Privacy Policy

1. Introduction

Welcome to Tradejunction ("we," "us," "our," or "Company"). Tradejunction provides a Software-as-a-Service (SaaS) customer relationship management (CRM) platform designed for e-commerce merchants, including Shopify store owners and B2B direct sales businesses.

This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our services, website, and applications (collectively, the "Services"). By accessing or using our Services, you agree to the terms of this Privacy Policy.

If you do not agree with the terms of this Privacy Policy, please do not use our Services.

Applicability

This Privacy Policy applies to:

• Users who register for and use Tradejunction Services
• Visitors to our website
• Business customers and their authorized users
• Any data processed through our platform

2. Information We Collect

We collect several types of information to provide and improve our Services.

2.1 Account and Profile Information

When you create an account or use our Services, we collect:

• Personal Identifiers: First name, last name, email address
• Authentication Data: Password (encrypted), OAuth credentials (Google, etc.)
• Profile Information: User preferences, onboarding status, avatar images
• Company Information: Company name, business address (street, city, state/province, postal code, country), VAT number, company registration code

2.2 Business and Customer Data

As part of providing CRM services, you may input the following business-related information:

• Customer Records: Customer company names, contact names, email addresses, phone numbers, billing and shipping addresses, VAT numbers, company registration codes, payment terms, customer categories, tags, notes
• Contact Persons: Names, email addresses, phone numbers associated with your customers
• Order Information: Order numbers, product details, quantities, pricing, discounts, tax rates, subtotals, totals, order status, sales notes, tags
• Product Information: Product names, SKUs, descriptions, pricing (purchase and sales prices), inventory levels, supplier information, Shopify links
• Supplier Information: Supplier names, contact details, addresses, product associations, lead times, minimum order quantities
• Financial Records: Invoice details, payment records, payment methods, payment terms, prepayment allocations, account balances
• Documents: Invoices (PDF), packing slips, quotes, and other business documents you generate or upload

2.3 Payment Information

We do not directly collect or store payment card information. Payment processing is handled by third-party payment processors who comply with Payment Card Industry Data Security Standards (PCI DSS). We may collect:

• Payment method type
• Transaction identifiers
• Payment status and history

2.4 Usage and Analytics Data

We automatically collect information about how you interact with our Services:

• Activity Data: Features used, pages viewed, actions taken (e.g., customer viewed, order created, product edited), timestamps, session duration
• Technical Data: IP address, browser type and version, operating system, device type, screen resolution
• Performance Data: Page load times, errors, system diagnostics
• Identifiers: User IDs, company IDs, session IDs, unique device identifiers

Privacy-Conscious Tracking: Our analytics implementation is designed to respect user privacy. We track user actions and feature usage (e.g., "customer_viewed," "order_created") but do NOT track sensitive personal information such as customer emails, order monetary amounts, addresses, or payment details in our analytics events.

2.5 Cookies and Local Storage

We use cookies and similar technologies to maintain sessions, remember preferences, and analyze usage. See Section 9 for detailed information.

2.6 Communications

When you contact us or communicate through our Services:

• Email correspondence
• Support tickets and chat messages
• Feedback and survey responses

2.7 Third-Party Integration Data

If you connect third-party services (e.g., Shopify, accounting software):

• Shopify Data: Product catalogs, inventory levels, order data, customer information synchronized from your Shopify store
• E-commerce Platforms: Data from WooCommerce, Wix, Squarespace, Ecwid integrations
• Accounting Software: Data synchronized with Xero, QuickBooks
• Integration API credentials (encrypted)
• Synchronization logs and status

3. How We Use Your Information

We use the collected information for the following purposes:

3.1 Service Provision and Management

• Creating and managing your account
• Authenticating your identity and maintaining session security
• Providing access to CRM features: customer management, order processing, inventory tracking, invoicing, reporting
• Generating documents (invoices, packing slips, quotes)
• Processing and fulfilling your requests
• Synchronizing data with integrated third-party platforms (Shopify, accounting software)

3.2 Business Operations and Communications

• Sending transactional emails related to your account and orders
• Providing customer support and responding to inquiries
• Sending service announcements, updates, and security alerts
• Facilitating team collaboration within your company account

3.3 Marketing Communications (With Consent)

• Sending promotional emails about new features, updates, and offers
• Providing product recommendations and usage tips
• Conducting surveys and requesting feedback

You may opt out of marketing communications at any time using the unsubscribe link in emails or through your account settings.

