Privacy policy

1. About This Policy

This Privacy Policy applies to all users of abiotp.store (“we”, “us”, “our”)—a website currently in pre-launch phase (displaying a “work in progress” notice) that will eventually operate as an e-commerce platform (product categories to be finalized post-launch). It governs the collection, use, storage, protection, and disclosure of your personal data across all interactions with our site, including browsing the pre-launch page, subscribing to launch updates (once available), creating an account (post-launch), placing orders (post-launch), or contacting customer support.

We comply with global data protection laws, including the EU General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Virginia Consumer Data Protection Act (VCDPA), and UK Data Protection Act, to ensure transparent and ethical handling of your data. “Personal data” refers to any information that identifies or could reasonably identify you, such as your full name, email address, phone number, postal address, IP address, browser/device details, browsing activity (e.g., time spent on the pre-launch page), and preferences (e.g., opt-ins for launch alerts or product interests).

This Policy does not cover third-party websites or services linked from our site (e.g., LinkedIn, Instagram, Facebook)—we strongly recommend reviewing these third parties’ privacy policies independently before engaging with them, as we have no control over their data practices.

2. Data Controller & Contact Information

The data controller responsible for managing your personal data is the operator of abiotp.store. For privacy-related inquiries, requests (e.g., accessing your data, updating preferences, withdrawing consent), or complaints, contact our Privacy Team:

  • Email: support@abiotp.store (Subject Line: “Privacy Inquiry”)
  • Response Commitment: We acknowledge all requests within 1 business day and aim to resolve them within 30 days. For complex requests (e.g., exporting your full data record), we may extend this timeline by up to 2 months, but will notify you of delays in writing and provide biweekly updates until resolution.

3. What Personal Data We Collect

We collect personal data only for specific, legitimate purposes and avoid unnecessary collection. Data collection is currently limited to pre-launch interactions, with additional categories to be added post-launch (outlined below):

3.1 Data Collected During Pre-Launch Browsing (No Account Required)

When you visit the pre-launch page, we automatically collect technical data to support launch planning and site security:

  • IP Address: To identify your general geographic region (e.g., country, state) for two key purposes:
    • Pre-launch optimization: Understanding user traffic origins to tailor post-launch logistics (e.g., selecting shipping carriers for high-traffic regions) and regional marketing strategies (e.g., promoting seasonal products based on location).
    • Fraud prevention: Blocking unauthorized access attempts (e.g., repeated automated requests from high-risk IP ranges linked to spam or cyberattacks).
  • Visit Metrics: Date/time of your visit, duration spent on the pre-launch page, and interactions (e.g., clicks on social media icons, “Notify Me” buttons once available). This helps us measure pre-launch interest and refine post-launch user experience (e.g., prioritizing features that drive engagement).
  • Browser & Device Details: Browser type/version (e.g., Chrome 120, Safari 17.3), operating system (e.g., iOS 18, Windows 11), and device model (e.g., iPhone 15, Samsung Galaxy S24). This ensures the post-launch store is compatible with popular devices and resolves potential display issues (e.g., optimizing mobile responsiveness if 70% of pre-launch users visit via smartphones).
  • Referral Source: How you found our pre-launch page (e.g., Google search, social media link, direct URL entry) to evaluate the effectiveness of pre-launch marketing channels (e.g., investing more in high-converting platforms like Instagram).

Legal Basis: This collection is based on Article 6(1)(f) GDPR (our legitimate interest in preparing a secure, user-friendly store for launch) and CCPA Section 1798.100 (reasonable business purposes for pre-launch planning).

3.2 Data Collected for Pre-Launch Updates (Future Voluntary Feature)

Once we enable launch notifications (e.g., a “Be the first to know” form), we will collect contact data to send timely updates:

  • Email Address: To deliver pre-launch teasers (e.g., “Sneak peek: Our first product line!”), launch date announcements, early access invitations, and exclusive pre-launch offers (e.g., “10% off your first order for subscribers”).
  • Optional Name: For personalized communication (e.g., “Hi [Name], your launch access link is ready!”)—you may choose to provide only your email address if preferred.

