Privacy Policy

Effective Date: February 17, 2026
Last Updated: February 17, 2026

This Privacy Policy describes how Headless Commerce (“Company”, “we”, “us”, or “our”) collects, uses, stores, and protects personal data when you use the Headless Commerce platform, including the API, Dashboard, SDK, CLI, and related services (the “Service”). This policy applies to Merchants and their team members who use our platform. For information about how we process data on behalf of Merchants (i.e., your end-customers’ data), see our Data Processing Agreement.

1. Data Controller

The data controller for the personal data described in this policy is:

Headless Commerce
Email: privacy@headlesscommerce.io
Address: [Company Address]

Data Protection Officer / 개인정보 보호책임자:
Email: dpo@headlesscommerce.io

2. Data We Collect

2.1 Account Data

When you register and use the Service, we collect:
Data | Purpose
Name | Account identification, communications
Email address | Authentication, notifications, billing
Password (hashed) | Authentication (bcrypt hashed, never stored in plaintext)
Profile image | Dashboard display
OAuth tokens | Authentication via Google/GitHub (stored encrypted)

2.2 Organization & Billing Data

Data | Purpose
Organization name | Account management
Billing email | Invoice delivery
Stripe Customer ID | Payment processing (card data stored by Stripe, not by us)
Stripe Subscription ID | Subscription management
Plan type | Service entitlements

2.3 Technical & Usage Data

Data | Purpose
IP address | Security, rate limiting, abuse prevention
User agent | Compatibility, debugging
API request paths | Usage analytics, debugging
Request/response metadata | Troubleshooting, audit logging
Dashboard activity | Feature usage analytics

2.4 Data We Do NOT Collect

  • Credit card numbers — All payment card data is handled directly by Stripe. We never see, transmit, or store card numbers.
  • End-customer passwords — Customer authentication credentials are hashed and never accessible in plaintext.

3. Data We Process on Your Behalf

As a data processor, we process the following data that your end-customers submit through your store via our API:
  • Customer names, email addresses, phone numbers
  • Shipping and billing addresses
  • Order details and history
  • Cart contents and session data
This processing is governed by our Data Processing Agreement. You (the Merchant) are the data controller for this data and are responsible for obtaining appropriate consent from your end-customers.

4. Legal Basis for Processing

4.1 Under GDPR (EU/EEA)

Legal Basis | Processing Activity
Contract performance (Art. 6(1)(b)) | Providing the Service, account management, billing
Legitimate interest (Art. 6(1)(f)) | Security, fraud prevention, service improvement, analytics
Consent (Art. 6(1)(a)) | Marketing communications (opt-in only)
Legal obligation (Art. 6(1)(c)) | Tax records, regulatory compliance

4.2 Under Korean Personal Information Protection Act (개인정보 보호법)

Legal Basis | Processing Activity
Consent (Art. 15(1)(1)) | Account creation, marketing
Contract performance (Art. 15(1)(4)) | Service delivery, billing
Legitimate interest (Art. 15(1)(6)) | Security, fraud prevention
Legal obligation (Art. 15(1)(2)) | Tax/financial record keeping
We obtain separate, specific consent for each purpose as required by Korean law. Consent is freely given and may be withdrawn at any time.

5. Data Sharing & Sub-processors

We share personal data only with the following categories of recipients:

5.1 Sub-processors

Sub-processor | Purpose | Location
Neon | PostgreSQL database hosting | US/EU
Upstash | Redis caching and rate limiting | Regional
Stripe | Payment processing and billing | US (global)
Resend | Transactional email delivery | US
Sentry | Error monitoring and debugging | US
AWS S3 | Media/file storage | Regional
Cloudflare | CDN and DDoS protection | Global
Inngest | Background job processing | US

5.2 We Do NOT

  • Sell your personal data to any third party
  • Share data for advertising purposes
  • Use your data for profiling or automated decision-making

5.3 Law Enforcement

We may disclose data when legally compelled (court order, subpoena) or when necessary to prevent imminent harm. We will notify you unless prohibited by law.

6. International Data Transfers

Your data may be transferred to and processed in countries outside your jurisdiction:

6.1 EU/EEA Transfers

For transfers outside the EEA, we rely on:
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable

6.2 Korean Cross-Border Transfers

In accordance with the Personal Information Protection Act (개인정보 보호법), Articles 17 and 28-2:
  • We obtain your consent for international data transfers
  • We ensure that receiving parties maintain equivalent data protection standards
  • Details of cross-border transfers are listed in the sub-processor table above

7. Data Retention

Data Type | Retention Period | Basis
Account data | Until account deletion + 30-day grace period | Contract
API logs (IP, user agent, requests) | 90 days rolling | Legitimate interest
Billing/payment records | 7 years | Tax law compliance
Transactional records (Korean law) | 3 years | 전자상거래법 (Electronic Commerce Act)
Marketing consent records | Duration of consent + 3 years | Legal obligation
After the retention period, data is permanently deleted or anonymized.

8. Your Rights

8.1 Under GDPR

If you are in the EU/EEA, you have the right to:
  • Access your personal data
  • Rectify inaccurate data
  • Erase your data (“right to be forgotten”)
  • Port your data to another service
  • Restrict or object to processing
  • Withdraw consent at any time
  • Lodge a complaint with your local supervisory authority

8.2 Under Korean Law (개인정보 보호법)

If you are in Korea, you have the right to:
  • 열람 (Access) — Request access to your personal data
  • 정정·삭제 (Rectification/Erasure) — Request correction or deletion
  • 처리정지 (Restriction) — Request suspension of processing
  • 동의 철회 (Withdraw Consent) — Withdraw previously given consent
  • 개인정보보호위원회 신고 — File a complaint with the Personal Information Protection Commission (PIPC)

8.3 Exercising Your Rights

To exercise any of these rights, contact us at privacy@headlesscommerce.io. We will respond within:
  • GDPR: 30 days
  • Korean law: 10 days

9. Security Measures

We implement appropriate technical and organizational measures to protect your data:
Measure | Detail
Encryption in transit | TLS 1.3 for all API and Dashboard communications
Encryption at rest | AES-256 via database provider (Neon)
Password hashing | bcrypt with appropriate work factor
API key security | Secret keys are hashed; rotation supported
Rate limiting | Redis-based rate limiting to prevent abuse
Access control | Role-based access (Owner/Admin/Staff/Viewer)
Audit logging | All admin actions logged with IP and user agent
PCI compliance | SAQ-A eligible — no card data touches our servers

10. Cookies & Tracking

10.1 Cookies We Use

Cookie | Type | Purpose | Duration
Session token | Essential | Dashboard authentication (JWT) | Session
CSRF token | Essential | Cross-site request forgery protection | Session

10.2 What We Don’t Use

  • No third-party advertising cookies
  • No cross-site tracking pixels
  • No fingerprinting technologies

11. Children’s Privacy

The Service is not directed to individuals under the age of 16 (or 14 in Korea under 개인정보 보호법). We do not knowingly collect personal data from children. If we become aware of such collection, we will promptly delete the data.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated at least 30 days before they take effect via:
  • Email notification to your account email
  • Dashboard notification

13. Contact

For privacy-related inquiries: