Policy
Privacy Policy
Version 2026-06-A • Last updated: June 1, 2026
1. Scope of this policy
This Privacy Policy describes how Wehoz, Inc. (“Wehoz”, “we”, “our”) handles personal information collected through wehoz.com and our mobile interfaces (the “Site”), through email and customer-support channels, and through any related Wehoz service. This Policy does not apply to the practices of third-party sellers on the marketplace, who may collect or process information in connection with fulfilling your orders — those sellers act as independent controllers and their handling of your information is governed by their own privacy notices.
2. Information we collect
We collect the categories of personal information described below.
2.1 Identifiers and contact information
Examples: your name, email address, mailing and shipping addresses, telephone number, IP address, device identifiers, and any account username you choose. We collect this when you register, place an order, contact support, sign up for marketing communications, or interact with the Site as an anonymous visitor.
2.2 Commercial information
Examples: products viewed, items in your cart, wishlist items, past orders, returns and exchanges, payment-method type (we do not store the full card number; only the last four digits, brand, and a tokenized reference), gift-card activity, loyalty points balance, and subscription details.
2.3 Internet or other electronic-network activity
Examples: pages you view on the Site, search queries you run, click and scroll signals, referring URLs, the time of access, your approximate geolocation derived from IP, the browser and operating system you use, and crash diagnostics.
2.4 Geolocation (approximate)
We infer your approximate city or region from your IP address for fraud prevention, shipping availability, applicable taxes, and analytics. We do not use precise device GPS unless you grant explicit permission for a feature that requires it.
2.5 Audio and visual
We may collect photographs, videos, or other media you upload as part of a review, authenticity report, or buyer-protection dispute. We do not record phone calls or use facial recognition.
2.6 Inferences
We may derive product preferences, inferred buying intent, and risk-of-fraud signals from the categories above for the purposes described in Section 4.
3. Sources of information
We collect information directly from you when you provide it; automatically from your device when you interact with the Site (see our Cookie Policy); from third parties such as payment processors confirming a transaction, shipping carriers confirming a delivery status, fraud-prevention services, and social-sign-in providers if you choose to link one; and from sellers when they share order-fulfillment updates with us.
4. How we use information (purposes)
We process personal information for the following purposes:
- To operate the marketplace. Account creation, authentication, order processing, payment, tax calculation, shipping label generation, returns and refunds, customer-support replies, dispute resolution, fraud screening.
- To improve and personalize. Recommend products, remember preferences, fix bugs, conduct A/B tests, measure marketing effectiveness, train search and ranking models on aggregated behavior signals.
- To communicate with you. Transactional messages (order, return, refund, dispute, security), service announcements, and — only with your consent — marketing emails, restock alerts, and review reminders.
- To keep the platform safe. Detect and prevent fraud, abuse, money-laundering, copyright infringement, counterfeits, harassment, and violations of our policies.
- To comply with law. Respond to legitimate legal process, meet tax-reporting obligations, comply with sanctions screening, and demonstrate consent where required by privacy law.
5. Who we share information with
We share personal information with the categories of recipients below. We do not sell personal information for money. If a sharing relationship qualifies as a “sale” or “sharing” under California law (CCPA/CPRA), we describe it expressly below and offer an opt-out mechanism.
5.1 Sellers
When you place an order, the seller of the items in that order receives the order number, the items ordered with quantities and prices, the masked email and the shipping address required to fulfill it, and your name for the shipping label. Sellers do not receive your full payment-method details, your full email address (we route messages through our platform), or your browsing history. A seller’s use of this information is constrained by our Seller Agreement.
5.2 Service providers (sub-processors)
We use the following service providers, each contractually limited to processing personal information only on our instructions and only for the purposes we direct:
- Stripe, Inc. — payment processing, Stripe Connect marketplace flows, fraud detection (Radar). United States.
- Shippo, Inc. — shipping rate quotes, label purchase, delivery tracking. United States.
- Resend, Inc. — transactional email delivery and bounce/complaint handling. United States.
- Supabase Inc. — database hosting (Postgres) and authentication. United States.
- Cloudflare, Inc. — content delivery, edge compute (Workers), DDoS mitigation, file storage (R2). United States and other countries where Cloudflare operates.
- Vercel, Inc. — storefront hosting and serverless function execution. United States.
- PostHog, Inc. — product analytics. United Kingdom.
- Google LLC — Google Analytics 4 for aggregated traffic measurement only when you grant Analytics consent. United States.
5.3 Legal and protective disclosures
We may disclose information when we reasonably believe disclosure is required by law, a subpoena, or court order; necessary to enforce our terms; or necessary to protect the safety, rights, or property of Wehoz, our users, or the public.
5.4 Business transfers
If Wehoz is involved in a merger, acquisition, or sale of all or substantially all of its assets, your information may be transferred to the successor entity. We will notify you by email and a prominent notice on the Site at least thirty days before any change of control.
