Last updated: April 23, 2026
Privacy Policy
This Privacy Policy explains how Profaro ("we", "us", or "our") collects, uses, stores, and protects your personal data when you use our website and services. We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
1. Data Controller
The data controller responsible for your personal data is Profaro. For any privacy-related inquiries, please contact us at privacy@profaro.co.
2. Data We Collect
We collect the following categories of personal data:
- Account data: name and email address provided during registration or via Google OAuth.
- Subscription & billing data: payment method details and billing history, processed securely by Stripe. We do not store full card numbers.
- Usage data: the Amazon seller IDs you choose to monitor, the products found, and your notification preferences.
- Technical data: IP address, browser type, operating system, and session data collected automatically when you access our service.
- Communication data: emails we send you (alerts, receipts, support replies) and any messages you send us.
3. Legal Basis for Processing (GDPR Art. 6)
We process your data on the following legal grounds:
- Performance of a contract (Art. 6(1)(b)): to provide the monitoring service you subscribed to.
- Legitimate interests (Art. 6(1)(f)): to improve our service, prevent fraud, and ensure security.
- Legal obligation (Art. 6(1)(c)): to comply with financial and tax regulations (e.g. issuing receipts).
- Consent (Art. 6(1)(a)): for optional marketing communications, which you may withdraw at any time.
4. How We Use Your Data
- To create and manage your account.
- To run the seller monitoring service and deliver new-product alerts.
- To process payments and manage your subscription.
- To send transactional emails (alerts, receipts, password resets).
- To respond to support requests.
- To detect and prevent fraudulent or abusive activity.
- To comply with legal obligations.
5. Data Sharing & Third Parties
We do not sell your personal data. We share data only with the following sub-processors, strictly to operate the service:
- Supabase — database and authentication (EU data residency available).
- Stripe — payment processing. Subject to Stripe's own Privacy Policy.
- Resend — transactional email delivery.
- Vercel — cloud hosting and infrastructure.
All sub-processors are contractually bound to process your data only on our instructions and in accordance with GDPR.
6. International Data Transfers
Some of our sub-processors may store or process data outside the European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, to protect your data to an equivalent standard.
7. Data Retention
- Account data: retained for as long as your account is active, and for up to 30 days after deletion.
- Billing records: retained for 7 years to comply with tax and accounting obligations.
- Product & monitoring data: retained while your account is active. Deleted within 30 days of account closure.
- Technical/log data: retained for up to 90 days for security and debugging purposes.
8. Your Rights Under GDPR
If you are located in the EEA, you have the following rights:
- Right of access (Art. 15): request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17): request deletion of your data ("right to be forgotten").
- Right to restrict processing (Art. 18): request that we limit how we use your data.
- Right to data portability (Art. 20): receive your data in a structured, machine-readable format.
- Right to object (Art. 21): object to processing based on legitimate interests or for direct marketing.
- Right to withdraw consent: where processing is based on consent, withdraw it at any time without affecting prior processing.
To exercise any of these rights, contact us at privacy@profaro.co. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.
9. Cookies
We use the following types of cookies:
- Strictly necessary: session cookies required for authentication and security. These cannot be disabled.
- Preference cookies: to remember your language preference.
We do not use advertising or tracking cookies. You can control cookies through your browser settings.
10. Data Security
We implement technical and organisational measures to protect your data, including encryption in transit (TLS), row-level security on our database, and access controls. No method of transmission over the internet is 100% secure; we cannot guarantee absolute security, but we strive to use industry-standard protections.
11. Children's Privacy
Our service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us immediately.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or via a notice in the app. Continued use of the service after the effective date constitutes acceptance of the updated policy.
13. Contact
For any questions or to exercise your rights, contact us at: privacy@profaro.co.