Circle Halo Privacy Policy
Effective Date: October 2, 2025
Last Updated: October 2, 2025
1. Introduction
Circle Halo (“Circle Halo,” “Company,” “we,” or “us”) provides a software-as-a-service (SaaS) platform that enables sellers of personalized and made-to-order products to manage, monitor, and fulfill eCommerce orders (the “Services”).
This Privacy Policy explains how we collect, use, disclose, and safeguard personal data in connection with our Services. It applies to all users, visitors, and customers who access Circle Halo’s websites, applications, or connected integrations (collectively, the “Software”).
By using our Services, you acknowledge and agree to this Privacy Policy. If you do not agree, you should discontinue use of the Services.
2. Scope, Roles, and Responsibility
(a) Scope of Policy
This Privacy Policy applies to:
- User Data: Information collected directly from you when you create an account, subscribe, or interact with us.
- Order Data: Data imported from third-party platforms you connect (e.g., Etsy, Amazon, Shopify) for order management.
- Payment Data: Processed through our merchant-of-record provider, Paddle.
This Policy does not govern the privacy practices of third parties (such as Etsy, Amazon, Shopify, or Paddle), which maintain their own privacy policies.
(b) Data Controller and Processor Roles
For the purposes of the General Data Protection Regulation (GDPR) and similar global privacy laws:
- You (Our Customer/Seller) are the Data Controller for the Order Data (personal data of your end-customers) that is imported into the Services. You determine the purposes and means of processing that data.
- Circle Halo is the Data Processor acting strictly on your instructions to provide the Services (e.g., importing, unpacking, displaying data for fulfillment). Our use of Order Data is governed by this Policy and our Terms of Service.
3. Data We Collect
We collect information to provide, maintain, and improve our Services.
(a) Information You Provide (User Data)
- Account Data: Name, email address, password, phone number, company details, and business identification information.
- Billing Data: Payment details and billing address (processed securely by our Merchant of Record, Paddle).
- Communications: Support requests, survey responses, platform feedback, or other correspondence.
(b) Information from Connected Platforms (Order Data)
When you connect Circle Halo to your eCommerce accounts (e.g., Etsy, Amazon, Shopify), we collect personal data related to your sales and fulfillment:
- Authentication Data: API tokens or credentials required for secure, ongoing synchronization.
- Order Details: Order IDs, customer names, shipping addresses, personalization requests, and any files (including ZIP files) containing design or order information.
- Product Data: Listing details and inventory information required for effective order management.
(c) Automatically Collected Data
When you use our Software, we automatically collect:
- Device & Connection Data: IP address, operating system, device identifiers, browser type, and time zone.
- Usage Data: Login timestamps, activity logs, performance metrics, pages viewed, and feature interactions.
- Tracking Technologies: Data collected via cookies, pixels, and similar technologies used to authenticate sessions, analyze platform usage, and improve security.
4. How We Use Data
We process personal data for the following lawful purposes:
- Service Delivery: To provide, operate, and maintain the Services you subscribe to.
- Order Management: To import, unpack, and display Order Data for fulfillment (as your Processor).
- Billing & Payments: To process subscriptions and generate invoices via Paddle.
- Account Security & Support: To create, secure, and maintain your user account and respond to inquiries.
- Analytics & Improvements: To analyze platform performance, enhance features, and monitor usage patterns.
- Compliance & Legal: To comply with tax, legal, and regulatory requirements.
We do not sell personal data and do not use customer order data for advertising or marketing unrelated to the Services.
5. Legal Basis for Processing (GDPR)
If you are located in the EU/EEA or UK, our legal basis for processing your data includes:
- Performance of a Contract (Art. 6(1)(b) GDPR): Processing data necessary to provide you with the Services and maintain your account.
- Compliance with a Legal Obligation (Art. 6(1)(c) GDPR): Processing data required for tax, billing, security, or regulatory requirements.
- Legitimate Interests (Art. 6(1)(f) GDPR): Processing data to improve the Services, prevent fraud, and ensure platform security (where our interests are not overridden by your rights).
- Consent (Art. 6(1)(a) GDPR): Where applicable (e.g., for optional marketing communications).
6. Data Sharing & Disclosure
We may disclose your data in limited circumstances to fulfill our obligations:
- Service Providers: We share necessary data with vendors providing hosting, IT infrastructure, analytics, and platform support. These parties are contractually bound to process data only on our behalf and protect it securely.
- Payment Processing: Paddle processes billing and payment information as the Merchant of Record. We do not store or process full credit card numbers ourselves.
