Privacy notice

1. Who we are

Flatbridge is the data controller (or, in Quebec terms, the person responsible for your information) for the personal information collected through this site. The legal entity name and registered address will be specified here at incorporation. Our hosting and database are in the Canada region of our cloud providers; specifically, Supabase Postgres in ca-central-1.

2. What we collect from buyers

• Name, email address, phone number.
• Shipping and billing addresses, including any address fields specific to the destination country.
• Order history, including the items purchased, prices paid, shipping methods, and delivery confirmations.
• Payment information — we do not see or store full payment-card numbers. Card data is processed by our PCI-compliant payment processor (Stripe) directly.
• Technical data: IP address, browser fingerprint, session identifiers, used for security and rate-limiting.

3. What we record about merchants we shop at

Flatbridge is a personal shopping service, not a marketplace. Jamaican merchants we source from do not enrol in a platform relationship. The records we keep about them are operational — to maintain a catalogue of items we know we can shop — and are sourced from public-business listings or our own visits.

• Public business identifiers (legal name, registered address, TRN, Companies Office file number) where these are publicly listed and used to verify the merchant is a real business.
• Public-facing contact details (shop address, hours, social handles, website).
• Product photos and descriptions, where the merchant has published them publicly or supplied them for inclusion in our catalogue.
• Internal records of our shopping runs: items purchased on behalf of buyers, prices paid, and any fulfilment correspondence.

Sensitive identifiers (TRN where collected) are encrypted at rest. We do not collect bank or payment-rail details from merchants — we pay merchants in cash or their preferred walk-in rail at the time of shopping, on each transaction.

4. Why we process this information

• Performance of contract: to fulfill your order, process payment, and arrange shipping.
• Legal obligation: to comply with tax, consumer-protection, and AML/CFT obligations (including the Jamaican Proceeds of Crime Act cash transaction limits).
• Legitimate interest: fraud prevention, network security, audit-log integrity.
• Consent: marketing emails (only where you opt in; you can withdraw consent at any time).

5. Who we share it with

• Merchants: we generally do not disclose your identity to merchants when shopping — we present as a walk-in customer. For specialised orders where the merchant needs your contact (custom items, made-to-order), we ask your consent before sharing your name and phone.
• Payment processor (Stripe): for processing your payment to Flatbridge.
• Couriers (diaspora orders only): shipping name, address, phone, and parcel weight/value for customs declarations.
• Hosting providers: Vercel (CA), Supabase (CA Central), Resend (transactional email), Twilio (SMS for phone OTP).
• Authorities: where compelled by law, court order, or as required for AML/CFT reporting.

6. International transfers

Your order data is transferred to merchants in Jamaica for fulfillment. Payment data is processed by Stripe, which may process data in the United States and other jurisdictions where it operates. We rely on standard contractual safeguards and the recipient’s own legal framework (Jamaican DPA 2020, US sectoral law and Stripe’s SCCs) to protect transferred data.

7. How long we keep it

• Order records: 7 years from the date of the order, for tax and accounting purposes.
• Buyer phone numbers: 24 months after resolution of any related dispute, then auto-purged.
• Merchant records: for the duration of the merchant relationship plus 7 years.
• Marketing-consent data: until you withdraw consent.
• Audit logs: retained for the lifetime of the entity for tamper-evidence; PII redacted on erasure request while the hash chain is preserved.

8. Your rights

The rights available to you depend on where you live:

• Canada (PIPEDA): right to access, correct, and know what is held about you. Right to file a complaint with the Office of the Privacy Commissioner of Canada.
• Quebec (Loi 25):rights to access, rectification, deletion, data portability, and to be informed of automated decisions. Complaints can be filed with the Commission d’accès à l’information.
• UK and EU (GDPR / UK GDPR): rights of access, rectification, erasure, restriction, portability, objection, and to complain to your supervisory authority (e.g., the ICO in the UK, your national data-protection authority in the EU).
• Jamaica (DPA 2020): rights of access, correction, and objection. Complaints can be filed with the Office of the Information Commissioner.
• United States:rights vary by state (e.g., California CCPA/CPRA, Virginia, Colorado). Where you have rights under your state’s law, we will honour them.

To exercise a right, contact us at the privacy email posted on Flatbridge. We respond within the timeframe required by your jurisdiction (typically 30 days; extensions where the law allows).

9. Cookies and tracking

Flatbridge uses strictly-necessary cookies for session, authentication, and rate limiting. We do not use third-party advertising trackers. If we add analytics in the future, you will see a consent banner the first time you visit and can decline.

10. Children

Flatbridge is intended for adult buyers. We do not knowingly collect data from children under 13 (US/Canada) or 16 (UK/EU). If you believe a child has provided data to us, contact us and we will delete it.

11. Security

We use industry-standard controls: TLS in transit, encryption of sensitive identifiers at rest, role-based access, an append-only audit log, MFA for staff accounts, and a strict Content Security Policy. No system is perfectly secure; if we detect a breach affecting your data, we will notify you and the relevant authority within the timeframe required by your jurisdiction.

12. Updates

We may update this notice. The effective date at the top reflects the current version. Material changes will be emailed to registered users.

13. Contact

For privacy questions, data-subject requests, or breach reports, contact the privacy address posted on Flatbridge. A French-language version of this notice will be available in accordance with applicable Quebec law.