Trust & Security
Security & Privacy
Last updated: March 2026
Alkemy Market is built on the principle that your data is yours. This page explains how we handle merchant data, customer information, payment processing, and platform security.
The Merchant-of-Record Model
Unlike most marketplaces, Alkemy does not sit between you and your customers financially. Through Stripe Connect with direct charges, you are the merchant of record on every transaction. This means:
- Customers pay you directly through your own Stripe account
- Alkemy never holds, delays, or controls your revenue
- You receive real customer email addresses — never masked or anonymized
- Your Stripe account is yours, governed by your relationship with Stripe
If Alkemy ceased to exist tomorrow, your Stripe account, customer relationships, and payment history would remain entirely intact and under your control. We have no kill switch on your revenue.
Data Handling
What we store
Alkemy stores the minimum data required to operate the marketplace: your store profile, product listings, order references (synced from Stripe), and storefront configuration. Customer data flows through Stripe — we reference it but Stripe is the system of record for payment and customer information.
What we don't store
- Credit card numbers or payment credentials (handled entirely by Stripe)
- Plaintext customer passwords (authentication uses standard bcrypt hashing)
- Sensitive financial data beyond what's necessary for order display
Data export
You can export your complete data set at any time — product listings, order history, customer information, and storefront configuration. This is available on all plans, including Free. There are no export fees and no restrictions on frequency.
Infrastructure Security
Alkemy's infrastructure is built on modern, audited platforms:
- Hosting: Vercel (SOC 2 Type 2 compliant) for application hosting
- Database: Neon Postgres (encrypted at rest, encrypted in transit)
- Caching: Upstash Redis with TLS connections
- CDN & Storage: Cloudflare Workers and R2 (global edge network, DDoS protection)
- Payments: Stripe Connect (PCI DSS Level 1 certified)
- Shipping: EasyPost and Zonos (encrypted API communications)
- Chargeback Protection: Chargeflow (SOC 2 compliant)
All data in transit is encrypted via TLS 1.3. All data at rest is encrypted using AES-256 or equivalent. API keys and secrets are stored in environment variables, never in source code.
Authentication & Access
Merchant accounts use email/password authentication with bcrypt password hashing. Session management uses secure, HTTP-only cookies with CSRF protection. We plan to support two-factor authentication (2FA) in a future release.
Content Moderation
The Anti-Bot Mafia system uses AI-powered content scanning (via Google Gemini) to review product listings for quality standards. This is an automated system that flags content for review — it does not access, read, or store customer personal data. It examines product images, titles, and descriptions for spam signals, policy violations, and quality compliance.
Third-Party Data Sharing
We do not sell merchant or customer data to third parties. Data is shared only with the service providers necessary to operate the platform (Stripe, EasyPost, Zonos, Chargeflow, Cloudflare) and only to the extent required for those services to function. Each provider has its own privacy policy and security certifications.
Compliance
Alkemy Market is a Canadian company based in Edmonton, Alberta. We comply with Canadian privacy law (PIPEDA) and are committed to meeting GDPR requirements for European merchants and customers. As the platform scales, we will pursue formal certifications including SOC 2 Type 2.
Security and privacy are not features we add later — they are architectural decisions we made from day one. The merchant-of-record model, the data export guarantee, and the refusal to mask customer emails are not policies. They are the product.
Questions?
If you have questions about our security practices or data handling, contact us at security@alkemy.market.