Privacy Policy

Elixio Digital ("we", "us", "our") operates the marketplace at elixiodigital.com. We are the data controller for any personal information you provide when using our Service. You can reach our Data Protection Officer at [email protected].

We collect the following categories of personal data:

• Account data — email, display name, hashed password (bcrypt, cost factor 12). OAuth profile data if you sign in with Google or GitHub.
• Authentication metadata — IP address, user agent, approximate geo-location (country/city via ipapi.co, 7-day cache), login timestamps, MFA factors (TOTP seeds encrypted with AES-256-GCM, WebAuthn passkey public keys).
• Creator content — uploaded asset files, preview images, storefront metadata, sales analytics aggregated from your activity.
• Buyer activity — purchases, download history, tax-region snapshots attached to each Order.
• Usage data — pages viewed, features used, error logs. We do not sell your data to third parties.

We use your personal data for the following purposes:

• Creating and authenticating your account.
• Processing payments and issuing invoices/receipts.
• Calculating and collecting applicable taxes (VAT, GST, sales tax).
• Sending transactional emails (verification, password reset, purchase receipts).
• Sending security alerts when we detect a sign-in from a new country or device.
• Improving the Service through aggregated analytics.
• Complying with legal obligations (tax reporting, anti-fraud).

We rely on the following legal bases under GDPR Article 6: (a) performance of contract (your purchase), (b) our legitimate interests (security, fraud prevention), (c) legal obligation (tax, anti-money-laundering), and (d) your consent (marketing communications, non-essential cookies).

We use a minimal set of cookies and localStorage entries:

• Authentication — access token + refresh token in localStorage. Essential to the Service and cannot be disabled.
• Locale preference — your chosen language + RTL flag in localStorage. Essential for i18n; cannot be disabled.
• Theme preference — light/dark/system mode + brand palette in localStorage. Functional but non-essential.
• Cookie consent — your Accept/Decline choice in localStorage. Stored for 12 months as required by GDPR / ePrivacy.

We do not use third-party advertising cookies. See our Cookie Policy for full details.

We share personal data with a small set of vetted processors:

• Cloudflare — DNS, CDN, DDoS protection.
• Railway — application hosting (US region).
• Cloudflare R2 — encrypted file storage (zero-egress).
• Resend — transactional email delivery.
• Google Gemini API — AI features (listing copywriter, asset critique, sales coach). Only the content you submit is sent; no account data.
• Stripe / Razorpay — payment processing (when payments ship).
• ipapi.co — IP-to-location lookup (7-day cache).

Each processor has a Data Processing Agreement (DPA) on file. We do not sell your personal data, and we do not share it with advertisers.

Our primary database is hosted in the US (Railway). If you are in the EEA, UK, or Switzerland, your data is transferred to the US under the European Commission's Standard Contractual Clauses (SCCs) plus supplementary measures (encryption at rest and in transit, access logging). Contact us for a copy of our Transfer Impact Assessment (TIA).

We keep your personal data only as long as needed:

• Account data: while your account is active + 30 days after deletion request.
• Authentication logs: 90 days, then aggregated.
• Tax records (orders, invoices): 7 years (required by tax law).
• Backups: encrypted, retained for 35 days then deleted.

Depending on your jurisdiction, you have some or all of these rights:

• Access — request a copy of your personal data.
• Rectification — correct inaccurate data.
• Erasure — request deletion (“right to be forgotten”).
• Restriction — pause processing while a dispute is resolved.
• Portability — receive your data in a machine-readable format (JSON).
• Object — opt out of processing based on legitimate interest.
• Withdraw consent — for marketing or non-essential cookies.
• Lodge a complaint with your local data protection authority.

To exercise any of these rights, email [email protected] from your registered account email. We respond within 30 days.

We protect your data with industry-standard measures:

• TLS 1.3 in transit, AES-256 at rest.
• Passwords hashed with bcrypt cost 12.
• TOTP seeds and OAuth tokens encrypted with AES-256-GCM (key managed separately).
• HSTS preload, strict CSP, X-Frame-Options: DENY.
• Rate limits per action + global IP limits.
• New-location sign-in email alerts.
• Regular access-log review + automated anomaly detection.

The Service is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has provided data, contact us and we will delete it within 7 days.

We may update this Privacy Policy. Material changes will be announced via email at least 30 days before they take effect. The "Last updated" date at the top reflects the current version.

For any privacy-related question, write to [email protected]. We aim to respond within 5 business days.