This Privacy Policy describes how SuccessVariable LLC ("Company," "We," "Us," or "Our") collects, uses, stores, and protects information in connection with the ENDUURE Checkout application.
1. Information We Collect
We collect and process the following categories of information:
Account and Store Information
- Store identification (store hash or ID), store name, URL, and storefront configuration
- User names, email addresses, and roles/permissions
- BigCommerce store settings relevant to the Application
- BigCommerce OAuth access tokens and storefront API tokens required to operate on your behalf
- Owner email address and user ID associated with the BigCommerce store
Merchant Store Data
- Product catalog information (names, SKUs, categories, pricing, inventory status) retrieved on demand
- Order data (order IDs, totals, status, line items, shipping addresses, customer names and email addresses) received via webhooks and API calls
- Customer data from your store (names, email addresses, shipping addresses, phone numbers) as necessary for compliance, verification, and checkout features
- Shopping cart and checkout session data processed in real time
- Shipping zones, methods, and payment method configurations
- Category structures and product metadata used for rule-based checkout logic
- B2B Edition data (company accounts, company addresses) if applicable
Important: We access your store data solely to provide the Application's services. We do not independently market to, solicit, or contact your customers. You are the data controller for your store data and your customers' personal information. We act as a data processor on your behalf.
Terms Acceptance Records
- Timestamp of acceptance
- IP address at time of acceptance
- Browser, device, and operating system information
- Device fingerprint data and full browser metadata
- Session identifiers and cookie status
- Specific version and cryptographic hash of the terms accepted
Usage and Analytics Data
- Feature activation records and settings/preferences
- API interactions and webhook events
- Error logs, crash reports, and diagnostic information collected via Sentry (error monitoring), which may include user context and session replay data
- Session recordings and interaction analytics collected via PostHog (product analytics), which may record clicks, scrolls, page views, and on-screen content visible during your use of the admin dashboard
- Feature usage patterns, navigation paths, and time spent on features
Payment and Subscription Information
- Subscription plan details, billing frequency, and status
- Payment transaction records via Stripe (we store only card brand and last four digits, never full card numbers)
- Billing contact information and Stripe customer ID
- Invoice history, balance transactions, and usage-based billing data
Compliance and Customer Verification Data
- Identity verification data from government IDs and selfies (via Persona)
- Compliance forms, attestations, and digital signature text
- Shipping addresses associated with compliance orders
- FFL selection data (dealer name, address, license number)
- Verification status, flags, and results from identity verification
- Hashed address data for returning customer verification reuse
- Partial ID extraction data stored for manual review when automated extraction fails
- Compliance documents stored in encrypted cloud storage (AWS S3) with regulatory retention periods
Order Tracking and Recovery Data
- Order IDs, cart IDs, checkout IDs, and customer IDs
- Customer email addresses and names associated with tracked orders
- Order totals, status, and feature-specific metadata
- Recovery link tokens, IP addresses, and user agents for post-checkout recovery
- Email delivery logs including recipient addresses, subjects, and delivery status
FFL Locator Data
- IP address and user agent of searchers
- Search parameters (ZIP code, radius) and license numbers queried
Administrative and Support Data
- Support interactions synced to Plain.com (email, store identifier, conversation context)
- BI dashboard access records (email, IP address, authentication tokens)
- Compliance document access logs (who accessed what, from what IP/browser)
Cookies, Session Storage, and Local Storage
- Encrypted session cookies for admin authentication
- Session storage for checkout settings cache and feature flags
- Local storage for verification tokens, B2B session data, and shipping insurance preferences
- We do not use third-party advertising or tracking cookies
Note: Customer compliance data is processed solely to facilitate compliance on your behalf. You are responsible for obtaining necessary consents from your customers, maintaining your own privacy policy that discloses this collection, and complying with all applicable data protection laws.
2. Biometric Information
When identity verification is required (such as for California AB 1263 compliance), we use Persona as our identity verification provider. The following biometric data may be processed:
What We Collect
- Facial Geometry: Measurements derived from selfie photos for matching against ID photos
- Liveness Data: Analysis to confirm a real person is present (not a photo or video)
- Document Images: Photos of government-issued identification documents
How We Use Biometric Data
- Verify that the person presenting the ID is the legitimate owner
- Confirm the ID document is authentic and valid
- Meet California AB 1263 and SB 704 identity verification requirements
- Create compliance records for regulatory audits
What We Do NOT Do
- We do NOT use biometric data for surveillance, tracking, or behavioral profiling
- We do NOT sell, lease, trade, or profit from biometric data
- We do NOT retain raw biometric templates beyond verification completion
Consent for Biometric Data
By using the identity verification features, you acknowledge and consent to biometric data processing. For merchants in Illinois or other jurisdictions with biometric privacy laws (e.g., BIPA), you are responsible for ensuring your customers provide informed written consent before initiating identity verification.
Data Retention for Biometric Information
| Data Type | Retention | Reason |
|---|---|---|
| ID/Selfie Images | 90 days | Minimize breach exposure |
| Verification Results | 3 years | AB 1263 compliance defense |
| Compliance Documents (S3) | Up to 20 years | Regulatory retention with object lock |
| Audit Logs | 7 years | Regulatory compliance |
Third-Party Processing: Biometric verification is performed by Persona. Their processing is governed by their own privacy policy. We receive verification results and compliance records, but do not directly process raw biometric data.
3. How We Use Your Information
We use collected information for:
- Providing the Application: Operating core functionalities including checkout customization, compliance steps, FFL lookup, and BigCommerce API integration
- Processing Transactions: Managing subscription billing through Stripe and tracking usage-based billing
- Communicating: Service-related notifications, compliance alerts, shipped order notifications, billing notices, and support
- Security: Monitoring for suspicious activity, verifying API requests via HMAC-SHA256, and preventing unauthorized use
- Product Improvement: Using anonymized usage data, session recordings (PostHog), and error reports (Sentry) to improve performance and develop features
- Legal Obligations: Complying with applicable laws and responding to lawful requests
- Creating Legal Records: Evidence for compliance verification, dispute resolution, and legal defense
- Billing Reconciliation: Tracking orders and verifications for accurate usage-based billing
4. Legal Basis for Processing
- Consent: By accepting this policy and using the Application
- Contract Performance: Processing data needed to provide services under our Terms of Service
- Legal Obligations: Complying with laws, court orders, and record retention requirements
- Legitimate Interests: Improving the Application, security, fraud prevention, and customer support
5. Data Retention
| Data Category | Retention Period |
|---|---|
| Terms Acceptance Records | Indefinite (immutable legal evidence) |
| Feature Activation / Compliance Logs | 7 years minimum |
| Compliance Documents (S3) | Regulatory retention periods (up to 20 years) |
| Usage / Analytics Data | ~3 years |
| Account Information | Active use + 7 years after termination |
| Order Tracking / Billing Data | 7 years after billing period |
| FFL Audit Logs | 3 years |
| Email Delivery Logs | 2 years |
| Recovery Link Data | 90 days |
Important: California law may require certain records to be kept for at least five years. You must ensure you retain your own copies as required by applicable law. You are solely responsible for downloading and securely storing compliance documentation.
6. Data Sharing and Sub-Processors
We disclose information to the following categories of sub-processors and service providers:
| Service | Purpose | Data Processed |
|---|---|---|
| Vercel / AWS | Cloud hosting and infrastructure | All Application data |
| Stripe | Payment processing | Billing info, subscription details |
| Persona | Identity verification | ID images, selfies, name, DOB, address |
| PostHog | Product analytics and session recordings | User email, store ID, usage events, session recordings |
| Sentry | Error monitoring | Error context, user IDs, session replay |
| Resend | Email delivery | Recipient emails, email content |
| Plain.com | Customer support | Merchant email, store ID, support content |
| Trigger.dev | Background job processing | Data required for async tasks |
We also disclose information for:
- Legal Compliance: When required by law, subpoena, court order, or to protect our rights
- Professional Advisors: Attorneys, accountants, and auditors as necessary
- Business Transfers: In the event of a merger, acquisition, or sale of assets
- Aggregated Data: Anonymized data that cannot reasonably identify you
We do NOT sell your personal information to third parties. We do not share personal data for cross-context behavioral advertising.
7. Merchant Data: Roles and Responsibilities
THIS SECTION IS CRITICAL FOR MERCHANTS
This section clarifies who is responsible for what when it comes to your store data and your customers' personal information.
Data Controller vs. Data Processor
You (the Merchant) are the data controller for your store data and your customers' personal information. SuccessVariable LLC acts as a data processor processing this data on your behalf.
Your Obligations as Data Controller
- Maintain a privacy policy on your store that discloses all data collection through the Application, including identity verification, biometric data, analytics, and session recordings
- Obtain all legally required consents from your customers (including biometric consent under BIPA and equivalent laws)
- Ensure your use of the Application complies with all data protection laws (GDPR, CCPA/CPRA, BIPA, etc.)
- Respond to data subject access requests, deletion requests, and other privacy rights requests from your customers
- Ensure all data provided to us is collected lawfully with proper authorization
Our Obligations as Data Processor
- Process your data only as necessary to provide the Application's services
- Implement appropriate security measures to protect data
- Not use your customers' data for our own independent commercial purposes
- Assist you in responding to data subject rights requests
- Notify you of data breaches affecting your data within 72 hours
- Delete or return your data upon termination, subject to legal retention
Prohibited Uses of Customer Data
- We will NOT contact your customers for marketing or solicitation
- We will NOT sell, rent, or lease your customers' personal information
- We will NOT use your customers' data to compete with your business
- We will NOT share your customers' data with other merchants
8. Data Security
- Encryption in Transit: TLS 1.3 / HTTPS for all data transmission
- Encryption at Rest: AES-256 encryption for databases and cloud storage; S3 objects with server-side encryption and object lock
- Access Controls: Multi-factor authentication, strict need-to-know access, role-based permissions
- Session Security: Encrypted iron-session cookies; JWE (A256GCM) encrypted authentication tokens
- API Security: CORS validation, HMAC-SHA256 signed requests with timestamp validation, path-based security rules
- Secure Development: Regular security assessments and code reviews
- Audit Logs: Tamper-evident logs for critical actions with IP, user agent, and timestamp
- Data Isolation: Multi-tenant data isolated by store hash; all queries scoped to authenticated tenant
- Compliance Document Security: AWS S3 with object lock (WORM), presigned URLs with expiration, and access logging
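The "HMAC-SHA256 signed requests with timestamp validation" item above names a mechanism without showing it. The following is an added illustration written for this page, not ENDUURE's or SuccessVariable's code: it signs a request over the method, path, timestamp and a hash of the body, and the verifier rejects stale timestamps before checking the MAC with a constant-time comparison. The header names, the canonical-string layout, the 300-second window and the sample secret are all assumptions chosen for the example; the policy does not specify a wire format.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

# Hypothetical header names and replay window; the policy states only that
# requests are HMAC-SHA256 signed with timestamp validation.
SIGNATURE_HEADER = "X-Signature"
TIMESTAMP_HEADER = "X-Timestamp"
MAX_SKEW_SECONDS = 300


def canonical_string(method: str, path: str, timestamp: str, body: bytes) -> bytes:
    """Bind method, path, timestamp and body into one message to sign.

    Hashing the body keeps the string fixed-size and unambiguous, and the
    newline separators stop field boundaries from shifting between fields.
    """
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, timestamp, body_hash]).encode()


def sign_request(secret: bytes, method: str, path: str, body: bytes,
                 timestamp: Optional[int] = None) -> Dict[str, str]:
    """Client side: produce the two headers the verifier expects."""
    ts = str(int(time.time()) if timestamp is None else timestamp)
    mac = hmac.new(secret, canonical_string(method, path, ts, body),
                   hashlib.sha256).hexdigest()
    return {TIMESTAMP_HEADER: ts, SIGNATURE_HEADER: mac}


def verify_request(secret: bytes, method: str, path: str, body: bytes,
                   headers: Dict[str, str],
                   now: Optional[int] = None) -> Tuple[bool, str]:
    """Server side: return (accepted, reason).

    The timestamp window is checked first so stale or replayed requests are
    rejected before any MAC work; compare_digest avoids leaking how many
    bytes of the MAC matched.
    """
    ts_raw = headers.get(TIMESTAMP_HEADER)
    sig = headers.get(SIGNATURE_HEADER)
    if ts_raw is None or sig is None:
        return False, "missing signature headers"
    try:
        ts = int(ts_raw)
    except ValueError:
        return False, "malformed timestamp"
    current = int(time.time()) if now is None else now
    if abs(current - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside allowed window"
    # Recompute over the timestamp string exactly as received, so any
    # alteration of the header after signing breaks the MAC.
    expected = hmac.new(secret, canonical_string(method, path, ts_raw, body),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a webhook-style POST signed with a made-up secret.
    secret = b"constructed-example-secret"
    body = b'{"order_id": 1001, "status": "shipped"}'
    headers = sign_request(secret, "POST", "/api/webhooks/order", body)
    print(verify_request(secret, "POST", "/api/webhooks/order", body, headers))
    # A tampered body fails even though the headers are unchanged.
    print(verify_request(secret, "POST", "/api/webhooks/order",
                         b'{"order_id": 1001, "status": "cancelled"}', headers))
```

A timestamp window bounds how long a captured request stays valid; it does not stop a replay inside the window. A verifier that must reject replays outright would additionally record seen signatures (or a nonce) for the length of the window, which the page does not claim to do.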
9. International Data Transfers
The Application is hosted and operated in the United States. If you are located outside the United States, your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction.
By using the Application, you consent to this transfer. We implement appropriate safeguards for international data transfers, including Standard Contractual Clauses (SCCs) where required.
10. Data Breach Notification
In the event of a security breach affecting personal information we process on your behalf:
- We will notify you within 72 hours of becoming aware of the breach
- Notification will include: nature of the breach, categories and approximate number of records affected, likely consequences, and measures taken
- We will cooperate with your breach notification obligations to affected individuals and regulatory authorities
- You are responsible for complying with breach notification laws applicable to your business (state laws vary from 15 to 60 days)
11. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access: Request a copy of your personal data
- Rectification: Request correction of inaccurate data
- Deletion: Request deletion (subject to legal retention requirements)
- Portability: Request transfer of your data in a portable format
- Object: Object to certain processing activities
- Withdraw Consent: Withdraw consent at any time where processing is consent-based
Contact us at checkout_bc@enduure.com to exercise these rights. We will respond within 30 days.
Note: Terms Acceptance Records, compliance audit logs, and transaction records cannot be deleted as they serve as legal evidence or are required for regulatory compliance.
12. California Residents
California residents have additional rights under CCPA/CPRA:
- Right to know what personal information we collect and how it is used
- Right to access specific pieces of personal information
- Right to request deletion (with legal exemptions)
- Right to correct inaccurate personal information
- Right to opt out of "sale" or "sharing" of personal information
- Right to limit use and disclosure of sensitive personal information
- Right not to be discriminated against for exercising these rights
Categories of Personal Information Collected (per CCPA)
- Identifiers (name, email, IP address, store hash, device identifiers)
- Commercial information (subscription records, order tracking, billing history)
- Internet/electronic activity (usage data, session recordings, error logs, API logs)
- Geolocation data (IP-derived location, FFL search locations)
- Biometric information (facial geometry via Persona)
- Professional information (store owner details, business information)
- Sensitive personal information (government ID data, biometric data)
We do not sell personal information as defined under CCPA/CPRA.
To exercise your rights, contact checkout_bc@enduure.com with "CCPA Request" in the subject line. We will respond within 45 days.
13. Other State Privacy Laws
We respect the privacy rights granted by all applicable U.S. state privacy laws, including the Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), and Utah Consumer Privacy Act (UCPA). If you are a resident of a state with applicable privacy legislation, you may exercise your rights by contacting us at checkout_bc@enduure.com.
14. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated through the Application or via email. Continued use of the Application after updates constitutes acceptance of the revised policy.
15. Data Deletion Requests
You have the right to request deletion of your personal data. To submit a deletion request:
How to Request Deletion
- Email checkout_bc@enduure.com with subject line "Data Deletion Request"
- Include your store hash or store URL for identification
- Specify what data you would like deleted
- We will respond within 30 days confirming receipt and timeline
What Can Be Deleted
- Account information and preferences
- Usage data, session recordings, and error reports
- Biometric images (ID photos, selfies) after 90 days automatically
- Email delivery logs and FFL search audit logs
- Recovery link data
What Cannot Be Deleted
- Terms Acceptance Records: Legal evidence of agreement
- Compliance Audit Logs: Required for regulatory purposes
- Transaction / Billing Records: Financial and tax compliance requirements
- Compliance Documents: Subject to legal retention requirements
Important: Deletion of account data will result in termination of your subscription and loss of access to the Application. Compliance records may be retained as required by law even after account deletion.
16. Contact Us
SuccessVariable LLC
Email: checkout_bc@enduure.com