This page is maintained by Custory to answer common security and privacy questions about custory.com and the services we provide. It reflects our current practices and is updated as those practices evolve. It is not an independent certification or third-party audit.
Last updated: June 2026
Accounts & Authentication
Customer accounts on custory.com use email and password sign-in, with optional Google sign-in. Passwords are never stored in plain text — they are hashed and managed by our authentication provider. Sessions are scoped to the signed-in user, and order history is only visible to the account that placed the order.
Platform & Hosting
The Custory website and shop are built on Lovable and deployed to a managed edge runtime. Our database, authentication, and storage are provided by Supabase. Both platforms host data in managed cloud infrastructure with TLS in transit and encryption at rest provided by the underlying cloud provider.
Data We Collect
We collect the information you give us directly: name, email, shipping address, and order details when you purchase merchandise; name, email, company, and message when you book a discovery call or contact us. We also collect basic technical data (IP address, browser, pages visited) to operate and improve the site.
Payments
Card payments on the Custory shop are processed by Stripe. We do not see or store your full card number, CVV, or expiry on our servers. Stripe is PCI DSS compliant and handles cardholder data on our behalf.
Cookies & Analytics
We use a small number of essential cookies to keep you signed in, remember your cart, and operate the site. We may also use privacy-respecting analytics to understand how visitors use the website. We do not sell your personal data to third parties.
Subprocessors & Integrations
To deliver our services we share limited data with: Lovable (hosting), Supabase (database, auth, storage), Stripe (payments), and Resend (transactional email). Each of these providers is contractually bound to protect your data and process it only on our instructions.
Retention & Deletion
We retain order and account records for as long as your account is active or as required to meet legal, tax, and accounting obligations. You may request access to, correction of, or deletion of your personal data by emailing us. Some records (e.g. invoices) may be retained where the law requires.
Contact & Reporting
For privacy requests, data deletion, or to responsibly report a security concern, email hello@custory.com. We aim to acknowledge security reports within five business days.
Shared Responsibility
Security is a shared responsibility. Custory configures and operates the application, chooses reputable platform providers, and applies role-based access control on customer data. Our platform providers secure the underlying infrastructure. Customers are responsible for safeguarding their own account credentials and the devices they use to access the site.