3.4 Analytics and Service Improvement

• Analyzing usage patterns and feature adoption
• Understanding user behavior to improve product design
• Identifying and fixing technical issues
• Conducting research and development for new features
• Measuring service performance and reliability

3.5 Security and Fraud Prevention

• Detecting and preventing unauthorized access
• Monitoring for security threats and suspicious activity
• Enforcing our Terms of Service and policies
• Protecting against fraud, abuse, and illegal activity

3.6 Legal Compliance

• Complying with applicable laws, regulations, and legal processes
• Responding to lawful requests from government authorities
• Enforcing legal rights and defending against claims
• Maintaining accounting and tax records as required by law

4. Legal Basis for Processing

Under the General Data Protection Regulation (GDPR) and other applicable privacy laws, we process your personal data based on the following legal grounds:

4.1 Contract Performance (GDPR Article 6(1)(b))

Processing is necessary to provide the Services you requested and to fulfill our contractual obligations to you, including:

• Account creation and management
• CRM functionality and features
• Customer support
• Service delivery

4.2 Legitimate Interests (GDPR Article 6(1)(f))

We process data based on our legitimate business interests, provided these interests do not override your fundamental rights:

• Improving and developing our Services
• Security and fraud prevention
• Network and information security
• Business analytics and insights
• Direct marketing (where not requiring consent)

4.3 Consent (GDPR Article 6(1)(a))

For certain processing activities, we rely on your explicit consent:

• Marketing communications (where required by law)
• Non-essential cookies and tracking
• Optional data collection

You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

4.4 Legal Obligations (GDPR Article 6(1)(c))

We process data to comply with legal obligations:

• Tax and accounting record retention
• Responding to legal requests
• Regulatory compliance

5. Data Sharing and Third-Party Services

We do not sell your personal information. We share data with third-party service providers who assist in operating our Services and only to the extent necessary to provide those services.

5.1 Service Providers and Subprocessors

5.2 E-Commerce and Accounting Integrations

When you connect third-party integrations, we share data necessary for synchronization:

• Shopify: Product data, inventory levels, order information, customer data
• WooCommerce, Wix, Squarespace, Ecwid: Similar e-commerce data synchronization
• Xero, QuickBooks: Financial transaction data, invoices, customers, suppliers

Data sharing occurs only with your explicit authorization when connecting these integrations. You control which integrations to enable.

5.3 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred to the successor entity. We will notify you via email or prominent notice on our website before your information is transferred and becomes subject to a different privacy policy.

5.4 Legal Requirements and Protection of Rights

We may disclose your information if required to do so by law or in response to:

• Valid legal processes (subpoenas, court orders, warrants)
• Government or regulatory requests
• Protection of our rights, property, or safety
• Investigation of fraud, security issues, or violations of our Terms of Service
• Emergency situations involving danger to persons or property

5.5 Aggregated and De-Identified Data

We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you, including:

• Industry benchmarks and statistics
• Usage trends and insights
• Research and analysis

6. Data Security

We implement robust technical and organizational security measures to protect your information:

6.1 Technical Safeguards

• Encryption: Data encrypted in transit using TLS/SSL; data encrypted at rest using industry-standard encryption algorithms
• Authentication: Multi-factor authentication support, secure password hashing (via Supabase Auth)
• Access Controls: Role-based access control (admin and user roles), Row-Level Security (RLS) policies enforcing company-level data isolation
• Network Security: Firewalls, intrusion detection systems, DDoS protection
• Secure APIs: API authentication using JWT tokens, input validation, rate limiting

6.2 Organizational Safeguards

• Access Restrictions: Principle of least privilege—employees and contractors access only data necessary for their roles
• Confidentiality Agreements: All personnel with access to personal data are bound by confidentiality obligations
• Security Training: Regular training on data protection and security best practices
• Incident Response: Documented procedures for detecting, responding to, and reporting security incidents
• Vendor Management: Due diligence and contractual safeguards with third-party service providers

6.3 Data Isolation

• Multi-Tenancy: Company-based data partitioning ensures one company cannot access another's data
• Database Policies: Row-Level Security (RLS) enforces company-level access at the database level
• Session Management: Secure session handling with HTTPOnly cookies and automatic token refresh

6.4 Limitations

While we employ industry-standard security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials.