We will store this data securely and never share it with third parties for marketing without your explicit consent.

3.3 Data Collected Post-Launch (Future Functionality)

Once the store launches, we will collect additional data to support core e-commerce features, including account management and order fulfillment:

3.3.1 Account Registration Data

Creating an account (required for purchases, post-launch) will involve collecting:

  • Full Name: To personalize your account dashboard (e.g., “Welcome back, [Name]”) and verify your identity for order fulfillment (reducing the risk of shipping to unauthorized addresses).
  • Email Address: To send account confirmations (you must click a verification link to activate your account), password reset links, order updates (e.g., “Your package shipped”), and marketing communications (if opted in).
  • Encrypted Password: Stored using industry-standard hashing technology (e.g., bcrypt with a work factor of 12)—we never access or store your raw password, even internally.
  • Optional Phone Number: For SMS alerts (e.g., “Password reset code: 456789” or “Delivery today between 2–4 PM”) if you explicitly opt in. You can disable SMS notifications anytime via your account’s “Communication Preferences” tab.
  • Shipping/Billing Addresses: To save time on future orders—you can add multiple addresses (e.g., home, work) and set a default. We will validate addresses against third-party databases (e.g., USPS Address Validation) to minimize delivery failures.

3.3.2 Purchase & Transaction Data

When you place orders post-launch, we will collect data to fulfill your purchase and comply with legal requirements:

  • Delivery Address: Full address (including apartment numbers, postal codes) and special instructions (e.g., “Leave at back door—no signature needed”) to ensure accurate shipping.
  • Billing Address: To verify your payment method (e.g., matching the address on your credit card statement) and comply with anti-money laundering (AML) laws.
  • Payment Identifiers: Last 4 digits of a credit card, PayPal ID, or Apple Pay/Google Pay token. We never store full credit card details—all payments will be processed by PCI DSS (Payment Card Industry Data Security Standard)-compliant third-party providers (e.g., Stripe, PayPal), who encrypt and secure your financial data.
  • Order Details: Product name, SKU, quantity, color, size, price, and any customizations (e.g., “embroidered logo”) to ensure correct fulfillment and resolve issues like missing items or incorrect sizes.

Legal Basis: Post-launch purchase data collection is based on Article 6(1)(b) GDPR (necessary to fulfill our contractual obligation to deliver your order) and CCPA Section 1798.100 (contractual compliance).

3.4 Data Collected via Cookies & Tracking Technologies

We use cookies (small text files stored on your device) and web pixels to enhance security and user experience—even during the pre-launch phase. You can manage cookie preferences via the “Cookie Settings” link in the site footer (available post-launch; pre-launch uses minimal, non-intrusive cookies):

  • Strictly Necessary Cookies
    • Purpose: Enable core functionality: pre-launch page loading, session security (e.g., preventing repeated form submissions), and post-launch cart persistence. Cannot be disabled.
    • Legal Basis: Article 6(1)(f) GDPR (legitimate interest)
  • Functional Cookies
    • Purpose: Save preferences post-launch (e.g., saved shipping addresses, language/currency settings) to avoid re-entering information.
    • Legal Basis: Article 6(1)(f) GDPR (legitimate interest)
  • Performance/Analytics Cookies
    • Purpose: Collect anonymous data (e.g., pre-launch page load time, post-launch product page visits, bounce rate) to improve site speed, fix bugs, and optimize layout.
    • Legal Basis: Consent (if required by law) or Article 6(1)(f) GDPR
  • Marketing Cookies
    • Purpose: Track interactions with pre-launch/launch promotions (e.g., clicking a “Launch Alert” email link) to deliver targeted updates (e.g., “Your saved item is now in stock”) post-launch.
    • Legal Basis: Explicit consent (GDPR/CCPA)

Web pixels (invisible images embedded in emails or web pages) will track pre-launch email opens (e.g., “Did you view our launch teaser?”) and post-launch purchase conversions—this data is aggregated and anonymized unless you consent to linking it to your personal data.

