Privacy Policy

Your Privacy Is Sacred – Here Is How We Protect It

At Sistabag Magic and Melanin LLC, we believe that trust is the foundation of every relationship – including the relationship we have with you, our customer. When you visit sistabag.store, browse our Leather HandbagsClutchesEclipse Makeup Bags, and Wallets, or share your personal information with us, you are placing your trust in our hands. We take that responsibility seriously.

This Privacy Policy explains in clear, plain English what information we collect, how we use it, who we share it with, and what rights you have over your own data. We comply with applicable US privacy laws (including the California Consumer Privacy Act – CCPA) and international standards (such as GDPR for our European customers). We will never sell your personal information to third parties. Period.

By using our website or purchasing our products, you consent to the data practices described in this policy. Please read it carefully. If you have any questions, contact us at ngocanh21.hn@gmail.com or +84369909540.

I. Quick Summary (The Short Version)

If you are in a hurry, here are the most important points:

  • Information we collect: Name, email, shipping address, phone number, payment details (via Stripe – we never see your full card number), IP address, browsing behavior.

  • How we use it: To process orders, ship products, communicate with you, prevent fraud, improve our website, and (with your consent) send marketing emails.

  • Sharing: We share data only with essential service providers (shipping carriers, Stripe, email platform). We never sell your data to marketers or data brokers.

  • Your rights: You can access, correct, or delete your personal information. You can opt out of marketing emails anytime. California and EU residents have additional rights.

  • Data security: We use encryption, PCI-compliant payment processing, and restricted employee access.

  • Cookies: We use them to remember your cart and analyze traffic. You can disable them in your browser.

For full details, including how long we keep your data and how we handle children’s privacy, please continue reading.

II. Information We Collect

We collect two types of information: information you actively give us and information automatically collected when you use our website.

A. Information You Provide Directly

When you interact with Sistabag Magic and Melanin LLC, you may provide the following:

Category Specific Data Points When Collected
Identity Data Full name, date of birth (if provided), username (if you create an account) Account creation, checkout
Contact Data Email address, shipping address, billing address, phone number Checkout, account creation, contacting customer service
Payment Data Credit/debit card number (processed by Stripe, not stored by us), cardholder name, expiration date, CVV Checkout
Order Data Products purchased, order date, order value, shipping method, return history During and after purchase
Communication Data Emails you send us, chat messages, phone call notes, survey responses Customer service interactions, feedback forms
Account Data Password (hashed, not plain text), saved addresses, wishlist items When you create an account or save preferences

Important note on payment data: We never see your full credit card number. Our payment processor, Stripe, collects that information directly via a secure iframe. We receive only a “token” that represents your payment method and the last four digits of your card (for reference). Stripe’s privacy policy governs their handling of your card data – see Section VII.

B. Information Collected Automatically

When you browse sistabag.store, we (and our third-party partners) automatically collect:

Category Specific Data Points Purpose
Device Data IP address, browser type (e.g., Chrome, Safari), operating system (Windows, iOS, Android), device type (desktop, phone, tablet) To optimize website display, detect fraud
Usage Data Pages visited, time spent on each page, products viewed, search queries, clicks, scrolling behavior To improve website design, recommend products
Location Data Approximate geographic location derived from IP address (city/region level, not precise GPS) To calculate shipping costs, display local currency, comply with tax laws
Cookie Data Unique identifiers stored in your browser (see Section XI on cookies) To remember cart contents, login status, preferences

C. Information from Third Parties

We may receive information about you from:

  • Stripe: Fraud risk scores and verification results (but not your full card number).

  • Shipping carriers (USPS, UPS, FedEx, DHL): Delivery confirmation and address correction suggestions.

  • Social media platforms (if you log in via Google or Facebook in the future): Public profile information (name, email, profile picture) – we do not currently offer social login, but may in the future.

III. How We Use Your Information

We use your personal information only for legitimate business purposes, as described below. We never use your data for purposes incompatible with these without asking for your consent.

A. To Process and Fulfill Your Orders (Contractual Necessity)

  • Process payments via Stripe.

  • Ship products to your address.

  • Send order confirmations, shipping updates, and delivery notifications.

