WhiteFang.ai Privacy Policy
Effective date: May 1, 2026
This Privacy Policy applies to all users of WhiteFang.ai, including consumers who earn and redeem digital credits, and merchants who issue credits and manage customer relationships through the platform. Where the policy differs between these two roles, it is clearly marked. Questions or requests: support@whitefang.ai

1. About WhiteFang

WhiteFang.ai ("WhiteFang," "we," "us," or "our") is a digital credits platform that connects local merchants with their customers through a map-based mobile application. Merchants issue digital credits (redeemable discounts linked to their point-of-sale system) to consumers, who can discover, earn, and redeem those credits at participating businesses.

We are incorporated and operate in the United States. Our principal contact for privacy matters is support@whitefang.ai.

2. Information We Collect

2a. Information Collected from Consumers

Account information: Name (auto-populated from your email address at registration; you can update it), email address, and optionally phone number and birthday (month and day only — year is never requested).

Authentication credentials: Passwords are never stored by WhiteFang. They are managed entirely by Supabase Auth using industry-standard hashing.

Credit and transaction data: Every credit issued to you, its value, expiration date, issuing merchant, and status (active, redeemed, or expired). When you redeem a credit, the redemption amount, timestamp, and merchant are recorded.

Activity log: A timestamped history of earn, redeem, and expire events associated with your account.

Location data: We derive your approximate city or region from your IP address to show relevant nearby merchants on the map. If you grant explicit permission, we access your device's GPS only to center the map on your current location. GPS data is used in real time and is not stored.

Device and session data: Browser type and version, operating system, referring URLs, and session identifiers used to maintain your login session.

2b. Information Collected from Merchants

Business information: Business name, street address (converted to geographic coordinates for map display), category, logo image, and optional website and social media URLs (Instagram, Facebook, Twitter/X, TikTok, YouTube).

Account information: Name and email address for all account holders and staff members with access to the merchant dashboard.

Point-of-sale credentials: API tokens and keys required to connect your Shopify or Toast account. These credentials are encrypted using AES-256-GCM before being written to our database and are never stored in plain text.

Campaign and automation configuration: Credit values, labels, expiration periods, and triggers you configure for your campaigns and automations (including birthday and anniversary automation rules).

Shopify store information: For merchants using Shopify, we retrieve your store name, currency, and product catalog metadata via the Shopify Admin API to facilitate credit creation.

3. How We Use Your Information

3a. To Operate the Platform

  • Creating and authenticating your account
  • Issuing, tracking, and displaying credits in your wallet
  • Processing credit redemptions through your connected POS system
  • Displaying your business on the consumer map (merchants only)
  • Enabling merchants to manage customer relationships and issue targeted credits

3b. Automated Campaigns and Communications

  • Running merchant-configured birthday and anniversary credit automations using the month/day birthday you provide
  • Sending transactional emails: credit issuance notifications, redemption confirmations, expiry reminders, and merchant alert emails
  • Scheduling and delivering credits on merchant-specified dates

3c. Safety and Platform Integrity

  • Detecting and investigating fraudulent or anomalous credit activity across all merchants using automated pattern analysis
  • Enforcing rate limits and abuse prevention measures

3d. Analytics and Improvement

  • Generating anonymized, aggregated usage statistics to improve platform features
  • Providing merchants with their own performance reports (campaign redemption rates, revenue attribution, customer counts)

3e. Legal Compliance

We may use or retain information as required by applicable law, court order, or regulatory obligation.

4. Data Sharing Between Merchants and Consumers

The WhiteFang platform is built on a two-sided relationship between merchants and consumers. The following describes what each party can see about the other as part of normal platform operation.

