Privacy Policy
The short version
AfterMKT is built on a simple idea: a digital receipt should not require us to know who you are. We designed this service so that we never collect, store, or transmit buyer personal information. No email. No name. No phone number. No mailing address. No cookies that follow you around the internet. Our hosting providers automatically log request IP addresses for short windows for fraud and security purposes only — AfterMKT itself does not access, store, or correlate those logs against any buyer identifier.
If you are a shopper who just received a receipt from an AfterMKT-enabled store, this policy is mostly about what we don't do. If you are a Shopify merchant using AfterMKT to issue receipts, this policy describes the small amount of business information we store about your shop so the service can function.
We wrote this policy in plain English. If anything is unclear, email us at rastaar@aftermkt.io.
Who this policy applies to
This policy covers:
- The AfterMKT marketing website at aftermkt.io
- The AfterMKT buyer claim flow at aftermkt.io/claim
- The AfterMKT Shopify app and its checkout extension
- The AfterMKT backend services that process orders and mint digital receipts
AfterMKT is operated by AfterMKT, LLC, located at 4244 Duquesne Ave, Culver City, CA 90232.
The data we collect
We split the data we handle into two buckets: merchant data (information about the businesses that use AfterMKT) and order data (information about each line item that triggers a receipt). We do not have a third bucket for buyer data, because we do not collect any.
Merchant data
When a Shopify merchant activates AfterMKT on their store, we store:
- Business name
- Contact email (the merchant's email — never a customer's email)
- Phone number (optional)
- Business address (optional)
- Shopify shop domain, for example acme.myshopify.com
- Shopify numeric shop ID
- A generated Solana public key that represents the merchant on-chain (the merchant's merchantAuthority)
- Internal approval audit fields: who on the AfterMKT operations team approved the merchant, when, and why
- The timestamp at which the merchant accepted our Terms of Service
Order data
When a sale happens on a merchant's Shopify store, Shopify sends us an orders/paid webhook. From that webhook and follow-up calls to the Shopify Admin API, we store:
- Shopify order ID and order number (for example, #1042)
- A reference to the merchant who made the sale
- Order date, currency, totals, and the sales channel (web, POS, or mobile)
- Line items: product title, description, image URL, price, quantity, SKU, vendor, product type
- Additional product details fetched from the Shopify Admin API: description, images, tags, and public metafields
We strip everything else out of the webhook payload at ingestion. In particular, we do not persist any of the following fields that Shopify sends us:
- Customer email address
- Customer name
- Billing or shipping address
- Phone number
- Customer IP address
- Browser or user-agent information
- Marketing consent flags
- Any internal Shopify customer ID
If Shopify adds new buyer-identifying fields in the future, our ingestion pipeline drops any field that is not on an explicit allowlist of commercial data.
Buyer data
None. The AfterMKT service never receives or stores buyer email addresses, names, phone numbers, postal addresses, IP addresses, or any identifier that could personally identify a buyer. Buyer identity is represented entirely by the Solana wallet address the buyer chooses to connect at claim time, which is pseudonymous under the GDPR.
This is not an accident. It is the core design of the product. It is also the main reason we can offer a privacy policy this short.
Why we collect what we collect (lawful basis)
We rely on two lawful bases under the GDPR:
- Article 6(1)(b) — performance of a contract. We store merchant data and order data to deliver the service the merchant has signed up for: issuing a digital receipt for each line item in a paid order.
- Article 6(1)(f) — legitimate interest. We retain a minimal audit trail (who approved the merchant, when the Terms were accepted, which order triggered which receipt) so we can investigate incidents, resolve disputes, and meet security obligations to our infrastructure providers and to Shopify.
We do not rely on consent as a lawful basis for processing merchant or order data, because the merchant's relationship with us is contractual.
