View Eyewear luxury independent eyewear brands and boutiques
Portal

Privacy Policy

What we collect, why, and what you can do about it. We do not sell your data.

Last updated: April 29, 2026 · Effective: April 29, 2026

1. What We Collect

  • Account info — email address, hashed password, optional 2FA secret.
  • Profile content — anything you upload: business name, address, photos, frame inventory, descriptions.
  • Technical data — IP address, browser user agent, page views, click events, referrer.
  • Payment data — your Stripe customer ID and the last 4 digits of your card. We never see, store, or process the full card number. Stripe does.
  • Communications — emails you send us and our replies.

2. How We Use It

  • To run the site, show your listing, and connect visitors to you.
  • To send transactional email — receipts, password resets, security alerts, plan changes.
  • To send monthly performance reports to paid subscribers (views, clicks, contact requests).
  • To detect fraud, abuse, and suspicious login activity.
  • To improve the site — aggregate, anonymized usage trends.

We do not use your data to train AI models, and we do not sell it. Period.

3. Cookies

We use a small number of first-party cookies:

  • ve-session — httpOnly authentication cookie, AES-256-GCM encrypted, 30-day lifetime.
  • ve-csrf — anti-forgery token used to protect form submissions.
  • Vercel Analytics — anonymized page-view tracking. No third-party advertising cookies.

4. Third Parties

We share data only with the services we need to operate:

  • Stripe — processes subscription payments. Their privacy policy applies to your card data.
  • Supabase — hosts our database (US region).
  • Vercel — hosts the site and provides anonymized analytics.
  • Gmail SMTP (Google Workspace) — sends transactional email.

We do not share, rent, sell, or barter your personal information with advertisers, data brokers, or any other party. If that ever changes, we will tell you first and give you a chance to opt out before it takes effect.

5. Your Rights

Regardless of where you live, you can:

  • Access — request a copy of the data we have on you.
  • Correct — edit your profile and account details directly in the portal.
  • Delete — email andy@gazaleyewear.com. We delete within 30 days unless we are subject to a legal hold (e.g., active fraud investigation, tax records).

California Residents (CCPA / CPRA)

You have the right to know what personal information we collect, to request deletion, to correct inaccurate data, and to opt out of any sale or sharing for cross-context advertising. We do neither, but the right exists. Email us to exercise it. We will not discriminate against you for doing so.

Virginia Residents (VCDPA)

You have the right to access, correct, delete, port your data, and opt out of targeted advertising and profiling. We do not engage in targeted advertising or profiling that produces legal effects.

Colorado Residents (CPA)

Same rights as Virginia: access, correction, deletion, portability, and opt-out from targeted advertising. Universal opt-out signals (Global Privacy Control) are honored.

EU / UK Visitors

The View Eyewear is a US-only service and is not designed to comply with the GDPR or UK GDPR. EU and UK residents are welcome to browse. If you contact us, we will honor reasonable data access and deletion requests in good faith.

6. Children's Privacy

The site is not directed to children under 13. We do not knowingly collect data from anyone under 13. If you believe a minor has signed up, email us and we will delete the account.

7. Data Retention

  • page_views — 2 years, then aggregated and purged.
  • login_attempts — 90 days.
  • audit_events — 5 years (compliance and fraud investigations).
  • Account records — kept until you request deletion.
  • Payment records — retained per US tax and accounting requirements (typically 7 years).

8. Security

  • Passwords are hashed with bcrypt.
  • Two-factor authentication uses TOTP (RFC 6238).
  • Session cookies are AES-256-GCM encrypted and httpOnly.
  • HTTPS is enforced site-wide via HSTS.
  • Stripe webhooks are signed and verified before processing.
  • Database access is restricted by row-level security and least-privilege roles.

No system is perfectly secure. If we detect a breach that materially affects your data, we will notify affected users within 72 hours of confirmation.

9. Changes to This Policy

We will update this page when our practices change. Material changes get 30 days' notice by email and a banner in the dashboard. Smaller edits take effect on posting.

10. Contact

Privacy questions, data requests, or concerns? Email andy@gazaleyewear.com. A real person reads it.