Skip to main content
LEGAL

Privacy Policy.

Effective date: May 19, 2026. Last updated: May 19, 2026.

This Privacy Policy explains what information eshtery.com (the “Service”) collects, why we collect it, how we use it, who we share it with, how long we keep it, and the rights you have. California residents have additional rights under the CCPA/CPRA, summarized in Section 9 below.

1. Who we are

eshtery.com is operated by Mahmoud Awad, an individual based in California, United States (“eshtery,” “we,” “us,” or “our”). For privacy questions or to submit a rights request, contact m@eshtery.com.

2. What we collect

We collect only the information necessary to operate the Service. The categories below mirror the CCPA categories of personal information.

  • Identifiers. Name, email address, country of residence, and (if you sign in via Google or Facebook) the profile fields those providers share with us. For brand applications: the applicant's name, brand name, website, email, and country.
  • Internet or other electronic network activity. IP address (stored only as a SHA-256 hash, never as raw IP), browser type and user-agent string, referring page, click events on outbound brand links, and the URL you arrived from.
  • Geolocation (general). Country-level location derived from your IP address at request time. We do not collect precise geolocation.
  • Commercial information. Saved briefs (the prose description of what you're looking for, optional budget range, ships-to country, optional event date), wishlist entries, digest opt-in status, and product preferences.
  • Inferences. We compute semantic embeddings of your saved briefs (mathematical vector representations) to match them against new products. Embeddings are not human-readable and cannot be used to reconstruct your brief text.

We do not knowingly collect Sensitive Personal Information under CCPA § 1798.140(ae): no Social Security numbers, no driver's license or passport numbers, no precise geolocation, no race, religion, philosophical belief, union membership, genetic, biometric, or health data, and no contents of mail, email, or text messages.

3. Where we get it

  • Directly from you. When you create an account, apply on behalf of a brand, save a brief, subscribe to the Dispatch, or use the Ask feature.
  • Automatically from your device. Standard HTTP request headers (IP, user-agent, referer), cookies set by the Service (see Section 6), and click events on outbound brand links.
  • From third-party identity providers. If you sign in with Google or Facebook, we receive the basic profile fields you authorize (typically name, email, profile image URL).

4. Why we use it

Each category of personal information is used for one or more of the following business or commercial purposes:

  • Operate and authenticate the Service. Account creation, sign-in, session management, security (rate limiting, abuse prevention).
  • Editorial personalization. Generating the weekly Dispatch, matching saved briefs against new products in our catalog, surfacing items relevant to your stated preferences.
  • Communications. Transactional notifications (welcome email, brief-match alerts, brand-application confirmation), the weekly Dispatch (only if you opt in), and responses to your support questions.
  • Click attribution and analytics. Logging outbound clicks on brand links so we can report aggregate traffic-volume statistics to brand partners and operate any future affiliate-revenue program in accordance with our disclosures.
  • Improving the Service. Diagnosing bugs, measuring feature adoption, and refining editorial signals.
  • Legal compliance and protection. Responding to lawful requests, enforcing the Terms, protecting against fraud or abuse.

5. Who we share it with

We do not sell personal information for money. We do not share personal information for cross-context behavioral advertising. We share the minimum necessary information with the following categories of recipient:

  • Service providers operating under contract. Vercel (hosting and edge logging), Supabase (database, server functions), Clerk (authentication and identity), Resend (email delivery), Anthropic (AI inference for the Ask feature), Voyage AI (semantic embeddings), Cloudflare (DNS and DDoS protection for some endpoints), Bing and Google (search indexing and webmaster verification only — no personal data).
  • Brand partners. Aggregated, de-identified click-volume statistics (e.g., “your brand received N clicks last month, M of them from signed-in shoppers”). We do not share your name, email, or any individually identifying information with brands without your explicit consent. When you click an outbound link, your browser will transmit standard HTTP information (IP, user-agent, the URL with UTM parameters) directly to the brand's server — this is your browser's behavior, not data we share on your behalf.
  • Legal authorities. When required to comply with applicable law, subpoena, court order, or to protect against fraud, security threats, or violations of the Terms.
  • Successor in interest. If eshtery is acquired, merged with another business, or transfers substantially all of its assets, personal information may transfer to the successor under the same protections as this Policy. We will notify account holders by email before any such transfer takes effect.

