Privacy Policy

Last updated: October 23, 2025

1. Data Controller

Controller: CARRE Florian

Status: Sole proprietorship (Auto-entrepreneur)

Business ID (SIRET): 839 634 144 00027

Email: contact@getcraft.dev

2. Data Collected

In the context of selling digital products via Gumroad, the following data may be collected:

2.1 Data Collected by Gumroad

  • Identification information: Name, first name (optional), email address
  • Payment information: Credit card number (encrypted), transaction data
  • Technical data: IP address, browser, operating system

Note: Payment information is processed directly and exclusively by Gumroad. The Seller never has access to complete banking data.

2.2 Data Collected by Seller

  • Email: Provided via Gumroad for delivery and support
  • Purchase history: Products purchased, purchase date, amount
  • Communications: Emails exchanged for technical support

3. Purpose of Processing

Personal data is collected and processed for the following purposes:

3.1 Contract Execution

  • Processing and validating orders
  • Delivering digital products (sending download links)
  • Managing payments and invoicing
  • Technical support and customer assistance

3.2 Legal Obligations

  • Compliance with accounting obligations (invoice retention)
  • Managing refund requests
  • Compliance with tax obligations

3.3 Legitimate Interest

  • Sending free updates for purchased products
  • Improving products and services
  • Fraud prevention

4. Legal Basis for Processing

The legal bases justifying personal data processing are:

  • Contract execution: Art. 6(1)(b) GDPR - Processing necessary for contract performance
  • Legal obligation: Art. 6(1)(c) GDPR - Compliance with accounting and tax obligations
  • Legitimate interest: Art. 6(1)(f) GDPR - Service improvement and fraud prevention

5. Data Recipients

Personal data may be transmitted to the following recipients:

5.1 Technical Service Providers

  • Gumroad: Sales and payment platform (USA - Privacy Shield certified)
  • Stripe: Payment processor (USA/Europe - PCI-DSS certified)
  • Hosting services: Vercel for website hosting (USA/Europe)

5.2 Email Services

  • Resend: Transactional email delivery (support and updates)

5.3 Authorities

In the event of a legal request (judicial requisition, tax obligation), data may be disclosed to the competent authorities.

6. International Transfers

Some data is hosted or processed outside the European Union:

  • USA (Gumroad, Stripe, Vercel): Appropriate safeguards via Standard Contractual Clauses (SCC) of the European Commission
  • Certifications: Privacy Shield (when applicable), PCI-DSS, SOC 2

These transfers are carried out in accordance with GDPR to ensure adequate data protection.

7. Data Retention

Personal data is retained for the following periods:

  • Purchase data: 3 years (French accounting obligations)
  • Email for support: Duration of customer relationship + 1 year
  • Update emails: Until customer unsubscribes
  • Gumroad data: According to Gumroad's policy (see gumroad.com)

After these periods, data is deleted or anonymized, unless legal obligation requires longer retention.

8. Your Rights

Under GDPR, you have the following rights regarding your personal data:

8.1 Right of Access

You can request a copy of all personal data concerning you.

8.2 Right to Rectification

You can request correction of inaccurate or incomplete data.

8.3 Right to Erasure

You can request deletion of your data, except for legal retention obligations (example: invoices for 3 years).

8.4 Right to Restriction

You can request a temporary freeze on the processing of your data.

8.5 Right to Portability

You can retrieve your data in a structured, machine-readable format.

8.6 Right to Object

You can object to processing of your data for legitimate reasons.

8.7 Exercising Your Rights

To exercise your rights, contact us:

Email: contact@getcraft.dev

We will respond within a maximum of 1 month from receipt of your request.

9. Data Security

The Seller implements appropriate technical and organizational measures to protect personal data against:

  • Accidental loss
  • Unauthorized use or access
  • Destruction or alteration
  • Unlawful disclosure

Security Measures

  • Encryption: SSL/TLS protocol for all communications
  • Restricted access: Only authorized persons have data access
  • Certified providers: PCI-DSS, SOC 2, ISO 27001
  • Regular backups: To prevent data loss

10. Cookies and Similar Technologies

The getcraft.dev website uses cookies and similar technologies.

10.1 Essential Cookies

  • Session: Maintaining user session
  • Security: Protection against CSRF attacks

10.2 Analytics Cookies (if applicable)

With your consent, we may use analytics cookies to understand how visitors use the site (example: Google Analytics, Plausible).

10.3 Cookie Management

You can configure your browser to refuse cookies. However, some site features may not function properly.

11. Complaint to Supervisory Authority

If you believe your rights are not respected, you have the right to lodge a complaint with the competent supervisory authority:

French Data Protection Authority (CNIL)
3 Place de Fontenoy
TSA 80715
75334 Paris Cedex 07
France
Phone: +33 1 53 73 22 22
Website: www.cnil.fr

If you are located in the European Union, you may also contact your local data protection authority.

12. Changes to Privacy Policy

The Seller reserves the right to modify this Privacy Policy at any time to reflect legal, regulatory, or operational changes.

Changes take effect upon publication on this page. The last update date is indicated at the top of the page.

We encourage you to regularly consult this page to stay informed about how we protect your data.

13. Contact

For any questions regarding this Privacy Policy or exercising your rights, contact us:

Email: contact@getcraft.dev
