Privacy Notice
How MerchantReady collects, uses, retains, and protects information you provide and information collected automatically when you use our service.
1. Scope
This notice describes how MerchantReady ("we", "us") handles personal and business information collected through merchantready.org, the free Stripe readiness scan, the paid Stripe Risk Readiness Report, and related communications. By using the service, you agree to the practices described here.
2. Information we collect
2.1 You provide directly
- Email address (free scan and paid intake)
- Business name, website URL, country, business type, and product description
- Subscription, billing, refund, and shipping arrangements you describe
- Whether you have an existing Stripe account and any prior issues you choose to describe
- Payment information for paid reports — processed by our payment provider, not stored by us
- Free-text fields you fill in (concerns, notes, supplementary context)
2.2 Collected automatically
- Public content of the website URL you submit (HTML, visible text, page metadata)
- IP address (hashed before storage for rate-limiting and abuse prevention)
- User agent string (hashed)
- Approximate geographic region (from IP, for analytics and routing)
- Aggregate, cookie-free analytics via Cloudflare Web Analytics
2.3 What we never collect
- Your Stripe Secret Key, password, or login credentials
- Your Stripe Dashboard data, transaction records, or balances
- Card numbers, CVCs, or card verification data
- Customer payment details from your business
- Government identification documents (in MVP scope)
3. How we use information
- To run the free readiness scan and produce a score
- To produce a draft and final paid readiness report for you
- To send you the report by email and respond to your questions
- To send a 30-day follow-up offering a fresh free scan (you can opt out at any time)
- To improve our scoring rules, prompts, and templates
- To prevent abuse (rate limiting), debug errors, and meet legal obligations
We do not sell personal information. We do not use your data to train third-party AI models.
4. Third-party processors
We rely on the following sub-processors to operate the service. Each receives only the data needed for its function.
- Cloudflare — DNS, CDN, Workers runtime, R2 object storage, Web Analytics
- Supabase — Postgres database and admin authentication (hosted on AWS)
- OpenAI — AI draft generation (we use the API with Zero Data Retention where eligible)
- Resend — Transactional email delivery
- Stripe — Payment processing for paid reports (we receive payment status only, not card data)
- Sentry — Error monitoring (scrubbed of personal identifiers)
5. Cookies and tracking
MerchantReady does not set cookies for tracking, advertising, or analytics. Our primary analytics provider is Cloudflare Web Analytics, which is cookie-free and aggregates traffic at the network layer.
Functional cookies may be set for admin authentication on /admin/* paths. These are essential for the admin experience and are not used by public visitors.
6. Retention
- Free scan leads: 365 days from creation, then deleted unless converted to a paid report
- Paid audit requests and reports: 24 months from delivery, then archived; archived records anonymized after 36 months
- Email logs: 24 months (with recipient hashed after 6 months for compliance audits)
- Crawled website snapshots: deleted from active storage 90 days after report delivery
7. Your rights
Depending on where you live, you may have rights to access, correct, export, or delete personal information we hold about you. To exercise these rights, contact support@merchantready.org from the email associated with your account. We respond within 30 days.
You may opt out of follow-up emails at any time using the unsubscribe link in the email footer.
8. International transfers
Our infrastructure spans multiple regions. Data may be processed in the United States, the European Union, Singapore, and other jurisdictions where our sub-processors operate. Where required, we rely on Standard Contractual Clauses or other lawful transfer mechanisms.
9. Security
Production secrets are stored in encrypted secret managers and never committed to source control. Database access is restricted to server-side routes; client code does not hold database credentials. Customer report access is gated by an unpredictable token and HMAC signature with a configurable expiry.
No security model is perfect. If you discover a vulnerability, email security@merchantready.org and we will respond promptly.
10. Children
MerchantReady is a B2B service for online merchants. We do not knowingly collect information from anyone under 16.
11. Changes
We will post the effective date at the top of this notice when it changes. Material changes will be summarized in our footer or by email to paid customers.
12. Contact
Questions or requests: support@merchantready.org.