This Privacy Policy describes how SuccessVariable LLC ("Company," "We," "Us," or "Our") collects, uses, stores, and protects information in connection with the ENDUURE Checkout application.
1. Information We Collect
We collect and process the following categories of information:
Account Information
- Store identification (store hash or ID)
- User names, email addresses, and roles/permissions
- BigCommerce store settings relevant to the Application
Terms Acceptance Records
- Timestamp of acceptance
- IP address at time of acceptance
- Browser, device, and operating system information
- Session identifiers or device IDs
Usage Data
- Feature activation records
- Settings and preferences
- API interactions and webhook events
- Error logs and diagnostic information
Payment Information
- Subscription plan details and billing frequency
- Payment transaction records (via Stripe)
- Billing contact information
Compliance Data
- Identity verification data from government IDs
- Compliance forms and attestations
- FFL selection data
Note: Customer compliance data is processed solely to facilitate compliance on your behalf. You are responsible for obtaining necessary consents from your customers.
2. Biometric Information
When identity verification is required (such as for California AB 1263 compliance), we use Persona as our identity verification provider. The following biometric data may be processed:
What We Collect
- Facial Geometry: Measurements derived from selfie photos for matching against ID photos
- Liveness Data: Analysis to confirm a real person is present (not a photo or video)
- Document Images: Photos of government-issued identification documents
How We Use Biometric Data
- Verify that the person presenting the ID is the legitimate owner
- Confirm the ID document is authentic and valid
- Meet California AB 1263 and SB 704 identity verification requirements
- Create compliance records for regulatory audits
What We Do NOT Do
- We do NOT use biometric data for surveillance or tracking
- We do NOT sell biometric data to third parties
- We do NOT use biometric data for behavioral profiling
- We do NOT retain raw biometric templates beyond verification completion
Data Retention for Biometric Information
| Data Type | Retention | Reason |
|---|---|---|
| ID/Selfie Images | 90 days | Minimize breach exposure |
| Verification Results | 3 years | AB 1263 compliance defense |
| Audit Logs | 7 years | Regulatory compliance |
Third-Party Processing: Biometric verification is performed by Persona. Their processing is governed by their own privacy policy. We receive verification results and compliance records, but do not directly process raw biometric data.
3. How We Use Your Information
We use collected information for:
- Providing the Application: Operating core functionalities including checkout customization, compliance steps, and FFL lookup
- Processing Transactions: Managing subscription billing through Stripe
- Communicating: Service-related notifications, updates, and support
- Security: Monitoring for suspicious activity, verifying API requests
- Legal Obligations: Complying with applicable laws and regulations
- Creating Legal Records: Evidence for compliance verification and dispute resolution
4. Legal Basis for Processing
- Consent: By accepting this policy and using the Application
- Contract Performance: Processing data needed to provide services
- Legal Obligations: Complying with laws and court orders
- Legitimate Interests: Improving the Application, security, fraud prevention
5. Data Retention
Terms Acceptance Records
Retained indefinitely as immutable legal evidence of agreement acceptance.
Feature Activation Logs
Retained for seven (7) years for legal compliance and audit purposes.
Usage Data
Retained for approximately three (3) years for trend analysis and service improvement.
Account Information
Retained during active use plus seven (7) years after termination.
Customer Compliance Data
Stored temporarily during order processing. You are responsible for downloading and retaining compliance documentation as required by law.
Important: California law may require certain records to be kept for at least five years. You must ensure you retain your own copies as required by applicable law.
6. Data Sharing
We disclose information to:
- Service Providers: Cloud hosting, Stripe for payments, analytics services, Persona for identity verification
- Legal Compliance: When required by law, subpoena, court order, or to protect our rights
- Professional Advisors: Attorneys, accountants, and auditors as necessary
- Business Transfers: In the event of a merger, acquisition, or sale of assets
- Aggregated Data: Anonymized data that cannot reasonably identify you
We do NOT sell your personal information to third parties.
7. Data Security
- Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
- Access Controls: Strict access controls with multi-factor authentication
- Secure Development: Regular security assessments and code reviews
- Audit Logs: Tamper-evident logs for critical actions
- Data Minimization: We collect only what is necessary for the service
8. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access: Request a copy of your personal data
- Rectification: Request correction of inaccurate data
- Deletion: Request deletion (subject to legal retention requirements)
- Portability: Request transfer of your data in a portable format
- Object: Object to certain processing activities
Contact us at checkout_bc@enduure.com to exercise these rights.
Note: Terms Acceptance Records cannot be deleted as they serve as legal evidence of your agreement.
9. California Residents
California residents have additional rights under CCPA/CPRA:
- Right to know what personal information we collect and how it is used
- Right to access specific pieces of personal information
- Right to request deletion (with legal exemptions)
- Right to correct inaccurate personal information
- Right to opt out of "sale" or "sharing" of personal information
- Right not to be discriminated against for exercising these rights
We do not sell personal information as defined under CCPA/CPRA.
To exercise your rights, contact checkout_bc@enduure.com with "CCPA Request" in the subject line.
10. Data Deletion Requests
You have the right to request deletion of your personal data. To submit a deletion request:
How to Request Deletion
- Email checkout_bc@enduure.com with subject line "Data Deletion Request"
- Include your store hash or store URL for identification
- Specify what data you would like deleted
- We will respond within 30 days confirming receipt and timeline
What Can Be Deleted
- Account information and preferences
- Usage data and analytics
- Biometric images (ID photos, selfies) after 90 days automatically
- Customer compliance data (subject to retention requirements)
What Cannot Be Deleted
- Terms Acceptance Records: Legal evidence of agreement
- Compliance Audit Logs: Required for regulatory purposes
- Transaction Records: Financial and tax compliance requirements
Important: Deletion of account data will result in termination of your subscription and loss of access to the Application. Compliance records may be retained as required by law even after account deletion.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated through the Application or via email. Continued use of the Application after updates constitutes acceptance of the revised policy.
12. Contact Us
SuccessVariable LLC
Email: checkout_bc@enduure.com