VowRadar

Privacy Policy

Last updated: May 4, 2026

1. Data We Collect

We collect the following categories of personal information:

  • Account Data: Name, email address, and hashed password when you register with email; or your Google profile name and email when you use "Sign in with Google."
  • Payment Data: Billing information processed by Stripe. We do not store your full credit card number; Stripe handles all payment card data in compliance with PCI-DSS.
  • Etsy Data: When you connect your Etsy shop, we access your shop profile, listings, orders, reviews, and traffic data through the Etsy API with your explicit OAuth authorization. We only access data you have authorized and only for the purpose of providing the Service.
  • Usage Data: Pages visited, features used, and interaction patterns within the Service. We collect this to improve the Service and detect abuse.
  • Technical Data: IP address, browser type, device type, and operating system. This data is collected automatically when you use the Service.

2. How We Use Your Data

We use your data for the following purposes:

  • To provide, maintain, and improve the Service, including generating listing scores, revenue leak analysis, keyword suggestions, bundle ideas, seasonal recommendations, and cached dashboard reports
  • To process payments and manage your subscription access
  • To send you service-related communications (e.g., purchase confirmations, security alerts)
  • To respond to your support requests and inquiries
  • To detect, prevent, and address fraud, abuse, and security issues
  • To comply with legal obligations

We do not sell, rent, or share your personal data with third parties for their marketing purposes. We do not use your Etsy data for purposes other than providing the Service to you.

3. Third-Party Services

We use the following third-party services that may process your personal data:

  • Google (Sign in with Google): When you use Google Sign-In, Google shares your basic profile information (name and email) with us. This data transfer is governed by Google's Privacy Policy. You may revoke VowRadar's access to your Google account at any time through your Google security settings.
  • Etsy (Etsy Open API): The term 'Etsy' is a trademark of Etsy, Inc. This application uses the Etsy API but is not endorsed or certified by Etsy, Inc. We access your Etsy data through the Etsy API with your explicit OAuth authorization, in compliance with Etsy's API Terms of Use. Etsy OAuth tokens are encrypted at rest.
  • Stripe (Payment Processing): Stripe processes your payment information in compliance with PCI-DSS. We only store a reference to your Stripe customer ID; we do not store your credit card details.
  • Cloudflare (Infrastructure and Zaraz): Cloudflare provides our CDN, DNS, server infrastructure, and privacy-focused tag management through Cloudflare Zaraz. Cloudflare may process IP addresses, HTTP request data, and analytics events for security, performance, and measurement purposes.
  • Google Analytics: We use Google Analytics 4 to understand aggregate site usage, page performance, and feature engagement. Google Analytics helps us improve the Service and is not used by us to sell personal data or run cross-site advertising.
  • Resend (Email Delivery): We use Resend to send transactional emails (purchase confirmations, abandoned cart reminders). Resend processes your email address for delivery purposes only.

Each third-party service operates under its own privacy policy. We encourage you to review their policies.

4. Data Sharing

We may share your data only in the following circumstances:

  • Service Providers: With third-party service providers who perform services on our behalf (as described in Section 3 above), subject to confidentiality obligations
  • Legal Requirements: If required by law, legal process, or governmental request, we may disclose your data
  • Safety: To protect the rights, property, or safety of VowRadar, our users, or the public
  • Business Transfers: In connection with a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity, subject to this Privacy Policy

We do not sell your personal data to advertisers or data brokers.

5. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Cached Etsy data is refreshed on a regular sync schedule and older snapshots are pruned after 90 days. Payment records are retained for 7 years as required by financial regulations. Upon account deletion, we will remove your personal data within 30 days, except where retention is required by law (e.g., financial records, audit logs).

6. Data Security

We implement industry-standard security measures to protect your data:

  • All data in transit is encrypted using TLS 1.2+
  • Etsy OAuth tokens are encrypted at rest using AES-256
  • Passwords are hashed using PBKDF2 with SHA-256 (100,000 iterations)
  • Session tokens are hashed and stored securely
  • Secrets and API keys are stored in Cloudflare Worker encrypted environment variables
  • Access to production systems is restricted and logged

While we strive to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

7. Cookies & Tracking

We use the following types of cookies:

  • Essential Cookies: A session cookie ("vowradar_session") to maintain your logged-in state. This cookie is HttpOnly, Secure, and SameSite=Lax.
  • OAuth State Cookies: Short-lived cookies (10 minutes) used during the Etsy and Google OAuth flows to prevent CSRF attacks. These are deleted after the OAuth flow completes.
  • Analytics Signals: We use Cloudflare Zaraz and Google Analytics 4 to collect aggregate pageview, device, browser, referrer, and interaction data so we can improve the Service and troubleshoot performance.

We do not sell your personal data or use analytics to run cross-site advertising. We do not use Facebook Pixel or similar advertising pixels.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: You can request a copy of the personal data we hold about you
  • Correction: You can request correction of inaccurate personal data
  • Deletion: You can request deletion of your personal data (subject to legal retention requirements)
  • Portability: You can request your data in a structured, commonly used format
  • Objection: You can object to processing of your data for certain purposes
  • Restriction: You can request restriction of processing in certain circumstances

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days.

9. GDPR (European Economic Area)

If you are a resident of the European Economic Area (EEA), United Kingdom, or Switzerland, you have the rights described in Section 8 under the General Data Protection Regulation (GDPR). Our legal basis for processing your data includes: (a) performance of a contract (providing the Service you signed up for); (b) consent (where you have provided it, such as connecting your Etsy shop); (c) legitimate interests (improving the Service, security, and fraud prevention); and (d) legal obligations. You have the right to lodge a complaint with your local supervisory authority if you believe our processing of your data violates the GDPR.

10. CCPA (California Residents)

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you additional rights. You have the right to know what personal information we collect, the right to request deletion of your personal information, the right to opt out of the sale of your personal information (we do not sell your personal information), and the right to non-discrimination for exercising your rights. To submit a verifiable consumer request, please contact us at [email protected].

11. Data Transfers

The Service is hosted on Cloudflare's global infrastructure, which may process data in the United States and other countries. If you are accessing the Service from the EEA, UK, or Switzerland, your data may be transferred to the United States. We rely on Standard Contractual Clauses (SCCs) and other appropriate safeguards to ensure your data is protected in accordance with applicable data protection laws.

12. Children's Privacy

The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly.

13. Deletion

Users can request account deletion and data deletion from their account settings or by contacting us at [email protected]. Upon request, we will delete your personal data within 30 days. Audit logs may be retained where legally or operationally required. When your account is deleted, your Etsy OAuth connection is revoked and we cease all API access to your Etsy data.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this page with a new "Last updated" date at least 30 days before the changes take effect. Your continued use of the Service after the changes become effective constitutes your acceptance of the revised Privacy Policy.

15. Contact

If you have any questions about this Privacy Policy, or wish to exercise your data rights, please contact us at [email protected].