The Painted Porch

Privacy Policy

Last updated: April 30, 2026

DotWin LLC, doing business as The Painted Porch ("Painted Porch", "TPP", "we", "us"), respects your privacy. This Privacy Policy explains what personal information we collect, why we collect it, how we use and share it, and the choices and rights you have. It applies to every Painted Porch website, app, and service, including paintedporch.market, thepaintedporch.shop, paintedporchproject.org, myporch.shopand its subdomains, and every vendor custom domain hosted on our platform (collectively, the "Services").

1. The short version

  • We collect what we need to operate the marketplace, run vendor storefronts, and fulfill orders.
  • When you buy from a Vendor, both TPP and that Vendor receive transaction data. The Vendor is the merchant of record for that sale.
  • We never sell personal information for money. Where applicable laws define "sale" or "sharing" broadly to include cross-context behavioral advertising, you can opt out (see Section 12).
  • You can access, correct, export, or delete your data at any time. See Section 15 and the in-product Delete-my-account flow at /account/delete.

2. Who is the controller

For data collected by TPP about your use of the Platform, DotWin LLC is the controller (or business, under California law). For data collected by an independent Vendor about its own customers (including order details, shipping addresses, and customer-service correspondence), the Vendor is an independent controller. We act as a processor for that Vendor's data only to the extent we host or transmit it on the Vendor's behalf.

3. Information we collect

3.1 Information you provide

  • Account information. Name, email, phone, password (hashed), and profile information you submit at signup or in your account.
  • Vendor information. Business name, store description, brand assets, business address, tax identification (where required), and Stripe Connect account identifiers.
  • Order information. Items, quantities, prices, shipping address, billing address, fulfillment selections, and order status.
  • Payment information. Billing details are submitted directly to Stripe through their secure elements. We receive a token, last four digits, card brand, and expiration. We do not store full card numbers.
  • Communications. Messages you send to TPP support, Vendors, or Porch Pros through our messaging tools.
  • Content. Photos, descriptions, reviews, posts, comments, listings, and any other Content you submit.

3.2 Information we collect automatically

  • Device and connection data. IP address, browser, operating system, device identifiers, and language preferences.
  • Usage data. Pages visited, products viewed, search queries, cart events, time and duration of activity, referrer URL, and clickstream.
  • Cookies and similar technologies. See Section 5.
  • Location data. Approximate location derived from IP, plus more precise location only if you grant permission for ZIP-based pickup matching.

3.3 Information we receive from third parties

  • Payment processors. Stripe shares limited information about transactions, disputes, payouts, and risk signals.
  • Identity and authentication providers. If you sign in via a third-party identity provider, we receive the basic profile fields you authorize.
  • Advertising partners. Meta, TikTok, Google, and Pinterest share aggregated conversion and audience data tied to ads we run.
  • Vendors. Vendors may import contact lists or order history they already hold about you.
  • Public sources. Business registries, social profiles, and publicly available data we use for fraud prevention.

4. How we use information

  • provide, operate, secure, and improve the Services;
  • create accounts, render storefronts, and route traffic across our domains;
  • process and fulfill orders, including Porch Pickup Network coordination;
  • process payments through Stripe and reconcile payouts;
  • communicate with you, including transactional, support, and dispute messages;
  • send marketing emails to people who have opted in, with unsubscribe in every message;
  • personalize the Marketplace, recommend products, and surface relevant Vendors;
  • generate AI assistance grounded in your store's brand voice;
  • detect, investigate, and prevent fraud, abuse, and security incidents;
  • comply with law, enforce our Terms, and respond to legal process;
  • research and analyze usage in aggregate to improve the Services.

5. Cookies and similar technologies

We use first-party and third-party cookies, local storage, and similar technologies. Categories include:

  • Strictly necessary. Authentication, session management, cart, fraud prevention, and tenant resolution. Examples: tpp_store_id, tpp_host, tpp_buyer_id, tpp_guest_cart_id, Supabase auth cookies. Cannot be disabled.
  • Functional. Preferences such as theme and language.
  • Analytics. Aggregate usage measurement to improve the Services.
  • Marketing and attribution. Conversion tracking and audience building for ads we run; attribution cookies such as tpp_ref (30-day) and partner pixels for Meta, TikTok, Google, and Pinterest.

Most browsers allow you to refuse or delete cookies. The cookie banner shown on first visit lets you adjust non-essential categories. Refusing strictly necessary cookies may break sign-in, checkout, or tenant routing.

6. How we share information

  • Vendors. When you buy from a Vendor, the Vendor receives the information necessary to fulfill the order, including your name, shipping address, contact email, and items purchased. The Vendor is an independent controller of that data and uses it under its own privacy policy.
  • Service providers (processors). Stripe (payments), Supabase (database and authentication), Vercel (hosting and edge), Cloudflare (CDN, video via Stream, email security, image delivery), Resend (transactional email), Anthropic (AI assistance), Meta and TikTok (conversion APIs and ads), Google (analytics, ads), and similar providers under contracts that bind them to appropriate confidentiality and security.
  • Porch Pros. When you choose Porch Pro pickup, we share the first name, order number, item description, and pickup window with the host who receives your package.
  • Legal and safety. We may disclose information to comply with a subpoena, court order, or other legal process; to enforce our Terms; or to protect the rights, property, or safety of TPP, our users, or the public.
  • Business transfers. We may transfer information in connection with a merger, acquisition, financing, reorganization, or sale of assets.
  • Aggregated or de-identified data. We may share data that does not identify you for research, analytics, or marketing.