7. Data Retention

We retain your personal information only as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

7.1 Active Accounts

• User and Account Data: Retained for the duration of your active account and use of our Services
• Business Data: Retained as long as your account is active or as needed to provide Services

7.2 Account Closure and Deletion

• Grace Period: Upon account closure or deletion request, your data is retained for 30 days to allow for account recovery or reactivation
• Permanent Deletion: After 30 days, personal and business data is permanently deleted, except as noted below

7.3 Legal and Accounting Records

• Accounting Data: Financial records, invoices, and transaction data are retained for 7 years from the date of the transaction, as required by applicable accounting and tax laws
• Legal Obligations: Data may be retained longer if required by law, regulation, legal process, or to resolve disputes and enforce agreements

7.4 Backups

• Backup Retention: Data in system backups may persist for up to 90 days after deletion from production systems
• Backup Deletion: Backup data is automatically purged according to our backup retention schedule

7.5 Aggregated Data

Aggregated, anonymized, or de-identified data that cannot identify individuals may be retained indefinitely for analytics, research, and service improvement.

8. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal data:

8.1 Access and Portability

• Right to Access: Request a copy of the personal data we hold about you
• Data Portability: Receive your data in a structured, commonly used, machine-readable format (e.g., CSV, JSON) and transmit it to another service provider

8.2 Correction and Updating

• Right to Rectification: Correct inaccurate or incomplete personal information
• You can update most information directly through your account settings

8.3 Deletion and Erasure

• Right to Deletion ("Right to be Forgotten"): Request deletion of your personal data, subject to legal retention obligations
• Note: Accounting and financial records may be retained for 7 years as required by law

8.4 Restriction and Objection

• Right to Restrict Processing: Request limitation of processing under certain circumstances (e.g., while disputing accuracy)
• Right to Object: Object to processing based on legitimate interests or for direct marketing purposes

8.5 Withdrawal of Consent

• Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time
• Withdrawal does not affect the lawfulness of processing prior to withdrawal

8.6 Opt-Out of Marketing

• Email Preferences: Unsubscribe from marketing emails using the link in each email or through account settings
• Transactional Emails: You cannot opt out of essential service-related emails (e.g., account notifications, security alerts)

8.7 Complaint to Supervisory Authority

• GDPR (EU/EEA): Right to lodge a complaint with your local data protection authority
• CCPA (California): Right to file a complaint with the California Attorney General

8.8 Exercising Your Rights

To exercise any of these rights, please contact us at info@tradejunction.io with:

• Your full name and email address associated with your account
• Description of your request and the right you wish to exercise
• Verification information (we may request additional information to confirm your identity)

We will respond to verified requests within:

• GDPR: 30 days (extendable by 60 days if complex)
• CCPA: 45 days (extendable by 45 days if necessary)

No Discrimination: We will not discriminate against you for exercising your privacy rights.

9. Cookies and Tracking Technologies

We use cookies, web beacons, local storage, and similar technologies to provide, secure, and improve our Services.

9.1 Types of Cookies and Technologies

9.2 Specific Technologies Used

Authentication Cookies (Supabase)

• Purpose: Maintain your logged-in session, verify identity
• Retention: Session-based and persistent (configurable)
• Essential: Yes

PostHog Analytics

• Purpose: Track feature usage, user interactions, product analytics
• Data Collected: User ID, company ID, email, usage events (no sensitive PII)
• Retention: Persistent
• Opt-Out: Available through cookie preferences

Google Analytics

• Purpose: Website traffic analysis, page views, referral sources
• Data Collected: IP address (anonymized), device information, browsing behavior
• Retention: Configurable (up to 26 months)
• Opt-Out: Browser settings, Google Analytics opt-out browser add-on

Local Storage

• Purpose: Column visibility preferences, UI state persistence
• Data Stored: User interface preferences (e.g., customers-column-visibility)
• Control: Clear via browser settings

Session Storage

• Purpose: Temporary state during active session (e.g., table row selections)
• Data Stored: UI state (e.g., customer-row-selection)
• Retention: Cleared when browser tab/window is closed

9.3 Managing Cookie Preferences

You can control cookies through:

1. Cookie Consent Banner: Adjust preferences when first visiting our site (where applicable)
2. Account Settings: Manage analytics and tracking preferences (available in settings)
3. Browser Settings: Most browsers allow you to refuse cookies or delete existing cookies
4. Opt-Out Tools: Google Analytics Opt-out Browser Add-on

Note: Disabling essential cookies may limit functionality and prevent you from using certain features.

