Thread Theory

Privacy Policy

Last updated: August 18, 2025

1. Introduction

Thread Theory ("we", "us", "our") is committed to protecting your privacy and personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our artisan crochet store platform, website, and related services (collectively, the "Platform").

We operate from Ghana and serve customers globally. This policy complies with applicable data protection laws and follows industry best practices for data security, including OWASP guidelines.

By using our Platform, you consent to the data practices described in this policy. If you do not agree with our privacy practices, please do not use our Platform.

2. Information We Collect

2.1 Personal Information

We collect personal information that you voluntarily provide, including:

  • Account Information: Name, email address, phone number, password
  • Contact Details: Billing and shipping addresses, emergency contacts
  • Payment Information: Payment method details (processed securely through third parties)
  • Order Information: Purchase history, custom order specifications, delivery preferences
  • Communication Data: Chat messages, support inquiries, feedback
  • Profile Data: Product preferences, favorite items, notification settings

2.2 Technical Information

We automatically collect certain technical information:

  • Device Information: IP address, browser type, device type, operating system
  • Usage Data: Pages visited, time spent, click patterns, session duration
  • Location Data: General geographic location based on IP address
  • Cookies and Tracking: Session cookies, preferences, authentication tokens
  • Performance Metrics: Page load times, error logs, system performance data

2.3 Images and Media

Through our chat system and custom order process, we may collect:

  • Uploaded Images: Reference photos for custom orders, chat attachments
  • Image Metadata: File size, format, dimensions, compression data
  • Processed Images: Optimized, resized, and thumbnail versions

2.4 Chat and Communication Data

Our real-time chat system collects:

  • Message Content: Text messages, timestamps, read receipts
  • Session Data: Chat duration, participant information, session status
  • Visitor Fingerprints: Unique identifiers for anonymous users
  • Rate Limiting Data: Message frequency, upload counts, violation tracking

2.5 Business Intelligence Data

For authenticated admin users, we collect additional data for business operations:

  • Audit Logs: User actions, system changes, security events
  • Analytics Data: Sales metrics, inventory levels, customer behavior patterns
  • Security Logs: Login attempts, access patterns, potential threats

3. How We Use Your Information

3.1 Core Platform Services

  • Process and fulfill your orders and custom requests
  • Provide customer support through our chat system
  • Manage your account and authenticate your identity
  • Process payments securely in Ghana Cedis (GHS)
  • Send order confirmations, shipping updates, and delivery notifications
  • Track order progress and provide real-time updates

3.2 Platform Improvement

  • Analyze usage patterns to improve our products and services
  • Optimize website performance and user experience
  • Develop new features based on customer feedback
  • Troubleshoot technical issues and maintain system security

3.3 Security and Fraud Prevention

  • Detect and prevent fraudulent activities
  • Enforce our Terms of Use and community guidelines
  • Maintain audit trails for compliance and security purposes
  • Implement rate limiting to prevent abuse
  • Monitor for spam and inappropriate content in chat

3.4 Communication

  • Respond to your inquiries and provide customer support
  • Send important updates about your orders or account
  • Notify you of changes to our policies or services
  • Send promotional communications (with your consent)

3.5 Legal Compliance

We may use your information to comply with legal obligations, resolve disputes, and enforce our agreements as required by law.

4. Data Security and Encryption

4.1 Encryption Standards

We implement industry-leading security measures:

  • AES-256 Encryption: All personal information is encrypted using the AES-256 standard
  • Data in Transit: All communications use TLS 1.3 encryption
  • Secure Storage: Encrypted databases with access controls
  • Password Protection: Passwords are hashed using industry-standard algorithms

4.2 Security Measures

  • Multi-factor authentication for admin accounts
  • Regular security audits and vulnerability assessments
  • Rate limiting to prevent automated attacks
  • Intrusion detection and monitoring systems
  • Regular security updates and patches
  • Employee background checks and security training

4.3 OWASP Compliance

Our platform is designed to address the OWASP Top 10 security risks and follows secure coding practices to protect against common vulnerabilities including injection attacks, broken authentication, and sensitive data exposure.

5. Information Sharing and Disclosure

5.1 We Do Not Sell Your Data

We do not sell, trade, or rent your personal information to third parties for marketing purposes.

5.2 Service Providers

We may share information with trusted service providers who assist us with:

  • Payment processing (payment gateways, financial institutions)
  • Shipping and delivery services
  • Cloud hosting and data storage
  • Email and communication services
  • Analytics and performance monitoring

All service providers are contractually obligated to protect your information and use it only for the specified purposes.

5.3 Legal Requirements

We may disclose your information when required by law or to:

  • Comply with legal processes or government requests
  • Protect our rights, property, or safety
  • Investigate fraud or security issues
  • Enforce our Terms of Use

5.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the new entity, subject to the same privacy protections.

6. Cookies and Tracking Technologies

6.1 Types of Cookies We Use

  • Essential Cookies: Required for basic platform functionality and security
  • Authentication Cookies: Keep you signed in and maintain your session
  • Preference Cookies: Remember your settings and customizations
  • Analytics Cookies: Help us understand how you use our platform
  • Performance Cookies: Monitor site performance and identify issues

6.2 Managing Cookies

You can control cookies through your browser settings. However, disabling certain cookies may limit platform functionality. Essential cookies cannot be disabled as they are necessary for security and core features.

6.3 Third-Party Tracking

We use minimal third-party tracking and only with reputable providers for essential services like analytics and performance monitoring. We do not allow third-party advertising cookies on our platform.

7. Data Retention and Deletion

7.1 Retention Periods

We retain your information for different periods based on its purpose:

  • Account Data: Until you delete your account plus 30 days
  • Order History: 7 years for tax and business records
  • Chat Messages: 2 years for customer service purposes
  • Audit Logs: 7 years for security and compliance
  • Anonymous Analytics: 3 years for business insights
  • Images: Until the related order is completed, plus 1 year

7.2 Data Deletion

You can request deletion of your personal information by:

  • Deleting your account through your profile settings
  • Contacting our support team at privacy@threadtheory.com
  • Using our automated data deletion tools (where available)

Some information may be retained for legitimate business purposes (e.g., fraud prevention) or legal requirements even after account deletion.

8. Your Privacy Rights

8.1 Access and Control

You have the right to:

  • Access: Request a copy of your personal information
  • Correction: Update or correct inaccurate information
  • Deletion: Request deletion of your personal information
  • Portability: Receive your data in a machine-readable format
  • Objection: Object to certain processing activities
  • Restriction: Request limitations on how we use your data

8.2 Communication Preferences

You can control communications by:

  • Updating notification preferences in your account settings
  • Unsubscribing from promotional emails
  • Opting out of SMS notifications
  • Managing push notification settings

8.3 Exercising Your Rights

To exercise your privacy rights, contact us at privacy@threadtheory.com or use the privacy tools in your account settings. We will respond to verified requests within 30 days and may require identity verification for security purposes.

9. International Data Transfers

Thread Theory operates from Ghana and serves customers globally. Your information may be transferred to and processed in countries other than your own, including:

  • Cloud hosting providers for data storage and processing
  • Payment processors for transaction handling
  • Third-party services for platform functionality

We ensure that all international transfers comply with applicable data protection laws and include appropriate safeguards such as standard contractual clauses and certification schemes.

10. Children's Privacy

Our Platform is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete such information promptly.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@threadtheory.com.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this policy
  • Provide notice through our Platform or via email
  • Give you time to review changes before they take effect
  • Obtain consent where required by law

Your continued use of the Platform after changes take effect constitutes acceptance of the revised Privacy Policy.

12. Data Breach Notification

In the unlikely event of a data breach that affects your personal information, we will:

  • Investigate and contain the breach immediately
  • Notify relevant authorities within 72 hours (where required)
  • Inform affected users within 72 hours of discovery
  • Provide clear information about what happened and what we're doing
  • Offer guidance on protecting yourself from potential harm
  • Implement additional security measures to prevent future incidents

13. Contact Information

If you have questions about this Privacy Policy or our data practices, please contact us:

Thread Theory - Privacy Officer

Email: privacy@threadtheory.com

Support: support@threadtheory.com

Website: www.threadtheory.com

Data Protection Officer: dpo@threadtheory.com

Your Consent

By using Thread Theory, you acknowledge that you have read this Privacy Policy, understand how we collect and use your information, and consent to our data practices as described herein. You can withdraw your consent at any time by deleting your account or contacting us directly.
