Privacy Policy

Effective Date: March 1, 2026 · Last Updated: March 1, 2026

ClickSKU ("Company," "we," "us," or "our") respects your privacy and is committed to protecting the personal information you share with us. This Privacy Policy describes how we collect, use, disclose, and protect your information when you use the ClickSKU platform (the "Service").

By creating an account or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please do not use the Service.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

• Full name
• Email address
• Password (stored in hashed form; we never store plaintext passwords)
• Role within your workspace (admin, staff, or social media)
• Workspace name and business details

1.2 Payment Information

Payments are processed by Square, Inc., a PCI DSS Level 1 compliant payment processor. ClickSKU does not directly store your credit card numbers. We may receive and store from Square:

• Last four digits of your card number and card brand
• Billing address
• Subscription plan and payment status
• Transaction IDs and payment confirmations

1.3 Customer Data (Business Data)

Data you enter into the Service as part of your business operations, including:

• Inventory records (SKUs, product titles, quantities, pricing, weights, dimensions)
• Sales records (dates, platforms, customer names, order numbers, prices)
• Project management data (projects, tasks, comments, activity logs)
• Category configurations and custom fields
• Marketplace listing status

1.4 Usage Data

We automatically collect certain information when you use the Service, including:

• Pages visited and features used
• Timestamps of activity
• IP address
• Browser type, version, and device information
• Referring URLs

1.5 Cookies and Similar Technologies

We use cookies and similar technologies for:

• Authentication: Session cookies to keep you signed in (essential; cannot be disabled).
• Preferences: Remembering your settings and display preferences.

We do not currently use third-party advertising or analytics cookies. If this changes in the future, we will update this policy and provide appropriate notice and consent mechanisms.

2. How We Collect Information

• Directly from you: When you create an account, enter data, submit support requests, or communicate with us.
• Automatically: Through cookies, server logs, and hosting infrastructure (Vercel).
• From third parties: Payment confirmation data from Square.

3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), we process your personal data based on the following legal grounds:

• Contract Performance: Processing necessary to provide the Service you subscribed to (account data, Customer Data, payment processing).
• Legitimate Interest: Usage analytics, security monitoring, service improvement, and fraud prevention.
• Consent: Where required by law (e.g., non-essential cookies, marketing communications if offered in the future).
• Legal Obligation: Compliance with tax, financial, and regulatory requirements.

4. How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain the Service.
• Process subscriptions and payments.
• Send transactional communications (password resets, subscription confirmations, account notifications).
• Respond to support requests and inquiries.
• Improve, personalize, and develop new features for the Service.
• Monitor for security threats and prevent abuse.
• Enforce our Terms of Service.
• Comply with legal obligations.

5. How We Share Your Information

We share your information only in the following circumstances:

5.1 Service Providers (Subprocessors)

We use the following third-party service providers to operate the Service:

Each service provider is contractually obligated to protect your data and use it only for the purposes we specify.

5.2 Legal Requirements

We may disclose your information if required to do so by law, court order, subpoena, or other legal process, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

5.3 Business Transfers

If ClickSKU is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will provide notice before your information is transferred and becomes subject to a different privacy policy.

5.4 With Your Consent

We may share your information for other purposes with your explicit consent.

5.5 We Do Not Sell Your Information

We do NOT sell, rent, or trade your personal information to third parties for their marketing purposes. This applies to all users, including California residents under the CCPA/CPRA.

6. Data Retention

• Account Data: Retained while your account is active. After account deletion or cancellation, retained for 30 days (grace period), then permanently deleted.
• Customer Data: Retained while your account is active. Deleted after the 30-day post-cancellation grace period.
• Payment Records: Retained as required by financial and tax regulations (typically up to 7 years).
• Usage/Analytics Data: Retained for up to 24 months, then aggregated or deleted.
• Support Communications: Retained for up to 3 years for quality and training purposes.

7. Data Security

We implement appropriate technical and organizational measures to protect your information, including:

• Encryption in transit (TLS/HTTPS) for all data transmitted between your browser and our servers.
• Encryption at rest for data stored in our database.
• Supabase Row Level Security (RLS) policies to isolate organization data.
• Role-based access control within the application.
• No storage of raw credit card numbers (payment processing handled by Square).
• Password hashing using industry-standard algorithms.

While we strive to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

8. Your Rights

8.1 Rights for All Users

Regardless of your location, you may:

• Access and review the personal information we hold about you.
• Update or correct inaccurate information through your account settings.
• Request deletion of your account and associated data.
• Export your Customer Data.

8.2 GDPR Rights (EEA/UK Users)

If you are located in the European Economic Area or United Kingdom, you additionally have the right to:

• Access: Request a copy of the personal data we process about you.
• Rectification: Request correction of inaccurate personal data.
• Erasure: Request deletion of your personal data ("right to be forgotten").
• Restriction: Request restriction of processing in certain circumstances.
• Portability: Receive your personal data in a structured, commonly used, machine-readable format.
• Objection: Object to processing based on legitimate interests.
• Withdraw Consent: Where processing is based on consent, withdraw consent at any time.
• Complaint: Lodge a complaint with your local data protection supervisory authority.

We will respond to GDPR requests within 30 days.

8.3 CCPA/CPRA Rights (California Residents)

If you are a California resident, you have the right to:

• Know: Request disclosure of the categories and specific pieces of personal information we have collected about you.
• Delete: Request deletion of your personal information.
• Correct: Request correction of inaccurate personal information.
• Opt-Out of Sale/Sharing: We do not sell or share your personal information, so no opt-out is necessary.
• Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
• Limit Use of Sensitive Information: Request that we limit our use of sensitive personal information to what is necessary.

We will respond to CCPA/CPRA requests within 45 days.

8.4 How to Exercise Your Rights

To exercise any of the above rights, contact us at ghemmeinc@gmail.com. We may need to verify your identity before processing your request.

9. International Data Transfers

The Service is hosted in the United States. If you are accessing the Service from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction.

For users in the EEA/UK, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal mechanism for data transfers. Our subprocessors (Supabase and Vercel) maintain Data Processing Agreements (DPAs) that include SCCs.

10. Children's Privacy

The Service is not directed to individuals under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under the applicable age, we will take steps to delete such information promptly. If you believe a child has provided us with personal information, please contact us at ghemmeinc@gmail.com.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through an in-app notification at least 30 days before the changes take effect. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

We encourage you to review this Privacy Policy periodically. The "Last Updated" date at the top of this page indicates when the most recent changes were made.

12. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal information, please contact us at:

• Email: ghemmeinc@gmail.com

We will make every effort to respond to your inquiry within a reasonable timeframe (typically within 30 days).