Privacy Policy

This Privacy Policy explains how Win Mata (ဇလပ်ဝါ) (ဇလပ်ဝါ) collects, uses, stores, and shares personal information when you use our customer website at https://winmata2customer.vercel.app (the "Site"), including when you browse products, create an account, place orders, upload payment proofs, or contact support.

Last updated: May 20, 2026. By using the Site, you acknowledge this policy. This document reflects how our application is built and operated; it is not legal advice.

The Site is operated by Win Mata (ဇလပ်ဝါ) (ဇလပ်ဝါ), a bakery and wholesale business based in Mandalay, Myanmar.

For privacy questions, use the contact details in the "Contact us" section below or in the site footer.

We collect information you provide directly, information generated when you use the Site, and limited technical data from your device and third-party services.

• Account and authentication: email address, password (handled by Firebase Authentication—we do not store your password in plain text), display name, and email verification status when you register with email and password.
• Google sign-in: when you sign in with Google, we receive your Google account identifier, email address, name, profile photo URL, and whether your email is verified. Google OAuth is used under the openid, email, and profile scopes.
• Profile and delivery: name, phone number, street address, region, city, township (Myanmar address fields), saved delivery addresses, wishlist items, reward points, discount eligibility, join date, and last login time stored in our user database.
• Orders and payments: order items, quantities, prices, totals, delivery address and phone, selected manual payment method (such as bank account details shown at checkout), installment or payment history, and payment proof images you upload. We do not process credit or debit cards on the Site; payments are verified manually using bank transfer or QR methods.
• Support chat: when you use in-site support chat while logged in, we store your user identifier, name, email, avatar, message content, timestamps, and read status.
• Browsing and cart: product views and cart contents may be stored in your browser (localStorage) so your cart persists between visits.
• Session: if you sign in with Google, we set an httpOnly session cookie (auth-session) containing your user id, email, name, and optional profile picture URL for up to seven days.
• Analytics: when enabled, we send page views (including page path and query string), product and commerce events (such as view item, add to cart, begin checkout, purchase), and sign-in events to Firebase Analytics (Google Analytics). When you are logged in, your Firebase user id may be associated with analytics events.
• Affiliate map: the affiliates page displays business partner shop locations, addresses, and contact details from our catalog. We do not collect your device location for that map.
• Technical data: IP address, browser type, device information, and similar data may be collected automatically by Firebase, Google, or content delivery networks when you load the Site.

We use personal information for the following purposes:

• Creating and managing your account and keeping you signed in.
• Processing orders, arranging delivery, and communicating about your orders.
• Verifying manual payments using the proof images and payment details you submit.
• Providing customer support through chat and responding to inquiries.
• Applying verified-customer discounts, rewards, and related account features shown in your profile.
• Improving the Site, understanding how it is used, and measuring commerce activity through analytics.
• Maintaining security, preventing abuse, and enforcing our terms of use.

Where applicable, we rely on the following bases to process your personal information:

• Performance of a contract: processing orders, delivery details, and payments you initiate.
• Legitimate interests: operating and securing the Site, verifying payments, providing support, and using analytics to understand and improve our services, balanced against your rights.
• Consent: where you voluntarily provide information (for example, optional profile fields or support messages) or where consent is required by law.

We do not sell your personal information. We share data only as needed to run the Site, with service providers that process data on our behalf, or when required by law.

• Google: OAuth sign-in, optional Google Analytics via Firebase Analytics, and Google Fonts loaded through our hosting framework. Google's privacy policy applies to their services: https://policies.google.com/privacy
• Firebase / Google Cloud: authentication, Firestore database, cloud storage (including payment proof images and product media), and related infrastructure. Data is processed under Google's terms and privacy policy.
• OpenStreetMap and Cloudflare: map tiles and Leaflet assets on the affiliates page may load from tile.openstreetmap.org, cdnjs.cloudflare.com, and related hosts when you view the map.
• Affiliate listings: partner shop names, addresses, phone numbers, and locations displayed on the affiliates page are business contact information from our catalog, not your personal data as a customer.

The Site uses cookies, browser storage, and similar technologies as follows:

• auth-session (cookie): essential for Google sign-in sessions; httpOnly; SameSite=Lax; up to seven days; contains user id, email, name, and optional profile picture URL.
• Firebase Authentication: session tokens managed by Firebase when you are signed in.
• localStorage (winmata_cart): stores your shopping cart on your device until you clear it or remove items.
• sessionStorage (analytics_pending_google_login): short-lived flag used once after Google redirect to record a sign-in analytics event.
• Analytics cookies and identifiers: when NEXT_PUBLIC_FIREBASE_MEASUREMENT_ID is configured, Firebase Analytics / Google Analytics may set cookies or use similar identifiers. We do not currently show a separate cookie consent banner; analytics runs when that measurement id is enabled.

We retain personal information for as long as your account is active, as needed to fulfill orders and support obligations, and as required for payment verification, accounting, or legal compliance.

Order records, payment proofs, and support chat history may be kept for a reasonable period after completion so we can resolve disputes, audit payments, and improve service. We do not publish fixed deletion schedules in the application code; retention follows business and legal needs.

We use industry-standard measures including HTTPS, httpOnly session cookies, and Firebase security rules to protect data. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

Depending on applicable law, you may have rights to access, correct, delete, or restrict use of your personal information, or to object to certain processing.

• Profile: you can review and update much of your account information in the Profile section while signed in.
• Sign out: logging out clears your Google session cookie on the Site; Firebase sign-in state is managed through Firebase Authentication.
• Analytics: site-wide analytics is only active when our Firebase measurement id is configured in the deployment environment.
• Requests: to ask about access, correction, or deletion of your data, contact us using the details below. We do not currently offer an automated account-deletion button in the customer app.

The Site is not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us data, contact us and we will take appropriate steps to delete it.

Our service providers (including Google and Firebase) may process and store information on servers located outside Myanmar, including in the United States and other countries. Those providers are contractually or terms-bound to protect data according to their policies.

We may update this Privacy Policy from time to time. We will post the revised policy on this page and update the "Last updated" date. Continued use of the Site after changes means you accept the updated policy.

For privacy-related questions or requests about your personal information, contact Win Mata (ဇလပ်ဝါ):

You can reach us at: Email: winmataapp@gmail.com Phone: +959252000707 Address: 125x126 street, 63/B, Pyigyitakon, Mandalay, Myanmar