Privacy Policy

Last updated: March 2026

Essential Online Traders LTD ("we", "us", or "our") operates the DSInfra platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

Our commitment: We will never sell your data. We do not share your information with third parties for marketing purposes. Your data is used solely to provide our service and process orders.

1. Information We Collect

Information You Provide

  • Account Information: Name, email address, and password when you create an account. Passwords are cryptographically hashed and never stored in plain text.
  • Business Information: Company name, VAT number, and business address for invoicing and compliance.
  • Payment Information: Billing details are processed directly by Stripe. We do not store, access, or have visibility of your full card numbers, CVV, or other sensitive payment credentials.
  • Channel Credentials: OAuth tokens for connected platforms (Shopify, Squarespace, etc.). These are encrypted at rest and used only to sync data on your behalf.
  • Communications: Support requests and correspondence you send to us.

Data Synced From Your Channels

  • Product Data: Product listings, inventory levels, pricing, and product metadata from your connected sales and supply channels.
  • Order Data: Order details including customer shipping information required to fulfil orders. See Section 6 for our strict retention policy on this data.

Information Collected Automatically

  • Log Data: IP address, browser type, pages visited, and usage statistics for security and service improvement.
  • Device Information: Device type and operating system.
  • Cookies: We use only essential cookies for authentication and session management. We do not use tracking, analytics, or advertising cookies. See Section 12 for details.

2. How We Use Your Information

We use your data solely to operate the DSInfra platform:

  • Provide, maintain, and improve our services
  • Sync product data between your connected channels
  • Process and route orders to suppliers for fulfilment
  • Calculate pricing, margins, and analytics
  • Send essential service notifications (sync errors, order issues)
  • Respond to support requests
  • Detect and prevent fraudulent or unauthorised activity
  • Comply with legal obligations

We do not:

  • Sell your data to third parties
  • Share your data for marketing purposes
  • Use your data for advertising
  • Profile your customers for any purpose beyond order fulfilment

3. Legal Basis for Processing (UK GDPR)

We process your personal data on the following legal bases:

  • Contract: Processing necessary to perform our contract with you (providing the platform, syncing data, processing orders).
  • Legitimate Interests: Processing necessary for fraud prevention and service security.
  • Legal Obligation: Processing necessary to comply with applicable laws (e.g., fraud prevention, anti-money laundering).

4. Information Sharing

Your data is only shared when strictly necessary to provide our service:

Order Fulfilment

When you place an order through a supplier connection, the customer's shipping information (name and delivery address) is transmitted to the supplier's platform to create the fulfilment order. This is the sole purpose for which customer data is shared with external parties.

Payment Processing

Payment processing is handled by Stripe. We share only the minimum information required (transaction amount, currency, account identifiers). Stripe processes payments in accordance with their own privacy policy and PCI-DSS compliance.

Connected Platforms

Data is synced with sales channels (Shopify, Squarespace, Amazon, eBay) and supply channels that you explicitly connect. We only access data necessary for the integration to function.

Infrastructure Providers

Our infrastructure is hosted on industry-standard cloud providers with appropriate data processing agreements in place.

Legal Requirements

We may disclose data when required by law, court order, or to protect our legal rights.

We never share your data with:

  • Data brokers
  • Advertising networks
  • Marketing agencies
  • Any third party for their own commercial purposes

5. Data We Do Not Collect

For clarity, DSInfra does not collect or store:

  • Full credit/debit card numbers (handled directly by Stripe)
  • CVV/security codes
  • Bank account details beyond what Stripe requires for payouts
  • Customer browsing history
  • Social media profiles
  • Location tracking data

6. Data Retention

We maintain strict data retention policies that exceed GDPR requirements:

Customer Personal Data (Order Information)

30-day retention: Customer names, email addresses, phone numbers, and shipping addresses from orders are automatically and permanently deleted 30 days after order completion. This deletion is irreversible — we cannot recover this data once removed.

Channel Data

7-day retention after disconnection: When you disconnect a sales or supply channel, all associated product data, listings, and sync history are permanently deleted after 7 days. This grace period allows you to reconnect if disconnection was accidental.

