Privacy Policy

Last Updated: November 2025

1. Introduction

Welcome to HUP ("we," "our," or "us"). We are committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our e-commerce platform at hup.rw and its subdomains.

2. Information We Collect

2.1 Information You Provide

  • Account Information: Name, email address, phone number, and password (hashed with Argon2id)
  • Shop Information: Business name, shop subdomain, logo, and theme preferences
  • Product Information: Product listings, images, descriptions, and inventory data
  • Order Information: Customer orders, delivery addresses, and payment method preferences
  • Customer Data: Customer names, emails, phone numbers, and delivery addresses

2.2 Automatically Collected Information

  • Usage Data: IP address, browser type, device information, and access times
  • Cookies: Authentication tokens (JWT) and session data
  • Log Data: Error logs and system performance metrics

3. How We Use Your Information

We use your information to:

  • Provide and maintain the HUP platform and services
  • Process and manage your shop, products, and orders
  • Send transactional emails (order confirmations, OTP codes, password resets)
  • Verify seller accounts via email OTP
  • Improve platform performance and user experience
  • Ensure platform security and prevent fraud
  • Comply with legal obligations and enforce our Terms of Service

4. Data Sharing and Disclosure

4.1 We Do NOT Sell Your Data

We do not sell, rent, or trade your personal information to third parties.

4.2 Service Providers

We share data with trusted service providers who help us operate the platform:

  • Cloudflare R2: Image storage and CDN delivery
  • Postmark: Transactional email delivery
  • Hosting Provider: Server infrastructure and database hosting

4.3 Legal Requirements

We may disclose your information if required by law or to:

  • Comply with legal processes or government requests
  • Protect our rights, property, or safety
  • Prevent fraud or security threats

5. Data Security

We implement industry-standard security measures:

  • Encryption: All connections use HTTPS/SSL encryption
  • Password Security: Argon2id hashing (OWASP recommended)
  • Authentication: JWT tokens with 15-minute access and 7-day refresh cycles
  • Data Isolation: Complete separation between shops (multi-tenant architecture)
  • Rate Limiting: Protection against brute-force attacks
  • Input Validation: XSS and injection attack prevention

6. Data Retention

We retain your data:

  • Active Accounts: As long as your account is active
  • Deleted Accounts: 30 days after account deletion (for recovery)
  • Legal Requirements: As required by Rwandan law or for dispute resolution
  • Soft-Deleted Products: Archived products retained for 90 days

7. Your Rights

You have the right to:

  • Access: Request a copy of your personal data
  • Correction: Update or correct inaccurate information
  • Deletion: Request deletion of your account and data
  • Data Portability: Export your shop and product data
  • Opt-Out: Unsubscribe from marketing emails (transactional emails required for service)

To exercise these rights, contact us at [email protected]

8. Cookies and Tracking

We use cookies for:

  • Authentication: JWT access and refresh tokens (httpOnly, secure)
  • Session Management: Maintaining your logged-in state
  • Security: CSRF protection and rate limiting

We do not use third-party advertising or analytics cookies in Phase 1.

9. Third-Party Links

Seller storefronts may contain links to external websites. We are not responsible for the privacy practices of third-party sites. Please review their privacy policies.

10. Children's Privacy

HUP is intended for business use by individuals 18 years or older. We do not knowingly collect data from children under 18. If you believe we have collected such data, contact us immediately.

11. International Data Transfers

Your data is primarily stored and processed in Rwanda. If data is transferred internationally (e.g., for CDN delivery), we ensure adequate safeguards are in place.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. Continued use of HUP after changes constitutes acceptance.

13. Contact Us

If you have questions or concerns about this Privacy Policy, contact us:

Rwanda-Specific Notice: HUP complies with applicable Rwandan data protection laws. For questions about your rights under Rwandan law, please contact us at [email protected].

HUP