Privacy Policy

1. DEFINITIONS

2. INFORMATION WE COLLECT

2.1 Vendor Information

We collect information that vendors voluntarily provide when creating or using a Gridget account. This may include contact details (such as email address), business identifiers (such as company name), and transactional information (such as token purchases, template usage, and order activity).

We may also collect limited, vendor-defined text or labels associated with artwork or print jobs. Gridget does not require or request that personally identifiable information (PII) about end customers be entered into these fields.

2.2 End-Customer Information

When an end customer interacts with Gridget—for example, by uploading an image through a QR code or unique link—Gridget automatically processes only what is needed to fulfill the vendor's request.

This typically includes the image file, technical metadata (such as file size, format, device type, IP address, and timestamp), and any optional descriptive text the vendor provides.

Gridget does not knowingly collect names, contact information, or other direct identifiers about end customers, and any free-text entries are controlled solely by the vendor. Vendors are responsible for ensuring that such text complies with applicable privacy laws.

2.3 General Data Handling

All information is processed solely for the purposes of account management, service operation, and product fulfillment. We apply technical and organizational measures to protect data at rest and in transit and to minimize the amount of personal information stored.

We may aggregate or anonymize data for analytics or service improvement, but we do not sell or share personal information with third parties for marketing.

2.4 Access to Uploaded Content

The Widget Bot and its authorized personnel may access uploaded photos, orders, and related activity for legitimate operational purposes, including quality assurance, order verification, technical troubleshooting, and abuse prevention. Widget Bot does not manually review all content.

3. PURPOSES OF PROCESSING

We process collected data to:

• Provide and maintain the Gridget platform;
• Facilitate token transactions and image processing;
• Communicate with vendors about account and service matters;
• Monitor for misuse, illegal uploads, or technical errors;
• Comply with legal obligations.

We do not sell or rent personal information.

4. DATA CONTROLLER AND PROCESSOR ROLES

For compliance purposes:

• The Widget Bot LLC acts as a data controller with respect to vendor account data.
• Vendors act as data controllers with respect to any customer uploads and vendor-supplied text or metadata submitted through links or QR codes they generate. Although customers perform the image upload, the vendor determines the purpose, means, and associated text or branding added during processing. Widget Bot acts solely as a data processor, handling such data on behalf of the vendor and in accordance with their instructions.

5. DATA STORAGE AND SECURITY

All personal data and uploaded content are securely stored in the United States (Virginia region) using Vercel, Cloudflare, and NEON for hosting, storage, and secure global content delivery.

Data is encrypted in transit and at rest, and access is restricted to authorized personnel under strict confidentiality agreements.

6. DATA RETENTION

• Vendor data is retained while the vendor account is active or as required by law.
• End-customer uploads are stored temporarily for processing and deleted automatically within 30 days after printing or a defined retention period.
• Transaction data may be retained longer for tax and audit compliance.

7. COOKIES AND TRACKING

Gridget uses functional cookies and basic analytics (e.g., Vercel and Cloudflare metrics) to ensure site reliability, security, and performance. We do not use cookies or tracking technologies for advertising or behavioral profiling.

8. INTERNATIONAL DATA TRANSFERS

Transfers of personal data from the EEA, UK, or Australia to the U.S. are conducted pursuant to Standard Contractual Clauses (SCCs) approved by the European Commission or other appropriate safeguards.

9. USER RIGHTS AND REQUESTS

Users may request access, correction, or deletion of their personal data by contacting privacy@thewidgetbot.com. We will verify requester identity and respond within applicable legal timeframes.

10. U.S. STATE PRIVACY COMPLIANCE

We comply with applicable U.S. state privacy laws, including the California Consumer Privacy Act (CCPA/CPRA). We do not sell personal information as defined under those laws.

11. CHILDREN'S PRIVACY

Gridget is not directed to children under 13. We do not knowingly collect personal data from minors. If discovered, such data will be deleted promptly.

12. DATA BREACH NOTIFICATION

In the event of a data breach involving personal information, we will notify affected users and relevant supervisory authorities as required by law.

13. CONTACT INFORMATION

14. CHANGES TO THIS POLICY

We may update this Policy periodically. Continued use of Gridget after updates constitutes acceptance of the revised Policy.