Privacy Policy

We collect information you provide directly to us, such as when you create an account, make a purchase, or contact us for support.

This may include your name, email address, billing information, and any other information you choose to provide.

We also automatically collect certain information when you use our platform, including your IP address, browser type, operating system, and browsing behavior.

We collect IP addresses for legitimate purposes including security, rate limiting (to prevent abuse), and service delivery. However, we take your privacy seriously.

IP addresses are considered personal data under GDPR Article 4(1). To protect your privacy, we employ pseudonymization techniques:

• All IP addresses are cryptographically hashed (SHA-256) before storage

• The hash is irreversible - we cannot recover your original IP address

• This complies with GDPR Article 4(5) on pseudonymization

• Hashed IPs allow us to prevent abuse while protecting your identity

Example: Your IP '192.168.1.1' is stored as '8f3b5d2a...' (hash value)

This approach ensures we can maintain security and prevent service abuse without storing your actual IP address.

We use the information we collect to provide, maintain, and improve our services.

This includes processing transactions, sending you technical notices and support messages, and responding to your comments and questions.

We may also use your information to send you promotional communications, such as information about products, services, and events.

We do not sell, trade, or otherwise transfer your personal information to third parties without your consent, except as described in this policy.

We may share your information with service providers who assist us in operating our platform and conducting our business.

We may also disclose your information if required by law or to protect our rights, property, or safety.

We implement appropriate technical and organizational measures to protect the security of your personal information.

However, please note that no method of transmission over the Internet or electronic storage is 100% secure.

We cannot guarantee the absolute security of your information, but we strive to use commercially acceptable means to protect it.

We employ industry-standard security practices to protect your data:

• Encryption: All data in transit is encrypted using HTTPS/TLS

• Pseudonymization: IP addresses are cryptographically hashed (SHA-256) before storage

• Access Control: Strict role-based access control limits who can access personal data

• Rate Limiting: Automated abuse prevention systems protect against attacks

• Audit Logging: Security events are logged for monitoring and compliance

• Regular Updates: Security patches and updates are applied promptly

These measures comply with GDPR Article 32 requirements for appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

To maintain service quality and prevent abuse, we implement rate limiting on various actions:

• API requests: Limited to prevent automated attacks

• Contact form submissions: Limited to prevent spam

• Product downloads: Limited to prevent unauthorized distribution

• Account creation: Limited to prevent bot registrations

Rate limiting uses pseudonymized IP addresses (hashed) to identify clients without storing personal information. This data is:

• Automatically deleted after 24 hours (no long-term storage)

• Used solely for abuse prevention (not for tracking or profiling)

• Stored in pseudonymized form (compliant with GDPR)

If you encounter rate limiting errors, this is typically temporary and protects the service for all users.

We use cookies and similar tracking technologies to enhance your experience on our platform. A cookie is a small text file stored on your device that helps us remember your preferences and understand how you use our services.

You can manage your cookie preferences at any time by clicking the 'Cookie Settings' link in our website footer. You can also instruct your browser to refuse all cookies or indicate when a cookie is being sent.

These cookies are strictly necessary for the website to function and cannot be disabled. They are typically set in response to actions you take, such as logging in, adding items to your cart, or setting your privacy preferences.

Essential cookies we use include:

• sb-*-auth-token: Authentication session cookie that keeps you logged in securely. This cookie is set by Supabase and expires when your session ends or after 1 year for 'remember me' sessions.

• cc_cookie: Stores your cookie consent preferences. This cookie expires after 6 months.

• NEXT_LOCALE: Stores your language preference for the website.

With your consent, we may use analytics cookies to understand how visitors interact with our website. This helps us improve our services and user experience.

Analytics cookies we may use include:

• _ga, _ga_*: Google Analytics cookies that help us understand page views, session duration, and user journeys. These cookies expire after 2 years.

• _gid: Google Analytics cookie that distinguishes users. This cookie expires after 24 hours.

• _gat: Google Analytics cookie used to throttle request rate. This cookie expires after 1 minute.

These cookies are only set if you explicitly consent to analytics cookies in our cookie preferences panel. You can withdraw your consent at any time.

When you first visit our website, you will be presented with a cookie consent banner where you can choose which optional cookies to accept.

You can change your preferences at any time by clicking 'Cookie Settings' in the footer of any page.

Please note that disabling certain cookies may affect the functionality of our website and the services we can offer you.

Under the General Data Protection Regulation (GDPR) and similar data protection laws, you have specific rights regarding your personal data. We are committed to helping you exercise these rights.

You have the right to request a copy of all personal data we hold about you. This includes your profile information, purchase history, downloads, favorites, and any content you've created on our platform.

To request your data, log in to your account, go to Settings → Your Data, and click 'Download my data'. Your data will be provided in a machine-readable JSON format.

You have the right to request correction of any inaccurate personal data we hold about you.

You can update most of your personal information directly through your account settings. For data that cannot be self-corrected, please contact our support team.

You have the right to request deletion of your personal data. When you delete your account, we will permanently remove:

• Your profile and authentication credentials

• Your purchase history and order details

• Your download history

• Your favorites and shopping cart

• Your notification history

• Your follows and follower relationships

• If you are an author: all your published products and author profile

To delete your account and all associated data, go to Settings → Delete account. This action is permanent and cannot be undone.

Note: Some data may be retained for legal compliance purposes (e.g., financial records for tax purposes) even after account deletion.

You have the right to object to certain types of data processing, including direct marketing and analytics.

You can manage your cookie preferences at any time by clicking 'Cookie Settings' in the footer. You can also manage email preferences in your account notification settings.

You have the right to receive your personal data in a structured, commonly used, machine-readable format.

Use the data export feature in Settings → Your Data to download all your data as a JSON file that you can use elsewhere.

Most of these rights can be exercised directly through your account settings. For any requests that cannot be handled through the self-service options, or if you have questions about your rights, please contact us using the information in Section 10 below.

We will respond to all legitimate requests within one month. If your request is particularly complex, we may extend this period by a further two months, but we will notify you of any such extension.

Our platform is not intended for children under the age of 13.

We do not knowingly collect personal information from children under 13.

If we become aware that we have collected personal information from a child under 13, we will take steps to delete such information.

Your data may be transferred to and processed in countries other than your country of residence. We ensure appropriate safeguards are in place to protect your data in accordance with this privacy policy.

When we transfer personal data outside the European Economic Area (EEA), we ensure a similar degree of protection by using specific contractual clauses approved by the European Commission.

We may update this privacy policy from time to time.

We will notify you of any changes by posting the new policy on this page and updating the 'Last updated' date.

For significant changes, we may also notify you via email or through a notice on our website.

You are advised to review this policy periodically for any changes.

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us at support@themely.dev.

You can also reach us by mail at: Themely.

If you are in the EU and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection supervisory authority.