6. Cookies and similar technologies

We use a small number of cookies, all first-party, all functional (no advertising cookies, no third-party tracking pixels, no remarketing tags):

  • eshtery_cid — a 30-day HTTP-only cookie that holds a random UUID used to attribute outbound clicks to a consistent visitor session. Cannot be read by JavaScript.
  • __clerk_db_jwt and __session — set by our authentication provider (Clerk) when you sign in. Used to maintain your signed-in state across pages. See Clerk's privacy notice at clerk.com/privacy.

You can clear cookies at any time via your browser settings; doing so will sign you out and reset your click-attribution session.

7. How long we keep it

  • Account data. For as long as your account is active. You may request deletion at any time (Section 9).
  • Click logs. Twelve months in identifiable form (hashed IP, user-agent, cookie ID), then aggregated.
  • Brand applications. For as long as is necessary to evaluate the application, plus a reasonable record-keeping period not exceeding 24 months after the final disposition.
  • Email delivery records. Stored by our email provider (Resend) per their retention policy.

8. Security

We protect personal information with industry-standard safeguards: TLS encryption in transit, encryption at rest in our database, SHA-256 hashing of IP addresses before storage, Postgres Row-Level Security (RLS) policies on user-scoped data, and service-role separation. No system is perfectly secure; we cannot guarantee absolute protection.

9. Your California privacy rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, gives you the following rights. We honor these rights for all users regardless of residency.

  • Right to know. You may request a list of the categories and specific pieces of personal information we have collected about you in the prior 12 months, the categories of sources, the business or commercial purposes for collecting it, and the categories of third parties with whom we have shared it.
  • Right to delete. You may request that we delete personal information we have collected from you, subject to limited exceptions (e.g., information needed to complete a transaction, detect fraud, or comply with legal obligations).
  • Right to correct. You may request that we correct inaccurate personal information we maintain about you.
  • Right to opt out of sale or sharing. eshtery does not sell personal information for money and does not share personal information for cross-context behavioral advertising. If our practices change, we will provide a “Do Not Sell or Share My Personal Information” mechanism on the Service.
  • Right to limit use of sensitive personal information. We do not collect sensitive personal information as defined by CCPA § 1798.140(ae) (see Section 2). No limitation request is necessary.
  • Right to non-discrimination. We will not deny you service, charge you a different price, or provide a different level of service because you exercised any of these rights.

How to submit a request. Email m@eshtery.com with the subject line “CCPA Request” and describe which right you wish to exercise. We will respond within 45 days (extendable by 45 additional days if reasonably necessary, with notice to you). To verify your identity, we may ask you to confirm details associated with your account.

Authorized agents. You may designate an authorized agent to make a request on your behalf. The agent must provide signed permission demonstrating authority, and we may require you to verify your identity directly.

Shine the Light (California Civil Code § 1798.83). eshtery does not share personal information with third parties for their own direct-marketing purposes. No further disclosure is required under this section.

10. Children's privacy

The Service is not directed to children under 16. We do not knowingly collect personal information from anyone under 16. If you believe we have collected information from a child under 16, email m@eshtery.com and we will delete it.

11. International users

eshtery is operated from California, United States. Our service providers are primarily located in the United States and the European Union. By using the Service from outside the U.S., you consent to the transfer of your information to the U.S. and other countries where we and our service providers operate. These countries may have data-protection laws different from those of your jurisdiction.

12. Changes to this Policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top will reflect the most recent change. For material changes, we will notify signed-in account holders by email and post a prominent notice on the Service before the change takes effect.

13. Contact

For privacy questions, rights requests, or complaints, contact:

m@eshtery.com

Mahmoud Awad · California, United States

This document is provided for informational purposes only and is not legal advice. eshtery's operator is not a lawyer. If you need legal advice tailored to your situation, consult a qualified California attorney.

Privacy Policy — eshtery