Privacy Policy
Effective Date: March 1, 2026 · Last Updated: April 26, 2026
ClickSKU ("Company," "we," "us," or "our") respects your privacy and is committed to protecting the personal information you share with us. This Privacy Policy describes how we collect, use, disclose, and protect your information when you use the ClickSKU platform (the "Service").
By creating an account or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please do not use the Service.
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Full name
- Email address
- Password (stored in hashed form; we never store plaintext passwords)
- Role within your workspace (admin, staff, or social media)
- Workspace name and business details
1.2 Payment Information
Payments are processed by Square, Inc., a PCI DSS Level 1 compliant payment processor. ClickSKU does not directly store your credit card numbers. We may receive and store from Square:
- Last four digits of your card number and card brand
- Billing address
- Subscription plan and payment status
- Transaction IDs and payment confirmations
1.3 Customer Data (Business Data)
Data you enter into the Service as part of your business operations, including:
- Inventory records (SKUs, product titles, quantities, pricing, weights, dimensions)
- Sales records (dates, platforms, customer names, order numbers, prices)
- Project management data (projects, tasks, comments, activity logs)
- Category configurations and custom fields
- Marketplace listing status
1.4 Usage Data
We automatically collect certain information when you use the Service, including:
- Pages visited and features used
- Timestamps of activity
- IP address
- Browser type, version, and device information
- Referring URLs
1.5 Cookies and Similar Technologies
We use cookies and similar technologies for:
- Authentication: Session cookies to keep you signed in (essential; cannot be disabled).
- Preferences: Remembering your settings and display preferences.
We do not currently use third-party advertising or analytics cookies. If this changes in the future, we will update this policy and provide appropriate notice and consent mechanisms.
2. How We Collect Information
- Directly from you: When you create an account, enter data, submit support requests, or communicate with us.
- Automatically: Through cookies, server logs, and hosting infrastructure (Vercel).
- From third parties: Payment confirmation data from Square.
3. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), we process your personal data based on the following legal grounds:
- Contract Performance: Processing necessary to provide the Service you subscribed to (account data, Customer Data, payment processing).
- Legitimate Interest: Usage analytics, security monitoring, service improvement, and fraud prevention.
- Consent: Where required by law (e.g., non-essential cookies, marketing communications if offered in the future).
- Legal Obligation: Compliance with tax, financial, and regulatory requirements.
4. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Service.
- Process subscriptions and payments.
- Send transactional communications (password resets, subscription confirmations, account notifications).
- Respond to support requests and inquiries.
- Improve, personalize, and develop new features for the Service.
- Monitor for security threats and prevent abuse.
- Enforce our Terms of Service.
- Comply with legal obligations.
5. How We Share Your Information
We share your information only in the following circumstances:
5.1 Service Providers (Subprocessors)
We use the following third-party service providers to operate the Service:
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase | Database hosting, user authentication | Account data, Customer Data (hosted on AWS infrastructure) |
| Vercel | Web hosting, serverless functions, edge network | Request data, IP addresses, usage data |
| Square, Inc. | Payment processing, subscription billing | Payment card details, billing information, subscription status |
| Resend | Transactional email delivery (when configured) | Email addresses, email content |
| Microsoft Corporation | Encrypted backup storage (OneDrive, US tenant) | Encrypted database backups containing Account and Customer Data |
All subprocessors are US-based and bound by Data Processing Agreements. None operate from China, Russia, Iran, North Korea, Cuba, Syria, or Venezuela.
Each service provider is contractually obligated to protect your data and use it only for the purposes we specify.
5.2 Legal Requirements
We may disclose your information if required to do so by law, court order, subpoena, or other legal process, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
5.3 Business Transfers
If ClickSKU is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will provide notice before your information is transferred and becomes subject to a different privacy policy.
5.4 With Your Consent
We may share your information for other purposes with your explicit consent.
5.5 We Do Not Sell Your Information
We do NOT sell, rent, or trade your personal information to third parties for their marketing purposes. This applies to all users, including California residents under the CCPA/CPRA.
6. Marketplace Integrations
ClickSKU offers optional integrations with third-party marketplace platforms including Etsy, eBay, Shopify, Amazon, and TikTok Shop (collectively, "Marketplace Platforms"). This section explains how we handle data when you connect these accounts.
