1 Who We Are
Pure Merch ("we", "our", or "us") is a Chrome browser extension and web platform built for professional Merch by Amazon creators. Our platform is operated at puremerch.app and is developed by lakiup.
This Privacy Policy explains how we handle information collected through our website, license key dashboard, and Chrome extension.
2 Data We Collect
We only collect the minimum data necessary to provide our services.
Account Registration:
- Email address (from an accepted provider: Gmail, Yahoo, Outlook, etc.)
- Password (stored as a secure bcrypt hash โ never in plain text)
- Account creation timestamp
- Subscription plan status (free or PRO active)
Extension License Activation:
- Your license key (auto-generated, unique per account)
- A browser-generated machine/device ID (a random anonymous identifier)
- Device name / browser user-agent string
- Last-active timestamp per device
We do NOT collect:
- Your Amazon Merch account credentials or sales figures
- Your browsing history or any page content outside Merch by Amazon
- Payment card numbers (payments handled externally)
- Any personally identifiable data beyond your email
๐ก The Pure Merch Chrome extension reads data only from merch.amazon.com pages to power your dashboard. No data from other websites is ever accessed or transmitted.
3 How We Use Your Data
Your data is used exclusively to provide and improve the Pure Merch service:
- To authenticate you and grant access to your license key dashboard
- To validate your license key when the extension activates on a device
- To enforce device limits per license (max concurrent active devices)
- To manage and display your subscription status
- To respond to support inquiries submitted via the contact form
- To prevent fraudulent or spam account registrations
We do not use your data for advertising, profiling, or sale to third parties.
4 License Keys & Device Data
When you activate Pure Merch PRO on a browser, your extension sends your license key and a browser-generated machine ID to our server. This allows us to:
- Verify your subscription is active and not revoked
- Track how many devices are currently using your key
- Allow you to remotely deactivate a device from your dashboard
When you regenerate your license key, all previously registered device entries for the old key are immediately and permanently deleted from our database.
๐ Machine IDs are anonymous random strings generated by the browser. They do not contain your IP address, hardware serial numbers, or any personally identifiable information.
5 Data Sharing
We do not sell, rent, or share your personal data with any third parties, except in the following limited circumstances:
- Hosting providers: Our website data is stored on servers operated by our hosting provider (Namecheap / fidzair.com). They are bound by data processing agreements.
- Payment processors: If you upgrade to PRO, payment is handled by a third-party processor (e.g., Stripe or PayPal). We do not receive or store your payment card details.
- Legal requirements: We may disclose data if required by law or to protect our rights.
6 Cookies & Sessions
We use standard PHP session cookies to keep you logged in to the dashboard. These are:
- Session-only cookies โ they expire when you close your browser
- Used solely for authentication and CSRF protection (anti-hack security tokens)
- Not used for tracking, analytics, or advertising
We do not use Google Analytics, Facebook Pixel, or any third-party tracking scripts on this website.
7 Data Retention
- Account data is retained as long as your account is active.
- Device activation records are deleted immediately when you regenerate your license key or manually deactivate a device.
- Deleted accounts โ upon request, all your data will be permanently removed within 7 days.
- Contact form messages are not stored in our database; they are only processed at submission time.
8 Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: Request a copy of the data we hold about you
- Correction: Update your email or password at any time from your dashboard
- Deletion: Request full deletion of your account and all associated data
- Portability: Request your data in a machine-readable format
- Objection: Object to how we process your data
To exercise any of these rights, contact us at contact@puremerch.app.
9 Security
We take security seriously and implement multiple layers of protection:
- All passwords are hashed using bcrypt โ never stored in plain text
- All forms are protected with CSRF tokens to prevent cross-site request forgery
- Input data is sanitized and parameterized to prevent SQL injection
- Security headers (X-Frame-Options, X-XSS-Protection, X-Content-Type-Options) are set on every page
- Password changes require verification of the current password
- License keys are cryptographically random and unique
While we take every reasonable precaution, no system is 100% immune. If you discover a security vulnerability, please disclose it responsibly to contact@puremerch.app.
10 Children's Privacy
Pure Merch is not directed to children under the age of 13. We do not knowingly collect personal information from children. If you believe a child has registered without parental consent, please contact us and we will delete the account immediately.
11 Changes to This Policy
We may update this Privacy Policy from time to time. When we do, the "Last updated" date at the top of this page will be revised. Continued use of Pure Merch after changes constitutes acceptance of the updated policy.
We encourage you to review this page periodically to stay informed.
12 Contact Us
If you have any questions or concerns about this Privacy Policy or your data, please get in touch:
Pure Merch Support
Email: contact@puremerch.app
Website: puremerch.app
Developer: lakiup