Account Data

Your account information is retained while your account is active. Upon account deletion, all personal data is removed within 30 days. DSInfra is not the merchant of record for any transaction — you are responsible for your own invoice and tax record retention. We do not retain order data for tax purposes on your behalf.

Security Logs

Access logs and security audit trails are retained for 90 days for fraud prevention and security monitoring.

7. Your Rights

Under UK GDPR, you have the following rights:

  • Access: Request a copy of all personal data we hold about you.
  • Rectification: Request correction of inaccurate personal data.
  • Erasure: Request deletion of your personal data. We will comply within 30 days, subject to legal retention requirements.
  • Restriction: Request restriction of processing of your personal data.
  • Portability: Request your data in a machine-readable format (JSON or CSV).
  • Objection: Object to processing based on legitimate interests.

To exercise any of these rights, email support@dsinfra.io with the subject "Data Rights Request". We will respond within 30 days.

Account Deletion: You can request complete deletion of your account and all associated data at any time. This will permanently remove all your channels, products, orders, and business data from our systems.

8. Data Security

We implement comprehensive security measures to protect your data:

  • Encryption: All data is encrypted in transit and at rest using AES-256.
  • Credential Security: Passwords are cryptographically hashed. OAuth tokens are encrypted.
  • Access Controls: Database access is restricted and tenant-isolated.
  • PII Handling: Personal data is automatically redacted from system logs.
  • Regular Audits: We conduct regular security assessments and code reviews.

9. International Transfers

Your data may be processed in countries outside the UK where our infrastructure providers operate. Where data is transferred internationally, we ensure appropriate safeguards are in place through Standard Contractual Clauses or adequacy decisions recognised by the UK.

10. Children's Privacy

DSInfra is a business service not intended for individuals under 18. We do not knowingly collect personal data from children.

11. Service Providers

We use the following third-party service providers to operate DSInfra:

  • Stripe: Payment processing and billing (PCI-DSS compliant)
  • Resend: Transactional email delivery
  • Railway: Cloud infrastructure hosting
  • Shopify, Squarespace, Amazon, eBay: Sales channel integrations (user-connected)

All service providers are contractually bound to process data only as instructed and maintain appropriate security measures.

12. Cookies

We use only essential cookies required for the platform to function:

  • Session Cookie: Maintains your login session. Expires when you close your browser or after 24 hours of inactivity.
  • CSRF Token: Security cookie to prevent cross-site request forgery attacks.

We do not use analytics cookies, advertising cookies, or any third-party tracking cookies. We do not participate in cross-site tracking.

Do Not Track: Because we do not track users across websites, Do Not Track (DNT) browser signals are not applicable to our service.

13. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware
  • Notify affected users without undue delay if the breach is likely to result in high risk
  • Document all breaches and remediation actions taken

14. Data Processing Agreements

Business customers who require a Data Processing Agreement (DPA) for compliance purposes can request one by emailing support@dsinfra.io with the subject "DPA Request".

15. International Users

European Economic Area (EEA)

If you are located in the EEA, you have the same rights as UK users under GDPR. Data transfers from the EEA to the UK are covered by the UK adequacy decision. For transfers to other countries, we use Standard Contractual Clauses.

United States

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to delete your data, and the right to opt-out of the sale of personal information. We do not sell personal information. To exercise your rights, contact us at support@dsinfra.io.

Other Regions

We aim to comply with applicable data protection laws in all regions where we operate. If you have questions about your rights under your local privacy laws, please contact us.

16. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-platform notification. The "Last updated" date at the top of this page indicates the most recent revision.

17. Contact Us

For questions about this Privacy Policy, data protection concerns, or to exercise your rights:

Email: support@dsinfra.io
Subject line: "Privacy Enquiry" or "Data Rights Request"

Essential Online Traders LTD
Registered Office: 8 Summering Close, Okehampton, England, EX20 1FY
Company Number: 11901044
VAT: GB350667201

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).