Fashion Dora

Privacy Policy

Last updated: February 2026

1. Introduction

Fashion Dora ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains what personal data we collect, how we use it, and your rights regarding that data when you use our platform at fashiondora.lk.

By using Fashion Dora, you consent to the data practices described in this policy.

2. Data We Collect

We collect the following categories of personal data:

Account Information

  • Full name
  • Email address (used for OTP login and notifications)
  • Phone number (stored with delivery addresses)
  • Hashed password (for vendor and admin accounts)

Order & Transaction Data

  • Delivery addresses (street, city, province, postal code)
  • Order history and item details
  • Payment status and transaction references (no card data is stored — handled by PayHere)
  • Wallet balance and transaction history

Usage Data

  • Pages visited and products viewed
  • Cart contents
  • Chat messages (stored for dispute resolution)
  • Device type and browser (via standard server logs)

Vendor-Specific Data

  • Business name and shop details
  • Bank account information (for payouts — stored securely)
  • Product listings, images, and inventory

3. How We Use Your Data

We use your personal data to:

  • Process and fulfil your orders
  • Send OTP verification codes and account notifications via email
  • Communicate order status updates and shipping information
  • Process payments and manage wallet balances
  • Resolve disputes and support requests
  • Detect and prevent fraud or abuse
  • Improve the platform based on usage patterns
  • Comply with legal obligations

We do not sell your personal data to third parties.

4. Third-Party Services

To provide our services, we share data with trusted third-party providers:

  • PayHere — payment processing. Your payment details are entered directly on PayHere's secure gateway. We never see or store card numbers. PayHere's privacy policy applies to payment data.
  • Resend — transactional email delivery (OTP codes, order confirmations, notifications).
  • Cloudinary — image storage and optimisation for product photos and dispute evidence.
  • Supabase / PostgreSQL — secure database hosting for all platform data.
  • Upstash Redis — temporary caching for OTP codes and session data.

All third-party providers are selected for their security standards and are contractually required to handle your data appropriately.

5. Chat Message Monitoring

All chat messages between customers and vendors are stored and may be reviewed by our admin team, particularly in the context of dispute resolution. To protect user safety and prevent off-platform transactions, our system automatically filters and blocks messages containing personal contact information such as:

  • Phone numbers (Sri Lankan and international formats)
  • Email addresses
  • Social media usernames or links (WhatsApp, Instagram, Facebook, etc.)

By using our chat feature, you acknowledge that messages are monitored and filtered.

6. Cookies & Session Tokens

We use httpOnly cookies to store your authentication tokens (access token and refresh token) securely. These cookies are:

  • Not accessible by JavaScript (prevents XSS attacks)
  • Automatically deleted when you log out
  • Access tokens expire after 1 hour; refresh tokens after 7 days

We do not currently use tracking or advertising cookies. We may use analytics cookies in the future and will update this policy accordingly.

7. Data Retention

We retain your personal data for as long as your account is active or as needed to provide services and comply with legal requirements. Specifically:

  • Order records: retained for 7 years (legal/tax compliance)
  • Notifications: auto-deleted after 90 days
  • OTP codes: deleted immediately after use or expiry
  • Chat messages: retained for dispute resolution purposes

You may request deletion of your account and personal data at any time (see Section 9).

8. Data Security

We take the security of your data seriously. Our security measures include:

  • HTTPS encryption for all data in transit
  • httpOnly cookies for authentication tokens
  • Bcrypt password hashing (cost factor 12+)
  • Parameterised database queries (prevents SQL injection)
  • Role-based access control for all API endpoints
  • PayHere webhook signature verification

No system is 100% secure. If you suspect a security breach, please contact us immediately at support@fashiondora.lk.

9. Your Rights

You have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion of your account and personal data (subject to legal retention requirements)
  • Objection: Object to certain uses of your data

To exercise any of these rights, please email us at support@fashiondora.lk. We will respond within 30 days.

10. Children's Privacy

Fashion Dora is not intended for children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated date. We encourage you to review this policy periodically.

12. Contact Us

If you have any questions or concerns about this Privacy Policy or how your data is handled, please contact us:

Fashion Dora
Email: support@fashiondora.lk