Watch Shop

Privacy Policy

Effective Date: March 8, 2026

Portfolio Demonstration Project


1. Overview

Watch Shop is a portfolio demonstration project built to learn how to implement automated accessibility auditing in a CI/CD pipeline. The ecommerce context was chosen deliberately — it provides a realistic, feature-rich environment to test against WCAG standards. It is not a commercial operation. No products are physically sold or shipped.

This privacy policy explains exactly what personal information is collected when you interact with this demo, how it is protected, and how it is deleted. Transparency is a core design principle of this project.


2. What Information We Collect

When You Place a Demo Order

To complete a test transaction, Stripe collects the following information on our behalf:

The name, email address, and shipping address are passed to this application via a Stripe webhook after payment is confirmed.

When You Visit the Shop

Standard server logs may record your IP address and browser information. This data is not stored in our database and is not used for tracking or marketing.


3. How Your Information Is Protected

Encryption at Rest — AES-256-GCM

Your personal information is never stored in plain text. Before being saved to the database, the following fields are encrypted using AES-256-GCM — the same encryption standard used by banks and governments:

A unique initialisation vector is generated for every AES-256-GCM encryption operation. This means that even if two customers share the same email address, the encrypted values stored in the database are different. The encryption key is stored separately from the database in environment variables and is never committed to source control.

Even if the database were to be breached, your personal information would be unreadable without the encryption key.
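
The per-field encryption described in this section, shown as an added Node.js example (not Watch Shop's own code). The `FIELD_ENCRYPTION_KEY` variable name, the function names and the `iv.tag.ciphertext` storage layout are assumptions made for illustration.

```javascript
// Added example: field-level AES-256-GCM as the policy describes it.
// FIELD_ENCRYPTION_KEY, loadKey, encryptField, decryptField and the
// "iv.tag.ciphertext" layout are hypothetical, not Watch Shop code.
const { randomBytes, createCipheriv, createDecipheriv } = require("node:crypto");

// The key comes from the environment, not from the database or the repository.
function loadKey(env) {
  const key = Buffer.from(env.FIELD_ENCRYPTION_KEY || "", "hex");
  if (key.length !== 32) throw new Error("FIELD_ENCRYPTION_KEY must be 32 bytes of hex");
  return key;
}

// Encrypt one field. A fresh random 96-bit IV per call is what makes equal
// plaintexts produce different stored values; reusing an IV under the same
// key breaks GCM's confidentiality and integrity guarantees.
function encryptField(key, plaintext) {
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag(); // 16-byte authentication tag
  return [iv, tag, ct].map((b) => b.toString("base64")).join(".");
}

// Decrypt one field. final() throws if the tag does not verify, so a value
// modified in the database is rejected instead of being returned as garbage.
function decryptField(key, stored) {
  const parts = stored.split(".");
  if (parts.length !== 3) throw new Error("malformed stored value");
  const [iv, tag, ct] = parts.map((p) => Buffer.from(p, "base64"));
  if (iv.length !== 12 || tag.length !== 16) throw new Error("malformed stored value");
  const decipher = createDecipheriv("aes-256-gcm", key, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
}

// Constructed demo input: a throwaway key and a made-up email address.
const demoKey = loadKey({ FIELD_ENCRYPTION_KEY: randomBytes(32).toString("hex") });
const first = encryptField(demoKey, "pat@example.com");
const second = encryptField(demoKey, "pat@example.com");
console.log("stored values differ:", first !== second);
console.log("round trip:", decryptField(demoKey, first));
```
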

Payment Security

This application never sees, processes, or stores your payment card information. All card handling is performed directly by Stripe, a PCI-DSS Level 1 certified payment processor. Card data goes from your browser directly to Stripe — it never passes through our servers.

Admin Access

The admin dashboard is protected by WebAuthn passkey authentication. No passwords are stored anywhere in the system. Admin credentials use public-key cryptography — only the public key is stored in the database. The corresponding private key never leaves the administrator's device.


4. Automatic Data Deletion

This is the most important section of this privacy policy. Unlike most services, this project is designed to delete your personal information automatically and permanently.

The 24-Hour Rule

All personal information associated with your order is scheduled for permanent deletion within 24 hours of your order being placed. There are two deletion paths:

After deletion, the following information is permanently gone from our systems:

We do not store your data. We do not archive it. We do not back it up in secondary systems. Deletion is permanent.

Deletion Confirmation

You will receive an email confirming that your personal information has been deleted. This email is sent either with your shipping confirmation (manual path) or as a standalone demo completion notice (automatic path). The email explicitly states that deletion is complete.


5. Third-Party Services

This project uses the following third-party services to operate. Each has its own privacy policy.

Stripe — Payment Processing

Stripe processes all payment card transactions. When you enter your card details, that information goes directly to Stripe and is governed by Stripe's privacy policy. We receive only a payment confirmation and your shipping details from Stripe after a successful payment.

MongoDB Atlas — Database Hosting

Order data (encrypted) is stored in MongoDB Atlas, a cloud database service. Data is stored in the United States. MongoDB Atlas is governed by MongoDB's privacy policy.

Brevo — Transactional Email

Order confirmation emails, shipping notification emails, and demo completion emails are sent via Brevo (formerly Sendinblue). Your email address is passed to Brevo solely for the purpose of sending these transactional emails. Brevo does not use your email address for marketing purposes on our behalf.

FedEx — Shipping API

This project integrates with the FedEx sandbox API to generate demo tracking numbers. In this demonstration environment, your shipping address is sent to FedEx's sandbox (test) environment to generate a tracking number. No physical shipment is created.

Vercel — Hosting

This application is hosted on Vercel. Vercel may collect standard server log data including IP addresses and request headers as part of normal hosting operations. This is governed by Vercel's privacy policy.


6. What We Do Not Do


7. Children's Privacy

This project is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has submitted personal information through this demo, please contact us so we can delete it immediately.


8. Your Rights

Because this project deletes all personal information automatically within 24 hours, most data rights are satisfied by design. However, you may also request:

To make any of these requests, contact the project owner directly. Because data is deleted within 24 hours regardless, requests are typically resolved within that window automatically.


9. Changes to This Policy

This privacy policy may be updated as the project evolves. The effective date at the top of this document will always reflect the most recent version. Because this is a portfolio project and not a commercial service, we are not obligated to notify individual users of changes; however, we will update the date when material changes are made.


10. Contact

This is a portfolio demonstration project. If you have questions about this privacy policy or about how your data is handled, please contact the project owner through the contact information provided in the project repository.