PRIVACY
POLICY

1. Who we are

CryptoNight Mafia is an independent crypto-merch brand operated by an individual (pessoa singular) based in Portugal, trading on Etsy as CryptonightM.

This site (cryptonight-mafia.vercel.app) is the brand's public face. Etsy is the merchant of record for all sales — purchases happen on etsy.com, not on this site.

Privacy contact: privacy@cryptonightmafia.com

2. What data this site collects

Newsletter email (only if you sign up)

• Your email address
• The timestamp + IP from your signup (kept by MailerLite for spam-protection compliance)
• Double opt-in confirmation status

What we email you about: CryptoNight Mafia drop announcements, drop teasers, and brand notes — nothing else. We don't use the newsletter list for unrelated promotions, affiliate offers, or third-party content.

How you got on the list: only by completing the signup form on this site with an unchecked GDPR consent checkbox, and then confirming your email via the double opt-in link we send. We don't add addresses from any other source — no purchased or rented lists, no scraped addresses, no imports from our Etsy buyer data or any third-party service.

How long we keep you on the list: until you unsubscribe (see §5). If you've been on the list for more than 24 months without opening or clicking any email, we may remove you and ask you to re-confirm before sending again — permission doesn't age well.

Processed by MailerLite on our behalf, under their terms and Data Processing Agreement. MailerLite's Anti-Spam Policy applies in addition to this notice. We don't sell, rent, or share your email with third parties.

Site visit data (everyone — privacy-friendly)

• Page views, referrer, country (no IP storage)
• Browser type + viewport size for layout debugging
• Aggregate click events on CTAs and product links (no per-user identification)

Processed by Vercel Web Analytics — cookieless, GDPR-compliant by design. No persistent identifiers.

What we do NOT collect:

• Card numbers, payment data, billing/shipping addresses (Etsy handles those for purchases)
• Account credentials (no accounts on this site)
• Government IDs, tax IDs
• Cross-site tracking cookies

3. What data Etsy + Printful collect (when you buy)

When you click through to Etsy and complete a purchase, the data flow looks like this:

• Etsy collects your name, email, shipping address, and payment details for the order. They are the data controller for that transaction. Their privacy policy: etsy.com/legal/privacy.
• Printful receives only the data needed to print and ship your order (name, shipping address, design files, sizes). They act as a data processor under Etsy's instruction. Their privacy policy: printful.com/policies/privacy.
• We (the brand) see the order summary in our Etsy seller dashboard — usually just first name + city + items ordered. We never see card numbers or full billing addresses.

4. Why we use this data (GDPR lawful basis)

• Consent (Art. 6(1)(a)): newsletter signup. Double opt-in required; you can unsubscribe from every email or by contacting us.
• Legitimate interest (Art. 6(1)(f)): basic site analytics for UX improvements and abuse detection. Limited to aggregate, non-identifying data. You can opt out via browser-level "Do Not Track" or by disabling JavaScript.

5. Your rights under GDPR

If you're in the EU/EEA/UK, you have the following rights regarding data we hold:

• Access — request a copy of your data we hold
• Rectification — correct inaccurate data
• Erasure ("right to be forgotten") — delete your newsletter subscription + any associated record
• Restriction — pause our processing of your data
• Portability — receive your data in a portable format
• Objection — object to processing based on legitimate interest
• Withdraw consent — every newsletter email includes a one-click unsubscribe link at the bottom. Clicking it removes you from our list immediately; we won't email you again unless you re-subscribe via the form on this site.

To exercise any of these rights, email privacy@cryptonightmafia.com with your request. We respond within 30 days (typically same week).

For order-related data (held by Etsy), use Etsy's account-level privacy controls or contact Etsy directly.

6. Retention + breach notification

• Newsletter: retained until you unsubscribe. After unsubscribe, MailerLite holds a suppression-list record (email hash only) for ~12 months to prevent accidental re-add.
• Vercel Analytics: aggregated visit data retained for 12 months, then deleted.
• Etsy order data: handled by Etsy under their own retention policy — see Etsy's privacy notice.

Personal-data breach notification: in the unlikely event of a personal-data breach affecting newsletter subscriber data, we will notify the Portuguese supervisory authority (CNPD) within 72 hours of becoming aware of the breach, per GDPR Art. 33. Where the breach is likely to result in a high risk to your rights and freedoms (Art. 34), we will also notify affected subscribers directly without undue delay.

7. International data transfers

Some of the processors above (Vercel, MailerLite) are based outside the EU. They rely on Standard Contractual Clauses (SCCs) and/or EU-US Data Privacy Framework participation for lawful EU-to-third-country transfers under GDPR Art. 46. Full details in each processor's privacy notice.

8. Cookies + similar technologies

This site does not set any cookies of its own. Third-party scripts loaded on the page:

• MailerLite + Google reCAPTCHA — only loaded when you interact with the newsletter form. MailerLite uses Google reCAPTCHA for spam protection, which sets its own cookies for fraud detection under Google's terms.
• Vercel Analytics — cookieless. No persistent identifiers.
• Google Fonts — used to load Bebas Neue / Space Mono / Inter. Google may log the IP that requests the font, under Google's privacy policy.

9. Complaints

If you believe we've handled your data unlawfully, you can file a complaint with the Portuguese data protection authority:

• CNPD — Comissão Nacional de Proteção de Dados
• Web: cnpd.pt

If you're in another EU/EEA country, your local supervisory authority can also handle the complaint.

10. Changes to this policy

Material changes will be communicated via the brand's social channels (@cryptonight_m, @cryptonight_m) and reflected in the "Last updated" date at the top of this page. Continued use after a change indicates acceptance of the updated policy.

When the brand incorporates as a Sociedade Unipessoal por Quotas (Phase 0.5), this policy will be updated to reflect the new data controller (the Lda.) and any new processing introduced by the own-site crypto checkout.

11. How we keep your data secure

We take reasonable technical and organisational measures to protect newsletter subscriber data from unauthorised access, alteration, or loss (GDPR Art. 32):

• In transit: all communication between this site, MailerLite, and your email client is encrypted via TLS 1.2 or higher.
• At rest: newsletter data is held within MailerLite's infrastructure under the safeguards described in their legal documents and Data Processing Agreement.
• Access control: the brand's MailerLite account is protected by a strong password and two-factor authentication. We don't export full subscriber lists locally and don't store them on shared devices.
• No payment-data surface: this site never handles card data, banking information, or wallet keys — Etsy is the merchant of record for purchases — so there's no payment-data attack surface here.
• Content we send: all images, copy, and design assets in our newsletter are original to CryptoNight Mafia or used with the relevant rights or permissions.
• Incident response: if a personal-data breach affects subscriber data, the notification procedure described in §6 (CNPD within 72 hours, subscriber notice where the breach is high-risk) applies.

No system is 100% secure. If you spot a security issue affecting your subscription or this site, email privacy@cryptonightmafia.com and we'll investigate.