[{"data":1,"prerenderedAt":757},["ShallowReactive",2],{"header:help":3,"footer:default":67,"story:navigation\u002Fsearch:help":250,"story:help\u002Fcategories":288,"story:help\u002Farticles\u002Fprivacy-and-security-considerations":314,"no-guide:privacy-and-security-considerations":59,"article:\u002Fhelp\u002Farticles\u002Fprivacy-and-security-considerations":517,"story:contact":538,"help:tree:9fbfdb0b-8d62-4bb0-ac00-5e1e3e7d8e5a":727,"_apollo:default":756},{"name":4,"created_at":5,"published_at":6,"updated_at":7,"id":8,"uuid":9,"content":10,"slug":57,"full_slug":58,"sort_by_date":59,"position":60,"tag_list":61,"is_startpage":24,"parent_id":62,"meta_data":59,"group_id":63,"first_published_at":64,"release_id":59,"lang":65,"path":59,"alternates":66,"default_full_slug":59,"translated_slugs":59},"Help Center Header","2024-08-09T18:06:34.939Z","2024-10-21T21:58:39.217Z","2024-10-21T21:58:39.232Z",10082752,"3e9b88f7-c163-4657-a2f2-62532d600fad",{"_uid":11,"link":12,"badge":16,"items":17,"title":13,"buttons":50,"new_tab":24,"submenu":51,"alignment":13,"component":52,"badge_link":53,"top_menu_items":56},"e5645a1a-f991-40e8-8d67-e40ebc082b5a",{"id":13,"url":13,"linktype":14,"fieldtype":15,"cached_url":13},"","story","multilink","Help Center",[18,27,34,39,44],{"_uid":19,"link":20,"title":23,"new_tab":24,"submenu":25,"component":26},"5cbe2861-1f49-4166-97da-a4dddd8105e3",{"id":21,"url":13,"linktype":14,"fieldtype":15,"cached_url":22},"4c0a2d99-ec30-4579-8ef1-6bf5564d4839","help\u002Fcategories\u002F","Articles",false,[],"header___item",{"_uid":28,"link":29,"title":32,"new_tab":33,"component":26},"1c8edeb5-b9e9-4cb8-b1c6-c1f292f7d7cd",{"id":13,"url":30,"linktype":31,"fieldtype":15,"cached_url":30},"https:\u002F\u002Fwiki.foxycart.com\u002F","url","Documentation",true,{"_uid":35,"link":36,"title":38,"new_tab":33,"component":26},"8d7df70e-f087-4da0-b616-6f0e9a5af35c",{"id":13,"url":37,"linktype":31,"fieldtype":15,"cached_url":37},"https:\u002F\u002Fapi.foxycart.com\u002F","API Documentation",{"_uid":40,"link":41,"title":43,"new_tab":33,"component":26},"f76e7944-23d5-4652-87e4-cdae79272762",{"id":13,"url":42,"linktype":31,"fieldtype":15,"cached_url":42},"https:\u002F\u002Fstatus.foxy.io\u002F","System Status",{"_uid":45,"link":46,"title":49,"new_tab":24,"component":26},"0de16771-4c84-466c-a1da-d8568113c71f",{"id":47,"url":13,"linktype":14,"fieldtype":15,"cached_url":48},"01e4e370-f9b9-45af-8fa9-f15540699b0d","contact","Contact Us",[],[],"header",{"id":54,"url":13,"linktype":14,"fieldtype":15,"cached_url":55},"4a679eb7-662d-4ea4-a976-5a2acbf0b663","help\u002F",[],"help-header","navigation\u002Fhelp-header",null,20,[],10082747,"71b81c2e-5e09-48a1-a397-a3c72fcd344a","2022-09-21T14:50:25.655Z","default",[],{"name":68,"created_at":69,"published_at":70,"updated_at":71,"id":72,"uuid":73,"content":74,"slug":243,"full_slug":244,"sort_by_date":59,"position":245,"tag_list":246,"is_startpage":24,"parent_id":62,"meta_data":59,"group_id":247,"first_published_at":248,"release_id":59,"lang":65,"path":59,"alternates":249,"default_full_slug":59,"translated_slugs":59},"Default Footer","2024-08-09T18:06:59.024Z","2025-09-04T06:24:46.223Z","2025-09-04T06:24:46.241Z",10082753,"e59e67ac-248a-482f-84a1-53d4f318186a",{"_uid":75,"about":76,"logos":77,"socials":82,"sections":108,"component":225,"cta_title":226,"bottom_links":227,"cta_subtitle":241,"cta_button_link":242,"cta_button_text":183},"830983f5-c4c4-43c8-b150-86a5e3fa6dc8","Foxy’s hosted cart & payment page allow you to sell anything, using your existing website or platform.",[78],{"id":79,"alt":13,"name":13,"focus":13,"title":13,"filename":80,"copyright":13,"fieldtype":81},14760,"https:\u002F\u002Fa-us.storyblok.com\u002Ff\u002F1001040\u002Fx\u002F3b030847ec\u002Fb-corp.svg","asset",[83,90,96,102],{"_uid":84,"icon":85,"link":86,"name":88,"component":89},"faf0a618-ea94-42ea-9182-03be18c43216","fa-facebook",{"id":13,"url":87,"linktype":31,"fieldtype":15,"cached_url":87},"https:\u002F\u002Fwww.facebook.com\u002Ffoxycart","Facebook","footer___social",{"_uid":91,"icon":92,"link":93,"name":95,"component":89},"14309c18-7e79-423e-b375-34555bac0811","fa-instagram",{"id":13,"url":94,"linktype":31,"fieldtype":15,"cached_url":94},"https:\u002F\u002Fwww.instagram.com\u002Ffoxy_io","Instagram",{"_uid":97,"icon":98,"link":99,"name":101,"component":89},"8f7fe7cf-0dd3-4596-8334-226ea466716a","fa-linkedin",{"id":13,"url":100,"linktype":31,"fieldtype":15,"cached_url":100},"https:\u002F\u002Fwww.linkedin.com\u002Fcompany\u002Ffoxycart.com","LinkedIn",{"_uid":103,"icon":104,"link":105,"name":107,"component":89},"90a675b4-dd97-40b5-be09-00a87223d4c5","fa-youtube",{"id":13,"url":106,"linktype":31,"fieldtype":15,"cached_url":106},"https:\u002F\u002Fwww.youtube.com\u002Fuser\u002Ffoxycart","Youtube",[109,139,184,206],{"_uid":110,"name":111,"items":112,"component":138},"82849945-282f-488c-b18d-a8d2252f514a","Company",[113,120,126,132],{"_uid":114,"link":115,"title":118,"new_tab":24,"component":119},"1f699ab1-938b-4d9d-9825-aabcbe6f57fe",{"id":116,"url":13,"linktype":14,"fieldtype":15,"cached_url":117},"63634293-a749-4226-9439-9f38ee6dcda0","about-us","About Us","footer___menu_items",{"_uid":121,"link":122,"title":125,"new_tab":24,"component":119},"b26b00f1-a0e7-4be2-8ab3-428b8cc841f8",{"id":123,"url":13,"linktype":14,"fieldtype":15,"cached_url":124},"26cb7c55-faed-4a77-a291-1552d4111b3e","how-foxy-works","How Foxy Works",{"_uid":127,"link":128,"title":131,"new_tab":24,"component":119},"b40c68a0-1ceb-4226-9515-6176534f61fe",{"id":129,"url":13,"linktype":14,"fieldtype":15,"cached_url":130},"dc6657d7-7f4f-4c0d-b781-e971b038ee26","for-good","Foxy For