Privacy Policy

Last updated: 2026-05-29

This Privacy Policy explains how String11, LLC handles personal data in connection with the String11 service operated under the LolyBuy brand at lolybuy.com.

1) Operator

String11, LLC, a Delaware limited liability company, operates the LolyBuy service at https://lolybuy.com. Official contact email addresses use the string11.com domain (for example privacy@string11.com). String11, LLC operates the lolybuy.com consumer interface and the string11.com contact channels.

String11, LLC, 8 The Green, STE A, Dover, DE 19901, United States

Contact: privacy@string11.com

2) Data Categories We Process

Based on current implementation and integrations, data categories include:

  • Contact/authentication data (for example, email used in Magic login flows; phone number when Magic stores a validated E.164 number and we forward it to Transak as part of on-ramp prefill).
  • Transactional-notification data (for example, order-status email dispatch metadata such as lifecycle status, send attempts, and delivery error state).
  • Buy-flow order records (for example, email, wallet address, order amounts, provider order identifiers, and notification state stored in our application database when DATABASE_URL is configured).
  • Wallet data (wallet addresses used in on-ramp and wallet views).
  • Transaction-related metadata (for example, selected assets/amounts, transaction references returned by providers, transfer metadata).
  • Technical/network data needed for security and operations (for example, IP-derived rate-limit context and request metadata).
  • Support/compliance communications you send to our contact channels.

California notice at collection (CPRA)

For California residents, the categories of personal information we collect are described above. We collect these categories for the business and operational purposes in section 3. We do not sell or share personal information for cross-context behavioral advertising, and we do not use sensitive personal information for purposes that require a “limit the use” right under the CPRA. You may submit privacy rights requests to privacy@string11.com as described in section 7.

3) Why We Process Data

We process data to:

  • authenticate users and maintain session security;
  • create and operate on-ramp widget sessions;
  • render wallet balance/activity views;
  • monitor reliability/security and investigate errors;
  • respond to support, legal, privacy, and security requests;
  • send transactional buy-flow lifecycle notifications (created/pending/completed/failed/expired/refunded) when enabled in product operations;
  • comply with legal obligations.

4) Third-Party Processors and Services

The service uses third-party providers that process data in their own systems:

  • Transak: fiat-to-crypto transaction/payment execution and related compliance checks for on-ramp flow.
  • Magic Labs: authentication/login and related account/session functions.
  • Alchemy: blockchain infrastructure/data APIs used for wallet transfer history.
  • Wagmi (with public EVM RPC endpoints): client-side tooling used to query chain state for wallet balance display; cookie-based storage may be used for SSR hydration. The current product build does not expose WalletConnect or Reown AppKit wallet-connection modals.
  • CoinGecko: market-price API used to display asset price information.
  • Resend (when transactional email notifications are enabled): email delivery for buy-flow lifecycle status messages initiated by String11.
  • Application database hosting (for example Supabase Postgres or equivalent when DATABASE_URL is configured): storage of purchase-order and email-job records described in section 2.
  • Upstash Redis (when UPSTASH_REDIS_REST_URL and token are configured): distributed rate-limiting metadata for abuse prevention on selected API routes.
  • Sumsub (optional; when SUMSUB_* credentials and applicant mapping are configured): short-lived KYC share tokens minted server-side for Transak KYC Reliance to reduce duplicate identity steps in the widget.
  • Vercel (or equivalent hosting provider): HTTPS delivery, serverless execution, and infrastructure access logs for the deployed application.

Public privacy/terms URLs for these providers (for convenience; always review the live site for the current version):

We do not claim control over third-party provider decisions or internal processing logic.

5) Cookies and Tracking

The app may use essential cookies and similar storage for service operation, including authentication/session continuity and wallet connection behavior.

Wagmi-related cookie storage may be used for SSR hydration and client chain reads as described in the Cookie Notice and the governance cookie inventory.

A dedicated cookie notice is publicly available at /legal/cookies.

6) Children

The String11 service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe we have received such information, contact privacy@string11.com.

