How we handle data

Privacy Policy

Effective 2026-05-13

Effective Date: 2026-05-13 Last Updated: 2026-05-13

This Privacy Policy explains how YK Global LLC, a Wyoming limited liability company doing business as PurpleTurret ("PurpleTurret," "we," "us," or "our"), collects, uses, shares, and protects personal information in connection with the PurpleTurret platform, software, websites, APIs, and related services (the "Services").

This Privacy Policy applies to:

Sellers — businesses and individuals who create a PurpleTurret account to build checkout pages and sell their products through the Services; and
Buyers — end customers who interact with checkout experiences powered by PurpleTurret.

It also covers visitors to our marketing websites.

By using the Services, you acknowledge that your personal information will be handled as described here. If you do not agree, do not use the Services.

1. About PurpleTurret and Our Role

PurpleTurret provides software-as-a-service that lets Sellers create simple checkout pages and embed them on their own websites and sales pages. Payments are processed by Stripe, Inc. ("Stripe") through Stripe Connect Express, under Stripe's own terms.

PurpleTurret is not the seller, merchant of record, marketplace operator, payment processor, money transmitter, or tax remitter for transactions made through the Services. The Seller is the merchant of record. Stripe processes the payments. PurpleTurret provides the software.

Our role under privacy law depends on the data and the purpose:

Context	Seller's role	PurpleTurret's role
Seller account, billing, support, security, fraud and risk monitoring, service improvement	n/a	Independent controller / business
Buyer personal information processed to build, host, and operate Seller's checkout experience and orders	Controller / business	Processor / service provider acting on Seller's behalf
Payment-card data, KYC/KYB, anti-fraud, payouts	n/a	Not the controller. Stripe collects and processes payment information under its own terms.

Where we act as a processor or service provider for a Seller, we process Buyer personal information on the Seller's documented instructions and under our Data Processing Terms (available on request or at /legal/dpa).

2. Information We Collect

2.1 Information About Sellers

When you register for or use a Seller account, we collect:

Account and contact information: name, business name, email address, phone number, country, login credentials or authentication identifiers, and time zone or language preferences.
Business profile information: website URL, product or service category, business description, support contact, and answers to our onboarding questionnaire (including responses about restricted-business categories).
Stripe Connect data: Stripe account identifier, Stripe account status, capabilities, requirements, and limited account and payment metadata that Stripe shares with us via Connect (including payment status, payment method type, last four digits of a card and card brand where available, transaction identifiers, refund and dispute status, and payout status). We do not receive or store full card numbers or CVVs.
Billing and Platform Fee data: plan, invoices, payment method we use to bill you for our Services (where applicable), and fee history.
Content you submit: product names, descriptions, prices, images, checkout-page configuration, marketing copy, refund policies, and any other content you upload or configure for your Checkout Experiences.
Support and communications: messages, attachments, and call/chat records when you contact our support team or we contact you.
Device, log, and usage data: IP address, device identifiers, browser type, operating system, referring/exit pages, pages viewed, features used, session timestamps, security event logs, and similar technical information.

2.2 Information About Buyers

When a Buyer interacts with a Checkout Experience, we (acting as a processor on the Seller's behalf, and as a controller for our own limited purposes such as fraud prevention and security) may collect:

Identification and contact information: name, email address, and (if the Seller requires it for the offer) billing or shipping address and phone number.
Order data: product/offer being purchased, Seller identity, price, currency, quantity, checkout/session ID, timestamps, and order status.
Subscription data: subscription status, trial-conversion date, cancellation status, and consent/disclosure evidence for recurring billing where applicable.
Payment metadata received from Stripe: payment status, payment method type, last four digits of a card and card brand where available, transaction identifiers, and refund/dispute status. Full card numbers, CVVs, and bank-account credentials are collected and processed directly by Stripe and are not received or stored by PurpleTurret.
Device, browser, and security data: IP address, device identifiers, browser type, operating system, session data, fraud and security logs, and similar technical information collected when a Buyer loads a Checkout Experience.
Communications: receipts, support correspondence, cancellation and dispute communications, and privacy-rights-request communications.