4a. What Merchants See About Consumers

When a consumer earns or redeems a credit issued by a merchant, that merchant can see the following information about that consumer in their dashboard:

  • Consumer name and email address
  • Number of credits earned, currently active, redeemed, and expired (specific to that merchant)
  • Total revenue attributed to credit redemptions (specific to that merchant)
  • Date first added as a customer and date of most recent activity
  • Automated segment classification: New, Active, Champions, At-Risk, or Lost — generated by the platform based on the consumer's credit activity pattern with that merchant

Merchants do not see your GPS location, device data, birthday, phone number, or your credit history with other merchants. Credit activity is scoped strictly to the merchant viewing it.

4b. What Consumers See About Merchants

  • Business name, address, and category
  • Available credit offers: value, label, and expiration date
  • Website URL and any social media profiles the merchant has chosen to display
  • Merchant location on the map

Consumers do not see any merchant financial data, POS credentials, staff information, or other merchant account details.

4c. Data Flowing to Merchant POS Systems at Redemption

When you redeem a credit via a Shopify-connected merchant, your redemption is processed as a discount applied to an order in that merchant's Shopify store. This means your transaction may be visible to the merchant within their Shopify admin and is subject to Shopify's Privacy Policy. For Toast-connected merchants, redemption data is sent to Toast's system per their applicable policies.

4d. Merchant Enrollment of Consumers

Merchants can add consumers to their customer list by email address and can enroll consumers in campaigns. If a merchant uses birthday automations and you have provided your birthday, the platform will issue credits to you automatically on or around your birthday on that merchant's behalf. You can remove your birthday from your profile at any time to opt out of all birthday-based automations across all merchants.

5. Third-Party Service Providers

We share data with the following sub-processors solely to operate the platform. We do not sell your personal information to any third party, and none of our sub-processors are permitted to use your data for their own marketing purposes.

Provider | Purpose | Location
Supabase Inc. | Database, user authentication, real-time subscriptions, edge functions | United States
Shopify Inc. | POS integration, discount code creation, order processing | Canada / United States
Toast Inc. | POS integration for Toast-connected merchants | United States
Resend Inc. | Transactional email delivery | United States
Netlify Inc. | Web hosting, CDN, serverless functions | United States
Carto (CartoDB) | Map tile rendering for the merchant discovery map | United States / EU

We may also disclose information to law enforcement or regulatory authorities when required by valid legal process, court order, or applicable law.

6. Data Retention

  • Account data (profile, credentials, merchant settings) is retained for as long as your account remains active.
  • Credit and transaction records are retained to support dispute resolution and financial record-keeping.
  • Activity logs are retained for fraud prevention, analytics, and platform integrity. They are not subject to a fixed deletion timeline.
  • POS credential tokens are deleted upon disconnection of a POS integration.
  • After account deletion, your profile and associated personal data are hard-deleted once the 30-day grace period expires (see deletion details below).

Consumers can request account deletion via Profile → Security → Delete Account. The request carries a 30-day grace period during which you can cancel it. During the grace period your account is deactivated and your credit wallet is no longer accessible. Hard deletion of your profile and associated data occurs after the grace period expires.

Merchants can request account deletion from the Settings page in their dashboard. Deletion carries a 30-day grace period during which you can cancel the request. Immediately upon requesting deletion, your merchant listing is deactivated and all outstanding consumer credits are cancelled so consumers are not left with unredeemable balances. Hard deletion of all merchant data occurs after the grace period expires.

Merchants using Shopify may also trigger consumer data deletion via Shopify's mandatory GDPR deletion webhooks, which our platform supports (see Section 16).

7. Data Security

  • All data transmitted between your device and our servers is encrypted using TLS (Transport Layer Security).
  • All database tables use row-level security (RLS) policies enforced at the database layer — queries from one user cannot access another user's data.
  • POS API credentials (Shopify, Toast tokens) are encrypted with AES-256-GCM before storage. The encryption keys are stored separately from the encrypted values.
  • Authentication is handled by Supabase Auth; passwords are never stored or visible to WhiteFang.

No security system is impenetrable. In the event of a data breach affecting your personal information, we will notify you as required by applicable law. Our full security program, including technical safeguards and incident response procedures, is published at whitefang.ai/security.