7. Multi-tenant data and dual ownership

The Painted Porch is a multi-tenant platform. When you make a purchase, two parties hold records:

  • TPP (platform). Account email, cross-vendor purchase history, saved payment-method reference (Stripe token only), cart and browsing behavior.
  • The Vendor (merchant of record).Email, shipping address, and that transaction's details, received via Stripe Connect Direct Charges.

Each party is responsible for the data it holds. If you delete your TPP account, we delete the platform-side records and notify each Vendor you have transacted with so they can act under their own policies. We cannot force a Vendor to delete its own copy.

8. Marketing communications

We send transactional messages (order updates, security alerts, billing notices) as part of providing the Services; you cannot opt out of these while you have an account. Marketing emails are sent only to people who have opted in or who fall within an applicable legal exception. Every marketing message includes an unsubscribe link, and you can update preferences in your account.

9. Data retention

We keep account information for as long as your account is active. Order and payment records are retained for at least seven (7) years to comply with tax, accounting, and dispute-resolution obligations. Behavioral and analytics data is retained in identifiable form for up to two (2) years and then aggregated. Backup copies persist on a rolling 90-day window. After deletion, residual copies may remain in encrypted backups until they expire.

10. Security

We use administrative, technical, and physical safeguards designed to protect personal information, including encryption in transit (TLS) and at rest, access controls, audit logging, multi-tenant row-level security at the database layer, and limited service-role usage. No method of transmission or storage is 100% secure. If we discover a security incident affecting your data, we will notify you and any required regulator under applicable law.

11. International transfers

We are based in the United States, and our infrastructure is hosted primarily in the United States and Canada. If you access the Services from outside the United States, your information will be transferred to, stored, and processed in the United States and other countries where our service providers operate. Where required, we use Standard Contractual Clauses or other appropriate safeguards for cross-border transfers from the European Economic Area, the United Kingdom, and Switzerland.

12. Your privacy rights

12.1 Everyone

You may at any time access, correct, export, or delete your personal information through your account settings, by emailing privacy@paintedporch.market, or by using the Delete-my-account flow at /account/delete. We will verify your request before acting.

12.2 California residents (CCPA / CPRA)

California residents have the right to (a) know what categories and specific pieces of personal information we collect, use, disclose, and sell or share; (b) delete personal information; (c) correct inaccurate personal information; (d) opt out of the sale or sharing of personal information, including for cross-context behavioral advertising; and (e) limit our use and disclosure of sensitive personal information. We do not sell personal information for money. Where California law treats certain advertising signals (such as cookie-based identifiers shared with ad partners) as "sharing", you can opt out by clicking the "Do Not Sell or Share My Personal Information" link in our footer, by enabling Global Privacy Control (GPC) in your browser, or by emailing privacy@paintedporch.market. We will not discriminate against you for exercising any CCPA right. You may designate an authorized agent to make a request on your behalf with appropriate documentation.

12.3 European Economic Area, United Kingdom, and Switzerland (GDPR / UK GDPR)

If you are in the EEA, the UK, or Switzerland, you have rights of access, rectification, erasure, restriction, objection, portability, and the right not to be subject to solely automated decisions with legal or similarly significant effects. Our lawful bases for processing are: performance of the contract with you (Art. 6(1)(b)), our legitimate interests in operating and improving the Services and preventing fraud (Art. 6(1)(f)), your consent where requested (Art. 6(1)(a)), and compliance with legal obligations (Art. 6(1)(c)). You can withdraw consent at any time without affecting prior processing. You also have the right to lodge a complaint with your local supervisory authority.

12.4 Other US states

Residents of Virginia, Colorado, Connecticut, Utah, Oregon, Texas, and other states with comprehensive privacy laws have rights of access, correction, deletion, portability, and opt-out of targeted advertising, sale, and certain profiling. We honor verified requests to the extent required.

12.5 How to exercise rights

Email privacy@paintedporch.market with your request and the email tied to your account, or use the in-product controls. We respond within the windows required by applicable law (typically 30 days, with one 30-day extension where allowed). If we deny a request, we will explain why and how to appeal. To appeal, reply to our denial within 60 days.

13. Children

The Services are not directed to children under 13, and we do not knowingly collect personal information from children under 13. If we learn we have collected such information, we will delete it. Parents or guardians who believe their child has provided personal information to us should contact privacy@paintedporch.market.

14. Third-party links

The Services may contain links to third-party websites and services, including Vendor custom domains and external content. We are not responsible for the privacy practices of those sites. Review their policies before submitting information.

15. Account deletion

To delete your account, sign in and visit /account/delete, or email privacy@paintedporch.market. Deletion is permanent and irreversible. We will delete or de-identify platform-side records within 30 days, except where retention is required by law (for example, transaction records for tax purposes). Vendors you have transacted with retain their own copies of order data and apply their own policies; we will notify those Vendors of your deletion request.

16. Changes

We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent change. We will provide reasonable notice of material changes. Continued use after the effective date of an update constitutes acceptance of the updated policy.

17. Contact

DotWin LLC d/b/a The Painted Porch
Operated in Texas, United States.
Privacy questions: privacy@paintedporch.market
General: hello@paintedporch.market
Data protection inquiries (EEA / UK): dpo@paintedporch.market

See also: Terms of Service · Vendor Agreement · Acceptable Use Policy