CrochetersHub legal information

Privacy Policy

Last updated: 12 May 2026

This Privacy Policy explains how CrochetersHub processes personal data for its website, marketplace, creator, checkout, shipping, account, communication and community features. It is based on the technical privacy inventory available on 11 May 2026 and is intentionally conservative where implementation details still need verification.

CrochetersHub does not use a client-readable email cookie as an authentication source. Current-user identification is based on the server-side session and the /api/me endpoint.

1. Introduction

CrochetersHub is a public website and marketplace for crochet-related products, patterns, tutorials, creator memberships, tester calls, community interactions and related services. This policy describes the personal data processed when users browse, create accounts, buy or sell items, use creator tools, contact support, subscribe to communications, use chat/community features or interact with shipping, payment and notification services.

2. Controller and Contact Details

The CrochetersHub service is operated under the C-Hub brand. The full legal entity name is still to be confirmed for publication as: [Company legal name].

Published business details currently used on CrochetersHub are: C-Hub, P.IVA 14576610969, Viale Rodi 91, Milano, Italy. Privacy and general contact email: info@crochetershub.com.

3. Scope of This Policy

This policy covers the CrochetersHub production website and related backend services. It does not describe unrelated repositories or separate services unless they are used by CrochetersHub. Provider regions, transfer mechanisms, exact contract terms and several retention periods are marked as to be verified where the inventory did not provide confirmed evidence.

4. Account Authentication and Current-User Identification

CrochetersHub authentication relies on server-side sessions. The browser stores a signed, HTTP-only session cookie named sid; the server resolves the current user from that session and exposes the current account state through /api/me.

The logged_in cookie may exist only as a non-PII user-interface hint. It is not an authorization source. The legacy client-readable email authentication cookie has been removed and must not be reintroduced.

5. Data Categories

| Data category | Examples | Main purposes | Sources / notes |
| --- | --- | --- | --- |
| Identity and account data | Email, username, account type, password hash where applicable, Google identity data, avatar, account status. | Account creation, login, profile access, security, account recovery and account-deletion workflows. | Provided by the user or by Google OAuth when the user chooses Google sign-in. |
| Profile and contact data | Name, display name, profile information, addresses, phone number, contact form details. | Marketplace profiles, shipping, support, phone verification and user communications. | Provided by users or collected during marketplace and checkout flows. |
| Marketplace and user content | Product and pattern listings, descriptions, images, files, tutorial metadata, comments, reviews, reports and moderation records. | Publishing marketplace content, operating creator tools, moderation, trust and safety, support and dispute handling. | Uploaded or generated through CrochetersHub features. |
| Orders, payments and subscriptions | Order details, prices, currencies, buyer/seller metadata, Stripe session/payment/subscription/customer identifiers, refunds and fee audit data. | Checkout, payment confirmation, refunds, accounting, fraud prevention, seller payouts, memberships and gift cards. | Card details are handled by Stripe-hosted payment flows and are not stored by CrochetersHub. |
| Shipping and fulfillment data | Sender/recipient names, addresses, phone/email where needed, parcel details, service point data, labels and tracking numbers. | Rates, labels, delivery, customs where applicable, tracking, delivery support and dispute handling. | Shared with shipping providers and carriers where needed to fulfill orders. |
| Communications and notifications | Service emails, newsletter subscriptions, unsubscribe tokens, support messages, chat/message previews, browser push subscription endpoints and keys. | Account, order, support, news, marketing where consent applies, chat, tester-call and notification features. | Email is sent through configured SMTP/Nodemailer providers; push uses browser push services. |
| Community, creator and program data | Tester calls, applications, messages, media, membership posts, membership direct messages, badges, challenges and referral records. | Community participation, creator membership access, tester-call management, referral attribution and platform features. | Collected when users choose to use these features. |
| Technical, security, analytics and audit data | Session records, IP or hashed IP where implemented, user agent, page-view logs, referral clicks, audit logs, moderation findings and security events. | Security, debugging, abuse prevention, operational analytics, legal compliance and service improvement. | Retention and legal classification for several log families are still to be verified. |

6. Account, Profile and Login Data

Account data is used to create and manage user profiles, authenticate users, protect accounts, recover passwords, support Google sign-in and distinguish buyer, creator, seller or admin functionality where applicable. Password reset tokens appear to be valid for one hour; exact retention of expired reset records is to be verified.