6.1 How We Connect to Marketplace Platforms
Marketplace integrations use industry-standard OAuth 2.0 authorization. You authorize ClickSKU to access your marketplace account by granting permission directly through the marketplace platform's official login flow. We never ask for or store your marketplace username or password.
6.2 Data We Access from Marketplace Platforms
When you connect a marketplace account, we may access the following data solely to provide the sync features you have requested:
- Orders: Order IDs, item details, quantities, sale prices, platforms, and fulfillment status — used to sync sales records into your ClickSKU workspace.
- Listings: Product titles, descriptions, SKUs, prices, and inventory quantities — used to sync your ClickSKU inventory with your active marketplace listings.
- Inventory levels: Current stock counts on the marketplace — used to detect and resolve discrepancies with your ClickSKU inventory.
We access only the minimum data necessary to provide the features you have enabled. We do not access payment card details, buyer personal information beyond what is required for order sync, or any data unrelated to inventory and order management.
6.3 How We Store Marketplace Credentials
OAuth access tokens and refresh tokens issued by marketplace platforms are encrypted at rest using industry-standard encryption and stored securely in our database (hosted by Supabase on AWS infrastructure). Tokens are used exclusively to fulfill your requests within the ClickSKU platform. They are never shared with third parties, never used for purposes beyond the features you have authorized, and are immediately revoked and deleted when you disconnect the integration.
6.4 Marketplace Data Retention
Order and listing data synced from marketplace platforms is retained as part of your Customer Data and subject to the same retention policy described in Section 7. OAuth tokens are deleted immediately upon disconnecting an integration or upon account termination.
6.5 Revoking Marketplace Access
You may disconnect any marketplace integration at any time from within your ClickSKU workspace settings. Upon disconnection, all OAuth tokens for that platform are immediately deleted from our systems. You may also revoke access directly from your marketplace account's authorized applications settings.
6.6 Etsy Member Personal Information
With respect to any personal information relating to Etsy Members that ClickSKU accesses via the Etsy API, ClickSKU acts as a service provider to the applicable Etsy seller and processes such data only to fulfill the services provided under the Application Terms between ClickSKU and the Etsy seller. ClickSKU processes Etsy Member personal information accessed in connection with the Etsy API in accordance with these Application Terms and all applicable privacy laws.
This includes transparently informing Etsy sellers regarding:
- The information collected by ClickSKU through the Etsy integration.
- The manner in which such information is used, stored, secured, and disclosed.
- The controls that Etsy sellers have over the use, sharing, and access of their information.
ClickSKU does not use Etsy Member personal information for any purpose other than providing the features you have enabled, and does not share such data with third parties except as required to operate the Service (e.g., database hosting via Supabase). Etsy Member data is never sold, rented, or used for advertising or marketing purposes.
For information about how Etsy itself collects and processes data in connection with the Etsy API, please review the Etsy Privacy Policy.
6.8 eBay Buyer Personal Information
With respect to any personal information relating to eBay buyers that ClickSKU accesses via the eBay API (including buyer names, email addresses, shipping addresses, and order details), ClickSKU processes such data solely as a service provider to the applicable eBay seller and only to the extent strictly necessary to provide the order management and inventory sync features you have enabled.
Our practices with respect to eBay buyer data are consistent with eBay's Privacy Notice. Specifically:
- eBay buyer personal information is used only to fulfill the order sync and inventory management features within ClickSKU.
- We do not use eBay buyer personal information for advertising, marketing, profiling, or any purpose unrelated to order and inventory management.
- We do not sell, rent, share, or otherwise disclose eBay buyer personal information to any third party except as required to operate the Service (e.g., database hosting via Supabase on AWS).
- We do not store eBay user IDs, passwords, or payment card data.
- eBay buyer data accessed through the API is deleted within 30 days of: (a) termination of your eBay integration, (b) account cancellation, or (c) a written deletion request — whichever occurs first.
- We implement appropriate technical and organizational security measures to protect eBay buyer data from unauthorized access, destruction, loss, or disclosure.
For information about how eBay itself collects and processes buyer data, please review the eBay Privacy Notice.
6.9 Shopify Merchant and Customer Data
When you connect your Shopify store to ClickSKU, we access the following data solely to provide the inventory sync and order management features you have enabled:
- Orders: Order IDs, line items (titles, SKUs, quantities, prices), fulfillment status — used to sync sales records and decrement inventory.