8. Location Data

IP-based location: We use your IP address to approximate your city or region. This is used solely to show nearby merchants on the map. We do not log or store raw IP addresses beyond what our infrastructure provider (Netlify) retains for standard access logging.

Device GPS: If you grant location permission in your browser or device, we use your precise GPS coordinates only to center the map view. This data is processed in your browser and is not transmitted to or stored on our servers.

9. Automated Processing and Consumer Segmentation

WhiteFang automatically classifies consumers into behavioral segments on behalf of each merchant. These segments — New, Active, Champions, At-Risk, and Lost — are calculated based on how recently and frequently you have interacted with that merchant's credits. Segmentation is scoped per merchant and does not consider your activity with other merchants.

These segments affect how merchants choose to target credit campaigns, but do not affect your access to the WhiteFang platform, your credit balance, or any right or service provided to you by WhiteFang.

We also run automated anomaly detection across transaction patterns to identify unusual activity. This process does not result in automated decisions that produce legal or similarly significant effects on you. Flagged activity is reviewed by our team before any action is taken.

10. Cookies and Local Storage

Authentication cookies: Your login session is stored in HTTP-only, secure cookies set by Supabase Auth (named sb-*-auth-token). These are strictly necessary cookies — the platform cannot function without them. Because they are strictly necessary to provide a service you have explicitly requested, they do not require separate cookie consent under GDPR or ePrivacy rules.

Browser local storage: We store your theme preference (light/dark/auto) and non-sensitive app UI state in browser local storage under the key whitefang-app. This is distinct from your session cookie and does not contain authentication credentials.

We do not use third-party advertising cookies, analytics cookies, or any cross-site tracking technologies. Map tiles are served by CartoDB; their tile CDN may set its own cookies subject to Carto's Privacy Policy.

Signing out clears your session cookie and removes the local storage entry. You can also clear both manually through your browser settings.

Do Not Track: Some browsers transmit a "Do Not Track" (DNT) signal. WhiteFang does not engage in cross-site tracking and does not alter its data practices based on DNT signals, because the practices described in this policy apply uniformly regardless of whether a DNT signal is present.

11. Children's Privacy

WhiteFang is not directed to individuals under 18 years of age. We do not knowingly collect personal information from minors. If we become aware that we have inadvertently collected personal information from a minor, we will delete it promptly. Contact us at support@whitefang.ai if you believe a minor's information has been submitted.

12. Your Privacy Rights

Regardless of your location, you may exercise the following rights with respect to your personal data by contacting support@whitefang.ai:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request that we correct inaccurate or incomplete personal data.
  • Deletion: Request that we delete your personal data (subject to retention obligations described in Section 6).
  • Portability: Request a machine-readable export of your personal data.
  • Objection: Object to specific processing of your personal data.
  • Restriction: Request that we restrict processing of your personal data in certain circumstances.
  • Withdraw consent: Where processing is based on your consent (e.g., birthday automations), withdraw that consent at any time without affecting prior processing.

For account deletion, consumers use Profile → Security → Delete Account and merchants use Settings → Account. Both flows include a 30-day grace period. For all other requests, email support@whitefang.ai. We will respond to verified requests within 30 days. We do not charge a fee to exercise these rights unless requests are manifestly unfounded or excessive.

13. U.S. State Privacy Rights

Depending on the state where you reside, you may have additional rights under applicable state privacy law.

California (CCPA / CPRA)

California residents have the right to: know what personal information is collected and how it is used; delete personal information we hold about you; correct inaccurate personal information; opt out of the "sale" or "sharing" of personal information; limit the use and disclosure of sensitive personal information; and not be discriminated against for exercising these rights.

We do not sell your personal information. We do not share personal information for cross-context behavioral advertising. The sharing of consumer data with merchants described in Section 4 is a necessary component of providing the service you signed up for, not a sale or targeted-advertising share under CCPA/CPRA.