7. Marketplace, Creator and User-Generated Content

CrochetersHub processes product, pattern, tutorial, creator-membership and community content so users can publish, discover, buy, sell, manage and moderate marketplace activity. Some public content may remain visible while an account is active or until removed through available product, moderation or administrative workflows. Account-wide erasure or anonymization of all user-generated content was not confirmed in the inventory.

8. Orders, Checkout and Payments

Checkout and payment flows use order, item, buyer, seller, currency, fee, refund and Stripe identifier data. Stripe processes card/payment details on Stripe-hosted payment pages. CrochetersHub stores Stripe identifiers and related transaction metadata needed for order fulfillment, refunds, accounting, fraud/security and seller payout operations, but it does not store card numbers or full card details.

9. Shipping and Fulfillment

Shipping data may be shared with Sendcloud, FedEx and carriers used through shipping integrations to calculate rates, select service points, create parcels and labels, handle customs where applicable, track shipments and support delivery issues. Exact subprocessors, provider regions and contractual details are to be verified.

10. Communications, Newsletter and Notifications

CrochetersHub sends service messages for account, verification, password reset, account deletion, orders, shipping, support, chat, membership, tester-call, tutorials and platform notices. Newsletter or marketing communications require the relevant subscription or opt-in flow and must remain controllable through unsubscribe or preference choices where available.

If users enable browser push notifications, CrochetersHub stores push subscription data and sends notification payloads through browser push services such as those operated by the user's browser/platform provider.

11. AI, Moderation and Automated Assistance

The inventory confirms use of OpenAI for several features, including listing tags, listing/product moderation, image moderation, custom order image moderation, membership direct-message moderation, chat/support AI replies, chat translation and language detection. Data sent to OpenAI may include user-generated text, product or pattern metadata, images, support/chat excerpts and moderation content relevant to the feature being used.

Exact OpenAI account settings, data retention controls, DPA status and transfer details are to be verified.

12. Chat, Community and Program Features

Chat and community features may process conversation participants, messages, image URLs, read/typing/pin state, tester-call messages, applications, reports and creator membership interactions. Supabase is used for secure backend chat storage/proxy flows. Legacy direct frontend chat code was identified in the inventory but current chat pages reference the secure wrapper; legacy exposure should be retired or access-controlled after verification.

13. Cookies, Browser Storage and Consent Choices

CrochetersHub uses technical cookies and browser storage for sessions, language, currency, cart/checkout state, referral attribution, newsletter popup state, push prompt state, app-mode behavior and consent choices. Optional analytics, marketing or profiling technologies must remain managed through the cookie banner and preference system.

As of the latest inventory, Google Analytics/Google Tag Manager were configured or allowlisted but not confirmed active at runtime. Meta Pixel, TikTok Pixel and Pinterest Pixel were not confirmed as active. Cookie details are available in the Cookie Policy.

