Skip to main content

Privacy Policy

Effective Date: March 20, 2026 Last Updated: March 20, 2026

This Privacy Policy describes how Refined Element, LLC ("Company," "we," "us," or "our") collects, uses, and protects your information when you use Lightning Enable.

1. Information We Collect

Account Information

When you create a Lightning Enable merchant account, we collect:

  • Name — your full name or business name
  • Email address — for account communication and order notifications
  • Plan tier — your subscription level

This information is provided directly by you during registration.

Payment Provider Credentials

To connect Lightning Enable to your payment provider, you provide:

  • Strike API Key or OpenNode API Key
  • Shopify Admin API Access Token (if using the Shopify integration)
  • Webhook secrets (for payment notification verification)

These credentials are encrypted at rest using AES-256-GCM encryption. They are only decrypted in memory when processing API requests on your behalf. We never log, display, or transmit your credentials in plaintext.

Subscription and Billing

Subscription payments are processed by Stripe. We do not store your credit card number, bank account details, or other payment method information. Stripe handles all payment data in compliance with PCI DSS. We receive from Stripe:

  • Subscription status (active, cancelled, past due)
  • Stripe customer ID and subscription ID
  • Plan and pricing information

API Usage Data

When you use the Lightning Enable API, we collect:

  • API request metadata — endpoint, HTTP method, timestamp, response status code
  • IP address — of the client making the request
  • User agent — of the client making the request
  • Merchant ID — to scope requests to your account

We do not log request or response bodies that contain sensitive data (API keys, credentials, macaroons, preimages, or customer PII).

Shopify Integration Data

If you use the Shopify L402 integration, we store:

  • Shopify store domain and integration configuration
  • Order metadata — order ID, status, line items, pricing, timestamps
  • Customer shipping information — name, address, email, phone (provided at claim time by the buyer)
  • Claim tokens — for order claim verification

We do not access your Shopify customer database, analytics, or any data beyond what is needed to create orders.

Tracking Technologies

Dashboard (app.lightningenable.com or equivalent): The Lightning Enable dashboard uses server-side rendering (Blazor Server). We do not use cookies, tracking pixels, or third-party analytics within the dashboard application.

Documentation Site (docs.lightningenable.com): We use Google Analytics (gtag.js) on our documentation site with the following configuration:

  • IP anonymization is enabled (anonymize_ip: true)
  • No advertising features are enabled
  • No cross-site tracking is enabled
  • Data is used solely to understand documentation usage patterns (page views, navigation flow)

You may opt out of Google Analytics by:

No other tracking technologies are used on any Lightning Enable property.

2. How We Use Your Information

We use your information solely for:

PurposeData Used
Providing the serviceAccount info, credentials (encrypted), API metadata
Processing paymentsStripe subscription data
Creating Shopify ordersShopify credentials, order data, customer shipping info
Security and fraud preventionIP addresses, user agents, request patterns
Debugging and supportAPI request metadata, error logs (without sensitive data)
Service communicationsEmail address (account notifications, critical updates)
Legal complianceAccount and transaction records as required by law

We do not:

  • Sell, rent, or trade your personal information
  • Use your data for advertising or marketing to third parties
  • Share your data with data brokers
  • Use your payment provider credentials for any purpose other than processing your API requests
  • Access your payment provider account beyond the API scopes you authorize

3. Information Sharing

We share your information only in these limited circumstances:

Service Providers

  • Stripe — processes subscription payments
  • Azure — hosts our infrastructure (API, database, key vault)
  • Vercel — hosts our documentation site

These providers process data only as necessary to provide their services and are bound by their own privacy policies.

Payment Providers

When you make API calls through Lightning Enable, we forward requests to your configured payment provider (Strike or OpenNode) using your encrypted credentials. The payment provider receives only the data necessary to process the specific request (e.g., invoice amount, currency).

Shopify

When creating orders through the Shopify integration, we send order details and customer shipping information to Shopify via their Admin API using your Shopify access token. This data is governed by Shopify's privacy policy and your agreement with Shopify.

We may disclose your information if required by law, legal process, or government request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

Sub-Processors

We use the following sub-processors to provide Lightning Enable:

Sub-ProcessorPurposeLocation
Microsoft AzureCloud hosting, database, key managementUnited States (East US)
StripeSubscription billing and payment processingUnited States
VercelDocumentation site hostingUnited States
Google (Analytics)Documentation site usage analyticsUnited States

We will update this list when we add or change sub-processors. Material changes to sub-processors will be communicated via email notification at least thirty (30) days in advance.

Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.