Good",{"_uid":133,"link":134,"title":137,"new_tab":24,"component":119},"3ad0c134-bef9-4fff-b891-e09f16109036",{"id":135,"url":13,"linktype":14,"fieldtype":15,"cached_url":136},"23cae210-baf4-4588-9862-d09f4f52ccd2","brand-assets","Brand Assets","footer___section",{"_uid":140,"name":141,"items":142,"component":138},"a6805fa8-ac60-47f1-b8f0-f27aded0afbe","Product",[143,149,155,161,167,173,179],{"_uid":144,"link":145,"title":148,"new_tab":24,"component":119},"b39c8a4e-2383-486f-b76a-11fbb15d8134",{"id":146,"url":13,"linktype":14,"fieldtype":15,"cached_url":147},"bb04690f-fe98-4ce6-80be-05b950f2364f","features\u002F","Features",{"_uid":150,"link":151,"title":154,"new_tab":24,"component":119},"64f8a41f-c181-433d-bc0a-fc94e71ecbf6",{"id":152,"url":13,"linktype":14,"fieldtype":15,"cached_url":153},"c450c58d-761d-48c0-a9af-0b064611689b","pricing","Pricing",{"_uid":156,"link":157,"title":160,"new_tab":24,"component":119},"6e0b287f-fd8c-4146-9e0e-0ab0b5c9ce3c",{"id":158,"url":13,"linktype":14,"fieldtype":15,"cached_url":159},"fab20ad9-e76a-4947-b709-3a6fdfa88028","blog\u002Fcategories\u002Fproduct-updates","Product Updates",{"_uid":162,"link":163,"title":166,"new_tab":24,"component":119},"47e5a074-a6b5-4f1c-8c2f-89a2ae9f83eb",{"id":164,"url":13,"linktype":14,"fieldtype":15,"cached_url":165},"d2c83612-d611-47f3-a3b4-ca7fe08540b8","changelogs\u002F","Changelogs",{"_uid":168,"link":169,"title":172,"new_tab":24,"component":119},"b5c08774-542f-4ffd-b357-c94d674488b9",{"id":170,"url":13,"linktype":14,"fieldtype":15,"cached_url":171},"08876121-0df3-4ed9-aa11-902b3e41cd02","whats-next","What's Next",{"_uid":174,"link":175,"title":178,"new_tab":24,"component":119},"9c2704ed-6d9f-43e1-9e67-c8d91c083288",{"id":176,"url":13,"linktype":14,"fieldtype":15,"cached_url":177},"056a7857-b18f-4025-8f97-91a38fc19bc8","compare\u002F","Compare",{"_uid":180,"link":181,"title":183,"new_tab":24,"component":119},"5f2db35b-674b-406a-8fa7-d246633af9fe",{"id":13,"url":182,"linktype":31,"fieldtype":15,"cached_url":182},"https:\u002F\u002Fadmin.foxy.io\u002Fsign-up","Try Foxy Free",{"_uid":185,"name":186,"items":187,"component":138},"63fa1f29-4252-4640-9922-fe310e69e54a","Security",[188,194,200],{"_uid":189,"link":190,"title":193,"new_tab":24,"component":119},"1158ddb6-9eb0-466f-8eb6-7ca2ae66c8b8",{"id":191,"url":13,"linktype":14,"fieldtype":15,"cached_url":192},"1f58fb2c-8681-4742-b6e8-09999beae9f6","security-contact","Security Contact",{"_uid":195,"link":196,"title":199,"new_tab":24,"component":119},"9a79c54a-6022-4dfd-854b-766f5e4703ba",{"id":197,"url":13,"linktype":14,"fieldtype":15,"cached_url":198},"55cbfcc3-425a-4261-8037-54e919851d2d","pci","PCI Compliance",{"_uid":201,"link":202,"title":205,"new_tab":24,"component":119},"0b85f5b6-9534-4071-b323-b39d053dd4d7",{"id":203,"url":13,"linktype":14,"fieldtype":15,"cached_url":204},"c3ac0fe3-83e2-4879-afbd-d4c83e1590df","help\u002Farticles\u002Four-official-domains-public-code","Domains & Codebases",{"_uid":207,"name":208,"items":209,"component":138},"998ded67-d107-49f4-8154-ca6be51671ec","Support",[210,213,216,219,222],{"_uid":211,"link":212,"title":16,"new_tab":24,"component":119},"594ffd35-3049-4004-bb08-0db568ebd819",{"id":54,"url":13,"linktype":14,"fieldtype":15,"cached_url":55},{"_uid":214,"link":215,"title":32,"new_tab":33,"component":119},"0a1a55ab-a985-4f9d-8b42-26da714d0c1c",{"id":13,"url":30,"linktype":31,"fieldtype":15,"cached_url":30},{"_uid":217,"link":218,"title":38,"new_tab":33,"component":119},"61e0b7c8-aadf-419b-a339-b3ccabc65bf4",{"id":13,"url":37,"linktype":31,"fieldtype":15,"cached_url":37},{"_uid":220,"link":221,"title":43,"new_tab":33,"component":119},"fd67a89e-1c54-4d31-94b5-64be999062d6",{"id":13,"url":42,"linktype":31,"fieldtype":15,"cached_url":42},{"_uid":223,"link":224,"title":49,"new_tab":24,"component":119},"231a6f71-e996-4ad4-b033-d4d5542f34f0",{"id":47,"url":13,"linktype":14,"fieldtype":15,"cached_url":48},"footer","Get started with our *unlimited free trial*.",[228,235],{"_uid":229,"link":230,"text":233,"component":234},"f0b77210-2632-45a2-8436-e57cad84d01a",{"id":231,"url":13,"linktype":14,"fieldtype":15,"cached_url":232},"60ba16a2-c1f4-485f-b978-8d2eeeafbf5a","terms-of-service","Terms of Service","footer___bottom_links",{"_uid":236,"link":237,"text":240,"component":234},"4bd497b0-993f-4b4d-a5b7-8a49c7c8fec9",{"id":238,"url":13,"linktype":14,"fieldtype":15,"cached_url":239},"332302b9-1d18-4016-b9c8-9b33c72d782b","privacy-policy","Privacy Policy","No credit card required.",{"id":13,"url":182,"linktype":31,"fieldtype":15,"cached_url":182},"default-footer","navigation\u002Fdefault-footer",50,[],"11006268-07f9-41e9-96f3-c51fb723399d","2022-09-21T20:39:02.357Z",[],{"name":251,"created_at":252,"published_at":253,"updated_at":254,"id":255,"uuid":256,"content":257,"slug":279,"full_slug":282,"sort_by_date":59,"position":283,"tag_list":284,"is_startpage":24,"parent_id":62,"meta_data":59,"group_id":285,"first_published_at":286,"release_id":59,"lang":65,"path":59,"alternates":287,"default_full_slug":59,"translated_slugs":59},"Search","2024-10-21T22:08:54.973Z","2025-05-26T09:17:25.790Z","2025-05-26T09:17:25.804Z",13592003,"14cbc359-9ac1-4a7a-a8de-ad4ac8ef26d4",{"_uid":258,"name":251,"indices":259,"summary":13,"component":279,"primary_image":280},"5e4a56e8-76f1-4790-b3a7-70f1be97d042",[260,265,269,274],{"key":261,"_uid":262,"icon":13,"name":263,"component":264},"all","c12a3210-7323-4273-8217-5215e52efe84","All","index",{"key":266,"_uid":267,"icon":268,"name":23,"component":264},"help_center_article","5acff080-95e4-44d3-8dcf-1b19720af382","fa-file-alt",{"key":270,"_uid":271,"icon":272,"name":273,"component":264},"help_center_guide","b8fbc206-c083-471e-a1f0-0ebeb90a669d","fa-book","Guides",{"key":275,"_uid":276,"icon":277,"name":278,"component":264},"blog_post","23419e83-2e56-4c4c-8a05-9fd1b3c9a9bd","fa-file-image","Blog