We do not intentionally collect special-category data (such as racial or ethnic origin, religion, health, or biometric identifiers) or government identifiers through Checkout Experiences. Sellers are prohibited from configuring Checkout Experiences to collect special-category or sensitive personal information without our prior written approval.

2.3 Information from Other Sources

We may receive information from:

Stripe — via the Stripe Connect API and webhooks (account status, capabilities, payment metadata, dispute and refund events, payout events, and risk-related signals).
Service providers — including hosting, cloud, email, analytics, fraud/security, and customer-support providers.
Public or business sources — for risk and compliance review (e.g., your website, business registries, or sanctions lists).
Sellers — about Buyers, where the Seller routes communications, orders, or support through us.

2.4 Cookies and Similar Technologies

We and our service providers use cookies, local storage, and similar technologies on our marketing website, the Seller dashboard, and Checkout Experiences. See Section 7 (Cookies and Tracking) for details.

3. How We Use Information

We use personal information to:

Provide the Services: create and manage Seller accounts; connect Sellers to Stripe; create checkout sessions, payment intents, and orders through Stripe; render Checkout Experiences; record orders, receipts, refunds, cancellations, and subscription events.
Process Platform Fees and billing: charge, invoice, and reconcile fees for the Services.
Operate Seller dashboards and tools: provide reports, order and buyer views, support tooling, and account administration.
Communicate: send service notices, security alerts, transactional messages, support replies, product updates, and (where lawful and consistent with your preferences) marketing communications about our own Services. You can opt out of marketing emails by following the unsubscribe instructions.
Detect and prevent fraud, abuse, and risk: identify restricted-business activity, sanctions risk, fraud, security incidents, account takeover attempts, dispute and chargeback patterns, and Stripe-flagged risk; cooperate with Stripe, banks, card networks, regulators, and law enforcement where appropriate.
Enforce our Terms and policies: investigate violations of our Terms of Service, AUP, or applicable law, and take responsive action.
Comply with law and legal process: respond to lawful requests, comply with tax, accounting, and recordkeeping obligations, and meet payment-network and Stripe requirements.
Improve and develop the Services: measure usage, debug, perform analytics on usage patterns, and develop new features. Where required by law, we use de-identified or aggregated information for these purposes.
Handle privacy and rights requests: verify and respond to requests under applicable privacy laws.

3.1 Legal Bases (EEA/UK)

If GDPR or UK GDPR applies to our processing, we rely on the following legal bases:

Contract — to provide the Services to Sellers and to perform the checkout transaction at a Buyer's request.
Legitimate interests — to operate, secure, and improve the Services; to prevent fraud and abuse; to enforce our Terms; and to communicate about our Services. We balance our legitimate interests against your rights and interests.
Legal obligation — to comply with tax, accounting, payment-compliance, anti-money-laundering, sanctions, and consumer-protection laws.
Consent — where we ask for it (for example, non-essential cookies, certain marketing communications, or where required by local law). You may withdraw consent at any time.

For processing where the Seller is the controller, the Seller is responsible for establishing a lawful basis.

We share personal information as described below. We do not sell personal information for money, and we do not engage in "sharing" for cross-context behavioral advertising as defined under California law through Checkout Experiences. See Section 8.4 for additional California-specific disclosures.

4.1 With Stripe

We share information with Stripe to enable payment processing through your or the Seller's Stripe Connected Account. Stripe collects and processes payment information directly from Sellers and Buyers under Stripe's own terms and privacy notices, including the Stripe Privacy Policy and the Stripe Connected Account Agreement. PurpleTurret is not a controller of payment-card data, KYC/KYB data, or AML/sanctions-screening data held by Stripe.

4.2 With the Seller (for Buyer Data)

For Buyer information collected through a Checkout Experience, we make that information available to the Seller for the Seller's own purposes, including fulfillment, support, recordkeeping, refunds, tax, and (subject to applicable law) marketing. The Seller is the controller/business for those purposes. Buyers should direct privacy-rights requests about their own orders to the Seller in the first instance; we will assist Sellers in responding where required.

