Skip to main content

Privacy Policy

Effective date:
May 18, 2026
Last updated:
May 18, 2026
Version:
1.0

BashMerch LLC (“BashMerch,” “we,” “our,” or “us”) operates the BashMerch platform — a software-as-a-service tool that helps merchants design, manage, and publish print-on-demand products across marketplaces including Shopify, Etsy, and Printify (the “Service”). This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and the rights you have.

By using the Service you agree to this Privacy Policy.

1. Who we are

BashMerch LLC is a California-based limited liability company. We are the data controller for the personal information described in this Policy.

  • Entity: BashMerch LLC
  • Mailing address: [MAILING ADDRESS — TBD]
  • Contact: support@bashmerch.com

2. Information we collect

2.1 Information you provide

  • Account information. When you sign up, our authentication provider (Clerk) collects your email address, name, and authentication credentials. We receive a stable user identifier and your email from Clerk.
  • Workspace and organization data. The workspace name, organization membership, and roles you create within the Service.
  • Integration credentials. When you connect a third-party platform (Shopify, Etsy, Printify, and other supported integrations), we receive and store OAuth access tokens and refresh tokens issued by that platform. All such tokens are encrypted at rest. We never receive your password for those third-party platforms.
  • Payment information. When you purchase credits or subscribe to a paid plan, our payments processor (Stripe) collects and processes your payment information directly. We receive a Stripe customer identifier and subscription status; we do not receive or store your full card number, CVV, or bank credentials.
  • Content you upload. Design files, product images, prompts, and other content you upload to the Service are stored in Cloudflare R2 object storage. We process this content only to provide the Service.
  • Support communications. If you contact us by email or in-app, we retain that correspondence to help us respond and to improve the Service.

2.2 Information from connected platforms

When you connect Shopify, Etsy, Printify, or another supported integration, the Service receives data about your business on that platform — shop information, product catalogs, inventory levels, listing metadata, and similar operational data. We use this data solely to perform the actions you instruct (for example, publishing a product, syncing inventory).

We do not retrieve, store, or process personal information about your customers — end buyers, their email addresses, shipping addresses, payment details, or order contents. The Service does not require buyer-side data to function.

2.3 Information collected automatically

  • Usage and telemetry. API request counts, feature usage, credit consumption, and performance metrics used to operate, secure, and improve the Service.
  • Diagnostic and error data. When the Service encounters an error, we collect technical information about the error via Sentry to help us identify and fix bugs. This typically includes the error message, the route, your user identifier, and the browser environment.
  • Log data. Server logs include IP address, browser type, operating system, request URL, response status, and timestamps. We retain logs for operational and security purposes.
  • Cookies and similar technologies. See Section 11.

3. How we use information

We use personal information to:

  • Operate, maintain, and provide the Service to you.
  • Authenticate you and protect your account from unauthorized access.
  • Process payments and manage subscriptions or credit balances.
  • Execute the integration actions you instruct (e.g., publish a product to Shopify).
  • Communicate with you about your account, security alerts, and Service changes.
  • Provide customer support.
  • Improve, test, and develop new Service features.
  • Detect, prevent, and respond to fraud, abuse, security incidents, and violations of our Terms.
  • Comply with legal obligations, enforce our Terms, and protect our rights.

We do not use your information to train general-purpose machine-learning models. AI features that you use (such as AI-generated text or images) submit your prompts to the underlying AI providers (e.g., Google Gemini, Runware) only at the moment you request that feature.

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases:

  • Performance of a contract — to provide the Service you signed up for.
  • Legitimate interests — to secure the Service, prevent fraud, improve the product, and operate our business. We have assessed that these interests are not overridden by your rights.
  • Consent — for any optional processing where we ask for it. You can withdraw consent at any time.
  • Legal obligations — to comply with applicable laws (e.g., tax, anti-fraud).

5. How we share information

5.1 Subprocessors

We share personal information with the following service providers (“subprocessors”) who process it on our behalf to operate the Service:

SubprocessorPurposeData shared
ClerkUser authentication and session managementEmail, name, authentication identifiers
NeonPostgreSQL database hostingAll persisted account, workspace, and operational data
Cloudflare R2Object storage for design files, mockups, and other contentUploaded content
VercelFrontend application hosting (Next.js)Server logs, IP address, request metadata
RailwayBackend API hosting (.NET, Hangfire jobs)Server logs, IP address, request metadata
SentryError tracking and diagnosticsError metadata, user identifier, browser environment
StripeSubscription and credit payment processingStripe customer identifier, subscription state; full payment details are processed by Stripe directly
Google GeminiAI text and image generationPrompts you submit, designs you submit for AI processing
RunwareAI image generationPrompts you submit
DynamicMockupsMockup renderingDesign files you submit for mockup

Each subprocessor is contractually obligated to protect personal information and to process it only as we instruct.

5.2 Third-party integrations (controlled by you)

When you connect a third-party marketplace (Shopify, Etsy, Printify, or similar) and instruct the Service to take an action, we send the necessary data to that platform on your behalf. Those platforms operate as independent controllers of the data you send them and are governed by their own privacy policies.

