Privacy Policy

Privacy Policy

Last updated: 13 April 2026

At a glance: We only store the minimum data required to operate the service: email, password hash, and Stripe customer ID. We support Google OAuth login and two-factor authentication (2FA/TOTP). Third-party analytics cookies (Google Analytics, Microsoft Clarity) are loaded only after you accept the cookie consent banner; Ahrefs Analytics is a cookieless script that runs on all visits. IP addresses are recorded on security-sensitive endpoints (signup, login, password reset, affiliate applications) for abuse prevention; we do not use them for tracking or advertising. Payments and invoicing are handled by Stripe. Email communications are sent via Resend. Data is stored in the European Union unless otherwise stated.

1. Data Controller

The data controller for your personal data is:

For any questions regarding the processing of personal data or to exercise your rights, you can contact us at the email address above.

2. Data We Collect

2.1 Required Data

  • Email address: used to create your account, communicate with you, and send important service-related notifications.
  • Password hash: we only store an encrypted version of your password for authentication. We do not have access to your password in plain text.
  • Stripe customer ID: identifier used to link your account to Stripe payment services for subscription and billing management.

2.2 Optional Data

  • Display name: used exclusively for user interface personalization. You can remove it at any time from your profile.

2.3 Authentication Data

  • TOTP secret (2FA): if you enable two-factor authentication, we securely store the TOTP secret needed to generate verification codes. You can disable 2FA at any time from your profile.
  • Google OAuth data: if you sign in via Google, we receive your name, email, and profile picture from your Google account. We do not store your Google password.

2.4 Billing Data

We do not collect or store credit card details or complete billing information locally. All payment data is handled by Stripe, which collects and stores billing and invoice data on our behalf in compliance with PCI DSS.

2.5 Usage Data

We collect minimal information about service usage to ensure operation and security:

  • Account creation timestamp
  • Last login timestamp
  • Authentication and security logs (retained for 30 days)

Important note on IP addresses and analytics:

  • IP addresses are recorded on security-sensitive endpoints (signup, login, password reset, affiliate applications) for abuse prevention and rate limiting; we also store the IP that was used at account registration for fraud detection.
  • We log basic server-side page views (path + IP + User-Agent) for traffic analytics, kept for 90 days.
  • Google Analytics and Microsoft Clarity are loaded only after you accept cookies in our consent banner; they may set their own cookies and process your IP address according to their own policies.
  • Ahrefs Analytics is a cookieless SEO/site-audit analytics script that loads on all visits and forwards your IP to Ahrefs for traffic measurement.
  • None of this data is used for tracking, profiling, or advertising on our side.

2.6 User-Generated Content

  • Testimonials: if you submit a testimonial, we store the text, uploaded photo (optional), and your GDPR consent. Approved testimonials may be displayed publicly on our website.
  • Cancellation feedback: if you cancel your subscription, we collect the reason for cancellation to improve the service.
  • Brand reports: if you report a brand with intellectual property issues, we store the report and any attachments (screenshots/PDF).
  • Referral code: if you participate in the referral program, we store your referral code and referral relationships.

2.7 Affiliate Applications (no account required)

If you submit a public affiliate application via /affiliate, we collect: email address, name, the promotion channels you select, your audience-size bracket, the strategy text you write, your IP address and User-Agent at the time of submission. We use this data only to (a) review and respond to your application, (b) prevent abuse, and (c) onboard you into the affiliate program if approved. Legal basis: Art. 6(1)(b) GDPR (steps prior to a contract at your request) plus Art. 6(1)(f) (legitimate interest in fraud prevention). Retention: approved applications are kept for the lifetime of the affiliate account; rejected or unanswered applications are kept for review purposes and can be deleted at any time on request by emailing contact@profit-scanner.com.

3. How We Use Your Data and Legal Basis

We process your personal data for the following purposes and on the following legal bases:

3.1 Account Management

  • Purpose: Create and manage your account, authenticate you, and provide access to the service.
  • Legal basis: Performance of a contract (Art. 6(1)(b) GDPR) - necessary to provide the requested service.
  • Data used: Email, password hash, display name (optional).

