Privacy · how we handle your data

Privacy.

Last updated · 1 May 2026

em-modshop is a small workshop in Albania building retro audio / video cables. This page describes, in plain English, what data we collect when you shop with us or get in touch, why we collect it, who else sees it, and what rights you have over it.

The shop is run by one person and there is nothing fancy going on under the hood — but because we ship internationally and parts of our infrastructure run on services based outside Albania, this page is more detailed than you might expect for a small site. We would rather be upfront than vague.

What we collect, and why

We collect different things in different situations. For each category we list what we collect, why we need it, and the legal basis we rely on under EU and UK data protection law (this terminology comes from the GDPR — most other privacy regimes use equivalent concepts).

When you place an order

  • Your name, email address, and full shipping address.
  • Your phone number, if you provide one (optional, used for delivery issues).
  • The items you ordered, prices at the time, and totals.
  • A PayPal payment reference and capture ID. We never see or store your card details — PayPal handles the payment in their own iframe.

Why: to build the cable, ship it, send you order updates, and keep the records we are required to keep by law for accounting and tax.

Legal basis: performing our contract with you (most of the order data), and complying with our legal obligations (the part we keep for tax records).

When you use the contact form

  • Your name, email address, optional subject line, and the message you wrote.

Why: to reply to your message.

Legal basis: our legitimate interest in being able to respond to people who contact us.

Network and device data (every visit)

Like any website, we automatically receive certain data whenever your browser makes a request to us:

  • Your IP address (this is unavoidable — every TCP/HTTP request includes it).
  • Your browser's user-agent string and the URL you are visiting.
  • Standard server-log data: response status, latency, referring page.

We use your IP address briefly to rate-limit a few public endpoints (search, shipping estimates) so that nobody can hammer the workshop with thousands of automated requests. These rate-limit counters are kept in memory only on the server that handled your request and are cleared on a rolling basis. We do not log your IP to a database, send it to analytics, or share it with anyone.

The hosting provider (Vercel — see below) does keep its own short-term server logs of every request, including your IP, user agent, path, and response code. This is standard hosting infrastructure, used for security, abuse prevention, and debugging.

Why: to protect the site against abuse and keep it operational.

Legal basis: our legitimate interest in running a secure, available website.

Bot-detection signals (contact form only, production only)

When you submit the contact form on the live site, an invisible bot-detection challenge from Vercel BotID runs in your browser. It collects fingerprint-style signals — browser type and version, viewport, hardware concurrency, timezone, and timing data — to tell humans apart from automated abuse.

That signal data is sent to Vercel’s bot-detection provider (Kasada) for analysis. It is not used to track you across sessions or sites; it is used in the moment to score the request as human or bot. We never see the raw fingerprint — we only see Vercel’s yes-or-no verdict.

BotID does not run on any other page or form, and it does not run in development.

Why: to stop spam, abuse, and automated attacks on the contact form.

Legal basis: our legitimate interest in keeping the form usable for real people.

Analytics

We use Vercel Analytics. It is cookieless and privacy-preserving by design: no cookies are set and no persistent per-person identifier is built. Instead, Vercel uses a daily-rotating server-side hash to count unique visitors. We see aggregate page views and performance metrics, never an individual’s browsing trail.

Why: to understand which pages are popular and improve the catalog.

Legal basis: our legitimate interest in improving the site.

Who else sees your data

We rely on a small set of vetted services to run the shop. Each only sees the data it needs to do its job. None of them are advertising networks; none of them build a profile of you; we do not sell your data to anyone.

  • PayPal — processes payments. They see your name, email, billing address, payment details, and IP (their iframe loads from paypal.com when you check out). We never see your card details. Their privacy policy is at paypal.com/privacy.
  • Resend — sends our transactional emails (order received, shipped, refunded, contact-form alerts). They see the recipient email and the email body for the time it takes to deliver. Their privacy policy is at resend.com/legal/privacy-policy.
  • Vercel — hosts the site, serves images, runs the cookieless analytics, and runs the BotID challenge on the contact form. As the hosting provider they receive every HTTP request, including your IP and user agent. Their privacy policy is at vercel.com/legal/privacy-policy.
  • Neon — runs the PostgreSQL database where we store order details. Queries flow over HTTPS from the Vercel infrastructure to Neon's serverless endpoint; Neon sees the database query data, but does not see your IP directly (Vercel's outbound IP is what reaches Neon). Their privacy policy is at neon.tech/privacy-policy.
  • Kasada — Vercel's bot-detection provider, used through Vercel BotID. Their privacy policy is at kasada.io/privacy-policy.
  • Your shipping carrier — we print a shipping label with your name and address so the parcel can find you.

Each of these is a contracted data processor: they handle data on our behalf, under written terms (including the Standard Contractual Clauses where required), and cannot use your data for their own purposes.

Where your data lives — international transfers

em-modshop is based in Albania. Some of our processors are based in the United States or run infrastructure across both the EU and the US:

  • Vercel: US-headquartered, with EU edge locations.
  • Resend: US-based.
  • PayPal: US-headquartered, with European operating entities.
  • Neon: serverless PostgreSQL, region-selectable.
  • Kasada: bot-detection, accessed via Vercel BotID.

When personal data leaves the EU, the European Commission requires an adequate safeguard. All of the processors above rely on the European Commission’s Standard Contractual Clauses (or, where applicable, the EU-US Data Privacy Framework) as that safeguard. We will not send your data to a processor that does not have one of these in place.

Cookies and browser storage

The customer side of the site sets no cookies. Your cart, theme preference (dark / light), and currency choice live in your browser’s local storage — only on your device, never sent to us.

When the shop owner logs into the admin panel, an encrypted session cookie is set on their device. That cookie is never set for customers.

All four of these (the cart, theme and currency entries in local storage, plus the admin cookie) are what privacy law calls “strictly necessary”: they are needed for the features you actively use (a cart that remembers your items, a logged-in admin panel). That is why this site does not have a cookie banner: there is nothing optional to consent to.

How long we keep it

  • Order records (your name, address, order details, payment reference, email-send log): kept for as long as Albanian accounting and tax law requires, typically several years. After that we will delete them on request.
  • Refund records: kept alongside the order they relate to, on the same timeline.
  • Contact form messages: kept until the conversation is resolved and then deleted on request or in periodic cleanups.
  • Server logs at Vercel (IP, user agent, path): the hosting provider's standard short-term retention — not configured by us, typically days to a few weeks.
  • Rate-limit counters: in memory only, cleared continuously.
  • BotID fingerprint signals: handled by Vercel and Kasada under their own retention policies. We do not store them.
  • Browser storage on your device (cart, theme, currency): under your control. Clear it any time via your browser's storage settings.

Your rights

Under EU and UK data protection law, you have the right to:

  • See what data we hold about you (right of access).
  • Correct anything that is wrong (right to rectification).
  • Delete your data, where we are not legally required to keep it (right to erasure).
  • Receive your data in a portable format (right to data portability).
  • Restrict or object to how we process it (right to restriction and objection).
  • Withdraw consent at any time, where processing is based on consent (this site does not currently rely on consent for anything; it relies on contract, legal obligation, and legitimate interest).

To exercise any of these rights, send a message via the contact form. We do not charge for handling these requests and we aim to reply within 30 days.

You also have the right to lodge a complaint with a data protection authority. If you are in the EU or UK that is the authority in your country (find yours via edpb.europa.eu/about-edpb/board/members). If you are in another jurisdiction, contact the equivalent regulator there. We would prefer you reach out to us first so we can sort it directly — but the right is yours, not ours.

Children

em-modshop is not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe a child has shared data with us, get in touch and we will delete it.

Changes to this policy

If we change this policy in a way that materially affects how we handle your data, we will bump the “Last updated” date at the top of this page. For changes that affect existing customers (for example, adding a new processor that handles personal data), we will also send a note by email to anyone with an active or recent order.

Contact

For anything privacy-related — a question, a request, a complaint — use the contact form. We read everything.