Privacy Policy

Last updated: April 2026. We are committed to protecting your personal data and being transparent about how we use it.

Your privacy matters to us

Spicylon collects only the data necessary to operate our service. We do not sell your data, and we do not show you targeted advertisements.

1. Information We Collect

Account Information

When you create an account, we collect your name, email address, and a securely hashed password. This information is used solely to manage your account and process your orders.

Order & Payment Information

When you place an order, we collect your shipping address, phone number, and order details. Payment processing is handled entirely by Stripe. Spicylon does not store, access, or log any card numbers or payment credentials.

Usage Data

We may collect basic, anonymised information about how you interact with our website (e.g. pages visited, browser type) to improve our service. This data is never sold or shared with third parties for advertising.

2. How We Use Your Information

Order Fulfilment

Your name, email, and shipping address are used to process and deliver your orders and to send you transactional emails (order confirmation, dispatch notification, invoice).

Account Management

Your email address is used for account verification (OTP), password resets, and essential service communications.

No Marketing Without Consent

We do not send marketing emails unless you have explicitly opted in. You may unsubscribe at any time.

3. Data Storage & Security

Where Your Data is Stored

Your data is stored securely in a MongoDB database hosted on MongoDB Atlas. Data is encrypted at rest, and encrypted in transit using TLS/SSL.

Password Security

Passwords are hashed using bcrypt before storage. We never store or transmit plain-text passwords.

Authentication Tokens

Session tokens are stored in secure, HTTP-only cookies and are not accessible via JavaScript. Tokens expire automatically.

4. Cookies

Essential Cookies Only

We use only essential cookies required for authentication and session management. We do not use tracking or advertising cookies.

5. Third-Party Services

Stripe

We use Stripe for payment processing. Stripe has its own privacy policy and is PCI-DSS compliant. We do not receive or store your full card details.

Google OAuth

If you choose to sign in with Google, we receive only your name and email address from Google. We do not access any other Google account data.

6. Your Rights

Access & Deletion

You have the right to access the personal data we hold about you and to request its deletion at any time. You can delete your account directly from your Profile page under Settings, which permanently removes all your personal data from our systems.

Data Portability

You may request a copy of your personal data by contacting us at support@spicylon.com.

7. Contact

Questions or Concerns

If you have any questions about this Privacy Policy or how your data is handled, please contact us at support@spicylon.com.