Legal

Privacy Policy

Last updated: March 19, 2026

1. Information We Collect

Account Information

When you create an account, we collect your name, email address, and a password (stored as a bcrypt hash — we never store plain-text passwords). If you are invited to a team, we also collect the role assigned to you by the account owner.

Amazon SP-API Credentials

If you connect your Amazon Seller Central account, we store your SP-API credentials (refresh token, client ID, client secret, AWS access keys). These are encrypted at rest using AES-256-GCM encryption and are only decrypted when making API calls on your behalf.

Product & Order Data

We import and store product listings, pricing data, order information, and competitive pricing data synced from Amazon via the SP-API. We also store supplier price data collected from publicly available retail websites.

Payment Information

Subscription payments are processed by Stripe. We store your Stripe customer ID and subscription status but do not store credit card numbers, bank account details, or other payment credentials. Stripe's privacy policy governs payment data handling.

Usage Data

We may collect analytics data including pages visited, features used, and general interaction patterns to improve the Service. This data is collected through PostHog and can be opted out of via your browser's Do Not Track setting.

2. How We Use Your Information

  • Provide, maintain, and improve the repricing and supplier monitoring service
  • Process subscriptions and billing through Stripe
  • Monitor supplier prices and push price updates to Amazon on your behalf
  • Send transactional emails: account creation, password resets, billing confirmations, supplier alerts
  • Analyze usage patterns to improve the product (anonymized and aggregated)
  • Enforce our Terms of Service and protect against fraud or abuse
  • Respond to support requests and communicate service updates

3. Data Storage & Security

  • All data is stored in a PostgreSQL database hosted on Railway (United States)
  • SP-API credentials are encrypted with AES-256-GCM using a 256-bit encryption key
  • User passwords are hashed with bcrypt (cost factor 10)
  • All connections use HTTPS/TLS encryption in transit
  • Tenant data is logically isolated via multi-tenant architecture — no cross-tenant data access is possible
  • Automated database backups run daily and are stored in Cloudflare R2 (retained for 30 days)
  • Security headers enforced: HSTS, X-Frame-Options DENY, Content Security Policy, X-Content-Type-Options nosniff

4. Data Sharing & Third Parties

We Do Not Sell Your Data

We do not sell, rent, or trade your personal information to third parties for marketing or advertising purposes.

Service Providers

We share limited data with the following third-party services necessary to operate the platform:

ServicePurpose
StripePayment processing and subscription management
Amazon SP-APIListing management, pricing, and order sync (on your behalf)
SentryError tracking and application monitoring (no personal data)
CloudflareDNS, CDN, and backup storage
RailwayApplication and database hosting (United States)
ResendTransactional email delivery
PostHogProduct analytics (opt-out available via Do Not Track)

We may also disclose your information if required by law, regulation, legal process, or enforceable government request.

5. Data Retention

  • Account data: retained while your account is active, plus 30 days after deletion to allow retrieval
  • Product and order data: retained while your account is active
  • Price history and repricing logs: retained for 12 months, then automatically purged
  • Supplier price cache: retained for 7 days (rolling window)
  • Database backups: retained for 30 days
  • After account deletion and the 30-day grace period, all your data is permanently and irreversibly removed

6. Your Rights

For All Users

Regardless of your location, you have the right to: access and view the data we hold about you; request correction of inaccurate data; request deletion of your account and all associated data; export your data in a machine-readable format; withdraw consent for optional data processing (analytics).

California Residents (CCPA)

Under the California Consumer Privacy Act, you have the right to know what personal information we collect and how it is used, request deletion of your personal information, opt out of the sale of personal information (we do not sell your data), and not be discriminated against for exercising your privacy rights.

European Residents (GDPR)

If you are located in the European Economic Area, you have additional rights including: the right to data portability, the right to restrict processing, the right to object to processing, and the right to lodge a complaint with your local data protection authority. Our legal basis for processing your data is contractual necessity (providing the service you signed up for) and legitimate interest (improving the service).

How to Exercise Your Rights

To exercise any of these rights, contact us at privacy@repricefy.com. We will respond within 30 days. We may request verification of your identity before processing your request.

7. Cookies & Tracking

  • Session cookies: used for authentication via NextAuth.js. These are essential for the Service to function and cannot be disabled.
  • Analytics cookies: PostHog may set cookies for product analytics. These are optional and can be blocked by enabling Do Not Track in your browser.
  • We do not use third-party advertising cookies or tracking pixels.
  • We do not participate in cross-site tracking or ad networks.

8. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a minor, we will promptly delete that information. If you believe a child has provided us with personal data, please contact us at privacy@repricefy.com.

9. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to the address associated with your account at least 30 days before they take effect. The updated policy will be posted on this page with a revised "Last updated" date. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

10. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us:

Prime Store LLC

Richmond, Virginia, United States

Privacy inquiries: privacy@repricefy.com

General support: support@repricefy.com

← Terms of ServiceBack to top