4. How We Use Your Personal Data

We use your personal data exclusively for the purposes it was collected—no unstated use without your explicit consent:

4.1 Pre-Launch Planning & Communication

  • Site Development: Use browsing data (IP region, device details) to refine the post-launch store (e.g., prioritizing mobile design if most pre-launch users visit via smartphones) and test features (e.g., load time optimization for product pages).
  • Launch Updates: Once launch notifications are enabled, send email notifications (if you subscribed) about launch timelines, early access opportunities, and exclusive offers—you can unsubscribe anytime via the “Unsubscribe” link in emails.

4.2 Post-Launch Account Management & Order Fulfillment

  • Account Maintenance: Update your saved preferences (addresses, communication opt-ins), secure your account (e.g., sending alerts for unusual login activity from a new device), and provide password reset functionality.
  • Payment Processing: Share billing address and payment identifiers with PCI DSS-compliant providers to verify funds, process transactions securely, and prevent fraud (e.g., flagging stolen credit cards).
  • Shipping Coordination: Share your name, delivery address, and order number with trusted carriers (e.g., UPS, FedEx) to ensure timely delivery—if you opted in to SMS alerts, we may share your phone number with the carrier for updates (e.g., “Your package is out for delivery”).

4.3 Communication & Support

  • Transactional Updates: Send non-marketing communications (required to fulfill our contract) post-launch, including order confirmations, shipping notifications, refund alerts, and password reset links. These emails are not optional—they are essential to keep you informed.
  • Marketing Communications: Send emails/SMS about post-launch sales, new product launches, or personalized offers (e.g., “You viewed these items—save 15%”) only if you opt in. These include an easy unsubscribe option (e.g., “Unsubscribe” link in emails, replying “STOP” to SMS).
  • Customer Support: Use your order history and contact data to resolve inquiries (e.g., tracking a missing package, addressing a product defect) efficiently—retain communication records for 30 days post-resolution to ensure follow-up support (e.g., checking if a replacement item arrived).

4.4 Security & Compliance

  • Fraud Detection: Use IP address, billing/delivery address matching (post-launch), and order patterns to flag suspicious activity (e.g., multiple pre-launch email sign-ups from the same IP, post-launch orders with mismatched addresses).
  • Legal Compliance: Retain pre-launch communication records and post-launch order data for 7 years to meet U.S. tax/accounting requirements (e.g., IRS audits) and disclose data if required by law (e.g., court orders, subpoenas). We only share the minimum amount of data necessary.

5. How We Share Your Personal Data

We never sell your personal data to third parties for marketing purposes—this includes sharing your email address, phone number, or browsing history with advertisers, data brokers, or other businesses for their own promotions. We only share data with trusted partners who assist us in delivering services, and these partners are bound by strict contractual obligations to protect your data and use it only as instructed:

5.1 Pre-Launch/Post-Launch Technical Partners

  • Hosting & Security Providers: Share anonymized browsing data (e.g., pre-launch IP regions, post-launch traffic trends) with providers like AWS to maintain site uptime, block DDoS attacks, and prevent unauthorized access to the pre-launch page.
  • Analytics Providers: Share aggregated, anonymized data with Google Analytics to measure pre-launch engagement (e.g., how many users subscribe to launch alerts) and post-launch store performance (e.g., checkout abandonment rate). Anonymized data cannot be linked to individual users (e.g., IP addresses are truncated).

5.2 Post-Launch Payment & Shipping Partners

  • Payment Service Providers: Share billing address and payment identifiers (last 4 digits of a card) with PCI DSS-compliant providers (e.g., Stripe, PayPal) to process transactions—these providers retain data only for the transaction lifecycle (typically 30 days) and do not use it for marketing.
  • Shipping Carriers: Share your name, delivery address, and order number with carriers (e.g., UPS, FedEx) to deliver products—carriers are prohibited from using your data for any purpose other than delivery (e.g., adding you to their marketing lists) and must delete your data post-delivery.