9.4 Do Not Track (DNT)

We currently do not respond to Do Not Track (DNT) browser signals, as there is no universally accepted standard for DNT compliance.

10. International Data Transfers

Tradejunction operates globally, and your data may be transferred to, stored, and processed in countries outside your country of residence, including the United States and European Union member states.

10.1 Data Transfer Mechanisms

When transferring personal data internationally, we rely on:

• Adequacy Decisions: Transfers to countries recognized by the European Commission as providing adequate data protection (e.g., EU-US Data Privacy Framework for participating organizations)
• Standard Contractual Clauses (SCCs): Contracts approved by the European Commission or other relevant authorities ensuring appropriate safeguards
• Data Processing Agreements: Binding agreements with service providers requiring GDPR-equivalent protection

10.2 Service Provider Locations

• Supabase: Data may be stored in US or EU regions (based on configuration)
• Railway: Infrastructure hosted in the United States
• PostHog: Data processing in US or EU (based on configuration)
• Google Analytics: Data processed in the United States
• Resend: Email services operated from the United States

10.3 Your Rights

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the right to request information about the safeguards we use for international data transfers.

11. Email Communications

We send two types of emails: transactional and marketing.

11.1 Transactional Emails

These are essential service-related emails you cannot opt out of:

• Account creation and verification
• Password resets and security alerts
• Order confirmations and updates
• Invoice notifications
• System status and critical updates
• Responses to your support requests

11.2 Marketing Emails

With your consent (where required), we may send:

• Product updates and new feature announcements
• Promotional offers and discounts
• Usage tips and best practices
• Surveys and feedback requests
• Newsletters and educational content

11.3 Opt-Out and Preferences

• Unsubscribe: Click the "Unsubscribe" link at the bottom of any marketing email
• Email Preferences: Manage your communication preferences in account settings
• Frequency: Marketing emails are sent periodically; you can control frequency preferences where available

After opting out, you may still receive transactional emails necessary for account management.

11.4 Email Service Provider

Emails are sent via Resend, a third-party email delivery service. Resend's privacy practices are governed by their own privacy policy.

12. Children's Privacy

Tradejunction Services are not intended for individuals under the age of 16. We do not knowingly collect personal information from children under 16.

12.1 Age Restriction

By using our Services, you represent and warrant that you are at least 16 years of age.

12.2 Parental Notice

If you are a parent or guardian and believe your child under 16 has provided us with personal information, please contact us immediately at info@tradejunction.io. We will take steps to delete such information promptly.

12.3 Verification

We may request age verification or parental consent if we have reason to believe a user is under 16.

13. Third-Party Links and Integrations

13.1 External Links

Our Services may contain links to third-party websites, applications, or services (e.g., Shopify, Xero, QuickBooks) that are not operated by us. We are not responsible for the privacy practices of these third parties.

13.2 Integration Privacy Practices

When you connect third-party integrations:

• You authorize data sharing between Tradejunction and the integrated service
• The integrated service's privacy policy governs their collection and use of your data
• You can disconnect integrations at any time through your account settings

13.3 Recommendation

We encourage you to review the privacy policies of any third-party services you interact with through our platform.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service features.

14.1 Notification of Changes

When we make material changes, we will:

• Update the "Last Updated" date at the top of this policy
• Notify you via email to the address associated with your account
• Display a prominent notice on our website or within the application
• Request your consent if required by law

14.2 Continued Use

Your continued use of our Services after the effective date of changes constitutes acceptance of the updated Privacy Policy.

14.3 Review

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Tradejunction

Email: info@tradejunction.io

Data Protection Inquiries: For GDPR-related requests or data protection matters, please email info@tradejunction.io

Response Time: We aim to respond to all privacy inquiries within 48-72 hours and to formal data subject requests within the timeframes specified in Section 8.8.