Posts","search",{"id":59,"alt":59,"name":13,"focus":59,"title":59,"source":59,"filename":13,"copyright":59,"fieldtype":81,"meta_data":281},{},"navigation\u002Fsearch",60,[],"11e1fd31-95cd-4fc9-b736-8b8910663e6c","2024-10-21T23:17:05.904Z",[],{"name":23,"created_at":289,"published_at":290,"updated_at":291,"id":292,"uuid":21,"content":293,"slug":307,"full_slug":22,"sort_by_date":59,"position":308,"tag_list":309,"is_startpage":33,"parent_id":310,"meta_data":59,"group_id":311,"first_published_at":312,"release_id":59,"lang":65,"path":59,"alternates":313,"default_full_slug":59,"translated_slugs":59},"2022-09-19T14:42:29.685Z","2024-07-30T18:17:22.506Z","2024-07-30T18:17:22.525Z",2660,{"_uid":294,"icon":13,"name":23,"guides":295,"pinned":24,"summary":296,"category":13,"component":297,"blog_posts":298,"content_hub":24,"icon_custom":299,"case_studies":300,"faq_sections":301,"help_articles":302,"featured_guides":303,"mailbox_category":13,"featured_articles":304,"featured_blog_posts":305,"featured_case_studies":306},"d6dae89a-907a-4bf7-82de-fe2ba875ee6e",[],"Get your questions answered with our browsable knowledge base.","help_center_category",[],{"id":59,"alt":59,"name":13,"focus":59,"title":59,"filename":13,"copyright":59,"fieldtype":81},[],[],[],[],[],[],[],"categories",530,[],2658,"19ebcdd2-027f-47f5-9a5b-a8992c959578","2022-09-19T16:24:39.219Z",[],{"name":315,"created_at":316,"published_at":317,"updated_at":318,"id":319,"uuid":320,"content":321,"slug":509,"full_slug":510,"sort_by_date":59,"position":511,"tag_list":512,"is_startpage":24,"parent_id":513,"meta_data":59,"group_id":514,"first_published_at":515,"release_id":59,"lang":65,"path":59,"alternates":516,"default_full_slug":59,"translated_slugs":59},"Privacy and security considerations","2026-07-16T04:17:13.086Z","2026-07-16T04:30:10.973Z","2026-07-16T04:30:10.996Z",198597972370239,"9fbfdb0b-8d62-4bb0-ac00-5e1e3e7d8e5a",{"_uid":322,"body":323,"name":315,"image":504,"pinned":24,"summary":506,"category":507,"component":266,"related_articles":508},"c2642a5a-4d08-408b-ba68-ac2268b7e8c5",{"type":324,"content":325},"doc",[326,333,340,345,350,355,360,365,370,375,380,385,390,395,400,412,423,428,433,465,470,480,486],{"type":327,"attrs":328,"content":329},"paragraph",{"textAlign":59},[330],{"text":331,"type":332},"Ecommerce involves collecting sensitive customer information, and a few aspects of how that data is handled aren’t always obvious. None of this is meant to alarm you — it’s here so you can make informed decisions for your store.","text",{"type":334,"attrs":335,"content":337},"heading",{"level":336,"textAlign":59},2,[338],{"text":339,"type":332},"Security is everyone’s responsibility",{"type":327,"attrs":341,"content":342},{"textAlign":59},[343],{"text":344,"type":332},"Anybody with access to, or even just knowledge of, an ecommerce site can affect its security — not only the people directly responsible for it. A common example: reusing the same password across your email, your store admin, and other unrelated sites. If any one of those is compromised, an attacker could potentially gain access to the others, including your store, and reroute sales or customer data to themselves.",{"type":327,"attrs":346,"content":347},{"textAlign":59},[348],{"text":349,"type":332},"This isn’t a hypothetical risk reserved for large companies. Sites of any size, including small stores, are routinely probed by bots looking for weaknesses, regardless of how well-known the business is.",{"type":327,"attrs":351,"content":352},{"textAlign":59},[353],{"text":354,"type":332},"Prevention is far cheaper than a breach: data breaches average $150–$200+ per stolen customer record, and state or federal fines can double or triple that figure depending on where your affected customers live and where your business operates. Basic habits — unique passwords, careful handling of admin access, and awareness that security isn’t solely someone else’s job — go a long way toward avoiding that cost.",{"type":334,"attrs":356,"content":357},{"level":336,"textAlign":59},[358],{"text":359,"type":332},"Email address leakage during checkout",{"type":327,"attrs":361,"content":362},{"textAlign":59},[363],{"text":364,"type":332},"Because Foxy’s checkout automatically detects whether a submitted email belongs to a returning customer, it’s possible for someone to enter an email address and learn whether that address has a saved account — the checkout behaves differently for a new email versus a returning one.",{"type":327,"attrs":366,"content":367},{"textAlign":59},[368],{"text":369,"type":332},"This is a common tradeoff across ecommerce generally: the alternative is a much worse checkout experience, where errors can’t specify whether an email or password was wrong, leaving customers unsure which of several email addresses they used. An attacker would still need to already know the email address to test — this isn’t a way to discover your customers’ email addresses at large.",{"type":327,"attrs":371,"content":372},{"textAlign":59},[373],{"text":374,"type":332},"If you’re selling products where customer privacy is especially sensitive, you can avoid this entirely by forcing guest checkout only, so no customer email is ever saved.",{"type":334,"attrs":376,"content":377},{"level":336,"textAlign":59},[378],{"text":379,"type":332},"Personal information in web receipts",{"type":327,"attrs":381,"content":382},{"textAlign":59},[383],{"text":384,"type":332},"Receipt