Where EU/EEA or UK law applies, we do not knowingly offer the service to children under 16 without appropriate parental consent. The service is intended for users who can enter binding agreements under applicable law (typically adults). If you are a parent or guardian and believe your child has provided personal data, contact privacy@string11.com.

7) Legal Bases and Rights Handling

Where GDPR or similar law applies, we rely on the following legal bases for processing performed by String11 (third-party providers apply their own bases in their systems):

Processing purpose | Typical data | Legal basis (GDPR Art. 6)
Account authentication and session security | Email, Magic user identifiers, session artifacts | Performance of contract (Art. 6(1)(b))
Buy-flow order creation and status | Email, wallet address, order amounts, provider references | Performance of contract (Art. 6(1)(b))
Transactional lifecycle notifications | Email, order status metadata | Performance of contract (Art. 6(1)(b)); legitimate interests in service communications where permitted (Art. 6(1)(f))
Security, abuse prevention, and rate limiting | IP-derived context, request metadata | Legitimate interests (Art. 6(1)(f))
Support, legal, and compliance requests | Contact details and message content you provide | Legitimate interests (Art. 6(1)(f)); legal obligation where required (Art. 6(1)(c))
Record retention per section 9 | Order and operational records | Legal obligation where required (Art. 6(1)(c)); legitimate interests (Art. 6(1)(f))

Where applicable law provides privacy rights (for example access, deletion, correction, portability, restriction, or objection), requests can be sent to privacy@string11.com. We handle requests in accordance with applicable law and the technical/legal role boundaries of our service and third-party providers. Some data is held only in provider systems (for example Transak payment/KYC records); we will direct you to provider privacy channels when we cannot fulfill a request directly.

California residents may also have rights under the CPRA as described in section 2. We do not sell or share personal information for cross-context behavioral advertising.

8) Data Sharing and Transfer Context

Data is shared with or processed by third-party providers only as needed to operate the service functionality described above. Because providers and infrastructure may operate across jurisdictions, processing/transfers may occur in multiple regions depending on provider architecture.

Where required, we rely on processors’ published terms and applicable transfer mechanisms, which may include standard contractual clauses, data processing agreements, or other safeguards offered by the processor. Processor-specific DPAs and subprocessor lists are available from each vendor’s trust or legal pages linked in section 4.

9) Retention and Security Summary

We retain personal data only as long as needed for the purposes described in this policy, unless a longer period is required by law. Published retention periods for data stored in our application database (when configured) are:

Data category | Retention period | Notes
email_jobs queue records | 90 days after terminal status (sent or dead-letter) | Operational email dispatch metadata only
webhook_events deduplication records | 90 days after receipt | Provider webhook ingress dedupe; not a full transaction ledger
purchase_orders buy-flow records | Up to 7 years after last update | Supports disputes, tax, and compliance; email and other direct identifiers may be anonymized after 3 years on terminal orders while non-identifying order metadata is retained for the full period

Provider-held data (for example Magic authentication artifacts, Transak payment/KYC records, infrastructure logs) is retained under each provider’s policies. We implement reasonable administrative and technical safeguards, but no online system can be guaranteed completely secure.

Automated purge jobs use the periods above when database storage is enabled.

10) Data Breach Notification

If we become aware of a personal data breach likely to result in a risk to your rights and freedoms, we will assess the incident promptly, take reasonable steps to contain and remediate it, and notify the relevant supervisory authority within 72 hours where GDPR requires. Where the breach is likely to result in a high risk to you, we will also notify affected individuals without undue delay, unless an exemption applies under applicable law.

US state breach-notification laws may require notice to residents and regulators on different timelines; we will comply with applicable requirements.

Report suspected security incidents to security@string11.com. Privacy-related breach questions: privacy@string11.com.

11) Automated Decision-Making

We do not use automated decision-making or profiling that produces legal or similarly significant effects solely within the String11 app beyond what third-party providers (for example, compliance checks in the on-ramp widget) perform under their own policies.

12) Changes to This Policy

We may update this Privacy Policy from time to time with notice through our website and/or service interfaces (including an in-app notice when the published policy version changes). Continued use after updates are posted constitutes acceptance of the updated policy where permitted by law.