5.3 Marketing Partners (If Opted In)

  • Share your email address or phone number (with explicit consent) with trusted marketing providers (e.g., Mailchimp for emails, Twilio for SMS) to send pre-launch updates and post-launch promotions. These partners are contractually required to:
    • Use your data only to execute our campaigns (not their own).
    • Honor your opt-out requests within 7 days.
    • Protect your data with encryption and access controls.

5.4 Legal & Regulatory Authorities

  • Disclose your personal data if required by law (e.g., to comply with a court order, tax audit, or anti-fraud investigation) or to protect our legitimate interests (e.g., investigating fraudulent orders, defending against legal claims). We notify you of the disclosure unless prohibited by law (e.g., sealed court orders).

6. Data Security & Retention

6.1 Data Security Measures

We use industry-leading technical and organizational measures to protect your personal data from unauthorized access, disclosure, alteration, or destruction:

  • Encryption: All data transmitted between your browser and our server (e.g., pre-launch email sign-ups, post-launch payments) is encrypted using SSL/TLS 1.3 technology—the global standard for secure online communications.
  • Secure Storage: Sensitive data (encrypted passwords, post-launch order records) is stored on servers with:
    • Physical security: Data centers with 24/7 security guards, biometric entry systems (e.g., fingerprint scanners), and video surveillance.
    • Digital security: Multi-factor authentication (MFA) for authorized staff, role-based access controls (e.g., only support teams can view order details), and firewalls to block unauthorized server access.
  • Regular Audits: Conduct quarterly security audits and penetration testing (by independent firms like HackerOne) to identify and fix vulnerabilities (e.g., weak password policies, unpatched software).
  • Employee Training: All staff receive annual data protection training to recognize phishing attempts, avoid unauthorized data sharing, and report security incidents (e.g., a lost laptop with customer data).
  • Breach Response Plan: If a data breach occurs (e.g., unauthorized access to pre-launch email lists or post-launch order data), we will:
    1. Contain the breach (e.g., isolate affected servers, revoke compromised credentials).
    2. Assess the impact (e.g., identifying which users’ data was exposed).
    3. Notify affected users and regulators within 72 hours (as required by GDPR/CCPA) and provide steps to protect yourself (e.g., password resets, credit monitoring tips).

While we take every reasonable step to secure your data, no system is 100% secure. We cannot guarantee that unauthorized third parties will never bypass our measures, but we will take all commercially reasonable steps to mitigate risks and notify you promptly if a breach occurs.

6.2 Data Retention Periods

We retain your personal data only as long as necessary to fulfill the purposes it was collected, plus any time required by law:

  • Pre-Launch Data:
    • Browsing data (IP, visit metrics): Anonymized or deleted within 3 months of your last visit.
    • Subscription data (email/name): Retained until 30 days post-launch (or longer if you opt in to post-launch marketing).
  • Post-Launch Data:
    • Account data: Retained while your account is active—deleted 30 days after you close your account (unless legal obligations apply).
    • Order data: Retained for 7 years to comply with U.S. tax laws—anonymized after 7 years (identifiers like your name/address are removed).
    • Support data: Deleted 30 days after your inquiry is resolved (unless it involves a legal dispute, in which case it is retained until the dispute is finalized).
    • Marketing data: Retained only while you opt in—deleted within 7 days of unsubscribing (we may retain a hashed version of your email to avoid re-adding you to lists).

If you request erasure of your data (via the “Right to Erasure” in Section 7), we will delete or anonymize it within 14 business days—unless we are required by law to retain it (e.g., order records for tax compliance). In such cases, we will “block” the data (restrict access to authorized staff only) until the legal retention period expires.

7. Your Privacy Rights

Under GDPR, CCPA, and other regional laws, you have the following rights regarding your personal data. To exercise these rights, email support@abiotp.store with proof of identity (e.g., a copy of your pre-launch subscription confirmation, a redacted government ID, or a response to a security question like “What email did you use to subscribe to launch alerts?”):

7.1 Right to Access

You can request a copy of all personal data we hold about you, including:

  • What data we collected (e.g., your email address, pre-launch browsing activity, post-launch order history).
  • When and how it was collected (e.g., “Collected via pre-launch subscription form on 2025-09-25”).
  • How we used and shared it (e.g., “Used to send launch alerts; shared with Mailchimp”).
  • The retention period for the data (e.g., “Retained until 2032 for tax compliance”).

