Saltar al contenido principal

Política de Privacidad

Última actualización: April 4, 2026

1. Introduction

DabDash is operated by Shadow Software LLC ("Company", "we", "us", or "our"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the DabDash platform (the "Service"), including our marketing website at dabdash.com, your dashboard, and customer-facing storefronts. By using the Service, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

Information You Provide

  • Account data: Name, email address, business name, store slug, and password when you register
  • Store configuration: Products, pricing, delivery zones, inventory settings, branding preferences (logo, colors, fonts), and storefront content
  • Customer order data: Customer names, delivery addresses, phone numbers, and order details submitted through your storefront
  • Communications: Messages sent through our contact form or support channels

Information Collected Automatically

  • Usage data: IP address, browser type, operating system, referring URLs, pages visited, and session duration
  • Geolocation data: Approximate location derived from IP address, used for automatic delivery zone detection on storefronts
  • Age gate confirmation: Where the storefront operator has enabled an age gate, a session flag records that a visitor confirmed they meet the minimum age. This is a browser-session-only flag — it is not stored in the database, is not tied to any identity, and resets when the browser session ends. It does not constitute identity verification or KYC.
  • Marketing analytics: Anonymized browsing data on dabdash.com (our marketing site only) via Google Analytics

Identity Verification Data (Vendor-Configured)

If the storefront operator has enabled ID verification in their compliance settings, we may also collect:

  • Government-issued ID photo: A photograph of the customer's ID document (e.g., driver's license or passport) uploaded at checkout or via the customer account profile
  • Date of birth: Customer's date of birth, where provided during account registration or checkout
  • Face crop image: If the operator has enabled the invoice face crop feature, a cropped image of the face region from the uploaded ID is automatically extracted and included on order invoices and packing slips

ID collection is fully controlled by the storefront operator. Customers using storefronts where the operator has not enabled ID collection will not have this data collected. ID verification is performed manually by the operator — DabDash does not perform automated identity verification, liveness checks, or document authenticity analysis, and does not share ID data with any third-party verification service.

Information We Do NOT Collect

  • Credit card numbers or full payment card details (handled entirely by Stripe for vendor billing; not applicable to customer orders)
  • Customer payment information for storefront orders (DabDash storefronts use cash-on-delivery only)
  • Social Security numbers or taxpayer identification numbers
  • Biometric data, facial recognition data, or fingerprints

3. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Process subscription payments and send billing communications
  • Operate your storefront and process customer orders on your behalf
  • Automatically detect customer delivery zones based on location
  • Support manual identity verification by the storefront operator (where ID upload is enabled)
  • Generate order invoices and packing slips, including face crops where the operator has enabled that feature
  • Send technical notices, security alerts, and support messages
  • Respond to contact form submissions and support requests
  • Monitor platform usage trends and improve features
  • Detect and prevent fraudulent activity or abuse of the Service

4. Your Responsibilities (Data Controller)

As a storefront operator using DabDash, you are the data controller for all customer data collected through your storefront (customer names, addresses, phone numbers, order history). DabDash acts as a data processor on your behalf. If you collect personal data from individuals in the European Economic Area, United Kingdom, or Switzerland, our Data Processing Agreement applies and forms part of your agreement with us.

You are responsible for:

  • Complying with applicable privacy laws regarding your customers' personal data
  • Providing your customers with appropriate privacy notices
  • Responding to customer data access, correction, or deletion requests
  • Ensuring age verification compliance in your jurisdiction

5. Sharing of Information

We do not sell, trade, or rent your personal information to third parties. We share data only with service providers that perform essential services on our behalf (see Section 6). We will disclose information if required to do so by law or in response to a valid legal request (subpoena, court order, or government investigation).

6. Third-Party Service Providers

We use the following third-party service providers to operate the platform. Each is a sub-processor under our Data Processing Agreement:

  • Stripe — Vendor subscription billing only (PCI DSS Level 1 certified). No customer payment data is processed. Stripe Privacy Policy
  • Cloudflare — CDN, DDoS protection, and SSL/TLS services
  • Transactional email provider — Delivery of order notifications, account alerts, and billing communications
  • Error monitoring — Application error tracking and performance monitoring to maintain platform stability (error reports may include anonymized request data)
  • Google Analytics — Anonymized website analytics on dabdash.com marketing pages only (not on vendor dashboards or customer storefronts)
  • MaxMind GeoIP — IP-based geolocation for automatic delivery zone detection (processed locally — no customer data is sent to MaxMind)
  • OpenStreetMap — Map tiles for the delivery zone editor (no personal data transmitted)

7. Payment Processing

Subscription payments are processed exclusively by Stripe, a PCI DSS Level 1 certified payment processor. DabDash never receives, stores, or has access to your full credit card information. We store only:

  • Stripe customer ID (to manage your subscription)
  • Subscription status and billing period
  • Email address for billing communications

Customer orders on storefronts use cash-on-delivery — customers pay the delivery driver in cash. No online payment processing occurs through the platform for customer transactions.