5.3 Legal disclosures

We may disclose information when we believe in good faith that disclosure is necessary to: (a) comply with applicable law or legal process; (b) protect the rights, property, or safety of BashMerch, our users, or others; (c) detect, prevent, or investigate fraud or security incidents; or (d) respond to lawful requests from public authorities.

5.4 Business transfers

If BashMerch is involved in a merger, acquisition, financing, or sale of assets, personal information may be transferred as part of that transaction, subject to standard confidentiality protections and continued application of this Privacy Policy or a successor policy at least as protective.

5.5 We do not sell personal information

We do not sell personal information as that term is defined under the California Consumer Privacy Act (CCPA / CPRA) or comparable laws. We do not share personal information for cross-context behavioral advertising.

6. International data transfers

Our primary infrastructure is located in the United States. If you access the Service from outside the United States, your information will be transferred to, stored in, and processed in the United States.

For users in the European Economic Area, the United Kingdom, or Switzerland, we rely on appropriate safeguards for these transfers, including the European Commission’s Standard Contractual Clauses where required, and we ensure our subprocessors offer comparable protections.

7. Data retention

We retain personal information for as long as your account is active and for a limited period afterward as follows:

  • Active account data — retained for the life of your account.
  • Closed or deleted accounts — we retain operational data for up to 30 days after deletion to permit account recovery, then we delete or anonymize it. Encrypted database backups are purged on their normal rotation cycle, generally within an additional 30 days.
  • Financial and tax records — retained for the period required by applicable tax and accounting laws (typically 7 years), even after account deletion.
  • Security and audit logs — retained for up to 12 months for security and abuse-prevention purposes.

You can request earlier deletion at any time by contacting support@bashmerch.com (see Section 8).

8. Your rights

8.1 Rights for everyone

You can ask us to:

  • Access the personal information we hold about you.
  • Correct inaccurate or incomplete information.
  • Delete your personal information.
  • Export your data in a portable format.
  • Close your account and delete associated data, subject to the retention rules above.

To exercise these rights, email support@bashmerch.com from the address on your account. We may need to verify your identity before acting on the request. We will respond within the timeframes required by applicable law (generally 30 days under GDPR; 45 days under CCPA, with an option to extend).

8.2 Additional rights under GDPR / UK GDPR

If you are in the EEA, the UK, or Switzerland, you also have the right to:

  • Restrict or object to processing based on our legitimate interests.
  • Withdraw consent at any time, where processing is based on consent.
  • Lodge a complaint with your local data protection authority. We would appreciate the chance to address your concerns first, so please contact us before filing a complaint.

8.3 Additional rights under CCPA / CPRA (California residents)

If you are a California resident, you have the right to:

  • Know what personal information we have collected about you and how we use it.
  • Delete your personal information, subject to legal exceptions.
  • Correct inaccurate personal information.
  • Limit the use of sensitive personal information. We do not use sensitive personal information for any purpose beyond what is necessary to provide the Service, so this right is satisfied by default.
  • Opt out of the sale or sharing of personal information. As stated above, we do not sell or share personal information for cross-context behavioral advertising.
  • Non-discrimination — we will not deny you services, charge you a different price, or provide a different level of service because you exercised any of these rights.

You can exercise these rights by emailing support@bashmerch.com.

9. Security

We use industry-standard measures to protect personal information, including:

  • TLS (HTTPS) encryption in transit between your browser and our servers.
  • Encryption at rest for sensitive integration credentials (OAuth tokens).
  • Role-based access controls limiting which BashMerch personnel can access production data.
  • Regular security reviews of our infrastructure and dependencies.
  • Audit logging of administrative actions.

No system is 100% secure. While we take reasonable measures to protect your information, we cannot guarantee absolute security. If we become aware of a personal-data breach, we will notify affected users as required by applicable law.

10. Children’s privacy

The Service is not directed to children under the age of 16, and we do not knowingly collect personal information from anyone under 16. If you believe a child has provided personal information to us, please contact support@bashmerch.com and we will delete it.

11. Cookies and similar technologies

We use a small number of cookies and similar technologies that are strictly necessary to operate the Service:

  • Session cookies placed by our authentication provider (Clerk) to keep you signed in and to protect your account.
  • CSRF and security cookies to prevent cross-site request forgery and other attacks.
  • Error reporting via Sentry, which may set a cookie or identifier when an error occurs to help us reproduce the issue.

We do not use cookies for advertising or cross-site tracking. You can configure your browser to refuse cookies, but the Service will not function correctly without the authentication cookies.

12. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date at the top of this page. For material changes, we will provide additional notice (for example, by email or an in-app notice) before the change takes effect. Your continued use of the Service after the effective date of the updated Policy constitutes your acceptance of the updates.

13. Third-party trademark notices

Etsy

The term “Etsy” is a trademark of Etsy, Inc. This application uses the Etsy API but is not endorsed or certified by Etsy, Inc.

Shopify

Shopify is a trademark of Shopify Inc. This application uses the Shopify API but is not endorsed or certified by Shopify Inc.

Printify

Printify is a trademark of Printify, Inc. This application uses the Printify API but is not endorsed or certified by Printify, Inc.

14. Contact us

If you have questions about this Privacy Policy, want to exercise your rights, or need to report a privacy concern:

  • Email: support@bashmerch.com
  • Mailing address: BashMerch LLC, [MAILING ADDRESS — TBD]