Privacy Policy

How we collect, use, and protect your personal information.

Information We Collect

When you place an order or create an account, we collect:

  • Name and email address
  • Shipping and billing address
  • Payment information (processed securely by our payment provider)
  • Order history and preferences

We also automatically collect basic usage data such as pages visited and referral source to improve our website.

How We Use Your Information

Your information is used to:

  • Process and fulfill your orders
  • Send order confirmations and shipping updates
  • Respond to your questions and support requests
  • Improve our products and services
  • Send promotional emails (only if you opted in)

Information Sharing

We do not sell, trade, or rent your personal information to third parties.

We may share information with:

  • Shipping carriers to deliver your order
  • Payment processors to securely handle transactions
  • Analytics services (aggregated, non-identifying data only)
  • Marketplace partners (such as TikTok Shop) when you place an order through their platform, strictly to fulfill that order

Where Your Data Is Stored

Customer and order data is stored and processed in the United States. Our application database runs on Railway (US region) and our storefront is delivered through Vercel's global edge network. Sub-processors used for payments, email, search, and shipping operate in the United States and the European Union under their own contractual data protection commitments.

Information Security Program

Props Menu maintains a written information security policy that governs how we protect customer and partner data. The policy is reviewed at least annually and covers acceptable use, access control, data classification, encryption, incident response, and vendor management.

Day-to-day security baselines for all team members include:

  • Strong, unique passwords stored in an encrypted password manager
  • Multi-factor authentication on every system that supports it
  • Automatic screen locking on all company devices
  • Clear-desk and clear-screen practices when handling customer data

Network & Endpoint Security

All company endpoints run reputable anti-virus software with automatic updates and scheduled scanning. Access to internal systems is segmented and gated behind an authenticated private network that provides end-to-end encrypted connectivity, device-level access policies, and continuous monitoring of network activity. Production infrastructure is isolated from development and corporate networks.

Access Control

Access to personal data is granted on a least-privilege basis. We use role-based access control with distinct roles (such as admin, builder, and designer), each scoped to only the systems and data needed for that function. Access is reviewed periodically and revoked immediately when no longer required, when a team member changes roles, or at separation.

Data Classification & Encryption

We classify the data we handle (public, internal, confidential, and personal) and apply controls proportional to its sensitivity. Personal data is encrypted both in transit (TLS 1.2+ for all customer- and admin-facing traffic) and at rest (managed-database encryption for our PostgreSQL store and server-side encryption for object storage on Cloudflare R2). Payment card data is handled exclusively by PCI-DSS compliant processors (Stripe and PayPal); we never store full card numbers on our systems.

Incident Response & Breach Notification

We maintain a written incident response policy that defines roles, responsibilities, escalation paths, and communication channels for handling suspected or confirmed security incidents. The policy designates a single internal owner for coordinating response, evidence preservation, and external notifications.

If we discover a personal data breach affecting you, a marketplace partner, or a connected seller, we will notify the affected parties without undue delay, and in any case within the timeframes required by applicable law and our partner contracts. Notifications are sent to privacy@propsmenu.com and to the partner's designated security contact.

Vulnerability & Threat Management

We follow a documented vulnerability management procedure that includes dependency scanning, monitoring of upstream security advisories for the frameworks and libraries we use, prompt patching of critical issues, and review of platform-level security alerts from our hosting providers. Significant changes to production systems are reviewed for security impact before release.

Data Security

In addition to the controls above, we apply industry-standard safeguards to protect your information from unauthorized access, alteration, disclosure, or destruction. No method of transmission or storage is perfectly secure, but we continually work to harden our systems and reduce risk.

Cookies

We use cookies to:

  • Keep you logged in
  • Remember items in your cart
  • Understand how visitors use our site

You can disable cookies in your browser settings, but some site features may not work properly.

Your Rights

You have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data
  • Request a portable copy of your data
  • Opt out of marketing communications

We will also assist marketplace partners and connected sellers (including TikTok Shop) in fulfilling user requests to access, correct, delete, or export personal data that we process on their behalf.

To exercise these rights, please contact us or email privacy@propsmenu.com.

Data Retention & Deletion

We retain personal data only for as long as needed to provide our services, comply with our legal and tax obligations, resolve disputes, and enforce our agreements. At the end of a contractual relationship with a marketplace partner or seller, we will delete or return all customer data we hold on their behalf, subject to any limited retention required by law.

Internal Privacy Governance

Props Menu maintains an internal personal data protection policy that governs how employees and contractors collect, access, share, and dispose of personal data. The policy is reviewed and updated at least annually, and whenever there is a material change to our products, vendors, or applicable privacy laws. We have not currently obtained ISO 27001, ISO 27701, SOC 2 Type II, or ePrivacy certification.

Privacy Contact

Our privacy point of contact handles data protection questions, data subject requests, and breach notifications. You can reach them at privacy@propsmenu.com.

Changes to This Policy

We review this privacy policy regularly and update it whenever there is a material change to how we handle personal data. Significant changes will be communicated via email or a notice on our website.

Contact

General questions about this privacy policy? Reach out at support@propsmenu.com