6. International data transfers
Wehoz is based in the United States and processes personal information in the United States. If you are located in the European Economic Area, the United Kingdom, or Switzerland, your personal information will be transferred to and processed in the United States. Where required, we rely on Standard Contractual Clauses approved by the European Commission and the UK International Data Transfer Addendum, with each sub-processor named in Section 5.2 covered by those clauses.
7. How long we keep information
We retain personal information for the periods below, unless a longer period is required by law:
- Order, payment, and tax records: 7 years from the order date (US federal tax recordkeeping).
- Account profile and shipping addresses: until you delete your account, then we begin a 30-day grace period before permanent erasure, except for data required by Section 7 above.
- Marketing-preference state: indefinitely while you have an active account; we retain unsubscribe records to honor opt-outs even after account deletion.
- Analytics events: 14 months in identifiable form; aggregated and anonymized indefinitely.
- Customer-support transcripts: 3 years from last contact.
- Dispute and fraud-investigation records: 7 years from resolution.
- Cookie-consent audit log: 5 years from each consent change.
8. How we protect information
We use a layered set of technical and organizational measures: TLS 1.2+ for all data in transit; encryption at rest for the database; column-level encryption for shipping phone numbers and other sensitive identifiers; access control with role-based scoping; audited row-level reads on all PII fetches from the admin dashboard; minimum-privilege service-role credentials rotated regularly; mandatory two-factor authentication for internal staff; vendor-security reviews before adding any sub-processor; and intrusion- detection on all production endpoints. No system is perfect, but we work hard to minimize risk and to notify affected users promptly if a breach occurs.
9. Your rights
9.1 California (CCPA/CPRA)
If you are a California resident, you have the right to:
- know what personal information we collect about you, where it comes from, why we collect it, and to whom we disclose it;
- request a copy of the personal information we hold about you;
- request that we delete personal information we have collected from you;
- request that we correct inaccurate personal information;
- opt out of the sale or sharing of your personal information (we do not sell, but if you wish to opt out of any cross-context behavioral advertising we participate in, you may do so);
- limit the use of sensitive personal information to what is necessary for the service.
We will not discriminate against you for exercising any of these rights. If we deny a request, we will explain why and provide an appeals process.
9.2 European Economic Area, United Kingdom, Switzerland (GDPR/UK GDPR)
If you are in the EEA, UK, or Switzerland, you have the right to:
- access the personal information we hold about you;
- have inaccurate information corrected;
- have your information erased in certain circumstances (“right to be forgotten”);
- restrict our processing in certain circumstances;
- receive your information in a portable format;
- object to our processing where it is based on legitimate interests;
- withdraw consent at any time without affecting prior lawful processing;
- lodge a complaint with your national data-protection authority.
Our legal bases for processing are: contract (for order processing and account features); legitimate interests (for fraud prevention, platform safety, and certain analytics, balanced against your privacy interests); consent (for marketing emails, optional cookies, and any features that access precise device data); and legal obligation (for tax records and regulatory reporting).
10. How to exercise your rights
Sign in and visit /account/privacy to submit a data-export, deletion, or correction request directly. If you do not have an account (for example, you placed a guest order), email privacy@wehoz.com with sufficient detail for us to locate your record.
We will respond within forty-five days of receipt (or sixty days if the request is complex, with notice). For all requests we verify identity by matching the email address on file with a verification code; for high-risk requests (deletion of an account with prior order history, or export of payment-method last-four data) we may require additional verification such as confirming the order number and approximate total of a recent purchase.
You may authorize an agent to submit a request on your behalf by providing the agent with signed written permission; we will still verify your identity directly.
11. Children’s privacy
Wehoz is not directed at children under thirteen, and we do not knowingly collect personal information from anyone we believe to be under thirteen. If you are a parent or guardian and you believe your child has provided us with personal information without your consent, please email privacy@wehoz.com and we will delete the information promptly. See our full Children’s Privacy Notice.
12. Do Not Track and Global Privacy Control
Some browsers transmit a “Do Not Track” signal; because there is no industry consensus on what DNT means, we do not currently respond to DNT signals specifically. However, we do honor the Global Privacy Control (GPC) signal. When your browser sends Sec-GPC: 1, we treat that as an opt-out of any cross-context behavioral advertising and of marketing analytics that require consent, and we record the signal in our cookie-consent audit log.
13. Cookies and similar technologies
We use cookies, local storage, and similar technologies to operate the cart, keep you signed in, remember your preferences, measure how the Site is used, and (only with your consent) deliver more relevant marketing. See our Cookie Policy for the full list and how to control them.
14. Changes to this policy
We may update this Policy from time to time. When we make a material change, we will update the version chip and the effective date at the top, post a notice on the Site at least thirty days before the change takes effect, and where required by law notify you by email.
15. Contact
Wehoz, Inc.
Privacy team: privacy@wehoz.com
General customer support: help@wehoz.com