  • Handle returns, refunds, and exchanges.

  • Communicate with you about your order (e.g., “Your package was delayed”).

B. To Improve Our Website and Products (Legitimate Interest)

  • Analyze browsing behavior to understand which products are popular.

  • Test different website layouts and features (A/B testing).

  • Detect and fix technical errors (broken links, slow loading pages).

  • Optimize product recommendations (“Customers who bought this also bought…”).

C. To Prevent Fraud and Ensure Security (Legal Obligation & Legitimate Interest)

  • Monitor transactions for suspicious activity (e.g., multiple orders from same IP in short time).

  • Block known fraudulent IP addresses.

  • Verify your identity if you request account changes.

  • Comply with anti-money laundering laws (not applicable to our small transactions, but we still monitor).

D. To Communicate With You (Consent)

  • Send marketing emails about new collections, sales, and events (only if you opted in).

  • Send abandoned cart reminders (if you added items to cart but did not check out – you can opt out).

  • Request product reviews via email (you can opt out).

  • Respond to your customer service inquiries.

You can opt out of marketing emails at any time by clicking “unsubscribe” at the bottom of any marketing email. Transactional emails (order confirmations, shipping updates, refund notifications) cannot be unsubscribed from because they are necessary for your purchase.

E. For Legal Compliance (Legal Obligation)

  • Respond to lawful requests from law enforcement or courts (subpoenas, warrants).

  • Comply with tax laws (retaining order records for 7 years as required by IRS).

  • Enforce our Terms and Conditions.

F. For Business Transfers (Legitimate Interest)

If we are acquired by or merged with another company, or if we sell our assets, your data may be transferred as part of that transaction. We will notify you via email and a prominent notice on our website before any such transfer.

IV. Legal Bases for Processing (For International Users)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we process your personal data under the following legal bases under the General Data Protection Regulation (GDPR):

Processing Activity Legal Basis
Order processing, shipping, payment Contract performance (Article 6(1)(b))
Fraud prevention, website security Legitimate interest (Article 6(1)(f)) – our interest in protecting our business and customers
Marketing emails (with opt-in) Consent (Article 6(1)(a))
Tax record keeping Legal obligation (Article 6(1)(c))
Analytics and website improvement Legitimate interest (Article 6(1)(f)) – our interest in improving our services

You have the right to withdraw consent at any time (for marketing) and to object to processing based on legitimate interest. See Section IX for your rights.

V. How We Share Your Information

We do not sell your personal information to third parties. We do not share your data with advertisers or data brokers. However, we do share your information with essential service providers who help us run our business. These providers are contractually obligated to use your data only for the purposes we specify and to protect it with appropriate security measures.

A. Service Providers (Processors)

Provider What They Do What Data They Receive
Stripe Payment processing, fraud detection Payment card token, billing address, order amount, IP address
USPS, UPS, FedEx, DHL Shipping and delivery Name, shipping address, phone number, email (for tracking notifications)
Klaviyo (or similar email platform) Sending marketing and transactional emails Email address, name, order history (to personalize emails)
Google Analytics Website analytics (anonymous) IP address (anonymized), browsing behavior, device data
Route Package protection (if you opt in) Order value, shipping address, email (to file claims)
Shopify (our website platform) Hosting our website, managing orders All data you provide (subject to Shopify’s privacy policy)

B. Legal Compliance and Protection

We may disclose your information if required by law, such as in response to a subpoena, court order, or government request. We may also disclose your information to enforce our Terms and Conditions, protect our rights or property, or protect the safety of our customers or others.

C. Business Transfers

As noted in Section III.F, if Sistabag Magic and Melanin LLC is acquired, your data may be transferred to the new owner. You will be notified.

D. With Your Consent

We may share your information for any other purpose if you give us explicit consent.

VI. Data Retention: How Long We Keep Your Information

We retain your personal information only as long as necessary to fulfill the purposes outlined in this policy, plus any additional period required by law.

