Privacy Policy
How Boilerlykit handles personal data when you browse, buy a template, or contact support.
1. Data Controller
The data controller responsible for your personal data is Abdelkader Settah, a sole trader residing in Algeria, trading as Boilerlykit.
The Service is available to buyers worldwide. Depending on your country of residence, different data-protection laws may apply to our processing of your personal data. Notably:
- For residents of the European Union and European Economic Area, the EU General Data Protection Regulation (GDPR) applies to our processing by virtue of its extraterritorial scope under Article 3(2).
- For residents of the United Kingdom, the UK GDPR and the Data Protection Act 2018 apply on the same basis.
- For residents of Algeria, Algerian Law No. 18-07 of 10 June 2018 on the protection of natural persons with regard to the processing of personal data applies.
Other local privacy laws may also apply depending on where you live. This Privacy Policy is written to meet the standards of the above regimes.
2. Scope
This Privacy Policy applies to personal information we process when you visit the Boilerlykit website, purchase a template, or contact us for support. It does not apply to third-party websites or services you may access through links on our site.
3. What We Collect
We may collect the following categories of personal information:
- Account and contact details: name and email address you provide when you purchase a template or contact support.
- Order and billing details: transaction identifiers, purchase history, and invoice metadata received from Polar. Payment card numbers are processed and stored by Polar and its payment processor; we do not receive or store them.
- Usage and device data: pages viewed, approximate location derived from IP address, browser type, and diagnostic information collected via cookies and similar technologies.
- Support communications: the content of messages you send us and any attachments you choose to provide.
4. How We Use Personal Data
We use personal data to:
- Process purchases and provide access to digital products.
- Send transactional messages (purchase confirmations, support replies).
- Prevent fraud, abuse, and unauthorized access.
- Operate, maintain, and improve our website, templates, and documentation.
- Comply with legal obligations (tax, accounting, law-enforcement requests).
We do not sell personal data and we do not use it for behavioural advertising.
5. Legal Bases (EEA / UK)
If you are in the EEA or the UK, we process personal data under the following legal bases, depending on the activity:
- Performance of a contract: to deliver purchases and provide support.
- Legitimate interests: to secure the Service, prevent fraud, and improve our products (balanced against your rights).
- Legal obligation: to keep tax, accounting, and compliance records.
- Consent: for non-essential cookies where required by law.
6. Third Parties & Sharing
We share personal data with service providers only as needed to operate our business:
- Merchant of Record: Polar Software, Inc. (3500 South DuPont Highway, Dover, DE 19901, United States). Polar processes buyer data at checkout for payment, billing, tax, fraud-prevention, invoicing and customer-support purposes. Polar acts as an independent data controller for this activity under GDPR. For account, API and infrastructure data that Polar holds on our behalf, Polar acts as our processor under a Data Processing Addendum incorporating the European Commission's Standard Contractual Clauses (Module 2) and the UK ICO International Data Transfer Addendum for transfers outside the EEA/UK. Polar's sub-processors include Stripe (payments), AWS, Vercel, Render, Resend, Numeral (tax), ChargebackStop, PostHog, Sentry, Pydantic Logfire and Plain. The current list is at https://polar.sh/legal/sub-processors. Polar's privacy policy: https://polar.sh/legal/privacy-policy. For privacy requests relating to data held by Polar, contact privacy@polar.sh.
- GitHub, Inc. (United States). When you purchase a template, Polar invites the GitHub account you nominate as a collaborator on the corresponding private repository under the `boilerlykit` GitHub organisation. Your GitHub username and the fact of the invitation are processed by GitHub under its own privacy notice.
- Hosting and infrastructure: Railway and Vercel (United States). Serve the website and backend; act as our processors.
- Email delivery: Resend (United States). Delivers transactional emails (order receipts, support replies) on our behalf; acts as our processor.
- Supabase (United States). Hosts our purchase audit log (order IDs, email, amount, status) under a standard data-processing agreement; acts as our processor.
We may also disclose personal data if required by law, to respond to lawful requests from public authorities, or to protect our rights, users, and the public.
7. International Data Transfers
We are based in Algeria. Our processors and Polar (our Merchant of Record) are located primarily in the United States. When personal data of EU, EEA or UK residents is transferred outside the EEA/UK, we rely on transfer mechanisms recognised under GDPR Article 46, including the European Commission's Standard Contractual Clauses (SCCs) and the UK ICO's International Data Transfer Addendum (IDTA). Polar's Data Processing Addendum, which incorporates the SCCs (Module 2) and the UK IDTA, is published at https://polar.sh/legal/data-processing-addendum. For Algerian-resident personal data, cross-border transfers are handled in line with Law No. 18-07 and any guidance issued by the Autorité Nationale de Protection des Données Personnelles (ANPDP). A copy of the relevant safeguards is available on request to dpo@boilerlykit.com.
9. Data Security
We use commercially reasonable technical and organisational measures to protect personal data, including TLS in transit, access controls on admin systems, and vendor-selection due diligence. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.
10. Data Retention
We keep personal data only as long as necessary for the purposes set out below:
| Data category | Retention |
|---|---|
| Order and invoice records | 10 years (Algerian Commercial Code, Art. 12: accounting books) |
| Account and contact details | Until deletion request + 90-day backup cycle |
| Support tickets and correspondence | 3 years after last contact |
| Analytics (aggregated) | 14 months |
| Essential cookies | Session |
| Analytics cookies | Up to 90 days |
| Backups | 30-day rolling |
11. Your Rights
Subject to applicable law, you have the right to access, correct, delete, or port your personal data; to object to or restrict certain processing; and to withdraw consent where processing is based on consent. To exercise these rights, contact privacy@boilerlykit.com or our Data Protection Officer at dpo@boilerlykit.com.
You also have the right to lodge a complaint with the competent supervisory authority. For Algerian residents this is the Autorité Nationale de Protection des Données Personnelles (ANPDP). If you are an EU resident, you may complain to the supervisory authority of your country of residence or workplace. A list is published by the European Data Protection Board at edpb.europa.eu.
12. Age of Users
The Service is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us personal data, contact privacy@boilerlykit.com and we will delete it.
13. External Links
Our website may link to external sites that we do not operate. We are not responsible for their content, data practices, or privacy policies.
14. Changes to This Policy
We may update this Privacy Policy from time to time. The updated version will be posted on this page with a new "Last updated" date. Material changes affecting how we use existing personal data will be communicated via email where appropriate.
15. Contact
For privacy-related questions or to exercise your rights, contact privacy@boilerlykit.com. For GDPR-specific requests, write to our DPO at dpo@boilerlykit.com.