Xiaotanology

Your Bag

Privacy Policy

Effective date: 14 June 2025

What data we collect and why

Data category What we store Why we need it
Account data Email address;
Google OAuth fields;
Display name;
Timestamps 		Let you sign in and manage your sandbox account (no passwords are stored).
Test-order data Cart contents and shipping address
(fake data encouraged) 		Run the checkout flow and display orders back to you.
Payment sandbox Stripe test card numbers and related transaction references Simulate payments in sandbox mode.
Technical & security data IP address, device type, basic headers;
ASP.NET_SessionId cookie;
cf_clearance cookie;
Google reCAPTCHA token 		Keep the site secure, block bots, and debug errors.
Feedback Any text you send via forms or support email Respond to questions and improve the sandbox.

Please don’t upload real personal or sensitive data. This is a sandbox; use fake names and numbers whenever possible.

Cookies and bot protection

We and our CDN (Cloudflare) set two essential cookies so the site recognises you and stays safe:

Cookie Type Purpose Lifespan
ASP.NET_SessionId Essential Maintains your login session Expires on browser close
cf_clearance Essential Confirms you passed Cloudflare’s security check and bypasses additional challenges 30 minutes – 24 hours

Google reCAPTCHA v3 is also embedded on forms to spot bots. reCAPTCHA collects device and browser metadata as described in the Google Privacy Policy.

Sharing and international transfers

We share data only with:

  • Stripe, Inc. (sandbox mode) – payment simulation
  • Google reCAPTCHA – bot detection
  • Cloudflare, Inc. – content delivery network and DDoS protection
  • Infrastructure and email providers that power the service
  • Authorities only if required by law

These partners may process data outside the UK/EU (e.g. the United States). We rely on Standard Contractual Clauses plus the UK Addendum to safeguard such transfers.

Storage & retention

Item Retention period
Account data Until you delete the account or after an extended period of inactivity
Test orders & Stripe sandbox transactions Kept as long as needed for ongoing testing and debugging; deleted during routine database resets
Error & access logs 90 days
Support emails/feedback 1 year

We routinely clear sandbox databases on a rolling schedule and wipe data regularly. If you need your test data erased sooner and the law grants you that right, email us and we’ll do our best to help.

Your rights

  • Access the data we hold about you
  • Correct inaccurate data
  • Request earlier deletion of your test data (where legally entitled)
  • Restrict certain processing

Email us at [email protected]. We aim to respond within 1 month.

Children

If you’re under 13, please do not use this site. We don’t knowingly collect data from children and will delete such data if discovered.

Changes

We may update this notice without prior warning. The “Effective date” at the top of this page tells you which version you’re reading. Continuing to use the site means you accept any changes.