Privacy Policy
Last Updated: April 9, 2026
1. Introduction
Welcome to TinyStoked ("we," "our," or "us"). We operate an e-commerce store selling adventure-themed apparel and curated books for families. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website at tinystoked.com.
By using our site, you agree to the practices described in this policy. If you do not agree, please do not use our services.
2. Information We Collect
2.1 Information You Provide
- Account information: Email address used for authentication (passwordless magic link)
- Order information: Shipping name and address, order contents
- Payment information: Processed entirely by Stripe — we never see or store your card details
- Waitlist/email signup: Email address if you join our mailing list
- Support inquiries: Any information you send us via email
2.2 Automatically Collected Information
- Usage data: Pages visited, time on site, referral source (via Vercel Analytics)
- Performance data: Core web vitals and load times (via Vercel Speed Insights)
- IP address and device info: Browser type, operating system, approximate location (country/region)
- Cookies: Session authentication cookies from Supabase; Cloudflare Turnstile CAPTCHA tokens on forms
3. How We Use Your Information
- Processing and fulfilling your orders
- Transmitting your shipping address to Printful for apparel fulfillment
- Sending order confirmations and shipping updates
- Responding to customer service inquiries
- Sending marketing emails if you opted in (you can unsubscribe at any time)
- Improving our website and product offerings
- Detecting and preventing fraud and abuse
- Complying with legal obligations
4. How We Share Your Information
We do not sell your personal information. We share it only with the service providers necessary to run our business:
Printful (Apparel Fulfillment)
Your name and shipping address are sent to Printful to produce and ship your order. Printful is our print-on-demand fulfillment partner. Their privacy policy governs how they handle this data.
Stripe (Payments)
All payment processing is handled by Stripe. We receive a confirmation that payment was successful, but never see your card number, CVV, or full billing details.
Supabase (Authentication & Database)
Your email address and order history are stored in our Supabase database, hosted on secure cloud infrastructure.
Loops.so (Email)
We use Loops.so to send transactional emails (order confirmations, shipping updates) and optional marketing emails. Your email address is stored in Loops if you opt in or place an order.
Cloudflare (Infrastructure & CAPTCHA)
Our site is served through Cloudflare. Cloudflare Turnstile is used on forms to prevent spam. Cloudflare R2 stores our product images.
Vercel (Hosting)
Our website is hosted on Vercel. Vercel Analytics and Speed Insights collect anonymized usage data to help us improve site performance.
We may also disclose your information if required by law, to protect our rights, or in connection with a business transfer or acquisition.
5. Children's Privacy
Our products are designed for children, but our website services are directed at parents and guardians aged 18 and older. We do not knowingly collect personal information directly from children under 13. When you place an order for children's apparel or books, any personal information you provide (such as a shipping name) is provided by you as a parent or guardian.
If you believe we have inadvertently collected information from a child under 13, please contact us at privacy@tinystoked.com and we will delete it promptly.
6. Cookies
We use a minimal set of cookies:
- Authentication cookies: Set by Supabase when you sign in. Required for site functionality.
- CAPTCHA tokens: Short-lived tokens from Cloudflare Turnstile, used to verify that form submissions are from real users.
- Analytics: Vercel Analytics uses privacy-friendly, cookie-free measurement by default.
We do not use advertising or tracking cookies. You can disable cookies in your browser settings, though authentication-dependent features will not work without session cookies.
7. Data Retention
- Order data: Retained for up to 7 years for tax and legal compliance.
- Account data: Retained while your account is active. You may request deletion at any time.
- Email list: Retained until you unsubscribe or request deletion.
- Analytics data: Aggregated and anonymized; no individual retention period.
8. Your Privacy Rights
California Residents (CPRA)
You have the right to know, access, correct, delete, and opt out of the sale of your personal information. We do not sell personal information. To exercise your rights, contact us at privacy@tinystoked.com.
EEA/UK Residents (GDPR/UK GDPR)
You have rights of access, rectification, erasure, restriction, portability, and objection. Our lawful bases for processing are contract performance (orders), legitimate interests (fraud prevention, analytics), and consent (marketing emails). To exercise your rights, contact us at privacy@tinystoked.com.
We will respond to all requests within 30 days (or as required by applicable law).
9. Data Security
We implement industry-standard security measures: HTTPS/TLS for all data in transit, encrypted storage via Supabase and Cloudflare R2, passwordless authentication (no passwords to compromise), and strict access controls. That said, no internet transmission is 100% secure — please contact us immediately if you suspect unauthorized access.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will post the updated policy on this page with a new "Last Updated" date. For material changes, we will notify you by email if you have an account with us. Your continued use of our site after changes are posted constitutes acceptance of the updated policy.