Privacy Policy

Version 1.0 • Last Updated: January 1, 2025

1. Introduction

InfraCouch ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

We are committed to compliance with:

  • General Data Protection Regulation (GDPR) - EU
  • California Consumer Privacy Act (CCPA) - USA
  • Other applicable data protection laws

2. Information We Collect

2.1 Information You Provide

When you register and use the Service, we collect:

  • Account Information: Full name, company name, company website, business email address
  • Authentication Data: Email address for email link authentication
  • Product Catalog Data: Product information, specifications, images, and related data you upload
  • Billing Information: Processed securely through Stripe (we do not store full credit card numbers)
  • Communications: Support tickets, feedback, and correspondence with us

2.2 Automatically Collected Information

We automatically collect certain information when you use the Service:

  • Usage Data: Pages viewed, features used, time spent, click patterns
  • Device Information: Browser type, operating system, device identifiers
  • Log Data: IP address, access times, referring URLs
  • Cookies: Session cookies for authentication and functionality (see Section 9)

2.3 Information from Third Parties

We may receive information from:

  • Supabase: Authentication and user management data
  • Stripe: Payment processing and billing information
  • Analytics Providers: Aggregated usage analytics (if applicable)

3. How We Use Your Information

We use your information for the following purposes:

3.1 Service Provision

  • Create and manage your account
  • Authenticate users via email links
  • Store and manage your product catalog data
  • Provide API access to authorized parties
  • Process billing and payments

3.2 Service Improvement

  • Analyze usage patterns to improve features
  • Monitor and ensure service performance
  • Develop new features and functionality
  • Conduct aggregated, anonymized analytics

3.3 Communication

  • Send secure email links for authentication
  • Respond to support requests
  • Send service updates and notifications
  • Provide billing and subscription information

3.4 Legal and Security

  • Comply with legal obligations
  • Prevent fraud and abuse
  • Enforce our Terms of Service
  • Protect rights, property, and safety

4. Legal Basis for Processing (GDPR)

For users in the EU/EEA, we process your data based on:

  • Contract Performance: Processing necessary to provide the Service you've requested
  • Legitimate Interests: Service improvement, fraud prevention, security
  • Consent: Where you have given explicit consent (e.g., marketing communications)
  • Legal Obligation: Compliance with laws and regulations

5. Data Sharing and Disclosure

5.1 With Your Consent

Your product catalog data is made available through our API to authorized parties for AI consumption, as outlined in our Terms of Service.

5.2 Service Providers

We share information with trusted third-party service providers:

  • Supabase: Authentication and database services
  • Stripe: Payment processing
  • Cloud Hosting: Infrastructure providers (AWS, Render, etc.)
  • Email Service: Transactional email delivery

These providers are contractually obligated to protect your data and use it only for specified purposes.

5.3 Legal Requirements

We may disclose information if required by law, court order, or to:

  • Comply with legal process
  • Respond to government requests
  • Protect our rights and property
  • Prevent fraud or illegal activity

5.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your data is transferred and becomes subject to a different privacy policy.

5.5 No Selling of Personal Data

We do NOT sell your personal information to third parties.

6. Data Retention

We retain your information for as long as necessary to:

  • Active Accounts: Duration of your account plus reasonable period thereafter
  • Product Data: As long as you maintain your account or as required by contract
  • Billing Records: As required by tax and accounting regulations (typically 7 years)
  • Consent Audit Trails: Permanently for legal compliance
  • Deleted Accounts: 30 days for recovery, then permanently deleted (except as required by law)

7. Data Security

We implement industry-standard security measures:

7.1 Technical Safeguards

  • Encryption in transit (TLS/SSL)
  • Encryption at rest for sensitive data
  • Secure passwordless authentication via email links
  • Regular security audits and updates
  • Access controls and least-privilege principles

7.2 Row-Level Security (RLS)

We use PostgreSQL Row-Level Security to ensure Brands can only access their own data at the database level.

7.3 Limitations

While we strive to protect your data, no method of transmission or storage is 100% secure. You use the Service at your own risk.

8. Your Rights and Choices

8.1 GDPR Rights (EU/EEA Users)

You have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your data ("right to be forgotten")
  • Restriction: Limit how we process your data
  • Portability: Receive your data in a structured, machine-readable format
  • Object: Object to processing based on legitimate interests
  • Withdraw Consent: Withdraw consent at any time (where processing is based on consent)
  • Lodge Complaint: File a complaint with your local data protection authority

8.2 CCPA Rights (California Residents)

You have the right to:

  • Know: What personal information we collect, use, and share
  • Delete: Request deletion of your personal information
  • Opt-Out: Opt-out of sale (though we don't sell data)
  • Non-Discrimination: Not be discriminated against for exercising your rights

8.3 How to Exercise Your Rights

To exercise any of these rights, contact us at:

  • Email: privacy@infracouch.com
  • Account Settings: Manage certain preferences directly in your account

We will respond to verified requests within 30 days (GDPR) or 45 days (CCPA).

9. Cookies and Tracking

9.1 Cookies We Use

  • Essential Cookies: Required for authentication and core functionality (cannot be disabled)
  • Session Cookies: Temporary cookies deleted when you close your browser

9.2 Managing Cookies

You can control cookies through your browser settings. Disabling essential cookies may prevent you from using the Service.

10. International Data Transfers

Your data may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) for EU transfers
  • Adequacy decisions where applicable
  • Compliance with applicable data transfer regulations

11. Children's Privacy

The Service is not intended for children under 16 (or applicable age in your jurisdiction). We do not knowingly collect information from children. If you believe we have collected data from a child, please contact us immediately.

12. Consent Management

We maintain comprehensive consent records including:

  • WHO: Identity (email, name, Supabase user ID)
  • WHAT: Text of consent and version number
  • WHEN: Timestamp of consent
  • WHERE: IP address and user agent
  • HOW: Method of consent (checkbox, signature)

These records are stored in an immutable, append-only audit trail for legal compliance.

13. Data Breach Notification

In the event of a data breach affecting your personal information, we will:

  • Notify affected users within 72 hours (GDPR requirement)
  • Notify relevant authorities as required by law
  • Provide information about the breach and mitigation steps
  • Take immediate action to secure systems and prevent further breaches

14. Third-Party Links

Our Service may contain links to third-party websites. We are not responsible for the privacy practices of these sites. We encourage you to read their privacy policies.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Updating the version number and "Last Updated" date
  • Sending an email to your registered address
  • Displaying a prominent notice in the Service

Your continued use after changes indicates acceptance of the updated policy.

16. Contact Us

For privacy-related questions or to exercise your rights, contact us at:

  • Email: privacy@infracouch.com
  • Data Protection Officer: dpo@infracouch.com
  • Support: InfraCouch Support

17. Supervisory Authority

If you are in the EU/EEA and believe we have not addressed your concerns, you have the right to lodge a complaint with your local data protection authority.

Questions?

Contact us at legal@infracouch.com for any questions about our Privacy Policy.