- Products: Product titles, SKUs, variant details — used to match Shopify listings to your ClickSKU inventory.
- Store owner information: Shop domain and basic store details — used to identify your store connection.
We do not store Shopify customer names, email addresses, shipping addresses, or payment information beyond what is strictly necessary to record an order in your ClickSKU workspace. We do not use Shopify customer data for advertising, profiling, or any purpose unrelated to inventory and order management.
Shopify access tokens are encrypted at rest and deleted immediately when you disconnect the integration or when your account is terminated. Upon receiving a mandatory GDPR redact request from Shopify, all associated order data and connection records are permanently deleted from our systems within 48 hours.
ClickSKU maintains the following mandatory Shopify GDPR webhook endpoints:
- /api/shopify/webhooks/customers/data_request — responds to customer data requests
- /api/shopify/webhooks/customers/redact — handles customer data deletion requests
- /api/shopify/webhooks/shop/redact — deletes all shop data 48 hours after app uninstall
For information about how Shopify itself collects and processes data, please review the Shopify Privacy Policy.
6.10 Amazon Seller Data
When you connect your Amazon Seller Central account to ClickSKU via the Amazon Selling Partner API (SP-API), we access the following data solely to provide inventory synchronization and order management features:
- Orders: Amazon order IDs, line items (ASINs, seller SKUs, titles, quantities, prices), fulfillment status, and shipping status — used to sync sales records and decrement inventory.
- Product Listings: Product titles, SKUs, and listing details — used to match Amazon listings to your ClickSKU inventory.
- Seller Account Information: Selling Partner ID — used to identify your Amazon connection and manage token authorization.
We do not access or store Amazon buyer names, email addresses, shipping addresses, or payment information beyond what is provided in the standard order record. We do not use Amazon data for advertising, marketing, profiling, or training AI models. Amazon data is used exclusively for the inventory and order management features you have enabled.
Amazon OAuth access tokens and refresh tokens are encrypted at rest using industry-standard encryption and deleted immediately when you disconnect the integration or when your account is terminated. Amazon order data is retained in your workspace while your account is active and deleted within 30 days of account cancellation.
ClickSKU complies with the Amazon Services API Developer Agreement, the Amazon Data Protection Policy, and the Amazon Acceptable Use Policy. We request only the minimum API scopes necessary to provide our services (Inventory and Order Tracking, Product Listing). For more information about how Amazon handles data, please review the Amazon Privacy Notice.
6.11 TikTok Shop Seller and Buyer Data
When you connect your TikTok Shop to ClickSKU via the TikTok Shop Open Platform APIs, we access the following data solely to provide the inventory synchronization, order management, listing management, and returns features you have enabled:
- Shop information: Shop name, shop ID, region, and authorized scopes — used to identify your TikTok Shop connection.
- Orders: Order IDs, line items (titles, SKUs, quantities, prices), fulfillment status, shipping addresses, and tracking numbers — used to sync sales records, decrement inventory, and manage shipping.
- Products and listings: Product titles, descriptions, SKUs, variants, categories, inventory levels, and images — used to manage your TikTok Shop listings from ClickSKU.
- Returns and refunds: Return requests, refund status, and dispute details — used to track returns within your ClickSKU returns module.
- Finance data: Payouts, fees, and settlement information — used for financial reporting and reconciliation within your workspace.
TikTok Shop OAuth access tokens are encrypted at rest using industry-standard AES-256-GCM application-layer encryption (in addition to database-level encryption) and are stored exclusively on US-based infrastructure. Tokens are deleted immediately when you disconnect the integration or when your account is terminated. TikTok Shop order, product, and return data is retained in your workspace while your account is active and deleted within 30 days of account cancellation, and from encrypted backups within 90 days as backup rotation cycles complete.
ClickSKU complies with the TikTok Shop USDS (US Data Security) requirements. All TikTok Shop data — including buyer personal information accessed via the API for fulfillment purposes — is accessed, processed, and stored exclusively within the United States. No TikTok Shop data is transferred to or processed in any restricted jurisdiction (China, Russia, Iran, North Korea, Cuba, Syria, or Venezuela). We do not use TikTok Shop data for advertising, marketing, profiling, or training AI models. TikTok Shop buyer data is used exclusively for the order management and fulfillment features you have enabled.
