OpSyncPro

Privacy Policy

Last Updated: April 27, 2026  ·  Effective Date: April 27, 2026

This Privacy Policy describes how SE Solutions LLC, doing business as OpSyncPro, a Wisconsin limited liability company ("OpSyncPro," "we," "us," or "our"), collects, uses, discloses, retains, and protects information in connection with the OpSyncPro websites, web applications, mobile applications, browser extensions, application programming interfaces, and related services (collectively, the "Services").

By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy. Capitalized terms not defined here have the meanings given in our Terms of Service.

1. Introduction and Effective Date

This Privacy Policy is effective as of April 27, 2026 and supersedes all prior versions. We may revise this Privacy Policy from time to time as described in Section 16 (Changes to This Policy).

The data controller for purposes of the EU General Data Protection Regulation ("GDPR") and the United Kingdom General Data Protection Regulation ("UK GDPR") is SE Solutions LLC d/b/a OpSyncPro, with a mailing address of 2130 N 89th Street, Milwaukee, WI 53226, United States.

2. Definitions

  • Personal Data means any information relating to an identified or identifiable natural person.
  • User means any person who accesses or uses the Services, including account holders and authorized users acting on behalf of an account holder.
  • Services has the meaning given above and includes all features, integrations, and APIs we operate.
  • Third-Party Platforms means external systems that you authorize OpSyncPro to access on your behalf, including but not limited to Amazon, Google, Meta, TikTok, eBay, Stripe, AfterShip, Keepa, and ManyChat.
  • Platform Data means data that we retrieve from a Third-Party Platform on your behalf or that is generated through your use of the Services.
  • Sub-processor means a third-party vendor we engage to process Personal Data in connection with the operation of the Services.

3. Information We Collect

3.1 Account Information

When you register for an account, we collect your email address, a salted hash of your password (we never store your password in plaintext), and your display name. If you sign up through a third-party identity provider, we receive the basic identity claims that provider exposes (typically email and a stable user identifier).

3.2 Usage and Log Data

When you use the Services, our infrastructure automatically records technical information including your Internet Protocol (IP) address, browser user-agent string, device characteristics, request paths, response status codes, request and response timestamps, and feature interaction events. We use this data to operate, secure, and improve the Services.

3.3 Cookies and Similar Technologies

We use only essential, first-party session cookies required to keep you signed in and to maintain session integrity. We do not set advertising cookies, cross-site tracking cookies, or third-party marketing pixels. If we ever introduce non-essential cookies in the future, we will update this Privacy Policy and present a consent control before any such cookie is set.

4. Third-Party Platform Data

When you connect a Third-Party Platform to the Services, you authorize OpSyncPro to access, retrieve, store, and process Platform Data on your behalf. The integrations below describe what data we access, why, the scopes or roles requested, retention, deletion path, and encryption notes for each platform.

4.1 YouTube (YouTube Data API v3)

When you connect YouTube, we use the YouTube Data API v3 to upload videos, manage video metadata, and read public statistics for content you own. We request OAuth scopes limited to youtube.upload and youtube.readonly. Refresh tokens are stored encrypted at rest. By using the YouTube features of the Services, you also agree to be bound by the YouTube Terms of Service.

Retention: OAuth tokens are retained until you disconnect the integration. Video metadata cached by us is retained for the life of the account or until deletion is requested.

Deletion path: You can disconnect YouTube at any time in Settings → Integrations. You may also revoke OpSyncPro from your Google Account permissions page.

4.2 Google Gmail (Read-Only)

When you connect Gmail, we request the gmail.readonly scope to read messages from your inbox solely for the purpose of extracting order, receipt, and shipment information from supported retailers. We do not send email on your behalf, do not modify your inbox, and do not access messages outside of supported sender patterns.

Limited Use Disclosure

OpSyncPro's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Retention: Extracted order and receipt records are retained for the life of the account. Raw message bodies are processed in memory and are not persisted.

Deletion path: Disconnect Gmail in Settings → Integrations and revoke at the Google Account permissions page.

4.3 Instagram (via Facebook Login)

For Instagram Business and Creator accounts linked to a Facebook Page, we use Facebook Login with the scopes instagram_basic, instagram_content_publish, instagram_manage_comments, instagram_manage_messages, pages_show_list, pages_read_engagement, and business_management. We use these to publish content you author, retrieve insights for your own posts, and relay direct messages on your behalf.

Retention: Access tokens are encrypted at rest and retained until you disconnect. Direct message bodies are retained for 90 days then auto-purged. Comment threads are retained for the life of the account.

Deletion path: Disconnect in Settings → Integrations, or remove the OpSyncPro app from your Facebook Business Integrations. Removing the app sends us a deletion signal that we honor automatically.

