CCGNinja

Privacy Policy

Effective date: March 2, 2026

1. Introduction

CCGNinja ("we," "us," or "our") is operated by Forgeborn. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit ccgninja.com (the "Site") or use our marketplace services. By using the Site you agree to the practices described below.

2. Information We Collect

2.1 Buyer Information

  • Account data: name, email address, and password (or Google OAuth profile) when you create an account.
  • Shipping addresses: street address, city, state, ZIP code, and country provided at checkout and optionally saved for future orders.
  • Order history: items purchased, order totals, and tracking numbers.

2.2 Seller Information

  • Seller profile: store name, description, shipping preferences, and return policy.
  • Identity verification: information required by our payment providers (Stripe Connect and/or Square) to verify your identity, such as name, date of birth, last four digits of SSN, and business address. This data is collected and processed directly by the payment provider — see Stripe's Privacy Policy and Square's Privacy Policy.
  • Payout data: Stripe Connect account IDs and/or Square merchant IDs used to route payouts. We do not store your bank account or card numbers directly.

2.3 Payment Data

All payments are processed by Stripe and/or Square. We never see or store your full credit card number, CVV, or bank account details. Our payment providers supply us with a tokenized reference, the last four digits of your card, and transaction amounts for order fulfillment and accounting purposes.

2.4 Automatically Collected Data

  • Cookies: we use session cookies to keep you logged in and to remember your shopping cart. We do not use third-party advertising or tracking cookies.
  • Log data: IP address, browser type, pages visited, and timestamps are collected automatically by our servers for security monitoring and debugging.

3. How We Use Your Information

  • Process and fulfill your marketplace orders (buyers and sellers).
  • Generate shipping labels and provide tracking information via USPS.
  • Route payments and payouts through Stripe Connect and/or Square.
  • Send transactional emails (order confirmations, shipping updates, dispute notifications).
  • Detect and prevent fraud or abuse.
  • Improve and maintain the Site.

4. Information Sharing

We do not sell your personal information. We share data only in the following circumstances:

  • Sellers ↔ Buyers: when you place an order, the seller receives your shipping address and order details so they can fulfill the shipment. Buyers receive the seller's store name and general location.
  • Stripe & Square: payment and identity data is shared with our payment providers for payment processing and seller onboarding.
  • USPS: shipping addresses are shared with USPS to generate labels and calculate shipping rates.
  • Legal obligations: we may disclose information if required by law, court order, or governmental regulation.

5. Cookies

We use the following types of cookies:

  • Essential cookies: session authentication and CSRF protection. These are required for the Site to function and cannot be disabled.
  • Functional cookies: shopping cart persistence and user preferences (e.g., dark mode).

We do not use analytics, advertising, or social-media tracking cookies.

6. Data Retention

  • Account data: retained for as long as your account is active. You may request deletion at any time (see Section 8).
  • Order records: retained for 7 years after the transaction date for tax, legal, and dispute-resolution purposes.
  • Shipping addresses: saved addresses can be deleted by you at any time. Addresses associated with completed orders are retained with the order record.
  • Payment provider tokens: Stripe Connect account IDs and Square merchant tokens are retained while your seller account is active. Upon seller account closure, these are deleted after any pending payouts are settled.
  • Server logs: automatically purged after 90 days.

7. Data Security

We protect your data using HTTPS (TLS) encryption for all data in transit. Sensitive credentials, including payment provider OAuth tokens, are encrypted at rest using AES-256-GCM before being stored in our database. Access controls limit data access to authorized personnel only. Payment card data is handled entirely by Stripe and Square and never touches our servers. While no system is 100% secure, we take commercially reasonable measures to protect your information.

8. Your Rights (CCPA / GDPR)

Depending on your location, you may have the following rights regarding your personal data:

  • Access: request a copy of the personal data we hold about you.
  • Correction: request correction of inaccurate or incomplete data.
  • Deletion: request deletion of your personal data, subject to legal retention requirements.
  • Portability: receive your data in a structured, machine-readable format.
  • Opt-out of sale: we do not sell personal data. If this changes, we will provide a "Do Not Sell My Personal Information" mechanism.
  • Non-discrimination: we will not discriminate against you for exercising your privacy rights.

To exercise any of these rights, contact us at privacy@ccgninja.com. We will respond within 30 days (or 45 days for complex requests, with notice).

9. Children's Privacy

CCGNinja is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe we have collected such information, please contact us so we can promptly delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated effective date. Continued use of the Site after changes constitutes acceptance of the revised policy.

11. Contact Us

If you have questions about this Privacy Policy or wish to exercise your privacy rights, contact us at:

Forgeborn
Email: privacy@ccgninja.com