Sensitive personal information we collect includes: account log-in credentials (managed by Supabase Auth), precise geolocation (GPS, only if you grant permission and only processed in real time). We do not use sensitive personal information for purposes beyond providing the platform.

To submit a California privacy request, email support@whitefang.ai with the subject line "California Privacy Request." We will verify your identity before processing the request. You may designate an authorized agent to make a request on your behalf.

Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and Texas (TDPSA)

Residents of Virginia, Colorado, Connecticut, and Texas have the right to: access personal data we process about you; correct inaccuracies; delete personal data; obtain a portable copy of your data; and opt out of processing for targeted advertising, sale of personal data, or profiling that produces legal or similarly significant effects.

WhiteFang does not engage in targeted advertising, sell personal data, or conduct profiling that produces legal or similarly significant effects as defined under these laws. The automated consumer segmentation described in Section 9 does not produce legal or similarly significant effects on consumers.

To submit a request under any of these state laws, email support@whitefang.ai. If your request is denied, you may appeal by replying to our denial response; we will address appeals within 60 days.

Nevada (SB 220)

Nevada residents may opt out of the sale of covered information. We do not sell covered information as defined under Nevada law. You may still submit an opt-out request to support@whitefang.ai and we will record your preference.

Massachusetts (M.G.L. c. 93H)

WhiteFang is based in the Commonwealth of Massachusetts and complies with Massachusetts data breach notification law (M.G.L. c. 93H). In the event of a breach of security affecting Massachusetts residents' personal information, we will provide written notice to affected residents and to the Massachusetts Attorney General's Office and the Office of Consumer Affairs and Business Regulation as required by law. Notification will be provided without unreasonable delay and no later than the timeframe required under M.G.L. c. 93H.

We maintain a Written Information Security Program (WISP) in compliance with Massachusetts data security regulations (201 CMR 17.00). The WISP is published at whitefang.ai/security.

14. Rights Under GDPR (EU / EEA / UK Users)

If you are located in the European Economic Area (EEA) or United Kingdom, you have rights under the General Data Protection Regulation (GDPR) or UK GDPR. We process your personal data on the following lawful bases:

  • Contractual necessity: Processing required to create your account, operate the platform, issue and track credits, and process redemptions.
  • Legitimate interests: Fraud detection and prevention, platform security, and aggregated usage analytics — balanced against your rights and interests.
  • Consent: Processing of your GPS location (where you grant permission) and birthday data for automated campaigns. You may withdraw consent at any time.
  • Legal obligation: Compliance with applicable laws and valid legal requests.

Under GDPR you have the right to: access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, objection to processing, and to withdraw consent. You also have the right to lodge a complaint with your local supervisory authority.

WhiteFang is based in the United States. By using the platform, your personal data may be transferred to and processed in the United States. Our sub-processors are listed in Section 5; each maintains its own compliance certifications. If you are located in the EU/EEA and have questions about the legal basis for cross-border data transfers, contact us at support@whitefang.ai.

We have not appointed a formal Data Protection Officer, as we do not meet the GDPR thresholds that require one. Privacy inquiries should be directed to support@whitefang.ai.

15. Merchants as Independent Data Controllers

When a merchant receives consumer data through the WhiteFang platform (as described in Section 4a), the merchant acts as an independent data controller with respect to how they use, store, or further process that data outside of WhiteFang. WhiteFang is not responsible for a merchant's independent use of consumer data beyond what is provided through the platform.

Merchants are required, by their agreement to our Terms of Service, to handle consumer data in compliance with applicable privacy laws and to use it only for legitimate business purposes related to their participation on WhiteFang.

16. Shopify App-Specific Disclosures

WhiteFang is available as an app in the Shopify App Store. This section discloses how the app interacts with merchant Shopify stores and the data it accesses.

