Privacy Policy
Last updated: June 2026
Sarah's Siopa is committed to protecting your privacy. This policy explains what personal data we collect, how we use it, and your rights under the General Data Protection Regulation (GDPR) and the Irish Data Protection Act 2018.
1. Who We Are
Sarah's Siopa Ltd is the data controller for personal data processed through this website. Our contact address for data matters is: privacy@sarahssiopa.ie.
2. Data We Collect
2.1 Account data
When you create an account: name, email address, password (hashed — never stored in plain text), county, and any profile information you choose to add.
2.2 Order & payment data
Delivery address, order details, and transaction records. Payment card details are processed and held by Stripe — we do not store full card numbers. We store only the last four digits and card type for display purposes, plus a Stripe customer reference for Auto-Send charges.
2.3 Occasions & Auto-Send data
Dates, recipients, and gift preferences you save for occasions. This data is used solely to operate the reminder and auto-send features.
2.4 Maker application data
Business name, VAT number (if applicable), bank/payout details (held by Stripe), product descriptions, and photos.
2.5 Usage data
If you consent, we use Plausible Analytics (a privacy-friendly, cookieless tool) to understand how the site is used. Plausible does not collect personal identifiers or use cookies. No data is shared with advertising networks.
2.6 Cookies
We use strictly necessary cookies for authentication (Supabase session). We only use analytics tools with your consent. See our Cookie Policy for details.
3. Legal Basis for Processing
- Contract performance — to fulfil orders, process payments, and operate Auto-Send
- Legitimate interests — fraud prevention, platform security, resolving disputes
- Consent — analytics (Plausible); you can withdraw at any time
- Legal obligation — tax records, financial reporting
4. How We Share Your Data
We share data only as necessary:
- Makers — receive your delivery address and order details to fulfil your order
- Stripe — payment processing and maker payouts (Stripe Privacy Policy applies)
- Supabase — our database and authentication provider (EU-hosted)
- Resend — transactional email delivery
- Law enforcement — if required by valid legal process
We never sell your data to third parties.
5. Retention
Account data is kept for as long as your account is active plus 6 years for tax records. Order data is retained for 7 years under Irish revenue law. You may request deletion of your account (see Your Rights below); tax-relevant order records must be retained even after deletion.
6. Your Rights
Under GDPR you have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Request erasure ("right to be forgotten") where no legal obligation requires retention
- Restrict or object to processing
- Data portability (receive your data in a machine-readable format)
- Withdraw consent for analytics at any time without affecting other processing
To exercise these rights, email privacy@sarahssiopa.ie. We will respond within 30 days. You also have the right to lodge a complaint with the Data Protection Commission (Ireland): dataprotection.ie.
7. Security
We use industry-standard measures including TLS encryption in transit, hashed passwords, and row-level security on all database tables. We conduct regular reviews of access controls.
8. International Transfers
All core data is stored in EU data centres (Supabase EU region). Where any sub-processor operates outside the EEA, we ensure appropriate safeguards (Standard Contractual Clauses or adequacy decisions) are in place.
9. Children
Our platform is not directed at children under 18. We do not knowingly collect data from minors.
10. Changes
We may update this policy. We will notify you of material changes by email. The "last updated" date above indicates the most recent revision.
11. Contact
Data queries: privacy@sarahssiopa.ie
General: hello@sarahssiopa.ie