Privacy Policy

This Privacy Policy explains what personal information Onelink collects when you use our website and delivery service, why we collect it, how we use and share it, and what rights you have over it. We follow Jamaica's Data Protection Act, 2020 and apply common-sense data minimisation across the board.

• Order information: name, phone number, email address (optional), delivery address, delivery instructions, and items purchased.
• Payment information: we do not store full card numbers. Card data is collected and processed directly by our payment processor (Stripe). We retain the last 4 digits, card brand, and a Stripe-issued payment reference for reconciliation. For Cash on Delivery, no card data is collected at all.
• Device and usage information: IP address, browser type, pages viewed, and other standard server-log data, used to operate the site, prevent fraud, and improve performance.
• Cookies: we use a small number of essential cookies (cart session, age-gate confirmation) and may use anonymous analytics cookies. We do not currently run third-party advertising trackers.
• Age verification:if a rider requests photo ID at delivery, we do not retain a copy of the document — the rider visually confirms age and either completes or refuses the delivery.

• To process, fulfil, and deliver your order.
• To send order confirmations, shipping updates, and delivery notifications via SMS, email, or WhatsApp using the contact details you provided.
• To process payments and refunds, and to detect and prevent fraud.
• To respond to support requests and feedback.
• To meet legal, regulatory, and accounting obligations under Jamaican law.

We share information only with parties who help us deliver the service:

• Payment processing:Stripe (card payments). Stripe handles card data under PCI DSS and its own privacy policy.
• Notifications: Twilio (SMS) and Resend (email) deliver our order messages. They receive your phone number or email plus the message body.
• Delivery riders: we share your name, phone, address, and items so the rider can complete the delivery. Riders are bound by confidentiality obligations.
• Infrastructure providers: our hosting (Vercel, Railway) and database (Supabase) process data on our behalf under their respective security programs.
• Law enforcement: when required by valid legal process or to protect the safety of users, riders, or our staff.

We do not sell your personal information.

We retain order and payment records for the period required by Jamaican tax and consumer-protection law (typically 7 years). Marketing-eligible contact information is retained until you ask us to delete it. Server logs are retained on a rolling 90-day window.

Under Jamaica's Data Protection Act you may request access to the personal data we hold about you, ask us to correct inaccuracies, request deletion (subject to legal retention obligations), or object to certain types of processing. Contact us at privacy@onelink.example and we will respond within 30 days.

We use industry-standard encryption for data in transit (HTTPS/TLS) and at rest (managed Postgres). Access to customer data inside the company is restricted to staff who need it to operate the service. No system is perfectly secure, and we encourage you to use a strong, unique password (when account features apply) and to notify us promptly of any suspected unauthorised use.

Onelink is not intended for anyone under 18. We do not knowingly collect personal information from minors. If you believe a minor has shared information with us, contact us and we will delete it.

We may update this Privacy Policy from time to time. The effective date is shown at the top. Material changes will be communicated through the site or via email where we have one on file.

Questions or requests about your data? Email privacy@onelink.example.