format
- Withdraw consent at any time where consent is the basis for processing
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
Changes to this policy
We may update this privacy policy from time to time. We will notify registered merchants of material changes via email. The "last updated" date at the top of this page indicates when the policy was last revised.