What we write to the Solana blockchain
When a buyer claims a receipt, AfterMKT mints a compressed NFT (cNFT) on the Solana blockchain. That cNFT is permanent and publicly readable. Anyone with access to a Solana explorer can see it forever. Because of that, we are deliberate about exactly what goes on-chain.
Each receipt written on-chain contains:
- The merchant's name (public commercial information)
- Product title
- A trimmed product description
- One product image URL
- Order number (a merchant-assigned reference like #1042)
- Sale date (date only, never a timestamp)
- Item price
- The buyer's Solana wallet address (the owner of the cNFT)
No buyer identifiers are written on-chain. The on-chain record is a commercial transaction proof, not personal data about a buyer. A wallet address on its own is considered pseudonymous under the GDPR. It becomes personal data only if it is combined with off-chain information that identifies a person — and AfterMKT holds no such information.
Data retention
- Merchant data is retained for as long as the merchant is an active AfterMKT user, plus up to 24 months after the merchant uninstalls the app. We retain it during that window to handle billing reconciliation, audit requests from Shopify, and disputes. After 24 months — or sooner if Shopify's shop/redact GDPR webhook fires for that shop — we purge the merchant record.
- Order data is retained indefinitely as a non-personal commercial record. It contains no buyer identifiers and therefore is not subject to GDPR erasure timelines under Article 17. If a merchant wants their order records deleted, we will honor that as part of the post-uninstall purge.
- Buyer data — we retain none, ever, because we collect none.
Your rights under the GDPR
Even though we hold almost no personal data, we honor the full set of data subject rights for the merchant contact information we do hold.
- Right of access (Article 15): You can request a copy of the data we hold about you. Email rastaar@aftermkt.io. We respond within one calendar month, as required by GDPR Article 12(3).
- Right to erasure (Article 17): You can request that we delete the data we hold about you. Email rastaar@aftermkt.io. We respond within one calendar month, as required by GDPR Article 12(3).
For on-chain records: because compressed NFTs minted by AfterMKT contain no personal data, they fall outside the scope of a GDPR erasure request. If you believe an on-chain record does contain personal data about you, email us with the details and we will investigate.
You also have the right to lodge a complaint with your local data protection authority if you believe we have mishandled your data.
Your rights under the CCPA (California)
- We do not sell personal information. We have almost no personal information to sell.
- We do not share personal information for cross-context behavioral advertising.
- California residents may request access to, or deletion of, the data we hold about them by emailing rastaar@aftermkt.io. We respond within 45 days, as required by CCPA §1798.130.
Who we share data with
AfterMKT uses a small number of sub-processors to operate the service:
- Shopify, Inc. — the source of merchant and order data. We receive data from Shopify via webhooks and the Admin API.
- Amazon Web Services (AWS) — our cloud infrastructure provider. Merchant and order data is stored in Amazon DynamoDB and related AWS services.
- Helius Labs — our Solana RPC provider, used to submit mint transactions and read on-chain state. Helius sees the public blockchain transactions we submit; it does not receive merchant or buyer personal data from us.
- Arweave — decentralized storage network used to host public receipt metadata and images. These networks host only the public commercial fields listed in the on-chain disclosure above.
We do not sell data to advertisers. We do not use buyer data for marketing, because we do not have any.
International data transfers
> DRAFT — pending counsel review (2026-05-04). This text was prepared by AfterMKT internal review and has not been validated by external counsel. Treat as a good-faith improvement over the prior version, not as the final, binding contract.
AfterMKT's infrastructure runs in AWS us-west-2 (gamma/staging) and us-east-1 (production). Merchant data we hold is therefore stored in the United States.
Current commercial scope. As of the effective date of this policy, AfterMKT has no active merchants established in the European Economic Area, the United Kingdom, or Switzerland, and we do not knowingly process personal data of data subjects located in those territories in our role as a controller. Order data we ingest from Shopify is stripped of buyer identifiers at ingestion (see "Order data" above); the only personal data we hold is the merchant's business contact information, and our active merchants are presently established outside the EEA, the UK, and Switzerland.