8. Data Retention

Account and storefront data. We retain your account and storefront data for as long as your account is active or your subscription is current. Upon cancellation or expiry of your subscription, your data is retained for 30 days, during which you may request an export. After 30 days, your data is permanently deleted unless we are required by applicable law to retain it longer. If you request account deletion, the same 30-day retention period applies before permanent deletion.

Government-issued ID photos and face crops. Customer ID photos are retained until the customer or the storefront operator deletes them — there is no automatic expiry. When a customer uploads a new ID, the previous file is immediately deleted. Customers may delete their own ID at any time from their account profile. Operators may also remove a customer's ID from the vendor dashboard. Face crop images are automatically deleted when the source ID photo is deleted or replaced.

Order-level ID snapshots. Where an ID photo is uploaded at checkout, a reference to that photo is stored with the order record. Order records are retained as part of your business history and are not subject to the customer's right to delete their profile ID — deletion of a customer's current ID does not retroactively alter historical order records.

Anonymized or aggregated data that cannot be re-identified may be retained indefinitely.

9. Security

We implement appropriate technical and organizational security measures to protect your information, including:

  • TLS encryption for all data in transit
  • Encrypted database connections and data at rest
  • Secure password hashing (bcrypt) — passwords are never stored in plaintext
  • CSRF protection on all forms
  • Rate limiting on authentication endpoints
  • Tenant data isolation — each vendor's data is logically isolated from other vendors' data
  • Access controls limiting personal data access to authorized personnel

No method of transmission over the internet is 100% secure, and we cannot guarantee absolute security. In the event of a confirmed security incident affecting your personal data, we will notify you without undue delay and, where feasible, within 72 hours of becoming aware of the incident.

10. Cookies

We use cookies for the following purposes:

  • Essential cookies: Session management, CSRF protection, authentication state
  • Functional cookies: Auto-detected delivery zone state, cart contents, storefront preferences
  • Analytics cookies: Google Analytics on dabdash.com marketing pages only

You can control cookies through your browser settings. Disabling essential cookies will prevent you from logging in or placing orders.

11. Your Rights

All users may:

  • Access and review your personal data by logging into your account
  • Correct inaccurate information through your account settings
  • Request deletion of your account and associated data
  • Request a portable copy of your data (CSV/JSON export)
  • Opt-out of non-essential communications

To exercise any of these rights, please use our contact form. We will respond within 30 days.

12. GDPR, UK GDPR, and Swiss FDPA (EEA, UK, and Swiss Users)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following additional rights under applicable data protection law (including GDPR, UK GDPR, and the Swiss Federal Act on Data Protection):

  • Right to Access — Request a copy of your personal data
  • Right to Rectification — Request correction of inaccurate data
  • Right to Erasure — Request deletion of your data ("right to be forgotten")
  • Right to Restriction — Request we limit processing of your data
  • Right to Portability — Request transfer of your data to another service
  • Right to Object — Object to processing based on legitimate interests
  • Right to Withdraw Consent — Withdraw consent at any time where processing is based on consent

Legal Basis for Processing: We process your data based on contractual necessity (to provide the Service you subscribed to), legitimate interests (platform security, fraud prevention, service improvement), and consent (marketing communications, if opted in).

International Transfers: The DabDash platform is operated in the United States. Where your personal data is transferred from the EEA, UK, or Switzerland to the United States, such transfers are conducted under the EU Standard Contractual Clauses (Commission Implementing Decision 2021/914, Module 2) and, for UK transfers, the UK International Data Transfer Addendum. See our Data Processing Agreement for full detail.

To exercise your rights or lodge a complaint, please use our contact form. You also have the right to lodge a complaint with your local supervisory authority.

13. CCPA Compliance (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act:

  • Right to Know — Request disclosure of the personal information we collect, use, and disclose
  • Right to Delete — Request deletion of your personal information
  • Right to Opt-Out — Opt-out of the sale of personal information
  • Right to Non-Discrimination — Equal service and pricing regardless of your privacy choices

Categories of personal information collected: Identifiers (name, email, business name), commercial information (subscription tier, billing history), and internet activity (usage analytics, IP address). We do not sell your personal information.

14. Age Requirement

The Service is intended for users who are at least 21 years of age. We do not knowingly collect personal information from anyone under 21. If you believe we have inadvertently collected data from a person under 21, please contact us immediately and we will delete it.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email and by posting the updated policy on this page with a revised "Last updated" date. Continued use of the Service after changes constitutes acceptance of the new policy.

16. Contact

If you have questions about this Privacy Policy or wish to exercise your data rights, contact Shadow Software LLC through our contact form.