Data Type Retention Period Reason
Order records (name, address, product purchased, price) 7 years from date of purchase IRS tax record requirement (we must keep sales records for audit)
Payment tokens (via Stripe) Stripe’s retention policy (typically 2–3 years) To process refunds and handle disputes
Customer service emails 3 years from last contact To provide consistent support history
Account information (if you create an account) Until you delete your account, plus 30 days To allow you to access order history
Marketing email consent records Until you unsubscribe, plus 1 year after last interaction To prove consent if required by law
Website analytics data (Google Analytics) 26 months (aggregated, anonymized after 14 months) To analyze long-term trends
Abandoned cart data 30 days To send reminder emails

After the retention period expires, we will delete or anonymize your data. Anonymized data (where you cannot be identified) may be kept indefinitely for analytical purposes.

VII. Payment Security & Stripe

Your payment security is our highest priority. As explained earlier, we use Stripe to process all credit/debit card payments, Apple Pay, and Google Pay. Stripe is certified as a PCI Service Provider Level 1 – the highest level of security in the payments industry.

What Stripe Does With Your Data:

  • Stripe collects your full card number, CVV, expiration date, and billing address.

  • Stripe encrypts this data and stores it in their secure vault.

  • Stripe may use your data for fraud detection (e.g., checking against global fraud databases).

  • Stripe retains your card data according to their own retention policy (typically to allow for refunds and recurring billing, though we do not offer subscriptions).

What We Receive From Stripe:

  • A payment token (e.g., tok_visa_1Fg3k...). This token is useless to anyone who does not have Stripe’s secret key.

  • The last 4 digits of your card (for reference on your invoice).

  • The card brand (Visa, Mastercard, etc.).

  • A fraud risk score.

Your Rights With Stripe:

Stripe is an independent data controller for the payment information they collect. You can view Stripe’s privacy policy here: https://stripe.com/privacy. If you have questions about how Stripe handles your card data, you must contact Stripe directly. However, we can assist you in deleting your payment token from our Stripe account (contact ngocanh21.hn@gmail.com).

We never store your full credit card number on our servers – not in our database, not in logs, not in emails. If you see your card number in any communication from us, that is a phishing attempt – report it immediately.

VIII. Cookies and Tracking Technologies

A. What Are Cookies?

Cookies are small text files that websites place on your computer or phone when you visit. They help the website remember your actions and preferences (like login status or cart contents) over time.

B. Types of Cookies We Use

Cookie Type Purpose Examples
Essential (Strictly Necessary) Required for the website to function. Cannot be disabled. Cart cookie (cart_currencycart_uid), session cookie (secure_session_id)
Functional Remember your preferences for a better experience. Language preference, saved login (if you check “Remember Me”)
Analytics Collect anonymous data about how you use our website to improve it. Google Analytics (_ga_gid)
Marketing Track your activity across websites to show relevant ads (we do not run retargeting ads currently, but may in the future). Facebook Pixel (not currently active)

C. Third-Party Cookies

We use Google Analytics, which sets its own cookies. Google’s privacy policy governs those cookies. You can opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on (https://tools.google.com/dlpage/gaoptout).

D. How to Control Cookies

You can manage cookies through your browser settings. Most browsers allow you to:

  • See which cookies are installed on your device.

  • Block all cookies (including essential ones – this will break our website).

  • Delete existing cookies.

  • Set preferences for specific websites.

Instructions for popular browsers:

  • Chrome: Settings → Privacy and Security → Cookies and other site data.

  • Safari: Preferences → Privacy → Cookies and website data.

  • Firefox: Options → Privacy & Security → Cookies and Site Data.

  • Edge: Settings → Site permissions → Cookies and site data.

Note: If you disable all cookies (including essential), you will not be able to complete a purchase because our cart cannot remember your items. You can still browse, but checkout will fail.

E. Do Not Track (DNT)

Some browsers have a “Do Not Track” feature that sends a signal to websites requesting not to be tracked. We do not currently respond to DNT signals because there is no industry standard. However, we only use analytics cookies that can be opted out via Google’s tool.

IX. Your Privacy Rights

Depending on where you live, you have specific rights regarding your personal information. We respect these rights for all customers, regardless of location, to the extent reasonably possible.

