Privacy Policy

1. Introduction

OrderAtlas ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy describes how we collect, use, and safeguard your information when you use our website and API service.

2. Information We Collect

Account Information: When you sign up, we collect your name, email address, and profile picture via Google or Discord OAuth. We do not collect or store your Google or Discord password.

Payment Information: Credit purchases are processed by Stripe. We do not store your credit card number, CVV, or full billing details. We receive only your email and transaction confirmation from Stripe.

API Usage Data: We log API requests for rate limiting, usage analytics, and debugging. Logs include the endpoint called, timestamp, API key identifier, and response status.

Platform Credentials: When you use the BYOA (Bring Your Own Account) model, you submit retail platform credentials (email, password, 2FA secret) via the API. These credentials are used only for the duration of the session to perform the requested action and are not stored permanently. Session cookies may be cached temporarily (encrypted at rest) to avoid repeated logins but are automatically purged when they expire.

Order Data: We store order IDs, status, tracking numbers, and related metadata to provide tracking and fulfillment features. This data is associated with your account.

3. How We Use Your Information

• To provide, maintain, and improve the Service.
• To process credit purchases and maintain transaction history.
• To send webhook notifications about order status changes.
• To enforce rate limits and prevent abuse.
• To respond to support inquiries.

We do not sell, rent, or share your personal information with third parties for marketing purposes.

4. Data Security

• All API communication is encrypted via HTTPS (TLS 1.2+).
• API keys are stored as one-way SHA-256 hashes — we cannot recover your raw key.
• Webhook URLs are validated to prevent SSRF attacks (private/internal IPs are blocked).
• Platform session cookies are encrypted at rest and automatically deleted upon expiry.
• Database access is restricted and protected by firewall rules.

5. Third-Party Services

We use the following third-party services:

• Stripe — Payment processing. Subject to Stripe's Privacy Policy.
• Google OAuth — Authentication. Subject to Google's Privacy Policy.
• Discord OAuth — Authentication and community features. Subject to Discord's Privacy Policy.
• Cloudflare — CDN and bot protection (Turnstile).

6. Data Retention

Account data and order history are retained for as long as your account is active. If you request account deletion, we will remove your personal data within 30 days, except where retention is required by law or for legitimate business purposes (e.g., transaction records for accounting).

API usage logs are retained for up to 90 days for debugging and analytics purposes.

7. Your Rights

You have the right to:

• Access the personal data we hold about you.
• Request correction of inaccurate data.
• Request deletion of your account and associated data.
• Export your order data.

To exercise these rights, contact us via our Discord server or at the email listed on our website.

8. Cookies

Our website uses minimal cookies: authentication tokens stored in localStorage for session management, and Cloudflare Turnstile for bot protection. We do not use advertising or third-party tracking cookies.

9. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Changes take effect when posted on this page. We encourage you to review this page periodically.

11. Contact

For questions about this Privacy Policy, contact us via our Discord server or at the email listed on our website.