Privacy Policy
Last updated June 6, 2026.
This policy explains what data Cup of Malice collects for the public website and the paid UVULITES Insider membership, why we collect it, who processes it, and how long we keep it. The marketing site can be browsed without an account; the data below applies once you sign in or subscribe.
What we collect
- Identity (via Shopify). When you sign in we receive your Shopify customer id, name, and email address from the Shopify Customer Account API. We never see or store your password.
- Session. A server-side session keyed by a random cookie token; the database stores only the SHA-256 hash of that token, and any Shopify tokens are encrypted at rest (AES-256-GCM).
- Subscription & billing metadata (via Seal). Subscription status, paid-through dates, and the orders tied to your membership. Payment-card details are handled by Shopify/Seal — we never receive them.
- Discord (optional). If you connect Discord, we store your Discord user id, username, and avatar to grant the Insider role. The Discord OAuth token is used once and discarded.
- Operational logs. An audit log of membership and role changes, and short-lived IP addresses used only for rate-limiting abuse on authentication endpoints.
How we use it
- To authenticate you and decide your membership access.
- To deliver membership benefits: the development newsletter, private Discord, and previews.
- To keep records accurate (reconciliation) and to apply refund/chargeback outcomes.
- To protect the service (rate limiting, error monitoring) and meet legal obligations.
Who processes your data
We use trusted processors and share only what each needs:
- Shopify — identity, customer tags for newsletter segmentation, and orders.
- Seal Subscriptions — subscription billing.
- Discord — community access and role assignment (only if you connect it).
- Vercel (hosting), Neon (membership database), and Sentry (error monitoring) — infrastructure providers.
How long we keep it
- Membership records persist while your account exists.
- Expired login states and sessions, and old processed webhook records, are purged automatically.
- Rate-limit IP counters expire within minutes.
Your choices & rights
- You can disconnect Discord at any time from your member account, which removes the Insider role.
- You can cancel your subscription through Shopify/Seal.
- Depending on where you live, you may have rights to access, correct, or delete your data. To make a request, email us at hello@cupofmalice.com.
Contact
Questions about this policy? Email hello@cupofmalice.com.