14. Providers and Third Parties

| Provider / third party | Confirmed role | Data involved | Region / transfer status | Notes |
| --- | --- | --- | --- | --- |
| Stripe | Checkout, hosted payment pages, Connect onboarding, subscriptions, memberships, wallet top-ups, gift cards, refunds and webhooks. | Customer email, order/payment metadata, amount/currency, seller Stripe IDs, payment/session/subscription/customer IDs, refund/fee data. | Exact entity, region and transfer mechanism to be verified. | Card details are entered on Stripe-hosted pages and are not stored by CrochetersHub. |
| Sendcloud | Shipping rates, service points, parcel creation, labels, tracking and webhooks. | Sender/recipient address data, postal code, city, country, carrier/method, parcel, tracking and label data. | To be verified. | Used for delivery and shipping support. |
| FedEx | International shipping rates, pickup/dropoff locations, labels and tracking. | Sender/recipient names, addresses, phones, emails, parcel/customs details and tracking data. | To be verified. | Carrier processing may involve international shipment/customs handling. |
| Google OAuth | Google sign-in/sign-up. | OAuth code/state, Google email, ID, avatar, name and provider data. | To be verified. | Used only when the user chooses Google authentication. |
| Google Places / Maps APIs | Address autocomplete, place details and location/map support. | Address queries, place IDs, session tokens and location/address search parameters. | To be verified. | Consent posture for each map/location surface is to be verified. |
| Google Fonts | Frontend font loading. | Browser request metadata such as IP address, user agent and requested font resources. | To be verified. | External font loading is confirmed unless fonts are later self-hosted. |
| YouTube / Google APIs | Tutorial upload to an official YouTube channel, availability checks and OAuth setup. | Tutorial video files, title, description, language, creator username/profile link and video status/errors. | To be verified. | Used where creator tutorial consent and related workflow apply. |
| S3-compatible object storage, likely Cloudflare R2 | Media storage, presigned uploads/downloads and public media URLs. | Object keys, media files, content type/size and presigned URL data. | Exact provider, bucket region and transfer mechanism to be verified. | Provider name must be finalized after runtime/config verification. |
| Cloudflare / CDN providers | CDN assets and possible object-storage/CDN delivery. | Browser request metadata for scripts, styles and assets; storage data if R2 is confirmed. | To be verified. | Includes confirmed Cloudflare-hosted CDN use such as cdnjs.cloudflare.com. |
| Supabase | Secure backend chat proxy and chat storage. | Conversation participants, emails/usernames/types/avatar URLs, messages, images and read/typing/pin state. | Project region and transfer mechanism to be verified. | Legacy direct frontend client should be retired or access-controlled after verification. |
| OpenAI | AI tagging, moderation, image moderation, chat/support replies, translation and language detection. | Listing/product text and images, chat/support excerpts, membership DM text, custom order images and moderation content. | To be verified. | Processing scope is broader than listing tags and should stay disclosed. |
| Twilio | Phone verification by SMS/Verify. | Phone number, verification code/check status and related verification metadata. | To be verified. | Used when phone verification is enabled/used. |
| SMTP / Nodemailer mail provider | Transactional, service, support, newsletter and notification emails. | Recipient email, subject/body, message previews, order/shipping/support details and unsubscribe tokens. | Exact SMTP provider, region and transfer mechanism to be verified. | Deletion-pending account suppression exists in main mail paths; some route-local/test paths need verification. |
| Browser push services | Push notification delivery through browser/platform endpoints. | Push endpoint, p256dh/auth keys, notification title/body/url/icon. | Depends on browser endpoint provider; to be verified. | Browser permission is required before push notifications are used. |
| jsDelivr, cdnjs/Cloudflare and unpkg | Frontend CDN libraries and assets. | Browser request metadata and requested resource URLs. | To be verified. | Confirmed by code/cookie scan as external asset domains. |

15. International Transfers and Provider Locations

Some providers may process personal data outside the user's country or the European Economic Area. Exact provider entities, regions, subprocessors, data processing agreements and transfer mechanisms were not fully verified in the technical inventory and are therefore marked as to be verified in this policy.

16. Retention Periods

| Data / process | Confirmed period or behavior | Status | Notes |
| --- | --- | --- | --- |
| Session cookie sid | 7 days. | Confirmed by code. | Current user is resolved server-side. |
| Database session cleanup | Expired or revoked sessions older than 30 days are deleted. | Confirmed by code/schema. | Sessions are revoked on logout/account deletion request. |
| OAuth state/intent cookies | 10 minutes. | Confirmed by code. | Used for Google OAuth flow security. |
| Language cookie chub_lang | 365 days. | Confirmed by code. | User preference. |
| Newsletter no-popup cookie nl_no_popup | 365 days. | Confirmed by code; runtime to verify. | User preference. |
| Currency cookie currency | 30 days in normal flow; 7 days in fallback flow. | Confirmed by code. | User preference. |
| Referral cookies ref_code / ref_id | Default 90 days. | Confirmed by code; runtime to verify. | Referral attribution. |
| Password reset token | Validity appears to be 1 hour. | Confirmed by route logic; row cleanup to verify. | Expired token record retention not confirmed. |
| Account deletion recovery/grace period | 30 days. | Confirmed by code/schema. | Account is marked pending deletion during the grace period. |
| Phone verification | expires_at, attempts and status fields exist. | Retention to be verified. | Cleanup period was not found. |
| Orders, payments, shipping, tax/accounting, refunds and fraud/security records | Retention period not confirmed. | To be verified. | Legal/accounting requirements likely apply but exact periods must not be guessed. |
| Profiles, marketplace content, media, chats, community data, logs, audits and moderation records | Retention period not confirmed. | To be verified. | No broad retention schedule was found in the inspected code. |