URLs can be loaded without authentication. By default, though, receipts are set up so they aren’t revisitable — during a normal checkout flow, the browser history won’t let someone navigate back to view the receipt again. Any attack that got around this would require privileged access to the browser already, at which point the attacker would have access to everything else too.",{"type":327,"attrs":386,"content":387},{"textAlign":59},[388],{"text":389,"type":332},"A link to the receipt is included in the emailed receipt sent to the customer, but if an attacker has access to that email, they already have access to the same personal information the receipt would show.",{"type":327,"attrs":391,"content":392},{"textAlign":59},[393],{"text":394,"type":332},"If you want stronger control over this, you can configure your receipt template to output no data at all, and\u002For redirect to your own system using Foxy’s outgoing SSO functionality to handle the receipt display yourself.",{"type":334,"attrs":396,"content":397},{"level":336,"textAlign":59},[398],{"text":399,"type":332},"Cart contents and JSONP exposure",{"type":327,"attrs":401,"content":402},{"textAlign":59},[403,405,410],{"text":404,"type":332},"Cart contents persist via a cookie, so on a shared computer, someone else using that machine could see them. If this is a concern, avoid using product options that contain personal information, or use the ",{"text":406,"type":332,"marks":407},"empty=reset",[408],{"type":409},"code",{"text":411,"type":332}," functionality to clear the session entirely where available.",{"type":327,"attrs":413,"content":414},{"textAlign":59},[415,417,421],{"text":416,"type":332},"Separately, the ",{"text":418,"type":332,"marks":419},"\u002Fcart",[420],{"type":409},{"text":422,"type":332}," endpoint accepts JSONP requests without checking an origin or referrer header, meaning a malicious website could potentially read a customer’s cart contents. For this reason, avoid collecting personal information as product options.",{"type":334,"attrs":424,"content":425},{"level":336,"textAlign":59},[426],{"text":427,"type":332},"Sending sensitive information over email",{"type":327,"attrs":429,"content":430},{"textAlign":59},[431],{"text":432,"type":332},"Email is not a secure channel unless it’s encrypted with something like S\u002FMIME or PGP (GPG) — and in practice, almost nobody uses those. Treat all email as fundamentally insecure. A few reasons why:",{"type":434,"content":435},"bullet_list",[436,444,451,458],{"type":437,"content":438},"list_item",[439],{"type":327,"attrs":440,"content":441},{"textAlign":59},[442],{"text":443,"type":332},"Email messages generally aren’t encrypted.",{"type":437,"content":445},[446],{"type":327,"attrs":447,"content":448},{"textAlign":59},[449],{"text":450,"type":332},"Messages pass through multiple intermediate servers on the way to their destination, any one of which could intercept and read them.",{"type":437,"content":452},[453],{"type":327,"attrs":454,"content":455},{"textAlign":59},[456],{"text":457,"type":332},"Many email providers keep backup copies of messages on their servers for months, even after the message is deleted from the inbox.",{"type":437,"content":459},[460],{"type":327,"attrs":461,"content":462},{"textAlign":59},[463],{"text":464,"type":332},"Header information in an email can often identify the sender, even when anonymity is intended.",{"type":327,"attrs":466,"content":467},{"textAlign":59},[468],{"text":469,"type":332},"To put it concretely: a single email containing a credit card number can end up stored on, or passed through, the sender’s computer, the sender’s mail server, backup servers at that provider, roughly 6–12 intermediate mail servers, the recipient’s mail server, the recipient’s helpdesk or CRM system, and the recipient’s computer and phone. If any single one of those points is compromised, that data is exposed.",{"type":327,"attrs":471,"content":472},{"textAlign":59},[473,478],{"text":474,"type":332,"marks":475},"Never send sensitive information over email",[476],{"type":477},"bold",{"text":479,"type":332}," — this includes credit card numbers, passwords, Social Security numbers, or anything else that would be damaging if it fell into the wrong hands.",{"type":334,"attrs":481,"content":483},{"level":482,"textAlign":59},3,[484],{"text":485,"type":332},"A note on TLS\u002FSSL",{"type":327,"attrs":487,"content":488},{"textAlign":59},[489,491,496,498,502],{"text":490,"type":332},"Many mail servers now support TLS (or SSL), which encrypts email ",{"text":492,"type":332,"marks":493},"in transit",[494],{"type":495},"italic",{"text":497,"type":332}," between servers — but not ",{"text":499,"type":332,"marks":500},"at rest",[501],{"type":495},{"text":503,"type":332},". Even when TLS is used, once an email arrives, it’s typically stored unencrypted on the mail server and in the recipient’s email client. Unless you know for certain that both your mail server and the recipient’s support TLS, assume the message isn’t encrypted in transit either.",{"id":59,"alt":59,"name":13,"focus":59,"title":59,"source":59,"filename":13,"copyright":59,"fieldtype":81,"meta_data":505},{},"Privacy and security details worth understanding when running a Foxy store, including email leakage during checkout, receipt visibility, cart contents exposure, and sending sensitive data over email.","805729bf-0e8a-4d3f-92b4-fcc4c825b83a",[],"privacy-and-security-considerations","help\u002Farticles\u002Fprivacy-and-security-considerations",-3210,[],2659,"30ad5135-a612-404c-9bb3-0abada1a404c","2026-07-16T04:20:57.392Z",[],{"html":518,"sections":519,"segments":534},"\u003Cp>Ecommerce involves collecting sensitive customer information, and a few aspects of how that data is handled aren’t always obvious. None of this is meant to alarm you — it’s here so you can make informed decisions for your store.