KROWN
TermsPrivacyCookiesAcceptable UseDPASub-processors
Notice. This document is a working template. It must be reviewed by qualified legal counsel in your jurisdiction before being relied upon. Clauses on liability, governing law, GDPR/CCPA compliance and third-party-platform integration must be tailored to your specific business and applicable laws.

Legal

Privacy Policy

Last updated: May 28, 2026 · Governing law: New Mexico, United States

Krown provides custom checkout software for online stores. This Privacy Policy explains, in plain language, what personal data we process, why, on what legal basis, how long we keep it, and what choices and rights you have. We collect only what we need to deliver the service.

01

Who we are; scope

Krown”, “we”, “us” refers to the operator of the Krown service, contactable at krowncheckout@gmail.com, registered address 1209 Mountain Road PL NE #5605, Albuquerque, NM 87110, United States.

This policy applies to personal data processed in connection with the Krown website, dashboard, checkout pages and any related API. It applies to two groups of individuals: merchants who create a Krown account and use the service, and buyers who complete an order through a checkout page operated by a merchant on Krown.

02

Our roles

The legal role we play depends on whose data is being processed:

DataOur roleOther party
Merchant account, billing, communicationsControllern/a
Buyer data processed for a merchant's saleProcessorMerchant is the Controller
Aggregated, de-identified usage analyticsControllern/a

When we act as Processor (buyer data), the merchant decides the purposes and means of processing within the boundaries set by our agreement and the law, and we process only on documented instructions. The terms governing that role are in our Data Processing Agreement.

03

Personal data we process

3.1 Merchant data

  • Account: email, name, password (never stored in clear text; hashed using industry-standard algorithms).
  • Store configuration: brand name, branding assets, custom domain, checkout settings, products and pricing imported from your store.
  • Connection data: identifiers and access tokens needed to connect your storefront and your payment processor. Access tokens are encrypted at rest.
  • Operational data: orders processed, carts created, subscriptions managed, fees charged.
  • Communications: support tickets, emails, attachments you send us.
  • Billing: legal name, tax ID, billing address required for invoicing.

3.2 Buyer data (collected through the merchant's checkout)

  • Identifiers: email, first and last name, phone number when provided.
  • Addresses: shipping and billing address.
  • Cart and order: products, quantities, prices, discounts, currency, language.
  • Marketing attribution: UTM parameters present in the inbound URL.
  • Technical: IP address, user agent, timezone, browser locale (logged for security and fraud prevention).
Payment instrument data (full card number, expiry, CVV, banking credentials) are never collected, seen or stored by Krown. They are entered by the buyer on a hosted payment page operated by the payment processor selected for the merchant and transmitted directly from there to the underlying card or bank network. We receive only the outcome (success/failure) and a transaction identifier.

3.3 Children

Krown is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a minor has provided us with data, contact us at krowncheckout@gmail.com and we will delete it.

04

How we use the data

We use personal data for the following purposes:

  • To create and operate merchant accounts and the related billing.
  • To operate the checkout pages and forward each completed order back to the merchant's store.
  • To enable optional features the merchant turns on (subscriptions, upsells, abandoned cart recovery, analytics, server-side marketing events).
  • To provide customer support, debug issues, and respond to your requests.
  • To prevent fraud, secure the service, investigate abuse.
  • To meet our legal, tax, and accounting obligations.
  • To send merchants product updates and marketing emails, when permitted; you can unsubscribe at any time.
05

Legal bases (EEA/UK GDPR)

ProcessingLegal basis
Merchant account, checkout operation, order processingContract performance — GDPR art. 6(1)(b)
Invoicing, tax and accounting recordsLegal obligation — art. 6(1)(c)
Security, fraud prevention, abuse investigationLegitimate interest — art. 6(1)(f)
Product marketing emails to merchantsConsent — art. 6(1)(a), withdrawable
Marketing pixels and analytics on the checkoutBuyer consent obtained by the merchant — art. 6(1)(a)
06

Sharing

We disclose personal data only in the following circumstances:

  • The merchant on whose checkout an order is placed receives the buyer's order data so they can fulfill it and provide customer service.
  • Service providers (sub-processors) we rely on to deliver the service (e.g. cloud hosting, database, transactional email, payment processing). The categories are described in our Sub-processor list. Each is bound by a written agreement requiring confidentiality and an equivalent level of data protection.
  • Authorities when required by valid legal process. We will notify you unless prohibited by law.
  • Professional advisors (legal, accounting, audit) bound by professional duty of confidentiality.
  • An acquirer in the event of a corporate transaction (merger, acquisition, sale of assets), with prior notice.
We do not sell personal data to third parties and we do not process it for cross-context behavioral advertising.
07

International data transfers

Our primary infrastructure is hosted in the European Union (Ireland). Some service providers operate outside the EEA, including in the United States. For such transfers we rely on the European Commission's Standard Contractual Clauses and, where required, conduct a Transfer Impact Assessment. We supplement the clauses with appropriate technical and organisational measures (encryption in transit and at rest, access controls).

08

Retention

CategoryHow long we keep it
Active merchant accountFor the duration of the contract
Deleted merchant account30-day grace period, then permanently deleted (except as required by law)
Invoicing, tax and accounting recordsAs required by applicable tax law (typically up to 10 years)
Orders and related buyer dataFor as long as the merchant retains the account, unless deletion is requested
Abandoned carts90 days
Technical and security logs12 months
BackupsUp to 35 days (rotation cycle)
09

Security

  • TLS 1.2 or higher on all public endpoints.
  • Encryption at rest for personal data and application secrets.
  • Passwords stored only as salted hashes; never in clear text.
  • Webhook signatures verified before any data is acted on.
  • Daily encrypted backups; documented restore procedure.
  • Mandatory multi-factor authentication for internal access.
  • Audit logs on administrative actions.
  • Annual rotation of cryptographic master keys; immediate rotation on suspected compromise.

No security program eliminates risk entirely. We notify affected users of a personal-data breach without undue delay and consistent with our legal obligations (see DPA section on breach notification).

10

Your rights

Subject to applicable law, you have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Delete your data, subject to retention obligations.
  • Restrict or object to certain processing.
  • Receive your data in a portable format.
  • Withdraw consent at any time, where processing is based on consent.
  • Lodge a complaint with your local supervisory authority.

To exercise these rights, email krowncheckout@gmail.com. We respond within 30 days and may need to verify your identity first.

11

US state privacy rights (CCPA / CPRA and similar)

If you are a resident of California, Colorado, Connecticut, Virginia, Utah or another US state with a comprehensive privacy law, you have rights similar to those above, including the right to know what personal information we process, the right to delete, the right to correct, and the right to opt out of sale or sharing for cross-context behavioral advertising. We do not sell personal information and we do not share it for cross-context behavioral advertising as those terms are defined under applicable US state law. To exercise your rights, contact us at krowncheckout@gmail.com. We will not discriminate against you for exercising any of these rights.

12

Automated decision-making

Krown does not make decisions producing legal or similarly significant effects based solely on automated processing. Automated systems used for fraud detection flag transactions for human review rather than taking a final action on their own.

13

Changes to this policy

We may update this policy. Material changes will be communicated with at least 30 days' notice through the merchant dashboard and by email. The “Last updated” date at the top reflects the latest revision.

14

Contact

For any question about this policy or to exercise any right, contact us at krowncheckout@gmail.com. Postal address: 1209 Mountain Road PL NE #5605, Albuquerque, NM 87110, United States.