Privacy Notice
How Merch365 collects, uses, shares, and retains personal information on the merch365.ai platform, and the privacy rights and choices you have.
Scope: This Notice covers the Merch365 platform at merch365.ai and its subdomains (the “Platform”), plus business contacts who receive Merch365 outbound communications. Shoppers on tenant storefronts are covered by the separate Storefront Privacy Notice.
Effective date: June 8, 2026 · Last updated: June 8, 2026
Merch365, Inc. (“Merch365”, “we”, “us”, “our”) provides a platform that lets organizations design and launch branded merchandise stores. This Notice explains what personal information we collect through the Platform and through our business-development activities, why we collect it, how we share and retain it, and the choices and rights you have. It supplements, and is incorporated into, the Terms of Use.
This Notice does not cover personal information of shoppers on tenant storefronts at *.merch365.shop — see the Storefront Privacy Notice.
1. The people this Notice covers
Merch365 collects information from two main groups, who have different data and different rights:
- Creators / Organization users — people who register, claim a store, upload brand assets, configure products, and operate a store through the Platform.
- Prospects / business contacts — people whose business-contact information we use for outbound business development, including recipients of preview-store outreach.
The current Platform is not designed to ingest bulk personal information about a tenant’s own employees or end customers; tenants should not upload such data. Tenants provide brand assets, product configurations, and their own account/contact details. If, in the future, the Platform supports tenant-uploaded end-customer or employee data, the tenant will be the controller/business for that data, Merch365 will act as a service provider/processor on the tenant’s behalf, and a Data Processing Addendum will govern it (see §10).
2. Information we collect
2.1 Information you provide.
- Account & organization data: name, email, password/credentials, organization name, role, and contact details.
- Brand & design content: logos, brand assets, artwork, color/font choices, product selections, designs, and generated mockups you upload or create.
- Billing & payout data: billing contact and, where applicable, payout/tax details. Card numbers are collected and processed by Stripe, not stored by Merch365 (see §4).
- Support & communications: messages, support requests, and survey/feedback responses.
2.2 Information collected automatically. Device and usage data such as IP address, browser/device type, referring URLs, pages and features used, session and authentication state, tenant/store context, onboarding progress, and timestamps. We collect this using cookies and similar technologies and product analytics — see the Cookie & Advertising Notice.
2.3 Prospect & business-contact data. For business development we obtain business-contact information (such as company name, business email, role, and publicly available brand information) from the prospect’s own public website and publicly available business sources, and, where used, third-party business-lead providers. We use it to prepare preview stores and to send outreach as described in §3 and §5.
2.4 Generated and derived data. Brand-kit variants, placement recommendations, mockups, and analytics we derive from the above.
We do not intend to collect sensitive categories of personal information from Platform users for the Platform’s own purposes. Please do not upload sensitive personal information into brand assets or designs.
3. How we use information
We use personal information to: (a) provide, operate, secure, and improve the Platform; (b) create accounts and run the claim flow; (c) generate brand kits, product recommendations, mockups, and stores at your direction; (d) process billing and payouts; (e) provide support and respond to inquiries; (f) conduct business development, including preparing and sending preview-store outreach to prospects (§5); (g) detect, prevent, and address fraud, abuse, security, and technical issues; (h) comply with law and enforce our Terms; and (i) send administrative and, where permitted, marketing communications (you can opt out of marketing).
We use the information in a manner reasonably necessary and proportionate to these disclosed purposes.
4. Payments
Payment-card processing is handled by Stripe. When you provide card details, they are transmitted to and processed by Stripe under Stripe’s terms and privacy policy; Merch365 does not store full card numbers. We receive limited transaction metadata (such as status, amount, and a payment token) needed to operate billing.
5. Business development and outbound email
Where we send commercial email to prospects, we maintain accurate header and “from” information, use non-deceptive subject lines, identify the message as a commercial/advertising message where required, include a valid physical postal address, and provide a working opt-out. We honor opt-out requests promptly (and in any event within the time required by law). If you no longer wish to receive outreach, use the unsubscribe link in any message or email privacy@merch365.ai.
6. How we share information
We share personal information with:
- Service providers / subprocessors that perform services for us — hosting and infrastructure, payments, email, analytics, customer support, and our fulfillment partner — under contracts that limit their use to providing those services. Our current list is in Subprocessors.
- Our fulfillment / branding partner as needed to produce and ship merchandise ordered through stores.
- Professional advisors and authorities where we have a good-faith belief disclosure is needed to comply with law or legal process, enforce our Terms, or protect the rights, property, or safety of Merch365, our users, or the public.