Transfer mechanisms in place today. For our sub-processors that support international transfers from the EEA, the UK, and Switzerland, we rely on the following published mechanisms, which apply to all of our processing on those platforms even though we do not currently route EEA/UK/Swiss personal data through them:
- Amazon Web Services (AWS). Our processing on AWS is subject to the AWS Data Processing Addendum (DPA), which incorporates the European Commission's Standard Contractual Clauses (Module 2 — Controller to Processor, Implementing Decision (EU) 2021/914) and the UK International Data Transfer Addendum issued by the UK Information Commissioner's Office. AWS publishes the DPA at https://aws.amazon.com/service-terms/ and accepts it by reference for all customers.
- Vercel. Our processing on Vercel is subject to the Vercel Data Processing Addendum, which similarly incorporates the EU Standard Contractual Clauses and the UK IDTA. Vercel publishes the DPA at https://vercel.com/legal/dpa.
- Shopify, Inc. Where Shopify acts as our data source, Shopify's Data Processing Addendum and its own EU/UK transfer mechanisms apply to data Shopify sends us.
Sub-processor with no SCC in place yet. We use Helius Labs as our Solana RPC provider. Helius receives only the public Solana transactions we submit on the public Solana blockchain — it does not receive merchant business contact information from us. We have not yet executed Standard Contractual Clauses with Helius. We will execute SCCs (or rely on an equivalent valid transfer mechanism) with Helius before onboarding our first merchant established in the EEA, the UK, or Switzerland, and in any event within 90 days of the effective date of this policy. Until then, the absence of SCCs with Helius does not affect EEA/UK/Swiss data subjects, because no such personal data is sent to Helius.
For EEA, UK, and Swiss merchants. Our Data Processing Agreement is published at aftermkt.io/legal/dpa and incorporates the relevant Standard Contractual Clauses and the UK IDTA by reference. The published version is the template that applies to all merchants by reference, as part of the Terms of Service; if your legal team requires a separately countersigned copy, email rastaar@aftermkt.io and we will return one within five business days.
We will update this section as our sub-processor list, transfer mechanisms, or commercial scope changes.
Cookies and tracking
We use cookies and other terminal storage (such as browser local storage) sparingly and only for things the user expects.
- aftermkt.io (marketing site) — a small number of cookies for session state. No advertising cookies, no cross-site trackers.
- aftermkt.io/claim (buyer claim flow) — cookies and local storage for wallet connection state and claim progress only. No advertising cookies, no analytics tied to identity.
- Wallet apps you connect — Solana wallet apps such as Phantom may set their own cookies and local storage under their own privacy policies when you connect them on our site.
- Shopify checkout extension — rendered inside Shopify's checkout surface. We do not set cookies there.
We do not use third-party analytics or tracking services. All analytics are handled in-house.
Children's privacy
AfterMKT is a business tool for Shopify merchants and an infrastructure service for digital receipts. It is not directed at children under the age of 13, and we do not knowingly collect personal information from children. If you believe we have inadvertently received data about a child, email rastaar@aftermkt.io and we will investigate and delete as appropriate.
Security
Merchant and order data is encrypted in transit (TLS) and at rest (AWS-managed encryption on DynamoDB and related services). Access to production data is restricted to authorized AfterMKT personnel and gated by role-based access controls. We log administrative access for audit purposes.
No system is perfectly secure. If you believe you have found a security issue, please report it to rastaar@aftermkt.io.
Changes to this policy
If we make material changes to this policy, we will update the effective date at the top and notify active merchants by email. Minor clarifications and typo fixes may be made without notice. Previous versions will be available on request.
Contact
For any privacy question, data subject request, or concern:
Email: rastaar@aftermkt.io
Postal address: 4244 Duquesne Ave, Culver City, CA 90232
If you are in the European Economic Area, you also have the right to contact your local data protection authority.