Privacy Policy

1. Data we collect

Sellers: email address, password (hashed), shop details you enter (name, WhatsApp number, description, social links, address, payment-method labels), product data, uploaded images. Buyers: cart contents (stored in your browser, not on our servers), and — when you tap to send an order — the order details you confirm. We do NOT collect buyer phone numbers, names, or addresses unless you type them into the WhatsApp message yourself. Applicants completing /apply: see section 11. Messages you send us (WhatsApp + contact form): see section 12.

2. Why we collect it (PDPA lawful basis)

We process personal data on three lawful bases under the Sri Lankan Personal Data Protection Act (PDPA, No. 9 of 2022) and the EU General Data Protection Regulation (where applicable): (a) performance of a contract — running your shop, processing your application, providing the platform; (b) legitimate interests — preventing abuse, securing the platform, basic operational analytics (never sold to third parties, never used for targeted advertising); (c) consent — where you explicitly opt in (service announcements, WhatsApp follow-up after approval). You can withdraw consent at any time by emailing legal@chatkatalog.com.

3. Cookies & analytics

We use a small number of strictly-necessary cookies: an auth session cookie (sellers only), a language preference cookie (pref_locale), and a Cloudflare Turnstile cookie on the signup, /apply, and contact forms to block bots. We also use Google Analytics 4 (cookies prefixed `_ga`, `_ga_<container>`) for aggregate behaviour analytics — page views, session length, traffic sources — and Cloudflare Web Analytics (cookie-free, aggregate-only) for performance monitoring. Neither carries personal identification or fuels advertising. A cookie notice is shown on first visit and dismissed for 90 days; you can opt out of Google Analytics tracking globally via the official Google Analytics opt-out browser add-on (https://tools.google.com/dlpage/gaoptout). We do not engage advertising or remarketing pixels.

4. Who we share it with (subprocessors)

Cloudflare (hosting, CDN, bot mitigation, image storage via R2, Cloudflare Web Analytics), Supabase (database, auth), Google LLC (Google Analytics 4 — aggregate behaviour analytics), Sentry (error monitoring; PII is scrubbed before send), Resend (transactional email — application confirmations, approval and rejection emails, contact-form acknowledgements), Zoho Mail (administrative email). Each operates under their own privacy terms. We do not sell personal data and do not engage marketing or advertising subprocessors.

5. Where data is stored

Our primary database and image storage are hosted on infrastructure regions selected for low latency to Sri Lanka. Some subprocessors (Cloudflare, Sentry, Resend) may process data outside Sri Lanka in the course of providing their service. We rely on each subprocessor's standard contractual safeguards and will align to the Data Protection Authority's formal cross-border directive when it is issued.

6. How long we keep it

Active seller accounts: as long as the account is open. Closed seller accounts: 30 days, then deleted. Operational logs: 90 days. Backups: 30 days rolling. Applications, rejected: 90 days after the rejection decision, then deleted. Applications, pending without review: 30 days, then auto-rejected (and start the 90-day deletion clock). Applications, approved-but-expired-unconsumed: 30 days after invite expiry, then auto-rejected (and start the 90-day deletion clock). Applications, consumed (you signed up and onboarded): retained for the life of the seller account. Contact-form messages: 180 days after the message is archived, then deleted.

For details on when inactive shops and their data may be removed, see the Account inactivity and shop removal section of our Terms.

7. Your rights (PDPA + GDPR)

You can request a copy of your data (PDPA right of access; GDPR Article 15), ask for corrections (PDPA right to rectification; GDPR Article 16), ask for deletion (PDPA right of erasure; GDPR Article 17), restrict processing (GDPR Article 18), object to processing (GDPR Article 21), or request portability (GDPR Article 20). We action requests within 21 business days. Email legal@chatkatalog.com. Self-service export and account deletion are on the roadmap.

8. Children

ChatKatalog is not intended for use by anyone under 18 (our seller terms require age 18+). We do not knowingly collect data from children.

9. Changes to this policy

Material changes will be announced via email to active sellers. The "Last updated" date at the top of this page is authoritative.

10. Contact

Data requests, questions, complaints: legal@chatkatalog.com. The Privacy Contact title (Privacy Officer vs. Data Protection Officer) is pending counsel review at our M4.6 audit.

11. What we collect when you apply

The /apply form on this site collects, before any account exists: your full name (full_name), email address (email), WhatsApp number (whatsapp_number), city (city), address (address), business or shop name (business_name), a one-line description of what you sell (what_you_sell), the product categories you tick (product_categories), an optional free-text "other" category (product_categories_other), your shop size (shop_size), the channels you currently sell on (current_channels), an optional link to your social or online presence (social_url), optional applicant notes (applicant_notes), and the language you submitted from (apply_locale) — plus four legal-acceptance booleans (accepted_seller_rights, accepted_age, accepted_no_prohibited, accepted_terms_and_privacy). We use this information only to review your application and (if approved) contact you to begin onboarding. We ask for your address because the Sri Lankan PDPA requires us to know which seller is responsible for the goods listed on each catalog; it is never shown publicly. Application retention follows section 6: rejected applications kept 90 days then deleted; pending applications without review kept 30 days then auto-rejected (90-day clock starts); approved-but-expired-unconsumed applications same as pending stale.

12. Messages you send us (WhatsApp + contact form)

When you message ChatKatalog through WhatsApp, those messages remain on your device under WhatsApp's terms; we receive only what you send. We use WhatsApp to reach you about your application (after you give us a working number on /apply), to deliver the approval invite link, and for occasional ops follow-up. When you submit the contact form on this site we collect: your full name (full_name), your email address (email), the subject line you set (subject), the message body (message), and the locale you submitted from (locale: en or si). Contact messages are retained for 180 days after we archive them, then deleted (section 6).

13. How we keep sellers' data separate

ChatKatalog is a multi-tenant platform: every seller's shop, products, images, orders, and customer-confirmed data are stored on shared infrastructure with row-level security enforced at the database. Each row carries the owning seller's identifier; database policies block reads and writes across the shop boundary by default. The service-role credential that could bypass those policies is restricted to a narrow set of administrative endpoints reviewed in our M4.6 security audit. We do not sell, share, or expose one seller's catalog or customer-message data to another seller.