4.3 With Service Providers

We share information with vendors that help us provide the Services, including:

hosting and cloud-infrastructure providers;
database and storage providers;
email, notification, and SMS providers;
analytics providers (where used);
customer-support and helpdesk tools;
security, fraud-detection, and identity-verification providers; and
professional advisors (lawyers, accountants, auditors).

These providers may process personal information only for the purposes for which we engaged them and under contractual obligations of confidentiality and security.

4.4 With Authorities, Networks, and Other Third Parties

We may share information with regulators, tax authorities, law enforcement, courts, payment networks, banks, and Stripe where we believe disclosure is necessary or appropriate to comply with law, respond to legal process, enforce our Terms, protect rights, property, or safety, or investigate fraud or risk.

4.5 In a Business Transfer

If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of our assets, personal information may be transferred as part of that transaction, subject to confidentiality safeguards and applicable law.

We may share information with other parties where you have given us your consent.

5. Data Retention

We retain personal information for as long as necessary to provide the Services and for the additional periods described below, after which we delete, anonymize, or aggregate it, except where a longer period is required by law:

Seller account records — while the account is active and for a reasonable period after closure to wind down the relationship and meet legal obligations.
Order and transaction records — for the period required by applicable law (typically several years) and by Stripe and payment-network rules, and to support disputes, chargebacks, refunds, fraud investigations, tax, and accounting.
Subscription consent and disclosure logs — for at least three (3) years from the end of the subscription (or longer where required by law) to evidence compliance with consumer-protection rules.
Security and access logs — for a defined period reasonably necessary for security, fraud prevention, and investigation.
Support records — for a reasonable period after the matter is resolved.
Backups — for the period of the backup cycle, after which deleted records are no longer reproducible from backups in the ordinary course.

When you close your account, we may retain certain information as needed to comply with legal obligations, support Stripe and payment-network requirements, resolve disputes, prevent fraud and abuse, and enforce our agreements.

6. Security

We use technical, administrative, and physical safeguards designed to protect personal information, including encryption in transit, access controls, audit logging, multi-factor authentication for administrative access, and integration with Stripe's PCI-DSS-compliant payment infrastructure so that we do not collect or store full card numbers or CVVs. No system is perfectly secure, however, and we do not guarantee that personal information will never be accessed, disclosed, altered, or destroyed by breach of our safeguards. If you believe your account has been compromised or you identify a security issue, contact us promptly at support@purpleturret.com.

7. Cookies and Tracking

7.1 What We Use

We and our service providers use cookies, local storage, pixels, and similar technologies for:

Strictly necessary purposes — authentication, session continuity, load balancing, checkout-session functionality, security, and fraud prevention. These are required for the Services to work.
Functional purposes — remembering preferences and settings.
Analytics — measuring usage and improving the Services (where used, with appropriate disclosures and, where required, consent).
Stripe technologies — Stripe sets and reads cookies and similar identifiers in payment flows under its own Stripe Cookies Policy.

7.2 What We Do Not Allow on Checkout Experiences (by Default)

By default, we do not allow Seller-configured advertising pixels, retargeting tags, heatmaps, session replay, or cross-site tracking on Checkout Experiences. We will not enable those categories until we have implemented a consent-management architecture and updated this Privacy Policy accordingly.

7.3 Your Choices

You can configure most browsers to refuse, accept, or delete cookies. Blocking strictly necessary cookies will impair or break the Services. Where required by law (for example, the EU/UK ePrivacy regime), we present a cookie banner allowing you to consent to or reject non-essential cookies.

7.4 Do Not Track

We do not currently respond to "Do Not Track" browser signals because no consensus standard exists. We honor recognized opt-out preference signals where required by applicable law (for example, the California Global Privacy Control).

8. Your Privacy Rights

Depending on where you live, you may have rights regarding personal information about you. We honor these rights where they apply by law.

