Privacy Policy

Qingxuan International Trading Limited (“Kiln & Ink”, “we”, “us”, or “our”) operates the website kiln-ink.com and is committed to protecting your personal information. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data.

1. Information We Collect

We collect information you provide directly to us, including:

• Account information: name, email address, and password when you create an account.
• Order information: billing address, shipping address, and payment details when you make a purchase. Payment card details are processed directly by Stripe and are never stored on our servers.
• Profile information: preferences, wishlist items, and collector membership details.
• Auction activity: bid history and auction participation records.
• Communications: messages you send to our customer support team.

We also collect certain information automatically when you visit our website:

• IP address, browser type, and device information
• Pages visited, time spent, and navigation patterns
• Referral source (e.g. which website brought you to us)
• Cookies and similar tracking technologies (see Section 6)

2. How We Use Your Information

We use the information we collect to:

• Process and fulfil your orders, including sending confirmation and shipping notifications
• Manage your account and collector membership
• Enable auction participation and notify you of bid activity
• Send you transactional emails (receipts, shipping updates, auction results)
• Send you marketing communications if you have opted in (you can unsubscribe at any time)
• Improve our website, product offerings, and customer experience
• Comply with legal obligations, including anti-fraud and anti-money-laundering requirements
• Resolve disputes and enforce our agreements

3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data under the following legal bases:

• Contract performance: to process orders and manage your account.
• Legitimate interests: to improve our services, prevent fraud, and for direct marketing to existing customers.
• Legal obligation: to comply with applicable laws and regulations.
• Consent: for optional marketing emails and non-essential cookies.

4. Sharing Your Information

We do not sell your personal data. We share your information only in the following circumstances:

• Payment processors: Stripe, Inc. processes all payment card transactions. Stripe's privacy policy is available at stripe.com/privacy.
• Shipping partners: your name and delivery address are shared with our logistics providers to fulfil orders.
• Technology providers: we use Supabase (database and authentication) and Sanity (content management). These providers process data on our behalf under data processing agreements.
• Legal requirements: we may disclose your information if required by law, court order, or government authority.
• Business transfers: if Kiln & Ink is acquired or merges with another entity, your information may be transferred as part of that transaction.

5. Data Retention

We retain different categories of personal data for different periods:

• Account data (name, email, password hash, profile preferences, wishlist): retained for as long as your account is active. If you do not log in for 36 months and have never placed an order, we will email you and then delete your account if no response is received within 30 days.
• Order & transaction records(order ID, items, prices, billing & shipping addresses): retained for seven (7) years from the order date to comply with Hong Kong Inland Revenue Ordinance tax-record retention rules. Payment card numbers are never stored on our servers — Stripe holds them under PCI DSS Level 1.
• Marketing subscription data (newsletter opt-in status): retained until you unsubscribe, plus 30 days for unsubscribe-confirmation auditing.
• Server & analytics logs (IP, user-agent, page-view events): retained for 90 days, then aggregated or deleted.

You may request immediate deletion of your account at any time (see Section 8). After deletion, order records may be retained in pseudonymised form (with personally-identifying fields nulled) for the seven-year tax-retention window.

6. Cookies

We use the following types of cookies:

• Essential cookies: required for the website to function (login sessions, shopping cart).
• Analytics cookies: help us understand how visitors use our site (e.g. Google Analytics). These are only set with your consent.
• Marketing cookies: used to deliver relevant advertising. These are only set with your consent.

You can control cookie preferences through your browser settings or our cookie consent banner. Note that disabling essential cookies may affect website functionality.

7. International Transfers

Kiln & Ink is based in Hong Kong. If you are accessing our website from outside Hong Kong, your information may be transferred to and processed in Hong Kong and other jurisdictions where our service providers operate. We ensure appropriate safeguards are in place for any international transfers of personal data.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

• Access: request a copy of the personal data we hold about you.
• Correction: request correction of inaccurate or incomplete data.
• Deletion: request deletion of your personal data (“right to be forgotten”).
• Portability: request your data in a structured, machine-readable format.
• Objection: object to processing based on legitimate interests or for direct marketing.
• Restriction: request that we restrict processing of your data in certain circumstances.

To exercise any of these rights, contact us at hello@kiln-ink.com. We will respond within 30 days.

9. Security

We implement the following measures to protect your personal information:

• Passwords: never stored in plaintext. All passwords are hashed using bcrypt (12-round salt) by our authentication provider Supabase before being written to the database. Even our own staff cannot retrieve a password — only verify that a login attempt matches the stored hash. If you forget your password, the reset flow generates a new one; the old one is permanently unrecoverable.
• Transport: all data in transit between your browser and our servers is protected by TLS 1.2+ encryption (HTTPS). We do not accept HTTP connections.
• Storage:account & order data is held in PostgreSQL databases managed by Supabase, with row-level-security (RLS) policies that prevent any user from reading or modifying another user's records, even if a query is crafted to attempt it.
• Payments: credit-card and bank-account numbers are processed end-to-end by Stripe (PCI DSS Level 1 certified). Card details never touch our servers; we receive only a tokenised reference.
• Access control: only a small number of authorised staff have administrative database access, and all such access is logged.
• OAuth providers: if you sign in with Google, your Google password is never shared with us — Google supplies a verified token directly.

However, no method of transmission over the internet or electronic storage is 100% secure. We commit to notifying affected users within 72 hours if we discover a data breach, in line with GDPR Article 33 timelines.

10. Updating Your Information

You can update most of your account information at any time:

• Name & profile preferences: in your Account Dashboard — open the “Profile Details” section, click Edit, save your changes.
• Email address: for security reasons, email-address changes are processed manually. Email hello@kiln-ink.com from your registered address with the new address you'd like to use.
• Password:use the “Forgot password?” link on the sign-in page. We'll email you a one-time reset link.
• Newsletter / marketing preferences: click the unsubscribe link in any marketing email, or contact us.
• Wishlist & order history: manage from your Account Dashboard.

11. Children's Privacy

Our website is not directed to children under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected data from a child, please contact us and we will promptly delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the “Last updated” date. Your continued use of our website after changes are posted constitutes acceptance of the updated policy.

13. Contact Us

If you have any questions about this Privacy Policy or how we handle your personal data, please contact us: