// Privacy.jsx — privacy policy, on-brand const Privacy = () => { const H = ({ children }) => (
// {children}
); const P = ({ children }) => (

{children}

); const Li = ({ children }) => (
{'>'}{children}
); return (
🔒

PRIVACY POLICY

$ cat /etc/privacy.conf
# look, we just want to send you coffee.
# we collect the bare minimum to do that.
# no trackers. no ad pixels. no data brokers.
# your data isn't the product. the coffee is.

Last updated: June 5, 2026

Operator Brewing Co. ("we", "us") takes your privacy seriously. We're security people — we know what bad data practices look like, and we want no part of it. This policy explains exactly what we collect, why, and where it goes.

WHAT WE COLLECT

To make your account and send you coffee:

  • Email + name — login, order confirmations, shipping updates
  • Shipping address — so the coffee arrives at your door, not ours
  • Handle — your public display name (3-32 chars, you pick it)
  • Order history — tier calculations, receipts, and knowing what you like

    • To run the loyalty system:

  • Lifetime spend + tier — stored in our database for point calculations
  • Notification preferences — which emails you want (orders, drops, subs)
  • Subscription details — cadence, grind preference, status

    • If you verify certifications:

  • Cert name + provider — which cert was verified, for your tier boost
  • A hash of the verification — prevents duplicate claims across accounts
  • NOT stored: your HTB API token, your Credly email, badge details — these are used once during verification and immediately discarded

    • If you enable MFA:

  • TOTP secret — AES-256-GCM encrypted at rest
  • Passkey public keys — for WebAuthn authentication
  • Recovery code hashes — salted SHA-256 (never plaintext)
    • WHAT WE DON'T COLLECT
  • No analytics or tracking pixels (no Google Analytics, no Facebook Pixel)
  • No third-party ad scripts or retargeting
  • No fingerprinting, no behavioral tracking
  • No selling or sharing data with data brokers — ever
  • No CRM or marketing automation platforms
  • We don't store your payment info — Shopify handles all payment processing (PCI-DSS compliant)
    • COOKIES

    We use three cookies. All are functional — none are for tracking.

    COOKIE
    PURPOSE
    DURATION
    obc_session
    Keeps you logged in (HttpOnly, Secure)
    10 hours
    obc_logged_in
    UI flag so the site knows to show your account
    10 hours
    obc_mfa_pending
    Temporary MFA verification state
    5 minutes

    We also use localStorage to save your cart contents on your device. This never leaves your browser — it's purely so your cart survives a page refresh.

    WHERE YOUR DATA LIVES
  • Shopify — your email, name, address, order history, and payment info. Shopify is PCI-DSS compliant and handles all payment processing. We never see your card number. Data stored in Shopify is subject to Shopify's Privacy Policy.
  • Cloudflare D1 — loyalty tier, points, cert verifications, MFA credentials, notification preferences. Encrypted at rest on Cloudflare's edge network.
  • Cloudflare Turnstile — bot detection on login/register forms. No data stored — just a pass/fail check.
    • THIRD PARTIES

    We share data with exactly three services, all necessary to operate:

  • Shopify — e-commerce platform (orders, payments, customer records) — their privacy policy
  • Cloudflare — hosting, database, CDN, and bot protection
  • Credly / Hack The Box — only when YOU initiate a cert verification. We send the minimum needed to confirm your cert, then discard it.

    • That's it. No ad networks. No data brokers. No "partners" getting a copy of your purchase history.

    WHAT SHOPIFY RECEIVES

    Your browsing and cart activity happen entirely on our infrastructure — no Shopify scripts run in your browser while you shop. When you proceed to checkout, the connection is proxied through our Cloudflare network, so you never leave our domain. Shopify receives:

  • Your cart contents (products and quantities)
  • Your account identity (so checkout can prefill your details)
  • Your IP address and browser info (forwarded through the proxy)
  • Your name, email, shipping address, and payment info to complete the order

    • We never see your card number — Shopify handles all payment processing. Data stored in Shopify is subject to Shopify's Privacy Policy.

    YOUR RIGHTS

    If it's not on your account page, we don't have it. Everything we store about you is visible right there — no hidden profiles, no shadow data.

  • Access — your account page shows everything we know about you
  • Correction — edit your handle, name, address, and preferences in account settings
  • Deletion — email us and we'll delete your account from both our database and Shopify
  • Marketing opt-out — toggle in account settings, or unsubscribe from any email
    • SECURITY
  • All traffic is encrypted with TLS 1.2+
  • Session cookies are HttpOnly, Secure, and SameSite=Strict with a 10-hour expiry
  • Sessions are revoked server-side on logout — tokens are invalidated, not just cleared
  • MFA secrets are AES-256-GCM encrypted at rest with HKDF-derived keys
  • Recovery codes are salted + hashed (never stored in plaintext)
  • Rate limiting on login, registration, MFA, and cert verification (per-account and per-IP)
  • We don't store verification artifacts — emails, API tokens, and badge data are used once and discarded
    • CONTACT

    Questions about your data? Something feel wrong? Let us know.

  • privacy@operatorbrewing.co
    • // tl;dr: we collect what we need to send you coffee and run a loyalty program.
    // we encrypt the important stuff, we don't track you, and we don't sell your data.
    // if you want out, email us and we'll nuke your records.
    // drink responsibly. pwn responsibly. store data minimally.
    ); }; window.Privacy = Privacy;