Privacy Policy

This policy describes what kurdoff.com actually collects and stores — no more, no less. Data controller: Barmaan Trading Company (BTC), Erbil, Kurdistan Region of Iraq — info@barmaan.co.

Last updated:

1. Data we store

When you create an account we store:

  • Your email address and/or phone number, an optional username, and your name if you give one
  • Your password — never in plain text, only as a scrypt hash that cannot be reversed
  • Verification timestamps (when your email or phone was confirmed), your account role and status
  • If you sign in with Google or Facebook: your name, email address and the provider's account identifier — we never receive your Google/Facebook password
  • One-time login codes — stored only as a SHA-256 hash, valid for 5 minutes and deleted automatically
  • When the shop opens: your orders and delivery addresses, which this policy will list here in detail

2. Cookies and local storage

We keep this list short because the real list is short:

  • Session cookie (authjs.session-token) — a signed token that keeps you logged in; strictly necessary
  • Language cookie (NEXT_LOCALE) — remembers the language you chose
  • Theme and color palette (kurdoff-theme, kurdoff-palette) — saved in your browser's localStorage only; they are never sent to our servers
  • No advertising cookies and no third-party analytics scripts at present; if that ever changes, this page changes first

3. How we use your data

To sign you in and keep your account secure; to process and deliver orders and handle returns; to answer your support messages; to send one-time codes and essential account emails; and to meet legal obligations. We do not sell personal data, and we do not send marketing email unless you explicitly subscribe.

4. Who else sees your data

Only service providers that make the platform work, and only what they need:

  • Email delivery (Resend) — sends one-time codes and account emails to your address
  • Hosting and database infrastructure (Vercel, MongoDB Atlas) — where the site runs and data is stored
  • Google / Facebook — only if you choose to sign in with them; they tell us who you are, not the reverse
  • Vendors — when you order, the selling vendor receives what is needed to fulfil your order (name, delivery address, phone)

5. Retention and deletion

Account data is kept while your account is active. One-time codes self-destruct after 5 minutes. To delete your account and personal data, email info@barmaan.co from your registered address — we honour deletion requests unless a legal duty (e.g. transaction records) requires keeping specific data.

6. Security

Passwords are hashed with scrypt, one-time codes with SHA-256; codes expire in 5 minutes and allow only a few attempts. Traffic is encrypted with HTTPS, and access to production data is limited to those who operate the platform.

7. Your rights

You can ask what data we hold about you, correct it, or have it deleted — write to info@barmaan.co. Name, email and password can also be managed from your account page.

8. Children

KurdOff accounts are intended for adults (18+) or minors under a guardian's supervision. We do not knowingly collect data from children; if you believe a child has registered, contact us and we will remove the account.

9. Changes and contact

When our data practices change — for example, when the shop and payments launch — this page is updated first and the date at the top changes. Privacy questions: info@barmaan.co.