4.4 Instagram Direct (Business Login for Instagram)

For Instagram accounts that authorize directly through Instagram Business Login (without a Facebook Page), we request the scopes instagram_business_basic, instagram_business_content_publish, instagram_business_manage_comments, and instagram_business_manage_messages. Functionality and retention mirror Section 4.3.

Deletion path: Disconnect in Settings → Integrations or remove OpSyncPro from your Instagram authorized apps.

4.5 Facebook Pages

When you connect a Facebook Page, we request pages_show_list, pages_read_engagement, pages_manage_posts, pages_manage_engagement, and pages_messaging. We use these scopes to publish posts, read engagement metrics, and relay Page messages on your behalf. Page access tokens are encrypted at rest.

Retention & deletion: Same as Section 4.3.

4.6 Threads

For Threads, we request the scopes threads_basic and threads_content_publish. We use these to publish text and media posts that you author within the Services.

Deletion path: Disconnect in Settings → Integrations.

4.7 TikTok

For TikTok, we use the TikTok Content Posting API and request the scopes user.info.basic, video.publish, and video.upload. We use these to publish videos that you author within the Services. Refresh tokens are encrypted at rest.

Deletion path: Disconnect in Settings → Integrations or revoke OpSyncPro from your TikTok account’s connected apps list.

4.8 Amazon Selling Partner API (SP-API)

When you connect your Amazon Seller Central account, we request access via Amazon’s Selling Partner API to retrieve order, inventory, listing, financial, and reporting data for your own seller account. We may also retrieve buyer-facing order information that contains personally identifiable information about Amazon buyers ("Buyer PII") solely for the purpose of operating shipment, customer-service, and tax-related features that you have enabled.

Buyer PII isolation and retention: Buyer PII is stored in dedicated, access-restricted tables, encrypted at rest, and is automatically purged within thirty (30) calendar days of receipt unless a longer retention period is required to fulfill an active customer-service obligation. Buyer PII is never used for any purpose other than fulfilling the order or transaction it relates to, and is never shared with any party other than Amazon (where applicable) and the sub-processors listed in Section 6.1.

Deletion path: Disconnect in Settings → Integrations. You may also revoke OpSyncPro’s authorization in Amazon Seller Central under Apps & Services.

4.9 Amazon Ads

When you connect Amazon Ads, we request OAuth scopes advertising::campaign_management and advertising::reporting. We use these to retrieve PPC performance metrics, campaign metadata, and to surface optimization suggestions within the Services. We do not modify campaigns without your explicit instruction.

Deletion path: Disconnect in Settings → Integrations.

4.10 eBay

When you connect eBay, we use the eBay Trading, Inventory, and Finding APIs with the OAuth scopes required to read your listings, post and revise listings, and read messages. We use these to power listing management, repricing, and inventory synchronization features.

Retention: Listings, message threads, and order data are retained for the life of the account. OAuth tokens are encrypted at rest.

Deletion path: Disconnect in Settings → Integrations or revoke OpSyncPro from your eBay account’s authorized applications.

4.11 Stripe

We use Stripe, Inc. ("Stripe") to process subscription payments. When you provide a payment method, your payment card primary account number ("PAN"), card verification value ("CVV"), and full track data are submitted directly from your browser to Stripe and never traverse our servers. We receive only payment metadata (e.g., the last four digits of the card, brand, expiration month and year, billing ZIP, customer ID, payment intent ID, and outcome). This keeps OpSyncPro out of PCI DSS cardholder-data scope.

Deletion path: Cancel your subscription via Settings or by emailing support@opsyncpro.io. Stripe’s retention of payment records is governed by Stripe’s own privacy policy.

4.12 AfterShip

We use AfterShip to receive carrier shipment-tracking events for orders that you have ingested into the Services. AfterShip receives only the tracking number and carrier identifier and returns shipment-status events. No customer name, address, or contact information is sent to AfterShip.

Retention: Tracking events are retained for the life of the parent order record.

4.13 ManyChat

If you connect a ManyChat workspace, we exchange a per-workspace API key with ManyChat to relay direct-message conversations and to send affiliate links to subscribers who opt in. We receive ManyChat subscriber identifiers, message content for active conversations, and webhook events. We do not retrieve subscriber lists or marketing audiences from ManyChat. Per-workspace API keys are encrypted at rest.

Deletion path: Remove the API key in Settings → Integrations or rotate it within your ManyChat workspace.

5. How We Use Your Information

We use the information described above for the following purposes:

  • Operating the Services — authenticating you, executing the actions you instruct (publishing posts, repricing listings, importing orders), and serving you a working application.
  • AI-driven features — we use third-party large-language-model providers (Anthropic and, on legacy code paths, OpenAI) to extract structured data from receipts and emails, to enrich product catalogs, and to generate operational recommendations. We submit only the minimum content needed to fulfill the request, and we do not authorize these providers to use your content to train their public models.
  • Analytics and product improvement — aggregated, de-identified analysis of feature usage, error rates, and performance.
  • Security and abuse prevention — detecting unauthorized access, abuse, fraud, and violations of our Terms of Service.
  • Transactional communications — sending account, billing, security, and service-status emails. We do not send marketing email without your prior opt-in.
  • Compliance — meeting legal, regulatory, tax, and accounting obligations.

6. How We Share Your Information

6.1 Sub-processors

We engage the following sub-processors to operate the Services. Each is bound by a written data processing agreement ("DPA") that requires confidentiality, security, and use limited to providing services to OpSyncPro:

| Vendor | Purpose | Location | DPA |
| --- | --- | --- | --- |
| Supabase | Database, authentication, object storage | United States (AWS us-east-1) | DPA |
| Stripe | Subscription payments | United States | DPA |
| Cloudflare | DNS, CDN, marketing pages | Global edge network | DPA |
| Netlify | Frontend hosting, serverless functions | United States (AWS) | DPA |
| Railway | Microservice hosting | United States (GCP us-east4) | DPA |
| Better Stack | Application logs and uptime monitoring | European Union | DPA |
| Discord | Internal error-alert webhooks (no Personal Data) | United States | Policy |
| Resend | Transactional email delivery | United States | DPA |
| Anthropic | AI inference | United States | DPA |
| OpenAI | AI inference (legacy code paths) | United States | DPA |
| Keepa | Amazon market data | Germany (European Union) | Terms |
| AfterShip | Carrier shipment-tracking webhooks | United States | DPA |

We will update this list when we add or remove sub-processors and will provide reasonable notice of material changes through this Privacy Policy.

6.2 No Sale of Personal Data; No Advertising Third Parties

We do not sell, rent, license, or trade your Personal Data. We do not share Personal Data with advertising networks, data brokers, audience exchanges, or behavioral-advertising vendors. We do not use Platform Data to build advertising profiles.

6.3 Legal Disclosures

We may disclose information when we have a good-faith belief that disclosure is necessary to (i) comply with a subpoena, court order, or other valid legal process; (ii) enforce our Terms of Service or investigate suspected fraud or abuse; (iii) protect the rights, property, or safety of OpSyncPro, our users, or the public; or (iv) facilitate a corporate transaction such as a merger, acquisition, financing, or sale of assets, in which case we will require the recipient to honor commitments made in this Privacy Policy.

7. Data Retention

We retain different categories of data for different periods, summarized below:

| Category | Retention |
| --- | --- |
| Account profile and authentication records | For the life of the account, then deleted within 30 days of account deletion |
| OAuth and integration tokens | Until you disconnect the integration or delete the account |
| Direct messages relayed through Inbox features | 90 days, then auto-purged |
| Amazon SP-API Buyer PII | 30 days maximum |
| Payment, billing, and tax records | 7 years (United States Internal Revenue Service retention) |
| Application audit logs | 7 years |
| Encrypted database backups | Rolling 30 days, then permanently purged |
| Aggregated, de-identified analytics | No fixed retention; contains no Personal Data |

Where applicable law requires a longer retention period, or where data is subject to a legal hold (e.g., active litigation), we will retain the affected data for the period required and no longer.

8. Encryption and Security

We implement administrative, technical, and physical safeguards designed to protect your information:

  • Encryption at rest. Application databases run on Supabase with AES-256 disk-level encryption. OAuth refresh tokens are additionally encrypted at the application layer with AES-256-GCM using a server-side key (SOCIAL_TOKEN_ENCRYPTION_KEY). Inbox direct-message bodies are encrypted at the application layer with AES-256-GCM using a separate server-side key (SOCIAL_MESSAGE_ENCRYPTION_KEY). Encryption keys are managed in our hosting providers’ environment-variable systems and are rotated when personnel access changes.
  • Encryption in transit. All public endpoints require Transport Layer Security (TLS) 1.2 or higher. Internal service-to-service calls run over Railway private networking where supported.
  • Access controls. Tenant data is isolated in PostgreSQL using Supabase Row-Level Security policies that constrain every read and write to the authenticated user. Administrative access requires two-factor authentication.
  • Vulnerability management. Dependencies are scanned and updated regularly. Application errors are routed to a private error channel for triage.

No method of electronic transmission or storage is one hundred percent secure. While we use commercially reasonable measures to protect your information, we cannot guarantee absolute security.