\u003C\u002Fp>\u003Csection id=\"security-is-everyones-responsibility\" data-title=\"Security is everyone’s responsibility\" data-title-node=\"H2\">\u003Chr class=\"my-8\" style=\"margin-left: -48px; margin-right: -40vw\">\u003Ch2 data-anchor-id=\"security-is-everyones-responsibility\">Security is everyone’s responsibility\u003C\u002Fh2>\u003Cp>Anybody with access to, or even just knowledge of, an ecommerce site can affect its security — not only the people directly responsible for it. A common example: reusing the same password across your email, your store admin, and other unrelated sites. If any one of those is compromised, an attacker could potentially gain access to the others, including your store, and reroute sales or customer data to themselves.\u003C\u002Fp>\u003Cp>This isn’t a hypothetical risk reserved for large companies. Sites of any size, including small stores, are routinely probed by bots looking for weaknesses, regardless of how well-known the business is.\u003C\u002Fp>\u003Cp>Prevention is far cheaper than a breach: data breaches average $150–$200+ per stolen customer record, and state or federal fines can double or triple that figure depending on where your affected customers live and where your business operates. Basic habits — unique passwords, careful handling of admin access, and awareness that security isn’t solely someone else’s job — go a long way toward avoiding that cost.\u003C\u002Fp>\u003C\u002Fsection>\u003Csection id=\"email-address-leakage-during-checkout\" data-title=\"Email address leakage during checkout\" data-title-node=\"H2\">\u003Chr class=\"my-8\" style=\"margin-left: -48px; margin-right: -40vw\">\u003Ch2 data-anchor-id=\"email-address-leakage-during-checkout\">Email address leakage during checkout\u003C\u002Fh2>\u003Cp>Because Foxy’s checkout automatically detects whether a submitted email belongs to a returning customer, it’s possible for someone to enter an email address and learn whether that address has a saved account — the checkout behaves differently for a new email versus a returning one.\u003C\u002Fp>\u003Cp>This is a common tradeoff across ecommerce generally: the alternative is a much worse checkout experience, where errors can’t specify whether an email or password was wrong, leaving customers unsure which of several email addresses they used. An attacker would still need to already know the email address to test — this isn’t a way to discover your customers’ email addresses at large.\u003C\u002Fp>\u003Cp>If you’re selling products where customer privacy is especially sensitive, you can avoid this entirely by forcing guest checkout only, so no customer email is ever saved.\u003C\u002Fp>\u003C\u002Fsection>\u003Csection id=\"personal-information-in-web-receipts\" data-title=\"Personal information in web receipts\" data-title-node=\"H2\">\u003Chr class=\"my-8\" style=\"margin-left: -48px; margin-right: -40vw\">\u003Ch2 data-anchor-id=\"personal-information-in-web-receipts\">Personal information in web receipts\u003C\u002Fh2>\u003Cp>Receipt URLs can be loaded without authentication. By default, though, receipts are set up so they aren’t revisitable — during a normal checkout flow, the browser history won’t let someone navigate back to view the receipt again. Any attack that got around this would require privileged access to the browser already, at which point the attacker would have access to everything else too.\u003C\u002Fp>\u003Cp>A link to the receipt is included in the emailed receipt sent to the customer, but if an attacker has access to that email, they already have access to the same personal information the receipt would show.\u003C\u002Fp>\u003Cp>If you want stronger control over this, you can configure your receipt template to output no data at all, and\u002For redirect to your own system using Foxy’s outgoing SSO functionality to handle the receipt display yourself.\u003C\u002Fp>\u003C\u002Fsection>\u003Csection id=\"cart-contents-and-jsonp-exposure\" data-title=\"Cart contents and JSONP exposure\" data-title-node=\"H2\">\u003Chr class=\"my-8\" style=\"margin-left: -48px; margin-right: -40vw\">\u003Ch2 data-anchor-id=\"cart-contents-and-jsonp-exposure\">Cart contents and JSONP exposure\u003C\u002Fh2>\u003Cp>Cart contents persist via a cookie, so on a shared computer, someone else using that machine could see them. If this is a concern, avoid using product options that contain personal information, or use the \u003Ccode class=\"badge bg-soft-danger text-danger\">empty=reset\u003C\u002Fcode> functionality to clear the session entirely where available.\u003C\u002Fp>\u003Cp>Separately, the \u003Ccode class=\"badge bg-soft-danger text-danger\">\u002Fcart\u003C\u002Fcode> endpoint accepts JSONP requests without checking an origin or referrer header, meaning a malicious website could potentially read a customer’s cart contents. For this reason, avoid collecting personal information as product options.\u003C\u002Fp>\u003C\u002Fsection>\u003Csection id=\"sending-sensitive-information-over-email\" data-title=\"Sending sensitive information over email\" data-title-node=\"H2\">\u003Chr class=\"my-8\" style=\"margin-left: -48px; margin-right: -40vw\">\u003Ch2 data-anchor-id=\"sending-sensitive-information-over-email\">Sending sensitive information over email\u003C\u002Fh2>\u003Cp>Email is not a secure channel unless it’s encrypted with something like S\u002FMIME or PGP (GPG) — and in practice, almost nobody uses those. Treat all email as fundamentally insecure. A few reasons why:\u003C\u002Fp>\u003Cul>\u003Cli>\u003Cp>Email messages generally aren’t encrypted.\u003C\u002Fp>\u003C\u002Fli>\u003Cli>\u003Cp>Messages pass through multiple intermediate servers on the way to their destination, any one of which could intercept and read them.\u003C\u002Fp>\u003C\u002Fli>\u003Cli>\u003Cp>Many email providers keep backup copies of messages on their servers for months, even after the message is deleted from the inbox.\u003C\u002Fp>\u003C\u002Fli>\u003Cli>\u003Cp>Header information in an email can often identify the sender, even when anonymity is intended.\u003C\u002Fp>\u003C\u002Fli>\u003C\u002Ful>\u003Cp>To put it concretely: a single email containing a credit card number can end up stored on, or passed through, the sender’s computer, the sender’s mail server, backup servers at that provider, roughly 6–12 intermediate mail servers, the recipient’s mail server, the recipient’s helpdesk or CRM system, and the recipient’s computer and phone. If any single one of those points is compromised, that data is exposed.\u003C\u002Fp>\u003Cp>\u003Cstrong>Never send sensitive information over email\u003C\u002Fstrong> — this includes credit card numbers, passwords, Social Security numbers, or anything else that would be damaging if it fell into the wrong hands.\u003C\u002Fp>\u003C\u002Fsection>\u003Csection id=\"a-note-on-tlsssl\" data-title=\"A note on TLS\u002FSSL\" data-title-node=\"H3\">\u003Ch3 data-anchor-id=\"a-note-on-tlsssl\">A note on TLS\u002FSSL\u003C\u002Fh3>\u003Cp>Many mail servers now support TLS (or SSL), which encrypts email \u003Cem>in transit\u003C\u002Fem> between servers — but not \u003Cem>at rest\u003C\u002Fem>. Even when TLS is used, once an email arrives, it’s typically stored unencrypted on the mail server and in the recipient’s email client. Unless you know for certain that both your mail server and the recipient’s support TLS, assume the message isn’t encrypted in transit either.\u003C\u002Fp>\u003C\u002Fsection>",[520,523,525,527,529,531],{"id":521,"title":339,"level":522},"security-is-everyones-responsibility","H2",{"id":524,"title":359,"level":522},"email-address-leakage-during-checkout",{"id":526,"title":379,"level":522},"personal-information-in-web-receipts",{"id":528,"title":399,"level":522},"cart-contents-and-jsonp-exposure",{"id":530,"title":427,"level":522},"sending-sensitive-information-over-email",{"id":532,"title":485,"level":533},"a-note-on-tlsssl","H3",[535],{"type":536,"content":537},"html","\u003Cp>Ecommerce involves collecting sensitive customer information, and a few aspects of how that data is handled aren’t always obvious. None of this is meant to alarm you — it’s here so you can make informed decisions for your store.\u003C\u002Fp>\u003Ch2>Security is everyone’s responsibility\u003C\u002Fh2>\u003Cp>Anybody with access to, or even just knowledge of, an ecommerce site can affect its security — not only the people directly responsible for it. A common example: reusing the same password across your email, your store admin, and other unrelated sites. If any one of those is compromised, an attacker could potentially gain access to the others, including your store, and reroute sales or customer data to themselves.\u003C\u002Fp>\u003Cp>This isn’t a hypothetical risk reserved for large companies. Sites of any size, including small stores, are routinely probed by bots looking for weaknesses, regardless of how well-known the business is.\u003C\u002Fp>\u003Cp>Prevention is far cheaper than a breach: data breaches average $150–$200+ per stolen customer record, and state or federal fines can double or triple that figure depending on where your affected customers live and where your business operates. Basic habits — unique passwords, careful handling of admin access, and awareness that security isn’t solely someone else’s job — go a long way toward avoiding that cost.\u003C\u002Fp>\u003Ch2>Email address leakage during checkout\u003C\u002Fh2>\u003Cp>Because Foxy’s checkout automatically detects whether a submitted email belongs to a returning customer, it’s possible for someone to enter an email address and learn whether that address has a saved account — the checkout behaves differently for a new email versus a returning one.\u003C\u002Fp>\u003Cp>This is a common tradeoff across ecommerce generally: the alternative is a much worse checkout experience, where errors can’t specify whether an email or password was wrong, leaving customers unsure which of several email addresses they used. An attacker would still need to already know the email address to test — this isn’t a way to discover your customers’ email addresses at large.\u003C\u002Fp>\u003Cp>If you’re selling products where customer privacy is especially sensitive, you can avoid this entirely by forcing guest checkout only, so no customer email is ever saved.\u003C\u002Fp>\u003Ch2>Personal information in web receipts\u003C\u002Fh2>\u003Cp>Receipt URLs can be loaded without authentication. By default, though, receipts are set up so they aren’t revisitable — during a normal checkout flow, the browser history won’t let someone navigate back to view the receipt again. Any attack that got around this would require privileged access to the browser already, at which point the attacker would have access to everything else too.\u003C\u002Fp>\u003Cp>A link to the receipt is included in the emailed receipt sent to the customer, but if an attacker has access to that email, they already have access to the same personal information the receipt would show.