17. Account Deletion

| Step | Current behavior | User-facing effect | Status |
| --- | --- | --- | --- |
| Deletion request | Authenticated users can request deletion through POST /api/account-deletion/request with confirmation requirements. | A deletion request record is created or updated. | Confirmed by code/schema. |
| 30-day recovery/grace period | recover_until is set to requested date plus 30 days. | The account enters a pending deletion state during the grace period. | Confirmed by code/schema. |
| Account lock and sessions | Linked account statuses are set to pending_deletion; sessions are revoked and auth cookies are cleared. | Most account/API access is blocked except allowed logout/account-deletion paths. | Confirmed by code/schema. |
| Newsletter and email suppression | Newsletter subscriber records are set inactive/unsubscribed and main mail paths suppress most emails to pending/deleted accounts. | Service messages are limited to allowed purposes such as security, recovery and account deletion. | Confirmed for main paths; route-local/test mail paths to verify. |
| Recovery or rejection | Admin rejection can restore account statuses to active where linked. | User self-recovery endpoint was not found in inspected code. | Admin-mediated recovery confirmed; self-service recovery to verify. |
| Finalization | Admin can approve/reject/finalize; a manual/admin due-finalizer route exists. | Finalized accounts are marked deleted/completed and newsletter remains unsubscribed. | Confirmed; scheduled finalizer not found. |
| Broad erasure/anonymization | No broad deletion/anonymization of user rows, orders, chats, media, provider records, storage objects or logs was confirmed. | Current deletion is status-based unless handled manually or by a process not found in the inspected code. | Not confirmed; to be verified before any stronger claim. |

18. Security, Fraud Prevention and Logs

CrochetersHub processes security and audit data to maintain server-side sessions, prevent abuse, moderate content, protect checkout and marketplace operations, investigate reports and support operational reliability. Some page view, referral and audit data may be collected before cookie consent where the code treats the processing as operational or security-related; the exact legal classification and retention for these records are to be verified.

19. Your Rights and Choices

Depending on your location and applicable law, you may have rights to access, correct, delete, restrict, object to processing, port your data or withdraw consent where processing is based on consent. Requests can be sent to info@crochetershub.com. Some data may need to be retained where required for legal, accounting, fraud prevention, dispute, security or operational reasons.

20. Marketing, Newsletter and Optional Cookies

Marketing emails and optional tracking or profiling technologies require the relevant subscription, opt-in or cookie preference choice. Users can manage optional cookie categories through the cookie banner/preference system. Newsletter communications should include unsubscribe or preference options where required.

21. Children and Age-Related Use

CrochetersHub is not intentionally designed for children. The exact age-gating, parental-consent wording and jurisdiction-specific requirements should be verified with legal counsel before stronger public claims are made. If you believe a child has provided personal data through CrochetersHub, contact info@crochetershub.com.

22. Changes to This Policy

CrochetersHub may update this Privacy Policy when features, providers, retention practices or legal requirements change. Material updates should be reflected on this page and, where relevant, in the cookie banner or preference system before optional analytics or marketing tools are activated.

23. Items Still Under Verification

Some operational and contractual details are still being reviewed and will be updated when confirmed. These include:

We do not state these items more strongly until verification is complete. This policy will be updated where needed to reflect confirmed information.

24. Contact

For privacy questions, rights requests or account-deletion questions, contact CrochetersHub at info@crochetershub.com.