Data Integrity of Connected Key Systems (DICKS)
A security report card for everyone who can touch your data.
Last Updated 02 June 2026
Last rated: 02 June 2026. Every grade below is my own informed opinion, based on publicly available information as of that date. This is not a formal security audit, and I'm not affiliated with any company listed. Companies change their practices; I review these by hand and re-date the page when I do. Where an independent rater covers a service, I link ToS;DR — a nonprofit that grades online services' terms — so you can compare my read to theirs.
When you buy something here, your data doesn't only sit with me. It passes through the companies that run the store, take the payment, send the email, and measure the traffic. DICKS exists so you can see the security strengths and weaknesses of every one of them and decide for yourself who you trust. Each row links straight to that company's opt-out, deletion, or tracking-control page — including mine.
My notes — the Shopify situation
Here's the part most shops won't tell you. Running on Shopify means a few enterprise-grade data features come switched on by default and built for billion-dollar retailers, not a one-person ceramics shop — and not all of them can be fully turned off. The big one is Shopify's network/fraud intelligence, which pools limited transaction signals across stores to catch fraud. It's useful, it's largely out of my hands, and you can read exactly what it does in Shopify's own disclosure.
What I do control, I've locked down. I keep Google Analytics in measurement-only mode — Google Signals, remarketing, and ad personalization are off, so your visit isn't fed into cross-site ad profiles. Cookies are opt-in: nothing non-essential loads until you say yes. And on my own end, the data I hold lives behind a segmented WPA3 network, full-disk encryption, multi-factor logins, and fast deletion of custom-order photos (the full rundown is in the Private Pact). I can't make Shopify or Google smaller than they are — but I can refuse every unnecessary setting they hand me, and I do.
How the grades work
Each grade is a single letter that weighs five things together:
- Data sensitivity — how personal is what they actually hold about you?
- Necessity — do they need it to serve you, or to monetize you?
- Security — encryption, certifications, end-to-end encryption, data-at-rest protection.
- Transparency — are their policies clear, and how do independent raters score them?
- Your control — how easily can you opt out or delete your data?
| Grade | System | Data it holds | Why | Security highlights | Your control |
|---|---|---|---|---|---|
| A− | Wicked Wicks & More (me) | Name, address, email, order details, custom photos. Sensitive items deleted fast. | Serve you | Segmented WPA3 network, full-disk encryption, MFA, VPN, 3-day photo deletion | Email me |
| A | Proton Mail | Emails you send me (incl. sensitive custom-order messages) | Serve you | End-to-end encrypted, encrypted at rest, Swiss privacy law, open-source | Manage / delete |
| A− | Apple Pay | Payment token only — not your card number or purchase list | Serve you | Device-tokenized, Apple doesn't retain transaction details | Manage |
| B+ | Shopify | Order, account, payment, and browsing data — the store's backbone | Serve you | PCI DSS Level 1, encryption in transit & at rest, GDPR DPA, SOC reporting | Privacy portal |
| B | Judge.me | Your name + review content; email for review requests | Serve you | GDPR-compliant, documented security program, data-processing addendum | Privacy / opt-out |
| B | Square | In-person payment + receipt data at markets | Serve you | PCI DSS compliant, encryption, tokenized card handling | Privacy |
| B− | PayPal | Payment + account data if you pay with PayPal | Mixed | Strong payment security & encryption; broader data-sharing practices | Privacy settings |
| B− | Amazon Pay | Payment + account data if you pay with Amazon | Mixed | Strong security; tied to Amazon's wider data ecosystem | Privacy |
| C+ | Google Analytics | Anonymized site analytics. Ad features disabled by me. | Serve them | Excellent infrastructure security; an advertising business at its core | Opt-out add-on · My Activity |
| C− | Meta / Instagram | Whatever you share by messaging me or arriving via Instagram | Serve them | Secure infrastructure; data-hungry ad model, weaker user control. ToS;DR grades it poorly. | Account controls |
Payment processors are listed for the wallets I accept. I never see or store your full card number regardless of which you choose — see Private Pact → Payments. Grades reflect my assessment of each company's overall data practices, not the security of any single transaction.
Wicked Wicks and More · Handmade in Washington, DC · Stay Wicked