Last updated: May 30, 2026
1. Purpose and scope
This policy describes how NutraChurn protects the data and systems used to operate its business, including data accessed through third-party platforms (Shopify, TikTok Shop, Amazon) and any internal tools NutraChurn builds for its own use. It applies to all NutraChurn systems, devices, and personnel. NutraChurn is a single-operator US business; controls are implemented proportionate to that scale.
2. Data we handle and data classification
NutraChurn processes its own business data and classifies it as follows:
- Public — marketing content, public product listings.
- Internal — sales metrics, finance/settlement, product and affiliate performance used for internal reporting.
- Sensitive / Personal — limited buyer information contained in order data.
Sensitive/Personal data receives the strongest protections in this policy and is accessed only when required for order and sales reporting. NutraChurn does not sell or rent personal data and does not share it with third parties except the service providers required to operate the business.
3. Access control (least privilege)
- Access to business systems, credentials, and data is restricted to authorized NutraChurn personnel on a need-to-know, least-privilege basis. At present this is the founder only.
- Credentials are not shared. Each integration uses its own credentials.
- Access is revoked promptly when no longer required.
4. Credential and secret management
- API keys, secrets, and access tokens are stored in environment variables or access-controlled local configuration, never hard-coded in source code.
- Secrets are excluded from version control.
- OAuth 2.0 is used for platform authorization; refresh tokens are stored securely and rotated as required by the provider.
5. Security baseline for daily operations
All company devices enforce:
- Full-disk encryption at rest (FileVault).
- Automatic screen lock requiring a password.
- Strong, unique passwords managed via a password manager.
- Multi-factor authentication (MFA) on all business accounts that support it (Shopify, TikTok, Google, email).
- The operating system firewall and the network (router) firewall enabled.
6. Encryption (in transit and at rest)
- All API and web traffic uses HTTPS/TLS (in transit).
- Business data and exports are stored only on full-disk-encrypted, password-protected company devices (at rest).
7. Network protection
Business data is processed on a dedicated, firewalled endpoint operating behind a NAT/router firewall, isolated from any other users or untrusted networks. The operating system application firewall is enabled to monitor and block unauthorized network connections.
8. Vulnerability and threat management
- Automatic operating system and software security updates are enabled and patches are applied promptly.
- Application dependencies are kept up to date.
- NutraChurn monitors security advisories from its platform providers and acts on any that affect its systems.
9. Third parties
NutraChurn uses reputable platform providers (Shopify, TikTok Shop, Amazon) that maintain their own security programs. NutraChurn does not transfer data to unvetted third parties and does not use subcontractors to process this data.
10. Data retention and deletion
Data is retained only as long as needed for business operations and reporting, is deleted on request, and is deleted in full at the end of any contractual relationship under which it was obtained.
11. Incident response
Roles: the founder is the responsible owner for security incidents and the point of contact (cole@nutrachurn.com). On any suspected or identified compromise of credentials or data, NutraChurn will:
- Revoke and rotate the affected credentials immediately.
- Disconnect the affected integration.
- Notify the affected platform(s) (including TikTok Shop) and any impacted individuals as required, without undue delay.
- Review and remediate the root cause before restoring access.
12. Personal data protection and data subject requests
NutraChurn maintains a current public privacy policy (nutrachurn.com/policies/privacy-policy) and this internal policy, both reviewed periodically. NutraChurn will assist sellers, TikTok Shop, and end users with requests to access, update, or delete personal data.
13. Data protection contact
The appointed person responsible for data protection is the founder, reachable at cole@nutrachurn.com.
14. Review
This policy is reviewed periodically and updated as NutraChurn's systems and integrations change.