ClickSKU will cooperate with TikTok Shop and end users to fulfill data subject requests (access, correction, deletion) as required. For information about how TikTok Shop itself collects and processes data, please review the TikTok Privacy Policy.
6.7 Marketplace Platform Privacy Policies
Your use of marketplace integrations is also governed by the privacy policies of the respective platforms. We encourage you to review them:
- Etsy Privacy Policy
- eBay Privacy Policy
- Shopify Privacy Policy
- Amazon Privacy Policy
- TikTok Privacy Policy
7. Data Retention
- Account Data: Retained while your account is active. After account deletion or cancellation, retained for 30 days (grace period), then permanently deleted.
- Customer Data: Retained while your account is active. Deleted after the 30-day post-cancellation grace period.
- Payment Records: Retained as required by financial and tax regulations (typically up to 7 years).
- Usage/Analytics Data: Retained for up to 24 months, then aggregated or deleted.
- Support Communications: Retained for up to 3 years for quality and training purposes.
8. Data Security
We implement appropriate technical and organizational measures to protect your information, including:
- Encryption in transit (TLS/HTTPS) for all data transmitted between your browser and our servers.
- Encryption at rest for data stored in our database.
- Supabase Row Level Security (RLS) policies to isolate organization data.
- Role-based access control within the application.
- No storage of raw credit card numbers (payment processing handled by Square).
- Password hashing using industry-standard algorithms.
While we strive to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
9. Your Rights
9.1 Rights for All Users
Regardless of your location, you may:
- Access and review the personal information we hold about you.
- Update or correct inaccurate information through your account settings.
- Request deletion of your account and associated data.
- Export your Customer Data.
9.2 GDPR Rights (EEA/UK Users)
If you are located in the European Economic Area or United Kingdom, you additionally have the right to:
- Access: Request a copy of the personal data we process about you.
- Rectification: Request correction of inaccurate personal data.
- Erasure: Request deletion of your personal data ("right to be forgotten").
- Restriction: Request restriction of processing in certain circumstances.
- Portability: Receive your personal data in a structured, commonly used, machine-readable format.
- Objection: Object to processing based on legitimate interests.
- Withdraw Consent: Where processing is based on consent, withdraw consent at any time.
- Complaint: Lodge a complaint with your local data protection supervisory authority.
We will respond to GDPR requests within 30 days.
9.3 CCPA/CPRA Rights (California Residents)
If you are a California resident, you have the right to:
- Know: Request disclosure of the categories and specific pieces of personal information we have collected about you.
- Delete: Request deletion of your personal information.
- Correct: Request correction of inaccurate personal information.
- Opt-Out of Sale/Sharing: We do not sell or share your personal information, so no opt-out is necessary.
- Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
- Limit Use of Sensitive Information: Request that we limit our use of sensitive personal information to what is necessary.
We will respond to CCPA/CPRA requests within 45 days.
9.4 How to Exercise Your Rights
To exercise any of the above rights, contact us at ghemmeinc@gmail.com. We may need to verify your identity before processing your request.
10. International Data Transfers
The Service is hosted in the United States. If you are accessing the Service from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction.
For users in the EEA/UK, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal mechanism for data transfers. Our subprocessors (Supabase and Vercel) maintain Data Processing Agreements (DPAs) that include SCCs.
11. Children's Privacy
The Service is not directed to individuals under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under the applicable age, we will take steps to delete such information promptly. If you believe a child has provided us with personal information, please contact us at ghemmeinc@gmail.com.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through an in-app notification at least 30 days before the changes take effect. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.
We encourage you to review this Privacy Policy periodically. The "Last Updated" date at the top of this page indicates when the most recent changes were made.
13. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal information, please contact us at:
- General support: ghemmeinc@gmail.com
- Data Protection Officer (privacy and data subject requests): privacy@clicksku.com
- Mailing address: Ghemme Inc, 226 Almeria Ave, Unit #2010, Coral Gables, FL 33134, USA
We will make every effort to respond to your inquiry within a reasonable timeframe (typically within 30 days).
Data breach notification: In the event of a confirmed or suspected security breach involving personal data, we will notify affected users by email within 72 hours and notify applicable regulatory authorities and connected marketplace platforms within statutory timelines.