3.2 Billing and Payments

  • Purpose: Manage subscriptions, process payments, and provide access to features of the selected plan.
  • Legal basis: Performance of a contract (Art. 6(1)(b) GDPR) - necessary to fulfill contractual obligations.
  • Data used: Stripe customer ID, subscription information.
  • Third parties involved: Stripe (PCI DSS compliant payment processor).

3.3 Service Communications

  • Purpose: Send account confirmation emails, password resets, subscription notifications, and other essential communications for service operation.
  • Legal basis: Performance of a contract (Art. 6(1)(b) GDPR) - necessary to provide the service.
  • Data used: Email address.

3.4 Security and Troubleshooting

  • Purpose: Protect the service from unauthorized access, detect and prevent fraud, resolve technical issues.
  • Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) - protection of service security and integrity.
  • Data used: Authentication logs, login timestamps, minimal security information.

3.5 Legal Compliance

  • Purpose: Fulfill legal obligations, including those related to retention of accounting and tax records.
  • Legal basis: Legal obligation (Art. 6(1)(c) GDPR).
  • Data used: Billing and subscription data (handled by Stripe).

3.6 Service Update Emails (Default On, Unsubscribe Anytime)

  • Purpose: Keep you informed about important changes to the Profit Scanner service — new features, fixes, known issues, planned maintenance and other product news that affects how you use the platform.
  • Default state: New accounts are subscribed to these update emails by default. You can turn them off at any time, with one click.
  • Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) — informing existing users about changes to a paid SaaS tool they actively use. The content is product/service-related and not third-party promotional marketing. You always have the right to object and unsubscribe.
  • Data used: Email address, IP address and browser user-agent at the moment your account is created (audit of when the subscription started), accepted privacy policy version, subscription/unsubscribe timestamps.
  • Email engagement metrics: For every email sent we record events returned by our email provider — sent, delivered, opened, link clicked, bounced, marked as spam — so we can measure reach and remove inactive recipients.
  • Frequency cap: Maximum 2 emails per 24-hour rolling window per user.
  • Unsubscribe: Every email has a one-click unsubscribe link (RFC 8058 List-Unsubscribe-Post). You can also turn the toggle off from your in-app Newsletter page at any moment. Hard bounces and spam complaints unsubscribe you automatically.
  • Retention: Send-event records are kept for up to 1 year for analytics, then deleted automatically. Unsubscribe state is kept indefinitely so we never re-contact you.

4. Cookies and Similar Technologies

We use essential cookies required for the service to function (session cookies). We do not install non-essential analytics or marketing cookies by default.

For detailed information about cookies used, please see our Cookie Policy.

5. Data Sharing with Third Parties

We share your personal data only with the following third parties, and only to the extent necessary to provide the service:

5.1 Stripe

  • Purpose: Payment processing and subscription management.
  • Data shared: Stripe customer ID, subscription information.
  • Legal basis: Performance of a contract.
  • Privacy Policy: https://stripe.com/privacy

5.2 Hosting Providers

Our servers are hosted in the European Union. Data is stored in compliance with EU security standards.

5.3 Resend (Email Communications)

  • Purpose: Sending transactional emails (account confirmation, password reset, subscription notifications, onboarding emails) and the service update emails described in section 3.6.
  • Data shared: Email address, name, message content, opt-in/opt-out events, and email engagement metadata (sent / delivered / opened / clicks / bounces / spam complaints) returned by Resend webhooks.
  • Legal basis: Performance of a contract for transactional emails; legitimate interest (Art. 6(1)(f) GDPR) for service update emails. Right to object via one-click unsubscribe in every message.
  • Data Location: Resend processes email delivery in their infrastructure; their privacy policy describes the safeguards.
  • Privacy Policy: https://resend.com/legal/privacy-policy

5.4 Market Data Providers

  • Purpose: Retrieval of aggregated Amazon product data (prices, rankings, fees) for profitability analysis.
  • Data shared: No personal data — only product identifiers (EAN/ASIN).
  • Legal basis: Legitimate interest (service provision).