A. Rights for All Customers

Right What It Means How to Exercise
Right to Access You can request a copy of all personal information we hold about you. Email ngocanh21.hn@gmail.com with “PRIVACY REQUEST – ACCESS” in the subject line. We will respond within 30 days.
Right to Correction If your information is inaccurate or incomplete, you can ask us to correct it. Email us with the correct information. We will update our records.
Right to Deletion You can ask us to delete your personal information, subject to legal retention requirements (e.g., we cannot delete tax records until 7 years have passed). Email with “PRIVACY REQUEST – DELETE” in the subject line. We will delete what we legally can.
Right to Opt Out of Marketing You can unsubscribe from marketing emails at any time. Click “unsubscribe” in any marketing email, or email us requesting removal from marketing lists.
Right to Data Portability You can request a copy of your data in a machine-readable format (CSV or JSON). Email us – we will provide a download link.

B. Additional Rights for California Residents (CCPA)

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: You can request that we disclose the categories of personal information we have collected, the sources, the business purpose, and the categories of third parties with whom we share it. (This information is already in this policy.)

  • Right to Delete: You can request deletion of your personal information (subject to exceptions).

  • Right to Opt Out of Sale: We do not sell your personal information, so there is nothing to opt out of. However, you may still submit a request to confirm that we do not sell.

  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights (no higher prices, worse service, etc.).

To make a CCPA request: Email ngocanh21.hn@gmail.com with “CCPA REQUEST” in the subject line. We will verify your identity by asking for your order number and email address used on the order. We will respond within 45 days (extendable by another 45 days if necessary).

CCPA Authorized Agent: You may designate an authorized agent to make a request on your behalf. The agent must provide written permission signed by you, and we may require you to verify your identity directly.

C. Additional Rights for European (GDPR) Residents

If you are in the European Economic Area (EEA), the UK, or Switzerland, you have the following rights under GDPR:

  • Right to Restrict Processing: You can ask us to stop processing your data (but still store it) under certain circumstances (e.g., you dispute accuracy while we verify).

  • Right to Object: You can object to processing based on legitimate interests (e.g., analytics). We will stop unless we have compelling legitimate grounds.

  • Right to Withdraw Consent: For marketing emails, you can withdraw consent at any time.

  • Right to Lodge a Complaint: You have the right to complain to your local Data Protection Authority (DPA) if you believe we have violated your rights. In the UK, the ICO; in France, CNIL; in Germany, the BfDI, etc.

To exercise GDPR rights: Email ngocanh21.hn@gmail.com with “GDPR REQUEST” in the subject line. We will respond within 30 days (extendable to 60 days for complex requests). We may ask for proof of identity (e.g., a copy of your ID with redacted photo – we need only your name and address).

D. How We Verify Your Identity

To protect your data from being accessed by unauthorized people, we will verify your identity before fulfilling any access or deletion request. Verification methods include:

  • Asking you to confirm your order number and the last four digits of the credit card used (if you remember).

  • Sending a verification link to the email address associated with your account.

  • Asking for a copy of your government ID (name and address only – we recommend redacting your photo and ID number).

If we cannot verify your identity, we will deny the request and explain why.

X. Children’s Privacy

Our website and products are intended for adults aged 18 and over. We do not knowingly collect personal information from children under the age of 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at ngocanh21.hn@gmail.com. We will delete the information promptly.

For children between 13 and 18, we require parental consent before they can make a purchase. By placing an order, you affirm that you are either 18 or older, or have parental permission.

We do not market to children. Our product designs (leather handbags, clutches) are not targeted at minors.

XI. Data Security

We implement a variety of security measures to protect your personal information:

A. Technical Safeguards

  • Encryption: All data transmitted between your browser and our website is encrypted using TLS 1.2 or higher (the padlock icon in your browser).

  • Tokenization: As explained, payment data is tokenized by Stripe – we never store card numbers.

  • Firewalls: Our servers are protected by firewalls that block unauthorized access.

  • Password Hashing: Customer account passwords are hashed (using bcrypt) and salted. We cannot see your password; if you forget it, you must reset it.

  • Regular Updates: Our website platform (Shopify) and plugins are updated regularly to patch security vulnerabilities.

B. Administrative Safeguards

  • Access Control: Only specific employees (customer service, operations) have access to customer data, and only when necessary to perform their jobs (e.g., processing a return).

  • Training: All employees are trained on privacy and security best practices.

  • Vendor Assessment: We require all third-party service providers to have appropriate security measures and contracts.

C. Physical Safeguards

  • Our offices (where our computers are located) are locked after hours.

  • Paper records (very few – mostly printed return forms) are shredded when no longer needed.

D. What to Do If You Suspect a Breach

If you believe your data has been compromised in connection with Sistabag, please email ngocanh21.hn@gmail.com immediately. We will investigate and notify affected users and regulators as required by law (within 72 hours for GDPR breaches).

Despite our best efforts, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.

XII. Third-Party Links

Our website may contain links to third-party websites (e.g., Stripe’s payment page, social media platforms, shipping carrier tracking pages). We are not responsible for the privacy practices of those websites. We encourage you to read their privacy policies before providing any personal information.

This Privacy Policy applies only to information collected by Sistabag Magic and Melanin LLC on sistabag.store.

XIII. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or operational needs. When we make material changes, we will:

  • Post the updated policy on this page with a new “Last Updated” date.

  • Notify you via email (if we have your email address) within 30 days of the change.

  • For significant changes (e.g., new data sharing practices), we will obtain your consent if required by law.

Your continued use of our website after the effective date of any changes constitutes your acceptance of the revised policy. If you do not agree, please stop using the site and request deletion of your data.

Last Updated: January 2026

XIV. How to Contact Us About Privacy

If you have any questions, concerns, or complaints about this Privacy Policy or our data handling practices, please contact our Privacy Officer (which is our Operations Director, Ngoc Anh):

  • Email: ngocanh21.hn@gmail.com (use subject line “PRIVACY – [your issue]” for faster routing)

  • Phone / Text: +84369909540

  • Mail: Sistabag Magic and Melanin LLC, Attn: Privacy Officer, 30 N Gould St Ste R, Sheridan, WY 82801, USA

For data deletion requests, please use email – we need a written record.

We aim to respond to all privacy inquiries within 5 business days (but usually within 24 hours). If you are not satisfied with our response, you may escalate to your local data protection authority (for EU customers) or the Federal Trade Commission (for US customers).

XV. California Privacy Rights (CCPA Addendum)

In addition to the rights in Section IX, California Civil Code Section 1798.83 permits California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. We do not share your information with third parties for their own marketing purposes. Therefore, we have no such disclosures to report.

If you are a California resident and wish to request information about our compliance with this law, please contact us at ngocanh21.hn@gmail.com with “California Shine the Light Request” in the subject line.

Also under the CCPA, we are required to disclose the categories of personal information we have collected in the past 12 months. Based on our data inventory:

Category Collected? Source Purpose
Identifiers (name, email, address, IP) Yes You, automatically Order processing, shipping, fraud prevention
Customer records (phone, credit card last 4) Yes You Order processing, returns
Commercial information (products purchased) Yes You Order fulfillment, analytics
Internet activity (browsing history) Yes Automatically Analytics, website improvement
Geolocation data (approximate) Yes Automatically Shipping, tax calculation
Inferences (preferences, shopping habits) Yes Derived from analytics Product recommendations
Sensitive data (precise geolocation, SSN, etc.) No N/A N/A

We do not sell any of these categories to third parties.

XVI. Nevada Privacy Rights

Nevada residents have the right to opt out of the sale of their personal information. We do not sell personal information, so there is nothing to opt out of. Nonetheless, you may contact us at ngocanh21.hn@gmail.com with “Nevada Opt-Out Request” to confirm.

XVII. International Data Transfers

Our website is hosted in the United States. If you are accessing sistabag.store from outside the US, please be aware that your information will be transferred to, stored, and processed in the US. US privacy laws may not provide the same level of protection as those in your country. However, we ensure that any international transfers comply with applicable data protection laws by using:

  • Standard Contractual Clauses (SCCs) approved by the European Commission (for transfers of EU data to the US).

  • Privacy Shield certification (no longer valid, but we rely on SCCs).

By using our website, you consent to the transfer of your data to the United States.

XVIII. Specific Disclosures for Different Jurisdictions

For Australian Customers

Under the Australian Privacy Act (1988), you have the right to access and correct your personal information. We will respond to your request within 30 days. If you believe we have breached your privacy, you may complain to the Office of the Australian Information Commissioner (OAIC). However, please give us the opportunity to resolve the issue first by contacting ngocanh21.hn@gmail.com.

For Canadian Customers

Under PIPEDA (Personal Information Protection and Electronic Documents Act), you have the right to access your information and challenge our compliance. We will respond within 30 days. You may also file a complaint with the Office of the Privacy Commissioner of Canada.

For UK Customers

Following Brexit, the UK has its own version of GDPR (UK GDPR). We comply fully. You have the right to lodge a complaint with the Information Commissioner’s Office (ICO).

XIX. Emails and SMS Messages

Email Communications

When you provide your email address, we use it for:

  • Transactional emails: Order confirmations, shipping updates, refund notifications. These are necessary for your purchase and cannot be unsubscribed from.

  • Marketing emails: Newsletters, new product announcements, sales. You must opt in to receive these (checkbox at checkout or signup form). You can opt out anytime.

How to unsubscribe: Click the “Unsubscribe” link at the bottom of any marketing email. It may take up to 10 days for your request to fully process (due to batch sending schedules). If you continue receiving emails after 10 days, email us.

SMS/Text Messages

If you provide your phone number and opt in to receive SMS updates, we may send:

  • Order status notifications (if you check the SMS opt-in at checkout).

  • Promotional texts (if you separately opt in).

How to unsubscribe from SMS: Reply STOP to any text message from us. You will receive a confirmation that you have been unsubscribed. Standard message and data rates apply from your carrier. We do not charge for texts.

We never share your phone number with third parties for their own marketing.

XX. Do-Not-Track (DNT) Signals

Some browsers offer a “Do Not Track” (DNT) setting that requests websites not to track your activity. Currently, there is no uniform standard for how to respond to DNT signals. Therefore, we do not currently respond to DNT signals. However, we limit our tracking to essential analytics via Google Analytics, which you can opt out of using Google’s tool (see Section VIII.C).

We are committed to supporting DNT once the industry establishes a clear standard.

XXI. Special Information for Job Applicants

If you apply for a job with Sistabag Magic and Melanin LLC via email (we do not currently have an online application portal), we will collect your name, contact information, resume, and cover letter. We use this information solely to evaluate your application. We retain unsuccessful applications for 1 year in case a similar position opens. After that, we delete your data. You may request deletion earlier by emailing ngocanh21.hn@gmail.com with “JOB APPLICATION DELETE” in the subject line.

XXII. Privacy Policy for Minors (Under 18)

As noted in Section X, we do not knowingly collect data from children under 13. For users aged 13–17, we collect the same data as for adults, but we strongly encourage parental supervision. If you are under 18, please do not provide us with personal information without your parent’s or guardian’s permission.

If we discover that we have inadvertently collected data from a child under 13, we will delete it immediately. Please contact us to report any such instances.

XXIII. Your Acceptance of These Terms

By using sistabag.store, you signify your acceptance of this Privacy Policy. If you do not agree to this policy, please do not use our website. Your continued use of the site following the posting of changes to this policy will be deemed your acceptance of those changes.

XXIV. Contact Information Summary

For any privacy-related matter, please reach out:

  • Email: ngocanh21.hn@gmail.com (best for detailed requests)

  • Phone / Text: +84369909540 (best for urgent privacy concerns, e.g., suspected identity theft)

  • Mail: Sistabag Magic and Melanin LLC, Attn: Privacy Officer, 30 N Gould St Ste R, Sheridan, WY 82801, USA

Business hours for privacy team: Monday–Friday, 9 AM – 5 PM Mountain Time (Wyoming, USA). We respond to all privacy emails within 5 business days.

XXV. Final Words

Your trust is the most valuable thing we earn. At Sistabag Magic and Melanin LLC, we do not take that lightly. We have written this Privacy Policy not as a legal shield, but as a transparent promise. We will never sell your data. We will never spam you without your permission. We will always respect your choices.

Thank you for being part of our community. Your melanin is magic – and your privacy is our priority.

Now, shop with confidence at sistabag.store.