- Connected Platforms: We exchange data (primarily Order Data) with the third-party marketplaces (Etsy, Amazon, Shopify, etc.) that you explicitly choose to connect, solely for the purpose of syncing and managing orders.
- Corporate Transactions: In connection with a merger, acquisition, or asset sale, your personal data may be transferred to the successor entity.
- Legal Obligations: When required by law, subpoena, court order, or regulatory authority.
7. Cookies and Tracking
Circle Halo uses cookies and similar technologies for essential purposes:
- Strictly Necessary: To authenticate sessions and secure your account.
- Functionality: To remember your preferences and enhance the user experience.
- Analytics: To analyze platform usage and performance metrics.
You may manage or disable cookies through your browser settings. Be aware that disabling strictly necessary cookies may limit the functionality of the Services. For more detail, please refer to our separate Cookie Policy.
8. Data Retention
We retain your personal data only for as long as necessary to provide the Services, fulfill legal obligations, or resolve disputes.
- Account Data: Retained for as long as you maintain an active account.
- Order Data: Retained as long as required for your order fulfillment operations and your own legal obligations as the Data Controller, typically tied to the life of your active account.
- Upon verified account deletion, personal data will be deleted or anonymized within 30 days, except for data we are legally required to retain for tax, billing, or auditing purposes.
9. International Data Transfers
Your data may be transferred to and processed in jurisdictions outside your country, including the United States, the European Union, and Türkiye, where we or our service providers may operate.
Where required by law, especially for transfers of data outside the EU/EEA or UK, we implement appropriate safeguards, including:
- Standard Contractual Clauses (SCCs): We use SCCs approved by the European Commission, and their UK equivalent, to ensure an adequate level of data protection.
- Encryption: Utilizing industry-standard encryption for data in transit and at rest.
By using the Services, you consent to this international transfer and processing of your data.
10. Security Measures
We use industry-standard technical and organizational measures designed to protect personal data from unauthorized access, disclosure, alteration, or destruction. These measures include:
- Encryption of data in transit (TLS/SSL) and at rest.
- Strict role-based access control for employees.
- Secure servers, firewalls, and regular vulnerability monitoring.
- Routine security audits and data backup protocols.
While we strive for absolute protection, no internet-based system can guarantee 100% security.
11. Your Privacy Rights
You have rights concerning your personal data, which vary based on your location:
(a) GDPR (EU/EEA & UK)
- Right to Access: To obtain confirmation about your data processing and receive a copy of your data.
- Right to Rectification: To correct inaccurate or incomplete data.
- Right to Erasure (‘Right to be Forgotten’): To request the deletion of your data when it is no longer necessary for the purposes collected.
- Right to Restriction of Processing: To limit the way we use your data.
- Right to Data Portability: To receive your data in a structured, commonly used, and machine-readable format.
- Right to Object: To object to processing based on legitimate interests or for direct marketing.
- Right to Withdraw Consent: To withdraw consent at any time where processing is based on consent.
(b) CCPA/CPRA (California)
- Right to Know: To request the categories and specific pieces of personal data collected, used, and disclosed.
- Right to Delete: To request the deletion of personal data we have collected, subject to exceptions.
- Right to Opt-Out of Sale/Sharing: Circle Halo does not sell or share personal data for cross-context behavioral advertising.
- Right to Non-Discrimination: For exercising your privacy rights.
(c) KVKK (Türkiye)
- Right to Learn: Whether your personal data is processed.
- Right to Request Information: Regarding the purpose of processing.
- Right to Correction/Deletion: To request correction or deletion if the reasons for processing are no longer valid.
- Right to Object: To the occurrence of an unfavorable outcome through automatic analysis.
To exercise any of these rights, please contact us at [email protected].
12. Data Deletion Requests
You may request the deletion of your Circle Halo account and all associated personal data at any time.
- Verified requests will be processed within 30 days of receipt.
- Certain data may be retained as required by tax, billing, or regulatory law, which will be clearly communicated upon request.
13. Children’s Privacy
Our Services are intended for business use and are not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 18, we will take steps to delete it promptly.
14. Changes to This Policy
We may amend this Privacy Policy from time to time. We will communicate significant changes by posting the updated policy on our website, through email notification, or via platform banners. The revised policy will be effective as of the “Last Updated” date.
15. Contact Information
If you have questions or concerns, or wish to exercise your privacy rights, please contact us at:
Circle Halo
Email: [email protected]