4. Data Security

We implement industry-standard security measures to protect your information:

MeasureDetails
Encryption at restPayment provider credentials encrypted with AES-256-GCM
Encryption in transitAll API traffic over HTTPS/TLS
Database securityAzure SQL with Entra ID authentication, no shared passwords
Key managementEncryption keys stored in Azure Key Vault
Access controlAPI key authentication, tenant isolation (row-level security by MerchantId)
Credential handlingNever logged, never returned in API responses, decrypted only in memory
Rate limitingApplied to public endpoints to prevent abuse

Despite these measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

5. Data Retention

We retain your data only as long as necessary for the purposes described in this Privacy Policy, subject to the following retention schedule:

Data TypeRetention PeriodJustification
Account information (name, email, plan)Duration of your active account + 12 months after account deletion or terminationLegal compliance, dispute resolution, accounting
Encrypted payment provider credentialsDeleted within 24 hours of revocation or account terminationNo longer needed once access is revoked
API request logs (metadata only)90 days from date of requestSecurity monitoring, debugging, abuse prevention
Shopify order dataDuration of your active account + 12 months (or longer if required by applicable tax or commercial law)Order fulfillment, tax compliance, dispute resolution
Customer shipping information (Shopify)Duration of your active account + 12 monthsOrder fulfillment and dispute resolution
Stripe subscription dataManaged by Stripe per their data retention policyStripe is an independent data controller for billing data
Security event logs (failed auth attempts, rate limit violations)180 daysSecurity monitoring and incident response

Deletion Process

Upon expiration of the applicable retention period, data is permanently deleted using industry-standard secure deletion methods. We do not retain backup copies of deleted data beyond the stated retention periods, except where required by applicable law.

Notwithstanding the foregoing retention periods, we may retain data for longer periods where required by applicable law, regulation, or legal proceeding, including litigation holds, regulatory investigations, or law enforcement requests.

Your Right to Early Deletion

You may request deletion of your account and associated data at any time by contacting privacy@lightningenable.com. Upon receiving a verified deletion request, we will:

(a) Delete or anonymize your account information within thirty (30) days;

(b) Immediately delete your encrypted payment provider credentials;

(c) Retain API request logs and Shopify order data for the remainder of their stated retention periods (as these may be needed for security and legal compliance); and

(d) Confirm deletion in writing.

6. Your Rights

Depending on your jurisdiction, you may have the following rights:

All Users

  • Access — request a copy of the personal information we hold about you
  • Correction — request correction of inaccurate information
  • Deletion — request deletion of your account and associated data
  • Credential revocation — revoke payment provider credentials at any time via the dashboard

California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

  • Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the business or commercial purpose for collecting it, and the categories of third parties with whom we share it.

  • Right to Delete: You may request deletion of personal information we have collected from you, subject to certain exceptions permitted by law.

  • Right to Correct: You may request correction of inaccurate personal information.

  • Right to Opt Out of Sale or Sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising purposes. As such, there is no need to opt out, but you may contact us at privacy@lightningenable.com to confirm.

  • Right to Limit Use of Sensitive Personal Information: We collect limited sensitive personal information (account credentials). This information is used solely for providing the Lightning Enable service and is not used for purposes that would trigger the right to limit under CCPA.

  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise your rights, contact privacy@lightningenable.com. We will verify your identity before processing your request and will respond within forty-five (45) days as required by law.

You may designate an authorized agent to make a request on your behalf. We may require the authorized agent to provide proof of authorization and may separately verify your identity.

EU/EEA Residents (GDPR)

If you are located in the EU/EEA, you have additional rights under the General Data Protection Regulation:

  • Right to access, rectify, or erase your personal data
  • Right to restrict or object to processing
  • Right to data portability
  • Right to withdraw consent
  • Right to lodge a complaint with a supervisory authority

Our legal basis for processing your data is:

  • Contract performance — providing the Lightning Enable service
  • Legitimate interest — security, fraud prevention, service improvement
  • Legal obligation — compliance with applicable laws

Exercising Your Rights

To exercise any of these rights, contact us at privacy@lightningenable.com. We will respond within 30 days (or sooner as required by law).

7. Children's Privacy

Lightning Enable is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child under 18, we will promptly delete it.

8. International Data Transfers

Lightning Enable infrastructure is hosted in the United States (Microsoft Azure, East US region). If you access the service from outside the United States, your information will be transferred to and processed in the United States.

Transfer Mechanisms

For transfers of personal data from the European Economic Area, United Kingdom, or Switzerland to the United States, we rely on:

(a) Standard Contractual Clauses (SCCs) — as approved by the European Commission (Commission Implementing Decision (EU) 2021/914), incorporated into our Data Processing Agreement; and

(b) UK International Data Transfer Addendum — for transfers from the United Kingdom, as applicable.

Where we use sub-processors (including Azure, Stripe, and Vercel), we ensure that appropriate data transfer mechanisms are in place between us and each sub-processor.

By creating an account and using Lightning Enable, you acknowledge that your data will be processed in the United States and that you have reviewed this section regarding the transfer mechanisms we employ.

Lightning Enable may contain links to third-party websites or services (e.g., Strike, OpenNode, Shopify). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Updating the "Last Updated" date at the top of this page
  • Sending an email notification for significant changes

Your continued use of Lightning Enable after changes take effect constitutes acceptance of the updated policy.

11. Contact

For privacy-related questions or to exercise your rights:

Data Controller: Refined Element, LLC [Street Address] [City], Florida [ZIP] United States