9. Your Rights and Choices

  • Access. You may request a copy of the Personal Data we hold about you by emailing privacy@opsyncpro.io. A self-service Data Subject Access Request (DSAR) endpoint is on our roadmap.
  • Deletion. You may delete your account and associated Personal Data at any time. See /data-deletion for the in-app, email, and Meta-callback deletion paths.
  • Portability. You may request a structured, machine-readable export of your account data (JSON) by emailing privacy@opsyncpro.io.
  • Correction. You may correct inaccurate Personal Data through Settings or by emailing privacy@opsyncpro.io.
  • Disconnect a Third-Party Platform. You may disconnect any integration at any time in Settings → Integrations. Disconnecting revokes the OAuth grant and deletes the stored tokens on our side.
  • Opt-out of marketing. We do not send marketing email by default. If we ever introduce optional marketing communications, every such message will include an unsubscribe link.

10. Data Deletion

For full instructions on deleting your account and associated data — including the in-app self-service flow, email request path, Meta data-deletion callback, timeline commitments, and what we retain after deletion — see our Data Deletion page.

11. Children’s Privacy

The Services are intended for users who are at least eighteen (18) years of age and are not directed to children under thirteen (13). We do not knowingly collect Personal Data from children under thirteen. If we learn that we have collected Personal Data from a child under thirteen, we will delete that information promptly. If you believe a child has provided us with Personal Data, please contact privacy@opsyncpro.io.

12. International Data Transfers

OpSyncPro is operated from the United States, and the Services and most sub-processors are hosted in the United States. If you are located outside the United States, your information will be transferred to, stored in, and processed in the United States, where data-protection laws may differ from those of your jurisdiction.

For transfers of Personal Data of users in the European Economic Area, the United Kingdom, or Switzerland, we rely on the European Commission’s Standard Contractual Clauses ("SCCs") and equivalent UK and Swiss safeguards as the lawful transfer mechanism, supplemented by the technical and organizational measures described in Section 8.

13. California Privacy Rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, the "CCPA"), gives you the following rights:

  • Right to know what categories of Personal Data we collect, the sources, the purposes, and to whom we disclose it.
  • Right to delete Personal Data we have collected from you, subject to enumerated exceptions.
  • Right to correct inaccurate Personal Data.
  • Right to opt out of sale or sharing of Personal Data. We do not sell or share Personal Data as those terms are defined under the CCPA.
  • Right to limit use of sensitive Personal Data. We do not use sensitive Personal Data for purposes beyond those permitted without an opt-in.
  • Right to non-discrimination for exercising any of the foregoing rights.

To exercise any of these rights, email privacy@opsyncpro.io with the subject line "California Privacy Request." We will verify your identity using account credentials before responding. We will respond within forty-five (45) calendar days, with one extension of up to forty-five (45) additional days where reasonably necessary.

14. EU and UK Privacy Rights (GDPR / UK GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights with respect to your Personal Data:

  • Access a copy of the Personal Data we hold about you.
  • Rectify inaccurate or incomplete Personal Data.
  • Erase ("right to be forgotten") your Personal Data, subject to enumerated exceptions.
  • Restrict processing while a dispute or correction request is being resolved.
  • Port your Personal Data to another controller in a structured, commonly-used, machine-readable format.
  • Object to processing based on legitimate interests.
  • Withdraw consent at any time, where processing is based on consent.
  • Lodge a complaint with a supervisory authority in the country of your habitual residence, place of work, or place of the alleged infringement.

Our lawful bases for processing under GDPR Article 6 are: (i) contract — processing necessary to deliver the Services you request; (ii) legitimate interest — security, fraud prevention, error monitoring, and product improvement; (iii) consent — AI-driven features applied to your content and any future optional marketing communications; and (iv) legal obligation — tax, accounting, and audit requirements.

To exercise any of these rights, email privacy@opsyncpro.io. We will respond without undue delay and within thirty (30) calendar days.

15. Breach Notification

We maintain a security incident response process. In the event we confirm a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify affected users without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the breach, consistent with the standard set forth in Article 33 of the GDPR. Notifications will describe the nature of the breach, the categories and approximate number of affected records, the likely consequences, and the measures we are taking in response.

16. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes — meaning changes that expand the categories of Personal Data we collect, the purposes of processing, or the recipients of disclosure — we will provide at least thirty (30) calendar days’ advance notice by email and through an in-app notice before the change takes effect. The "Last Updated" date at the top of this Privacy Policy reflects the most recent revision.

17. Contact Information

For privacy questions, Data Subject Access Requests, deletion requests, or to exercise any right described in this Privacy Policy, please contact us at:

SE Solutions LLC d/b/a OpSyncPro

2130 N 89th Street

Milwaukee, WI 53226

United States

Privacy: privacy@opsyncpro.io

Legal: legal@opsyncpro.io

Support: support@opsyncpro.io

© 2026 OpSyncPro · SE Solutions LLC. All rights reserved.