Privacy Policy

yotmerch.com is operated by EFX79 LLC, a limited liability company formed in Wyoming, USA, with its registered office at 30 N Gould St, Ste N, Sheridan, WY 82801, USA ("YotMerch", "we", "us").

Privacy contact: info@yotmerch.com.

YotMerch does not currently have an establishment in the EU or UK. If and when we are required to, we will appoint a representative under Article 27 of the EU and UK GDPR and update this policy with their details.

Account holders (owners/crew)

Email address, name, password (hashed by our auth provider), and verification/KYC status.

Guests (buyers)

Email address, shipping name and address, the name/text you add to personalise a product, and the rendered personalisation image.

Order data

Items, amounts, tax country, shipping method, order number.

Identity verification (KYC)

We use Didit to verify identity. Your ID documents are uploaded to and held by Didit, NOT by us. We store only a session reference and a pass/fail status — we do not store your ID documents, name from the document, date of birth, or document numbers.

Payments

Card and billing details are processed by Stripe and held by Stripe, not stored on our servers.

Technical

Essential cookies only (see our Cookie Policy). We do not currently run analytics or advertising trackers.

• To provide the store and fulfil orders — performance of a contract.
• To verify identity and pay out earnings — legal obligation (anti-money-laundering) and contract.
• To secure accounts and prevent fraud — legitimate interests.
• Marketing email — only with your consent (we do not currently send marketing email).

Supabase (hosting, database, auth), Printful (print and shipping — receives shipping name/address and the personalisation file), Stripe (payments), Didit (identity verification), Wise (payouts), and our email provider for transactional email. Each acts under a data processing agreement. Some are outside the EU/UK; transfers are protected by appropriate safeguards such as Standard Contractual Clauses.

We put data processing agreements in place with our processors, and where personal data is transferred outside the EU or UK we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses.

• Account data: kept while your account is active, then deleted or anonymised within 90 days of account closure — except records we are legally required to keep.
• Order and tax records: kept for 10 years to meet UK and EU VAT and accounting obligations.
• KYC: we keep only a verification session reference and pass/fail status, for 5 years after account closure, in line with anti-money-laundering rules. (Your identity documents are held by Didit, not by us.)
• Cart and personalisation data: cleared after 90 days of inactivity.
• Server and email logs: kept for a short period (typically up to 90 days for technical logs, up to 24 months for transactional email records).

You have the right to access, rectification, erasure, restriction, objection, portability, and withdrawing consent. To exercise any right — including deleting your account or data — email info@yotmerch.com. We respond within one month. You can also complain to your local supervisory authority (in the UK, the ICO).