\u003C\u002Fp>\u003Cp>If you want stronger control over this, you can configure your receipt template to output no data at all, and\u002For redirect to your own system using Foxy’s outgoing SSO functionality to handle the receipt display yourself.\u003C\u002Fp>\u003Ch2>Cart contents and JSONP exposure\u003C\u002Fh2>\u003Cp>Cart contents persist via a cookie, so on a shared computer, someone else using that machine could see them. If this is a concern, avoid using product options that contain personal information, or use the \u003Ccode class=\"badge bg-soft-danger text-danger\">empty=reset\u003C\u002Fcode> functionality to clear the session entirely where available.\u003C\u002Fp>\u003Cp>Separately, the \u003Ccode class=\"badge bg-soft-danger text-danger\">\u002Fcart\u003C\u002Fcode> endpoint accepts JSONP requests without checking an origin or referrer header, meaning a malicious website could potentially read a customer’s cart contents. For this reason, avoid collecting personal information as product options.\u003C\u002Fp>\u003Ch2>Sending sensitive information over email\u003C\u002Fh2>\u003Cp>Email is not a secure channel unless it’s encrypted with something like S\u002FMIME or PGP (GPG) — and in practice, almost nobody uses those. Treat all email as fundamentally insecure. A few reasons why:\u003C\u002Fp>\u003Cul>\u003Cli>\u003Cp>Email messages generally aren’t encrypted.\u003C\u002Fp>\u003C\u002Fli>\u003Cli>\u003Cp>Messages pass through multiple intermediate servers on the way to their destination, any one of which could intercept and read them.\u003C\u002Fp>\u003C\u002Fli>\u003Cli>\u003Cp>Many email providers keep backup copies of messages on their servers for months, even after the message is deleted from the inbox.\u003C\u002Fp>\u003C\u002Fli>\u003Cli>\u003Cp>Header information in an email can often identify the sender, even when anonymity is intended.\u003C\u002Fp>\u003C\u002Fli>\u003C\u002Ful>\u003Cp>To put it concretely: a single email containing a credit card number can end up stored on, or passed through, the sender’s computer, the sender’s mail server, backup servers at that provider, roughly 6–12 intermediate mail servers, the recipient’s mail server, the recipient’s helpdesk or CRM system, and the recipient’s computer and phone. If any single one of those points is compromised, that data is exposed.\u003C\u002Fp>\u003Cp>\u003Cstrong>Never send sensitive information over email\u003C\u002Fstrong> — this includes credit card numbers, passwords, Social Security numbers, or anything else that would be damaging if it fell into the wrong hands.\u003C\u002Fp>\u003Ch3>A note on TLS\u002FSSL\u003C\u002Fh3>\u003Cp>Many mail servers now support TLS (or SSL), which encrypts email \u003Cem>in transit\u003C\u002Fem> between servers — but not \u003Cem>at rest\u003C\u002Fem>. Even when TLS is used, once an email arrives, it’s typically stored unencrypted on the mail server and in the recipient’s email client. Unless you know for certain that both your mail server and the recipient’s support TLS, assume the message isn’t encrypted in transit either.\u003C\u002Fp>",{"name":539,"created_at":540,"published_at":541,"updated_at":542,"id":543,"uuid":47,"content":544,"slug":48,"full_slug":48,"sort_by_date":59,"position":722,"tag_list":723,"is_startpage":24,"parent_id":59,"meta_data":59,"group_id":724,"first_published_at":725,"release_id":59,"lang":65,"path":59,"alternates":726,"default_full_slug":59,"translated_slugs":59},"Contact","2022-09-23T19:56:58.957Z","2025-05-08T18:24:40.382Z","2025-05-08T18:24:40.392Z",3138,{"seo":545,"_uid":548,"title":549,"action":550,"fields":551,"method":698,"columns":699,"subtitle":713,"component":48,"button_text":719,"submit_title":720,"submit_subtitle":721},{"_uid":546,"title":539,"plugin":547,"description":13},"24ff7574-3bcc-48d2-85b5-e529dfea1cc4","meta-fields","8f54f1da-9d8f-49b2-89e7-840e886491cb","We're here to help.","https:\u002F\u002Fusebasin.com\u002Ff\u002F029f48d65402",[552,557,561,669,672,677,692],{"_uid":553,"name":554,"type":332,"label":555,"options":13,"required":33,"component":556,"placeholder":13},"9a70b226-2036-4f90-a052-b3efa61c5896","name","Name","form___field",{"_uid":558,"name":559,"type":559,"label":560,"options":13,"required":33,"component":556,"placeholder":13},"86ba35be-ff43-4a28-8633-14052a8f6622","email","Email Address",{"_uid":562,"name":563,"type":564,"label":565,"options":566,"required":33,"component":556,"conditions":567,"placeholder":13},"3f827475-492c-4f97-aa1e-2386ac263b6c","topic","select","Topic","Presales, Support, Billing, Partnerships, Order Enquiry, Other",[568,623,633,640,648,656,662],{"_uid":569,"equals":570,"fields":571,"component":622},"e21d97dd-e68e-4fa6-ba97-bc40f3041dde","Order Enquiry",[572],{"_uid":573,"body":574,"type":620,"title":13,"component":621},"b64992bc-6d53-48b8-b7a0-d81e5a062e50",{"type":324,"content":575},[576],{"type":327,"content":577},[578,580,588,590,592,593,597,599,603,611,613,618],{"text":579,"type":332},"We are ",{"text":581,"type":332,"marks":582},"Foxy.io",[583],{"type":584,"attrs":585},"link",{"href":586,"uuid":59,"anchor":59,"custom":587,"target":59,"linktype":31},"http:\u002F\u002FFoxy.io",{},{"text":589,"type":332},", an ecommerce platform powering ecommerce for other merchants. We do not sell products, and are unable to assist with questions about order statuses or refunds for any merchants using our platform. Please contact the merchant you ordered from for assistance. If you’d like to report a store using Foxy for fraudulent practices, please select ‘other’ in the