- In a business transaction — if we are involved in a merger, acquisition, financing, or sale of assets, information may be transferred, subject to this Notice.
We require service providers and contractors to (a) use personal information only for the specified purposes, (b) provide at least the same level of privacy protection required of us, (c) notify us if they can no longer meet their obligations, and (d) permit us to take steps to stop and remediate unauthorized use. We do not sell Platform users’ personal information, and we do not share it for cross-context behavioral advertising. We use only first-party product analytics to operate and improve the Platform, not third-party advertising or retargeting technologies. If this ever changes, we will update this Notice, provide a “Do Not Sell or Share My Personal Information” mechanism, and honor Global Privacy Control signals (see §8 and the Cookie & Advertising Notice).
7. Data retention
We keep personal information only as long as reasonably necessary for the purposes in this Notice, then delete or de-identify it. Our standard schedule (Merch365 may adjust specific periods as operations mature):
| Category | Retention |
|---|---|
| Account & organization data | Life of the account + 90 days after deletion, then deleted/de-identified |
| Brand assets, designs, mockups | While the store is active; after a store is unclaimed, abandoned, or closed, retained 90 days then deleted, subject to retention needed to support orders already placed |
| Billing & payout records | As required by tax/accounting law (7 years) |
| Support communications | 24 months |
| Prospect / outreach data | Until opt-out or 18 months of no engagement, then deleted; opt-out suppression records kept as needed to honor the opt-out |
| Logs & analytics | 13 months |
When a store is unclaimed, abandoned, or closed, associated tenant data is handled per this schedule and the store lifecycle rules in the product. Backups are overwritten on a rolling basis.
8. Your privacy choices and rights
8.1 Marketing opt-out. You can opt out of marketing email via the unsubscribe link or by emailing privacy@merch365.ai. We may still send administrative messages (e.g., billing, security, policy updates).
8.2 Cookies/analytics. See the Cookie & Advertising Notice for controls.
8.3 California residents (CCPA/CPRA). If Merch365 is a covered business, you have the right to: know/access the categories and specific pieces of personal information we collect, use, disclose, and (if applicable) sell or share; delete personal information; correct inaccurate personal information; and not receive discriminatory treatment for exercising these rights. If we sell or share personal information for cross-context behavioral advertising, you may opt out, and we honor a valid Global Privacy Control signal.
To exercise rights, email privacy@merch365.ai. Because Merch365 operates exclusively online and has a direct relationship with its users, email is our designated request method; we may add a web form as the Platform matures. We will not require you to create an account to submit an opt-out. We respond within 45 days, extendable once by another 45 days with notice. We may need to verify your identity for access/deletion/correction requests (but generally not for opt-out). You may use an authorized agent.
8.4 Other states / regions. Merch365 currently targets U.S. business customers. Residents of other U.S. states with comprehensive privacy laws (e.g., Virginia, Colorado, Connecticut, Texas, Oregon) may have similar rights to access, correct, delete, and opt out; we extend the request process in §8.3 to those residents. We do not currently market to or knowingly serve individuals in the EU/UK; if that changes, we will add a GDPR/UK-GDPR legal-basis and data-subject-rights section before doing so.
9. Security
We maintain administrative, technical, and organizational measures designed to protect personal information, including encryption in transit, access controls, and tenant scoping. No method of transmission or storage is perfectly secure; we cannot guarantee absolute security. We maintain an incident-response process and will notify affected individuals and authorities as required by applicable breach-notification laws.
10. Tenant-uploaded end-customer / employee data
If a tenant uploads personal information about its own employees or end customers, Merch365 processes that data only on the tenant’s instructions to provide the Platform, and the tenant is responsible for having a lawful basis and providing required notices to those individuals. Such processing, if and when supported, will be governed by our agreement with the tenant and a Data Processing Addendum.
11. Children
The Platform is for business users and is not directed to children under 13 (or the higher age set by applicable law). We do not knowingly collect personal information from children for the Platform’s purposes. If you believe we have, contact privacy@merch365.ai and we will delete it.
12. Changes to this Notice
We may update this Notice. We will post the updated version with a new “Last updated” date and, for material changes, provide additional notice (e.g., email or a prominent Platform notice). Material changes take effect 30 days after notice unless stated otherwise.
13. Contact
Merch365, Inc. · Attn: Privacy
131 Continental Dr, Suite 305
Newark, Delaware 19713
Email: privacy@merch365.ai · hello@merch365.ai