We provide this data in a machine-readable format (e.g., CSV, JSON) if requested, free of charge for the first request per 12 months. Subsequent requests may incur a reasonable fee (e.g., $10) to cover administrative costs.

7.2 Right to Rectification

If your personal data is inaccurate or incomplete (e.g., a typo in your email address, an outdated shipping address), you can request to correct it. We will update your data within 7 business days and notify you once changes are made—we also update linked records (e.g., post-launch order receipts) to ensure consistency.

7.3 Right to Erasure (“Right to Be Forgotten”)

You can request deletion of your personal data if:

  • It is no longer necessary for the purpose it was collected (e.g., you no longer want pre-launch updates).
  • You withdraw consent (e.g., opt out of marketing with no other legal basis for processing).
  • The data was collected unlawfully (e.g., we collected your phone number without consent).

We confirm deletion within 14 business days. If we shared your data with third parties (e.g., a marketing provider), we will notify them to delete your data or stop using it.

Exception: We cannot delete data required by law (e.g., post-launch order records for tax compliance)—we will notify you of the legal obligation and explain retention timelines.

7.4 Right to Restriction of Processing

You can request to limit how we use your data if:

  • You dispute its accuracy (we restrict processing until we verify correctness).
  • Processing is unlawful (but you do not want deletion).
  • You need the data for legal claims (even if we no longer need it).

While restricted, we only use your data with your consent or for legal purposes (e.g., defending a lawsuit).

7.5 Right to Data Portability

You can request your personal data in a structured, machine-readable format (e.g., CSV) to transfer to another service provider (e.g., another online store). This applies to data you provided (e.g., name, email, order history) and data processed via consent or contract (e.g., post-launch purchase data). We provide the data within 14 business days—if technically feasible, we can transfer it directly to the other provider.

7.6 Right to Object

  • Marketing: You can object to marketing processing at any time (unsubscribe via email links or account settings)—we stop processing immediately.
  • Legitimate Interest Processing: If we use your data for legitimate interests (e.g., pre-launch browsing data to improve the store), you can object by providing a reason why the processing harms your interests. We will stop processing if your rights outweigh our interests.

7.7 Right to Withdraw Consent

If you previously consented to data processing (e.g., pre-launch SMS alerts, marketing cookies), you can withdraw consent anytime. Withdrawal does not affect the legality of processing before consent was withdrawn.

7.8 Right to Lodge a Complaint

You can file a complaint with a data protection authority in your region:

  • EU/UK: Local authority (e.g., ICO in the UK, CNIL in France).
  • California: California Attorney General’s Office or California Privacy Protection Agency (CPPA).
  • U.S. (Other States): Federal Trade Commission (FTC) or your state’s attorney general.

8. Changes to This Policy

We may update this Privacy Policy to reflect:

  • Changes in legal requirements (e.g., new state privacy laws).
  • Post-launch store features (e.g., adding a loyalty program that collects points data).
  • Updates to data processing practices (e.g., switching to a new payment provider).

When we make changes:

  • We post the revised Policy on the site with a new “Last Updated” date.
  • We notify subscribers/account holders of material changes (e.g., new data collection, changes to sharing practices) via email at least 7 days before the changes take effect—including a summary of key updates and a link to the full Policy.
  • Non-material changes (e.g., updating contact information) are posted without additional notification.

Your continued use of abiotp.store after the revised Policy is posted constitutes acceptance of the changes. If you disagree with the changes, stop using the site and close your account (post-launch) via support@abiotp.store.

9. Children’s Privacy

We do not intentionally collect personal data from children under the age of 13 (or the age of majority in your region, if higher). Our site is not directed at children, and parents/guardians must ensure minors do not provide data (e.g., pre-launch email sign-ups, post-launch account creation). If we accidentally collect child data, we delete it within 7 business days and notify the parent/guardian (if contact details are available). To report child data collection, email support@abiotp.store.