Privacy Policy

At Fytch ("we," "us," or "our"), we take your privacy seriously. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our platform and services. By using Fytch, you consent to the practices described in this policy.

1. Information We Collect

Account Information

When you create an account, we collect:

• Name (first and last)
• Email address
• Password (stored securely via Supabase Auth -- we never store plaintext passwords)
• Google account information (if you sign up via Google OAuth)

Shopify Store Data

When you connect your Shopify store, we access and store:

• Store name and domain
• Shopify API access tokens (encrypted with AES-256-GCM)
• Product data (titles, descriptions, prices, inventory levels, images, SKUs)
• Order data (order details, line items, customer shipping addresses)

Supplier Connection Data

When you configure supplier connections, we collect:

• Supplier names and contact information
• FTP/SFTP credentials (encrypted with AES-256-GCM before storage)
• API credentials (encrypted with AES-256-GCM before storage)
• File mapping and sync configuration preferences

Usage Data

We automatically collect:

• Sync history and logs (timestamps, success/failure status, records processed)
• Feature usage patterns
• Browser type and device information
• IP address

2. How We Use Your Information

We use your information to:

• Provide, operate, and maintain the Fytch platform
• Synchronize product, inventory, and order data between your suppliers and Shopify store
• Authenticate your identity and secure your account
• Send transactional emails (verification, password resets, sync notifications)
• Improve and optimize the Service based on usage patterns
• Provide customer support and respond to inquiries
• Generate AI-powered product descriptions (when you opt in to this feature)
• Comply with legal obligations

3. Data Storage and Security

We take data security seriously and implement multiple layers of protection:

• Database: Your data is stored in a PostgreSQL database hosted on Supabase with row-level security policies and encrypted connections
• Credential Encryption: All sensitive credentials (FTP/SFTP passwords, API keys, Shopify tokens) are encrypted using AES-256-GCM before storage
• Authentication: User authentication is handled by Supabase Auth with bcrypt password hashing and secure session management
• Transport: All data in transit is encrypted via HTTPS/TLS
• Access Control: Multi-tenant architecture ensures users can only access their own data

4. Third-Party Services

We use the following third-party services to operate the platform:

• Supabase: Database hosting and user authentication. See Supabase Privacy Policy
• Shopify: E-commerce platform integration via their Admin API. See Shopify Privacy Policy
• Google: OAuth authentication and the Gemini API for optional AI-generated product descriptions. See Google Privacy Policy
• Railway: Application hosting infrastructure. See Railway Privacy Policy

We do not sell your personal data to any third parties. Data is only shared with third-party services as necessary to operate the platform.

5. Cookies and Tracking

We use essential cookies for authentication and session management. These cookies are necessary for the Service to function and cannot be disabled. We do not use third-party advertising or tracking cookies. Session tokens are stored securely and expire after a reasonable period of inactivity.

6. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Sync logs and history are retained to help you audit and troubleshoot your workflows. If you delete your account, we will remove your personal data within 30 days, except where retention is required by law or for legitimate business purposes (such as fraud prevention or resolving disputes).

7. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access: Request a copy of the personal data we hold about you
• Correction: Request correction of inaccurate or incomplete data
• Deletion: Request deletion of your personal data
• Portability: Request your data in a portable, machine-readable format
• Objection: Object to certain processing of your personal data
• Withdrawal of Consent: Withdraw consent where processing is based on consent

To exercise any of these rights, please contact us at hello@fytch.app. We will respond to your request within 30 days.

8. International Data Transfers

Your data may be processed and stored in countries outside your country of residence, including the United States, where our hosting infrastructure is located. By using the Service, you consent to such transfers. We ensure appropriate safeguards are in place to protect your data in accordance with this Privacy Policy.

9. Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. We will notify you of any material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the Service after such changes constitutes your acceptance of the updated policy.