Privacy Policy
Last updated: 2026-05-09
This Privacy Policy explains what data retailerapi.com ("retailerapi", "we", "us") collects, why we collect it, how we use it, with whom we share it, and how you can access, correct, export, or delete it. retailerapi is operated by Scepter Software LLC, a Michigan limited liability company.
We are not a marketing platform. We are a product-data API. We do not collect, sell, rent, or share your shoppers' identities, your customers' personally identifiable information, or any data that lets us re-identify the people you serve. Our customer is you, the developer or seller calling our API.
1. Who this applies to
This policy applies to (a) visitors to retailerapi.com, app.retailerapi.com, api.retailerapi.com, and docs.retailerapi.com, (b) signed-up account holders, (c) paid subscribers, and (d) anyone interacting with us by email at addresses ending in @retailerapi.com or @sceptermarketing.com. If you are an end-user of one of our customers' products, our customer is the controller of your data; please refer to their privacy policy.
2. Data we collect
We collect three categories of data:
2.1 Account data
- Email address (required to sign in via magic link)
- Optional name, organization name, billing address
- Passwords, hashed or otherwise, are never collected (we do not use passwords; we use magic-link auth)
- OAuth identifiers if you sign in with Google
2.2 Billing data
- Stripe customer ID, subscription ID, plan tier, and invoice history
- The last 4 digits and brand of your card (Stripe stores the full card details, never us)
- Tax-residence country and ZIP for US sales-tax compliance
2.3 Usage data
- Each API call: timestamp, endpoint, identifier queried, response status, latency, and credit cost
- Which API key was used (so we can show you usage in the dashboard)
- Standard server logs (IP address, user-agent, referrer) for security and debugging — auto-purged after 30 days
- Error tracking via Sentry (no IP, no full request body, only stack traces and route names)
3. What we do NOT collect
- Your shoppers' or end-users' identities, names, emails, or any PII
- Buyer purchase histories, browsing histories, or behavioral profiles
- Cross-site tracking cookies (we use only first-party session cookies)
- Health, financial, biometric, location-tracking, or precise-geolocation data
- Children's data (our service is not directed at users under 16)
4. How we use your data
- To authenticate you and authorize access to the API
- To meter your usage against your plan's token quota
- To bill you and send invoices and receipts
- To respond to support requests
- To send service-critical emails (account changes, billing, security)
- To send product updates if you opt in to the newsletter (you can unsubscribe at any time)
- To detect and prevent abuse (rate-limit violations, credential stuffing, fraud)
- To produce aggregate, de-identified usage statistics for our own product roadmap
We do not sell, rent, or share your personal data with advertisers, data brokers, or third-party marketers. We do not use your data to train machine-learning models that benefit any party other than you.
5. Legal bases (GDPR)
If you are in the EEA, UK, or Switzerland, our legal bases are:
- Contract — for account creation, billing, API operation, and support
- Legitimate interest — for security logging, abuse prevention, and product improvement
- Consent — for marketing emails (opt-in only) and analytics cookies (where required)
- Legal obligation — for tax, audit, and law-enforcement requests
6. Your rights
Regardless of jurisdiction, you can: (a) access the personal data we hold about you, (b) correct anything inaccurate, (c) export it in a portable format, (d) delete it subject to our legal-retention obligations, (e) object to processing for legitimate interests, and (f) withdraw any consent you previously gave. Email software@sceptermarketing.com and we will respond within 30 days. EU residents may also lodge a complaint with their national data-protection authority.
California residents have additional rights under the CCPA/CPRA: to know the categories and specific pieces of personal information we collect, to delete personal information, to correct inaccurate information, and to limit the use of sensitive personal information. We do not sell or share personal information for cross-context behavioral advertising; we have not done so in the preceding 12 months. To exercise CCPA rights, email the same address.
7. Sub-processors
We share specific data with the following service providers, each contractually bound to handle it according to applicable law:
- Supabase (database + authentication) — account email, hashed session tokens, usage logs. US/EU regions.
- Stripe (payments) — billing data, card processing. US.
- Resend (transactional email) — email address only, for magic-link delivery and receipts. US.
- Vercel (hosting + edge network) — request logs, IP addresses (auto-purged 30 days). Global.
- Cloudflare (DDoS protection + DNS) — IP addresses for security. Global.
- Sentry (error tracking) — stack traces and route names; no PII or full request bodies.
- Google Analytics (aggregate site analytics, opt-in only) — anonymized IPs only.
We do not use any AI training service that would receive your personal data. Sub-processor changes are announced via the changelog and email notification at least 30 days in advance for paid subscribers.
8. Data retention
- Account data: kept while your account is active; deleted within 30 days of account closure (with a 60-day soft-delete window for accidental closures)
- Billing records: retained 7 years for US tax compliance
- API usage logs: 90 days at row-level granularity, then aggregated to monthly totals
- Server logs: 30 days
- Sentry error reports: 90 days
- Email correspondence: 24 months from last interaction
9. Security
We use TLS 1.3 for all connections, encrypt data at rest in Postgres via AES-256, store API keys hashed (we cannot recover plaintext after creation), enforce hardware MFA for all production console access, and run automated dependency scanning on every deploy. We have not had a known security incident affecting customer data. If we ever do, we will notify affected customers within 72 hours per GDPR Article 33 timing, regardless of jurisdiction.
10. International transfers
Our primary infrastructure is hosted in the United States. If you are in the EEA, UK, Switzerland, or another jurisdiction with cross-border data-transfer restrictions, we rely on Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework where applicable. A copy of the SCCs and our supplementary measures is available on request.
11. Cookies and tracking
We use first-party session cookies to keep you logged in. We use Cloudflare Turnstile (a privacy-preserving CAPTCHA) to deter bot abuse on public pages — Turnstile does not set tracking cookies. We do not run third-party advertising trackers. If we add analytics, it is opt-in via a banner where required by law (EU/UK/CA).
12. Public product pages
Our public product pages at retailerapi.com/p/<identifier> display third-party retailer pricing data. Visitors to these pages are not logged in and we do not identify them. We track aggregate page-view counts via standard server logs (auto-purged 30 days). Outbound retailer links may carry affiliate tracking parameters — clicking such a link redirects you to the retailer's site, which has its own privacy policy.
13. Changes to this policy
We will post any material changes to this policy on this page at least 30 days before they take effect, and email all paid subscribers when we do. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the service after a change indicates acceptance of the revised policy.
14. Contact
Privacy questions, data-deletion requests, or concerns: email software@sceptermarketing.com. General support: software@sceptermarketing.com. Postal mail: Scepter Software LLC, c/o Matt Hall, 2844 East Grand River Ave, East Lansing, MI 48823, USA.
See also: Terms of Service.