Privacy

Interim policy, plain language. Final text is under counsel review before paid general availability. This is not legal advice.

01What we collect

  • Your email, for magic-link sign-in.
  • API key metadata: a one-way hash, the prefix, and the last four characters. We never store the full key.
  • Per-call usage events: the tool, status, cost, latency, and timestamp. We do not store request bodies beyond the product reference needed to serve and cache the result.

02The product cache

We cache the typed product objects we extract, keyed on public references (a URL or a GTIN). The cache holds factual, publicly available product data. It contains no buyer or end-user personal data. Entries expire on a TTL and can be purged on request.

03How we use data

We use the above only to operate, secure, meter, and bill the API, and to provide support. We do not sell personal data.

04Processors we use

  • Supabase: database and authentication.
  • Vercel: application hosting.
  • Stripe: subscription billing (we never see full card numbers).
  • The public sources we extract from on your behalf, plus search and barcode providers used to resolve a query.

05Retention

Usage events are retained for at least 90 days for billing and abuse prevention. Cache entries follow their TTL (a few days by default, shorter for volatile fields like price). Account data is kept while your account is active.

06Your rights and takedowns

Contact us to access or delete your account data. Rights holders can request removal of cached product data via the takedown form, which purges matching entries promptly.

07Security

Keys are stored only as hashes. Row-level security isolates each account's data, and all traffic is over TLS.

Interim policy. Last updated June 2026. Pending final counsel review before paid GA.