Privacy Policy

1. Data Controller

The data controller responsible for your personal information is:

2. Information We Collect

a) Information You Provide Directly

• Email address — collected when you make a purchase, used to verify your access and provide customer support.

b) Information Collected Automatically

When you visit the Service, we or our service providers may automatically collect:

• Log data — IP address, browser type and version, pages visited, time and date of visit, time spent on pages, and referring URL
• Device information — device type, operating system, and screen resolution
• Usage data — which games were played and general interaction patterns with the Service
• Session storage — we use browser session storage (not cookies) to remember your unlock status during an active browser session. This data is cleared when you close your browser

c) Payment Information

We do not collect or store payment card information. All payment processing is handled directly by Stripe, Inc. We receive only a confirmation of your payment and your email address from Stripe. See Section 6 for more details.

3. How We Use Your Information

We use the information we collect to:

• Verify your purchase and grant or restore access to unlocked content
• Provide customer support
• Maintain and improve the Service
• Detect, prevent, and address fraud, abuse, and security incidents
• Comply with applicable legal obligations
• Enforce our Terms of Service

We do not use your email address for marketing or promotional emails. We will never send you unsolicited communications.

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, our legal basis for collecting and processing your personal data depends on the information concerned and the context:

• Contract performance — processing your email address is necessary to fulfill our service agreement with you
• Legitimate interests — processing log and usage data to maintain security, prevent fraud, and improve the Service
• Legal obligation — processing necessary to comply with applicable laws and regulations

5. Cookies and Local Storage

We use a minimal number of technical cookies strictly necessary for the operation of the Service:

• Admin authentication cookie — used solely to maintain admin login sessions for authorized administrators. This is an httpOnly, secure session cookie and is not used for tracking.
• Browser session storage — used to remember your unlock status during an active browser session. Session storage is not a cookie and is automatically cleared when you close your browser tab or window.

We do not use analytics, advertising, or tracking cookies. We do not use Google Analytics, Facebook Pixel, or any third-party tracking services.

6. Payment Processing — Stripe

All payment transactions are processed by Stripe, Inc., a PCI-DSS Level 1 certified payment processor. When you make a purchase:

• You are redirected to Stripe's secure hosted checkout page
• Stripe collects and processes your payment card details, billing address, and related financial information directly
• We never see, store, or have access to your full card number, CVV, or billing address
• We receive only a payment confirmation and your email address from Stripe

Stripe's handling of your payment data is governed by Stripe's Privacy Policy.

7. Data Sharing and Disclosure

We do not sell, rent, trade, or otherwise share your personal information with third parties for their own marketing purposes.

We may share your information only in the following limited circumstances:

• Service providers — with Stripe solely for payment processing purposes
• Hosting — our Service is hosted on Vercel, Inc. Infrastructure providers may process data as part of service delivery and are bound by appropriate data processing agreements
• Legal compliance — if required by law, regulation, court order, or governmental authority
• Protection of rights — to protect the rights, property, or safety of Hilly Shore Inc., our users, or others
• Business transfers — in connection with a merger, acquisition, or sale of assets, in which case we will provide notice before your information is transferred

8. Data Retention

We retain personal information for as long as necessary to fulfill the purposes described in this Privacy Policy:

• Email addresses associated with purchases are retained for a minimum of 10 years from the date of purchase. This extended retention period is necessary to: (i) verify historical purchases; (ii) maintain accurate business and financial records; and (iii) comply with applicable tax and accounting obligations.
• Log and usage data may be retained for up to 12 months for security and operational purposes.

Upon the expiration of applicable retention periods, or upon a valid deletion request (subject to legal obligations), data will be securely deleted or anonymized.

9. Data Security

We implement reasonable and appropriate technical and organizational security measures to protect your personal information, including:

• HTTPS encryption for all data transmitted between your browser and our Service
• Secure, encrypted database storage with access controls
• httpOnly and Secure flags on authentication cookies
• No storage of payment card data (handled entirely by Stripe)

No method of transmission over the internet is 100% secure. We cannot guarantee absolute security of your information.

10. Children's Privacy

The Service is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child under 13 has provided us with personal information, please contact us via our website and we will promptly delete such information from our records.

We comply with the Children's Online Privacy Protection Act (COPPA) and do not knowingly allow users under 13 to create accounts or make purchases.

11. Your Privacy Rights

For All Users

Regardless of your location, you may contact us via our website to:

• Request a copy of the personal data we hold about you
• Request correction of inaccurate data
• Ask questions or raise concerns about your data

California Residents (CCPA)

Under the California Consumer Privacy Act, California residents have the right to:

• Know what personal information we collect, use, disclose, and sell
• Delete personal information we have collected (subject to exceptions)
• Opt out of the sale of personal information — we do not sell your personal information
• Non-discrimination — we will not discriminate against you for exercising your CCPA rights
• Correct inaccurate personal information

To submit a CCPA request, contact us via our website.

EEA, UK, and Switzerland Residents (GDPR)

If you are located in the EEA, UK, or Switzerland, you have the right to:

• Access your personal data and obtain a portable copy
• Rectification of inaccurate or incomplete personal data
• Erasure ("right to be forgotten") in certain circumstances
• Restriction of processing in certain circumstances
• Object to processing based on legitimate interests
• Withdraw consent at any time (where processing is based on consent)
• Lodge a complaint with your local supervisory authority

To exercise any of these rights, contact us via our website.

12. International Data Transfers

Hilly Shore Inc. is based in the United States. If you are accessing the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country.

If you are located in the EEA or UK, such transfers are made subject to appropriate safeguards in accordance with applicable data protection law.

13. Do Not Track

Some browsers offer a "Do Not Track" (DNT) feature. Because we do not use tracking cookies or behavioral advertising, we do not track users across third-party websites.

14. Third-Party Links

The Service may contain links to third-party websites, including Etsy and Stripe. These links are provided for your convenience. We are not responsible for the privacy practices of any third-party sites.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. Your continued use of the Service after any changes constitutes your acceptance of the updated Privacy Policy.

16. Contact Us

For questions, concerns, or requests regarding this Privacy Policy, please contact us via our website.