8.1 Rights Available (Where Applicable)

Access — request a copy of personal information we hold about you.
Correction — request that we correct inaccurate or incomplete personal information.
Deletion — request that we delete personal information, subject to exceptions for legal retention, fraud prevention, completed transactions, and other lawful bases.
Portability — request a copy of personal information you provided to us in a portable format.
Restriction or objection — request that we restrict or object to certain processing, including direct marketing.
Withdraw consent — where processing relies on consent, withdraw it at any time without affecting prior processing.
Non-discrimination — exercise your rights without unlawful discrimination.
Appeal — appeal a decision we make about your rights request, where required by state law.

8.2 How to Submit a Request

Submit requests to support@purpleturret.com. We will verify your identity using information reasonably necessary to confirm you are the person the request concerns and may ask for additional information. Authorized agents may submit requests on your behalf where applicable law permits and with appropriate documentation.

If you are a Buyer with a request about your purchase, your order, fulfillment, refund, or subscription, please contact the Seller directly — the Seller is the controller/business for that information. We will assist the Seller in responding where required by law. If you cannot identify or reach the Seller, you may contact us and we will help facilitate the request.

8.4 California Residents (CCPA/CPRA)

California residents have rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act. We have collected the categories of personal information described in Section 2 in the past twelve months, from the sources listed in Section 2.3, for the purposes listed in Section 3, and shared/disclosed those categories for the business purposes and with the recipients listed in Section 4.

We do not sell personal information for money. We do not "share" personal information for cross-context behavioral advertising through Checkout Experiences. We do not knowingly collect or process the personal information of minors under 16 for sale or sharing.

To exercise CCPA/CPRA rights (right to know, right to delete, right to correct, right to opt out of sale/sharing, right to limit use of sensitive personal information, and right to non-discrimination), submit a request as described in Section 8.2. You may also submit an appeal to support@purpleturret.com.

If GDPR or UK GDPR applies, you may also have the right to lodge a complaint with your local data-protection authority. We encourage you to contact us first so we can address your concern.

8.6 Other Jurisdictions

We will honor rights granted by other applicable privacy laws on the same principles described above.

9. International Data Transfers

PurpleTurret operates internationally, and our service providers may process information in countries other than yours, including the United States. Where required, we use appropriate transfer mechanisms (such as Standard Contractual Clauses for transfers out of the EEA/UK) and require service providers to maintain adequate safeguards. By using the Services, you acknowledge that your information may be transferred to and processed in jurisdictions with privacy laws different from your own.

10. Children

The Services are not directed to children. We do not knowingly collect personal information from children under the age of 16 (or the higher minimum age required by local law). Sellers must not use the Services to collect, sell to, or target children, or to collect children's personal information, without our prior written approval and the legal basis required by applicable law (including COPPA, GDPR Article 8, and analogous laws). If you believe a child has provided personal information to us, contact us at support@purpleturret.com and we will take appropriate action.

11. Third-Party Sites and Services

Checkout Experiences may be embedded on or linked from third-party websites operated by Sellers. The Services also integrate with Stripe and may interact with other third-party services. We are not responsible for the privacy practices of third parties. Their use of personal information is governed by their own privacy notices, which you should review.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by reasonable means (in-product notice, email to the address on file, or a banner on our marketing website) before they take effect. The "Last Updated" date at the top of this policy reflects when it was most recently revised. Your continued use of the Services after the effective date of the changes constitutes acceptance.

13. Contact Us

PurpleTurret is operated by YK Global LLC, a Wyoming limited liability company.

Mailing address: YK Global LLC, 1021 E Lincolnway, Suite 6574, Cheyenne, Wyoming 82001, United States Privacy contact: support@purpleturret.com Privacy requests: support@purpleturret.com Security: support@purpleturret.com

If you are an EU/UK resident and we have appointed a representative or Data Protection Officer, their contact details will be listed here: [INSERT IF/WHEN APPOINTED].

PurpleTurret is checkout software for independent sellers. Sellers — not PurpleTurret — sell their products and are the merchant of record. Payments are processed by Stripe.