Shopify API Permissions Requested

When a merchant installs WhiteFang through Shopify, the app requests the following OAuth scopes. Each scope is limited to what is strictly necessary for the platform to function:

Scope | Why It Is Needed
write_discounts | Create and manage discount codes in the merchant's Shopify store for credit redemptions
read_products | Read product catalog to support campaign rule configuration
read_customers | Look up existing Shopify customer records by email when issuing credits
write_customers | Create Shopify customer records for consumers who do not yet have one in the merchant's store
read_orders | Receive order webhooks (orders/paid, orders/cancelled) to detect and confirm credit redemptions
read_gift_cards | Read gift card balances and status when using Shopify gift cards as the credit vehicle
write_gift_cards | Create and disable gift cards in the merchant's store when issuing or revoking credits

Shopify Merchant Customer Data Accessed

Through the read_customers and write_customers scopes, WhiteFang may access or create Shopify customer records containing: first name, last name, and email address. This data is used only to match consumers to their WhiteFang accounts and to create discount codes scoped to the correct customer. It is not stored beyond what is necessary for credit issuance and is not used for any purpose unrelated to operating the platform.

Order data accessed via read_orders webhooks contains order IDs, line items, discount amounts, and order status. This data is used solely to confirm that a credit was successfully redeemed at the merchant's Shopify checkout. Raw webhook payloads are retained for fraud detection and dispute resolution.

Mandatory Shopify GDPR Webhooks

WhiteFang implements all three mandatory Shopify GDPR webhooks as required for Shopify App Store listing. These are configured in the Shopify Partners dashboard and respond as follows:

  • customers/data_request: When a Shopify merchant's customer requests their data, WhiteFang compiles all personal data held about that consumer (profile, credits, activity) related to that merchant's store and delivers it to the customer by email within a reasonable timeframe.
  • customers/redact: When a Shopify merchant requests erasure of a customer's data, WhiteFang deletes all credits, activity records, automation enrollments, and POS transaction payloads associated with that consumer and that merchant's store. The consumer's birthday is also cleared from their profile.
  • shop/redact: Called 48 hours after a merchant uninstalls the app. WhiteFang nulls all Shopify-specific reference fields on transaction records, deletes all enrollment and automation data for that store, removes billing records, and deletes the access token and POS connection record.

GDPR webhook endpoints are cryptographically verified using HMAC-SHA256 signatures before any action is taken.

Data Residency and Shopify's Privacy Policy

Data shared between WhiteFang and Shopify is subject to Shopify's Privacy Policy. WhiteFang does not transfer Shopify merchant or customer data to any party not listed in Section 5 of this policy.

17. Email Communications and CAN-SPAM Compliance

WhiteFang sends the following types of email to consumers and merchants:

  • Transactional emails to consumers: credit issuance confirmations, redemption confirmations, credit expiry reminders. These are triggered directly by your actions or account activity.
  • Transactional emails to merchants: campaign performance alerts, anomaly detection notices, credit activity summaries.
  • Account emails: password reset links, email confirmation, account claim links.

Most emails sent by WhiteFang are strictly operational — account confirmations, password resets, credit issuance confirmations, and redemption receipts. These are transactional emails and are exempt from the commercial opt-out requirements of the CAN-SPAM Act (15 U.S.C. § 7701 et seq.).

Automated campaign emails — including birthday credit emails and scheduled credit campaigns triggered by merchant automations — may be considered commercial in nature under the FTC's primary-purpose test. These emails include an unsubscribe link. Clicking it prevents future automated campaign emails from that merchant. Unsubscribing from campaign emails does not affect your ability to receive account or transactional emails.

All emails are sent from @whitefang.ai addresses via Resend Inc. and include our contact information as required by law.

20. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date at the top of this page and notify users via an in-app notice. Continued use of the platform after the effective date of any update constitutes acceptance of the revised policy.

For significant changes that affect how we use data you have already provided, we will seek fresh consent where required by law.

21. Contact Us

For privacy questions, data requests, or to exercise any of the rights described in this policy:

WhiteFang.ai
Email: support@whitefang.ai
Website: whitefang.ai
Response time: Within 30 days for privacy requests
© 2026 WhiteFang, Inc.