Privacy Policy

Phase 1 — Scope, Roles, and What We Collect (Data Map & Accountability)

Who we are (Controller).
Photobattery Inc., operating SophiCart (“we,” “us,” “our”), is headquartered in Toronto, Ontario, Canada. For EU/UK users, we act as the data controller under GDPR/UK-GDPR for website use, marketing, and customer support data. For order fulfillment, certain logistics and supplier partners act as processors or sub-processors.

Scope.
This Policy applies to our website(s), customer support channels, email/SMS communications, and e-commerce integrations (such as WooCommerce plugins, payment gateways, and shipping or fulfillment platforms). It covers data collected directly from you and from third parties in connection with your orders and interactions. It does not cover the privacy practices of third-party websites we link to.

Definitions (plain language).

Personal Information (“PI” / “Personal Data”): information that identifies or can reasonably be linked to a person.
Processing: any operation performed on PI (collection, storage, use, sharing, deletion).
Sale / Share (CCPA/CPRA): disclosure of PI for monetary value or cross-context behavioral advertising.
Sensitive PI: precise location, login credentials, payment details, or other data requiring higher protection.

Categories of PI we collect (examples).

(A) Identifiers: name, shipping address, email, phone number, IP address, device identifiers.
(B) Commercial: products viewed, wish-listed, or purchased (e.g., bags, jewelry, eyewear), order history, returns.
(C) Payment: card brand, last four digits, tokenized payment IDs (processed by PCI-compliant providers; we do not store full card numbers or CVV).
(D) Internet/Device: cookie IDs, pages viewed, time on site, referral URLs, approximate location (country/region).
(E) User-Generated: reviews, ratings, questions, customer support messages.
(F) Inferences/Profiles: non-sensitive segments used for recommendations (e.g., “eco-friendly bags interest”).
(G) Sensitive PI (limited): account credentials (hashed), precise location only if you enable it. We do not collect health or biometric data.

Sources of PI.
Directly from you (checkout, account creation, support); automatically via cookies or analytics tools; from payment, shipping, and fulfillment partners; and from social log-ins if you opt in.

Why we collect PI (purposes).

Order processing & delivery (payments, shipping, fraud prevention).
Customer support (returns, inquiries, dispute resolution).
Site improvement & security (analytics, performance, abuse prevention).
Personalization & marketing (emails/SMS with consent, product recommendations).
Legal compliance (tax, accounting, regulatory obligations).

Data minimization & accuracy.
We collect only what is necessary. You may update your information via your account or by emailing customer-service@sophicart.com.

Accountability & contact.
We appoint a Privacy Officer reachable at customer-service@sophicart.com.

Effective date & updates.
We publish an Effective Date and notify users of material changes before they take effect, unless required sooner for legal or security reasons.


Phase 2 — Lawful Bases, Consent, Cookies, and Age Limits

Lawful bases (GDPR / UK-GDPR).

Contract: to process and deliver your orders.
Legitimate interests: site security, fraud prevention, analytics, basic personalization.
Consent: marketing emails/SMS, non-essential cookies, targeted advertising where required.
Legal obligation: tax, accounting, and regulatory record-keeping.

CASL (Canada).
We send commercial messages only with consent or a lawful exemption. Every message includes identification and a working unsubscribe mechanism.

CCPA / CPRA (California).
We may collect categories (A–F) above for business purposes. We do not sell PI for money. We may share PI for advertising unless you opt out via “Do Not Sell or Share My Personal Information.” We honor Global Privacy Control (GPC) signals.

Cookies & tracking technologies.

Strictly necessary: cart, checkout, security.
Analytics/performance: site usage measurement.
Functional: language and preferences.
Advertising: interest-based ads where permitted.

You can manage cookies through our banner, preference center, or your browser/device settings.

Profiling & automated decisions.
We create basic, non-sensitive segments (e.g., “reusable accessories shopper”). We do not make decisions with legal or significant effects solely by automated means.

Children.
Our services are not directed to children under 13. We do not knowingly collect PI from minors without parental consent where required by law.

Do Not Track.
We do not respond to browser DNT signals but honor legally recognized opt-out mechanisms such as GPC.


Phase 3 — Sharing, International Transfers, Security, and Retention

Who we share data with (processors).

Payment & fraud prevention providers.
Fulfillment, logistics, and shipping partners.
Customer support and CRM platforms.
Analytics and advertising providers.
IT hosting, security, and backup services.
Legal and regulatory authorities when required.

International transfers.
Data may be processed in Canada, the U.S., the EU/EEA, or other regions where our partners operate. Transfers rely on adequacy decisions, standard contractual clauses, or equivalent safeguards.

Security measures (summary).

Encrypted data transmission (TLS).
Secure storage and access controls.
Role-based access and admin MFA.
Monitoring, patching, and vendor reviews.

Data breaches.
If a breach affecting your PI occurs, we notify affected users and authorities within legally required timelines.

Retention periods (typical).

Orders, invoices, tax records: 7 years.
Inactive accounts: anonymized or deleted after 24 months.
Support communications: 24 months.
Marketing data: until consent is withdrawn.
Fraud prevention records: up to 5 years.


Phase 4 — Your Rights, Choices, and How to Use Them

Your rights (GDPR / UK-GDPR & similar laws).

Access, correction, deletion, restriction, portability.
Object to processing or direct marketing.
Withdraw consent at any time.

U.S. state rights.
Access, delete, correct, opt out of sale/share or targeted advertising, and appeal decisions.

Canada (PIPEDA).
Access and correction rights; complaints may be escalated to the Office of the Privacy Commissioner of Canada.

How to exercise your rights.
Email customer-service@sophicart.com with subject “Privacy Request.” Include your name, email, country/state, and request type. We may verify your identity.

Marketing controls.

Unsubscribe via email links.
Reply STOP to SMS.
Manage cookies via our preference center.
Use “Do Not Sell or Share My Personal Information” where applicable.

Complaints & appeals.
If unresolved, you may contact your local data protection authority.

Third-party services.
Third-party links and social log-ins are governed by their own privacy policies.

Contact details.
Support: customer-service@sophicart.com
Mailing Address: Photobattery Inc. (SophiCart), Toronto, ON, Canada

Governing law.
Except where local law requires otherwise, this Policy is governed by the laws of Ontario, Canada.