Trust, Security & Privacy

This page is maintained by the ETapri team to answer common security and privacy questions about the ETapri platform. It describes controls that are enabled today; it is not an independent certification or audit attestation.

Shared responsibility

ETapri operates the platform (application, database, storage and payment integrations). Merchants are responsible for the data they upload, the products they sell, and customer communications from their stores. Customers are responsible for safeguarding their own account credentials.

Authentication & access

  • Merchant and customer accounts are authenticated through our backend auth provider with email/password and Google sign-in.
  • Session tokens are scoped per user; the application never trusts client-supplied role data for authorization.
  • Administrative roles are stored in a dedicated, server-validated role table — never on user profiles.
  • Row-level security policies restrict every sensitive table so users can only read or modify their own records.
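
The role-table and row-level-security controls listed above can be expressed as Postgres policies on a Supabase-style backend. This is an added example, not ETapri's own schema: the `user_roles` and `orders` tables, the `app_role` enum and the `has_role` helper are hypothetical names, and `auth.uid()` and the `authenticated` role are assumed to be the ones Supabase provides.

```sql
-- Hypothetical schema: all names are illustrative, not ETapri's.
create type public.app_role as enum ('admin', 'merchant', 'customer');

-- Roles live in their own table, not on the user-editable profile row.
create table public.user_roles (
  user_id uuid not null references auth.users (id) on delete cascade,
  role    public.app_role not null,
  primary key (user_id, role)
);
alter table public.user_roles enable row level security;

-- Only a SELECT policy exists, so clients cannot grant themselves a role.
create policy "roles: read own" on public.user_roles
  for select to authenticated
  using (user_id = auth.uid());

-- SECURITY DEFINER lets other policies check roles without recursing into
-- user_roles' own RLS; search_path is pinned so objects cannot be shadowed.
create function public.has_role(_user uuid, _role public.app_role)
returns boolean
language sql stable security definer
set search_path = public
as $$
  select exists (
    select 1 from public.user_roles
    where user_id = _user and role = _role
  );
$$;

create table public.orders (
  id          uuid primary key default gen_random_uuid(),
  customer_id uuid not null references auth.users (id),
  total       numeric(12,3) not null
);
alter table public.orders enable row level security;

-- Customers read only their own orders; admin status is resolved in the
-- database from user_roles, never from a claim the client supplies.
create policy "orders: owner or admin can read" on public.orders
  for select to authenticated
  using (customer_id = auth.uid()
         or public.has_role(auth.uid(), 'admin'));

-- WITH CHECK stops a client inserting a row on behalf of another user.
create policy "orders: owner can insert" on public.orders
  for insert to authenticated
  with check (customer_id = auth.uid());
```

With row-level security enabled and no matching policy, Postgres denies the operation by default, so any table missing from the policy set fails closed rather than open.
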
Platform & hosting

  • The application runs on a managed serverless runtime with TLS 1.2+ on all public endpoints.
  • The database, file storage and authentication services are provided by our managed backend (Lovable Cloud / Supabase) and inherit its encryption at rest and in transit.
  • Backups and point-in-time recovery are handled by the managed backend provider.
Data we collect

  • Merchants: account profile, store configuration, business documents required for onboarding, and payment-processor identifiers.
  • Customers: account profile (when signing in), order and shipping details, and any reviews you submit.
  • Operational data: request logs, webhook deliveries and security events used to operate and protect the service.
  • We do not sell personal data.

Payments

Payments are processed by MyFatoorah and Stripe. Card numbers, CVVs and full bank credentials never reach ETapri servers — they are submitted directly to the payment processor. ETapri stores only processor-issued identifiers, payment status and the amounts needed for reconciliation.

Subprocessors

  • Lovable Cloud / Supabase — application hosting, database, authentication and file storage.
  • MyFatoorah — payment processing for KWD and regional methods.
  • Stripe — payment processing for card payments and SaaS subscriptions.
  • Google (OAuth) — optional sign-in.
  • Email delivery provider — transactional and marketing emails (when enabled).
Retention & deletion

Account, order and store data is retained while your account is active. To request deletion or export of your personal data, email privacy@etapri.shop from the address on your account. We respond within 30 days. Some records (invoices, tax and fraud-prevention data) may be retained longer when required by law.

Cookies & analytics

We use strictly-necessary cookies for sign-in and shopping-cart functionality. Optional analytics cookies are only enabled when configured by the store owner.

Vulnerability reporting

If you believe you have found a security vulnerability, please email security@etapri.shop with a description and reproduction steps. Please do not publicly disclose the issue until we have had a reasonable opportunity to investigate and remediate.

Contact

  • Security: security@etapri.shop
  • Privacy: privacy@etapri.shop
  • General support: support@etapri.shop