subject.",{"type":591},"hard_break",{"type":591},{"text":594,"type":332,"marks":595},"NOTE:",[596],{"type":477},{"text":598,"type":332}," We are ",{"text":600,"type":332,"marks":601},"not ",[602],{"type":495},{"text":604,"type":332,"marks":605},"Foxy.in",[606,610],{"type":584,"attrs":607},{"href":608,"uuid":59,"anchor":59,"custom":609,"target":59,"linktype":31},"http:\u002F\u002FFoxy.in",{},{"type":495},{"text":612,"type":332},". We are not in any way affiliated with ",{"text":604,"type":332,"marks":614},[615],{"type":584,"attrs":616},{"href":608,"uuid":59,"anchor":59,"custom":617,"target":59,"linktype":31},{},{"text":619,"type":332},", and cannot help in any way with your order from that website.","danger","global___alert","form___condition",{"_uid":624,"equals":625,"fields":626,"component":622},"8765c3e1-25cf-44aa-b8ea-fc6094acf9c3","Presales",[627],{"_uid":628,"name":629,"type":630,"label":13,"options":13,"required":24,"component":556,"conditions":631,"placeholder":13,"default_value":632},"cf464f8e-d643-4f6e-af29-d3abffaf7380","department_email_address","hidden",[],"hello@foxy.io",{"_uid":634,"equals":208,"fields":635,"component":622},"4007b6d8-77e5-421d-bd1e-6f336dd853fb",[636],{"_uid":637,"name":629,"type":630,"label":13,"options":13,"required":24,"component":556,"conditions":638,"placeholder":13,"default_value":639},"7b4c6aa5-a68c-45e0-9ce1-0a36af10c0c2",[],"help@foxy.io",{"_uid":641,"equals":642,"fields":643,"component":622},"1dbb8f11-613d-43cd-9e09-1b94f6e19219","Billing",[644],{"_uid":645,"name":629,"type":630,"label":13,"options":13,"required":24,"component":556,"conditions":646,"placeholder":13,"default_value":647},"a0ac0d1b-bc4f-4a6c-a682-581d450b0b73",[],"help+billing@foxy.io",{"_uid":649,"equals":650,"fields":651,"component":622},"a0a53a50-7172-4a29-ba58-181e38874e12","Partnerships",[652],{"_uid":653,"name":629,"type":630,"label":13,"options":13,"required":24,"component":556,"conditions":654,"placeholder":13,"default_value":655},"7aa011d9-f374-4aed-b5a5-929b54aaf152",[],"partners@foxy.io",{"_uid":657,"equals":570,"fields":658,"component":622},"a4cd431f-25d5-41c7-bfdc-02c908c8fb47",[659],{"_uid":660,"name":629,"type":630,"label":13,"options":13,"required":24,"component":556,"conditions":661,"placeholder":13,"default_value":632},"f5d52168-d6ae-451b-94ee-2ced1cbd28ad",[],{"_uid":663,"equals":664,"fields":665,"component":622},"25aba1ed-eb41-4bbc-aa89-f7a7167ea86e","Other",[666],{"_uid":667,"name":629,"type":630,"label":13,"options":13,"required":24,"component":556,"conditions":668,"placeholder":13,"default_value":632},"f40dfaef-c203-4b71-bf4e-e1b43cef192b",[],{"_uid":670,"component":671},"e9c53a05-f40a-4510-aaf8-bc072a235a0c","form___subject",{"_uid":673,"name":674,"type":675,"label":676,"options":13,"required":33,"component":556,"placeholder":13},"a4c4d385-fff4-4978-99fb-b68cfea623d6","message","textarea","Message",{"_uid":678,"name":679,"type":564,"label":680,"options":681,"required":33,"component":556,"conditions":682,"placeholder":13},"8a3c9f85-f438-427d-9c7a-d7b295a14b5b","existing_user","Are you an existing user?","No, Yes",[683],{"_uid":684,"equals":685,"fields":686,"component":622},"115933d6-262a-4b59-8fa8-579c5ad73de1","Yes",[687],{"_uid":688,"name":689,"type":332,"label":690,"options":13,"required":33,"component":556,"conditions":691,"placeholder":13},"44b6ff23-98f0-4e95-b7f5-c23e06415c2d","subdomain","Store Subdomain",[],{"_uid":693,"name":694,"type":564,"label":695,"options":696,"required":33,"component":556,"conditions":697,"placeholder":13},"922a5cef-3af2-4113-8855-36c7910e3ee3","user_type","What type of user are you?","Developer, Designer, Merchant",[],"POST",[700],{"_uid":701,"text":702,"title":711,"component":712},"7323b90d-a93a-4bf1-baa9-20d0b7ead61b",{"type":324,"content":703},[704],{"type":327,"content":705},[706,708,709],{"text":707,"type":332},"855.369.9227",{"type":591},{"text":710,"type":332},"9:30am-6pm Central M-F","Pre-sales, Sales, & Partnerships","contact___footer_column",{"type":324,"content":714},[715],{"type":327,"content":716},[717],{"text":718,"type":332},"Get in touch to get help from our friendly support team.","Submit","Success!","Your email has been received. We'll get back to you as soon as we can, but it might take a business day. If you don't hear back from us in a timely manner, please check your spam folder to ensure our reply didn't go there.",-80,[],"2fd9fb7d-a48a-4184-acfd-30022d8d6f08","2022-09-23T20:10:45.360Z",[],[288,728],{"name":729,"created_at":730,"published_at":731,"updated_at":732,"id":733,"uuid":507,"content":734,"slug":749,"full_slug":750,"sort_by_date":59,"position":751,"tag_list":752,"is_startpage":24,"parent_id":310,"meta_data":59,"group_id":753,"first_published_at":754,"release_id":59,"lang":65,"path":59,"alternates":755,"default_full_slug":59,"translated_slugs":59},"Security & Policies","2023-01-19T16:27:35.000Z","2026-07-16T04:20:56.886Z","2026-07-16T04:20:56.901Z",28244,{"_uid":735,"icon":736,"name":729,"type":737,"guides":738,"pinned":24,"summary":739,"category":13,"component":297,"blog_posts":740,"content_hub":24,"icon_custom":741,"case_studies":742,"faq_sections":743,"help_articles":744,"featured_guides":745,"mailbox_category":13,"featured_articles":746,"featured_blog_posts":747,"featured_case_studies":748},"e9746086-08b8-4b9e-afb3-5264fdca1ea1","fa-lock-alt","simple",[],"Security information and resources for keeping you and your customers safe.",[],{"id":59,"alt":59,"name":13,"focus":59,"title":59,"filename":13,"copyright":59,"fieldtype":81},[],[],[],[],[],[],[],"security-and-policies","help\u002Fcategories\u002Fsecurity-and-policies",100,[],"e8afb525-b6de-4134-9bf9-63989d71a318","2023-01-19T17:25:33.172Z",[],{},1784176460337]