Security Policy
This Security Policy outlines the technical and organizational measures LORLON employs to protect your data. By leveraging the enterprise-grade infrastructure of Shopify and integrating industry-standard security practices, we aim to provide a safe shopping environment for our customers in the European Union, the United States, and Canada.
Last Updated: 2026.03.26
1. Our Commitment to Digital Trust
At LORLON, protecting your personal information and transaction data is not a one-time task—it is a core business priority. We understand that shopping online requires trust, and we are committed to maintaining that trust through rigorous security standards, continuous monitoring, and transparent communication. This policy covers all data interactions within lorlon.com.
2. Legal & Regulatory Framework
We align our security practices with global data protection and privacy regulations:
- European Union: We implement "Technical and Organizational Measures" (TOMs) as required by GDPR Article 32 and stay informed on NIS2 Directive standards.
- United States: We comply with state-level data breach notification laws (including California’s CCPA/CPRA and New York’s SHIELD Act).
- Canada: We adhere to PIPEDA requirements regarding the reporting of security safeguard breaches.
- Global Standards: Our payment processing is fully PCI DSS (Payment Card Industry Data Security Standard) compliant through our partnership with [INSERT PAYMENT PROCESSOR].
3. Data We Protect
We apply security measures to the following categories of data:
- Personal Identification: Names, email addresses, and shipping details.
- Account Data: Login credentials (passwords are never stored in plaintext) and order history.
- Payment Data: Tokenized transaction information (we do not store full card numbers).
- Technical Data: IP addresses, browsing behavior, and support communications.
4. Technical Security Measures
Our store is hosted on Shopify, which provides a world-class, secure infrastructure. Key measures include:
- Encryption in Transit: [YES/NO] Our site uses TLS encryption (HTTPS) so that data traveling between your browser and our servers cannot be read or altered in transit.
- Encryption at Rest: Sensitive database information is stored using industry-standard encryption.
- Infrastructure Security: We benefit from Shopify’s enterprise-grade firewalls, Intrusion Detection Systems (IDS), and specialized DDoS protection.
- API Integrity: All integrations with third-party apps are conducted over HTTPS using authenticated API connections, with each app limited to the permission scopes it has explicitly been granted.
5. Account Security
If you choose to create an account with us:
- Passwords: We require complex passwords and recommend using a unique password for our store, ideally generated and stored by a password manager.
- Automated Protection: Our system implements account lockouts after repeated failed login attempts to prevent "brute-force" password guessing.
- Secure Resets: Password recovery is handled via secure, time-limited email tokens.
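As an added illustration of the two mechanisms described in this section (this is example code written for this page, not LORLON's own code and not Shopify's implementation, which Shopify operates on the store's behalf), the Python below shows a sliding-window lockout after repeated failed logins and HMAC-signed, time-limited, single-use password-reset tokens. The signing key, the limits, the in-memory stores and the account names are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, List, Optional, Set

# Assumed parameters for this example; a real deployment would tune them
# and load the signing key from a secret manager, never from source code.
SECRET_KEY = secrets.token_bytes(32)
RESET_TTL_SECONDS = 15 * 60      # reset links stop working after 15 minutes
MAX_FAILED_LOGINS = 5            # failures inside the window before lockout
LOCKOUT_SECONDS = 15 * 60        # window length and lockout duration


class LoginGuard:
    """Sliding-window lockout: N failures within the window lock the account."""

    def __init__(self, max_failures: int = MAX_FAILED_LOGINS,
                 lockout: int = LOCKOUT_SECONDS) -> None:
        self.max_failures = max_failures
        self.lockout = lockout
        self._failures: Dict[str, List[float]] = {}      # account -> failure times
        self._locked_until: Dict[str, float] = {}        # account -> unlock time

    def is_locked(self, account: str, now: float) -> bool:
        return self._locked_until.get(account, 0.0) > now

    def record_failure(self, account: str, now: float) -> bool:
        """Record a failed login; return True if this failure triggered a lockout."""
        recent = [t for t in self._failures.get(account, []) if now - t < self.lockout]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            self._failures[account] = []
            return True
        return False

    def record_success(self, account: str) -> None:
        """A successful login clears the failure history."""
        self._failures.pop(account, None)


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_reset_token(user_id: str, now: float, secret: bytes = SECRET_KEY) -> str:
    """Build a token of the form base64url(payload).base64url(HMAC-SHA256(payload)).

    The payload carries the user id, an absolute expiry time and a random nonce,
    so two tokens issued to the same user are never identical.
    """
    payload = json.dumps(
        {"uid": user_id, "exp": int(now) + RESET_TTL_SECONDS, "nonce": secrets.token_hex(8)},
        separators=(",", ":"),
    ).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(tag)


_used_tokens: Set[str] = set()   # assumed in-memory store; use the database in practice


def verify_reset_token(token: str, now: float, secret: bytes = SECRET_KEY) -> Optional[str]:
    """Return the user id if the token is authentic, unexpired and unused, else None."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload, tag = _b64d(payload_b64), _b64d(tag_b64)
        expected = hmac.new(secret, payload, hashlib.sha256).digest()
        # Constant-time comparison: the MAC is checked before the payload is trusted,
        # and an attacker cannot learn the tag byte by byte from timing.
        if not hmac.compare_digest(tag, expected):
            return None
        data = json.loads(payload)
        if now > data["exp"] or token in _used_tokens:
            return None
        _used_tokens.add(token)          # single use: a replayed link is rejected
        return data["uid"]
    except (ValueError, KeyError, TypeError):
        return None


if __name__ == "__main__":
    guard = LoginGuard()
    for i in range(MAX_FAILED_LOGINS):
        locked = guard.record_failure("alice", time.time())
    print("alice locked after repeated failures:", locked)
    token = issue_reset_token("alice", time.time())
    print("first use:", verify_reset_token(token, time.time()))
    print("replay:", verify_reset_token(token, time.time()))
```

One caveat a practitioner would add: a lockout keyed only on the account name lets an attacker lock a victim out on purpose by guessing wrongly, so it is normally paired with per-IP rate limiting or a challenge rather than used alone.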
6. Payment Security & PCI Compliance
Your financial safety is our top priority.
- Tokenization: When you enter payment details, they are sent directly to Shopify Payments. We never see or store your full credit card number.
- PCI DSS Level 1: Shopify, which operates our checkout and payment infrastructure, is certified compliant with PCI DSS Level 1, the highest level of validation in the industry.
- Fraud Prevention: We utilize automated fraud analysis tools to identify and flag suspicious transactions before they are processed.
7. Third-Party App & Integration Security
We carefully vet every app we add to our store.
- Least Privilege: We only grant apps the minimum data access required to perform their function.
- Vendor Review: We regularly audit our active integrations and permissions to ensure they meet our current security standards.
- Compliance: We prioritize apps that offer Data Processing Agreements (DPAs) consistent with GDPR and other privacy laws.
8. Internal Access Controls
Internally, we treat your data with the utmost care:
- Role-Based Access: Access to our store's admin panel is restricted to authorized employees on a need-to-know basis.
- Training: Our team receives regular training on data security, including how to identify phishing attempts and social engineering.
- Revocation: Access to all systems is immediately revoked upon employee offboarding.
9. Data Breach Response Plan
In the unlikely event of a security breach:
- Detection: We maintain monitoring systems to detect unauthorized access quickly.
- Notification:
  - EU: We will notify the relevant Supervisory Authority within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals' rights and freedoms (GDPR Article 33), and will inform affected individuals without undue delay where that risk is high (GDPR Article 34).
  - Canada: We will report breaches posing a "real risk of significant harm" to the Privacy Commissioner and notify affected individuals as soon as feasible, as required by PIPEDA.
  - USA: We will follow state-specific notification timelines for affected residents.
- Communication: We will contact affected customers directly via email to provide guidance on protecting their accounts.
10. Vulnerability Disclosure
We welcome reports from security researchers and customers who discover potential vulnerabilities in our store.
- Reporting: Please send detailed reports to support@lorlon.com.
- Safe Harbor: We will not pursue legal action against individuals who report vulnerabilities in good faith, provided they do not exploit the data or disrupt our services.
11. Phishing & Social Engineering Awareness
To protect yourself from impersonation scams, please note:
- We will NEVER ask for your password, credit card number, or full Social Security/Tax ID via email or social media DM.
- Official Channels: All official emails will come from an address ending in @lorlon.com. Check the actual sender address rather than the display name, and type our address into your browser rather than following links in unexpected messages.
- Report: If you receive a suspicious message claiming to be from us, please report it to support@lorlon.com.
12. Data Retention & Deletion
We only keep your data for as long as necessary to fulfill your orders or comply with legal tax/accounting requirements.
- Secure Deletion: Once the retention period expires, data is securely deleted or anonymized.
- Your Rights: You may request the deletion of your personal data at any time, subject to our legal obligations to retain certain records.
13. Children’s Data Security
We do not knowingly collect or store data from children under the age of 16 in the EU or under 13 in the USA (COPPA). If we become aware that such data has been collected without parental consent, we will take immediate steps to delete it.
14. Changes to This Policy
Security threats evolve, and so do we. We review this policy annually and will update this page to reflect any significant changes in our security posture or international regulations.
15. Contact Our Security Team
For all security-related inquiries, vulnerability reports, or data protection questions, please contact:
LORLON
Email: support@lorlon.com
Response Time: We aim to respond to all security inquiries within 48 business hours.