5.5 Amazon SP-API (Amazon Seller Data)

  • Purpose: Access to Amazon seller data for advanced profitability analysis and inventory management.
  • Data shared: Amazon authorization tokens, seller data as required by the integration.
  • Legal basis: Explicit consent and performance of a contract.
  • Privacy Policy: Amazon Privacy Notice

5.6 Google (OAuth Authentication)

  • Purpose: Sign-in via Google account (Single Sign-On).
  • Data shared: Authentication handled directly by Google. We receive name, email, and profile picture.
  • Legal basis: Explicit consent.
  • Privacy Policy: https://policies.google.com/privacy

5.7 Cloudflare (CDN and Security)

  • Purpose: Content Delivery Network (CDN), DDoS protection, and web traffic security.
  • Data shared: Web traffic passes through Cloudflare's network. Cloudflare may collect IP addresses and traffic data for security purposes.
  • Legal basis: Legitimate interest (service security).
  • Privacy Policy: https://www.cloudflare.com/privacypolicy/

We do not sell, rent, or share your personal data with third parties for marketing purposes.

6. International Transfers

Your personal data is stored and processed primarily in the European Union. If we transfer data outside the EU, we do so only:

  • To countries with an adequate level of protection recognized by the European Commission, or
  • Using appropriate safeguards such as Standard Contractual Clauses approved by the European Commission.

Stripe may transfer data to the United States in compliance with Privacy Shield or other appropriate safeguards. For more information, see Stripe's Privacy Policy.

7. Data Retention Periods

After the retention period expires, data is securely deleted or anonymized.

8. Your Rights Under GDPR

You have the following rights regarding your personal data:

8.1 Right of Access (Art. 15 GDPR)

You have the right to obtain confirmation as to whether we process your personal data and to access such data, including a copy of the data.

8.2 Right to Rectification (Art. 16 GDPR)

You have the right to correct inaccurate or incomplete personal data. You can update your display name and email address from your profile.

8.3 Right to Erasure (Art. 17 GDPR - "Right to be Forgotten")

You have the right to request the deletion of your personal data when:

  • The data is no longer necessary for the purposes for which it was collected
  • You withdraw consent (if applicable)
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed

You can request account deletion at any time from your profile page. Deletion will occur after a 7-day grace period to allow you to cancel the request.

8.4 Right to Restriction of Processing (Art. 18 GDPR)

You have the right to request restriction of processing of your data in certain circumstances.

8.5 Right to Data Portability (Art. 20 GDPR)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller. You can request data export from your profile page.

8.6 Right to Object (Art. 21 GDPR)

You have the right to object to processing of your personal data based on legitimate interest or for direct marketing purposes.

8.7 Right to Withdraw Consent

If processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

8.8 Right to Lodge a Complaint with Supervisory Authority

You have the right to lodge a complaint with the competent data protection authority if you believe that the processing of your personal data violates GDPR. In Italy, the competent authority is the Garante per la Protezione dei Dati Personali. In Romania, the competent authority is the ANSPDCP (National Supervisory Authority).

How to Exercise Your Rights

To exercise any of these rights, contact us at contact@profit-scanner.com. We will respond to your request within 30 days of receipt.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

  • Encryption: Passwords are encrypted using secure algorithms (bcrypt). All communications occur via HTTPS/TLS.
  • Limited Access: Only authorized personnel have access to personal data, and only to the extent necessary to perform their functions.
  • Security Monitoring: We regularly monitor our systems to detect and prevent unauthorized access.
  • Secure Backups: We perform regular data backups with encryption.
  • Compliance: Our service providers (Stripe, hosting) comply with recognized security standards (PCI DSS, ISO 27001).

10. Children

Our service is not intended for children under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without parental/guardian consent, we will immediately delete such data.

11. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.

12. Contact

For any questions, requests, or complaints regarding this Privacy Policy or the processing of your personal data, you can contact us: