Privacy Policy
Your privacy matters to us. This policy explains how Bulktify collects, uses, and protects your personal information.
Last Updated: January 8, 2026
1. Introduction
Welcome to Bulktify ("we", "us", or "our"). We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our B2B wholesale SaaS platform.
This policy applies to all information collected through our website at bulktify.com, our platform services, and any related services, sales, marketing, or events (collectively, the "Services").
By using our Services, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use our Services.
2. What Data We Collect
We collect several types of information from and about users of our Services:
2.1 Information You Provide
- Account Registration: Name, email address, business name, phone number, business address, tax identification number
- Business Information: Product catalogs, inventory data, customer lists, order history, pricing information
- Payment Information: Credit card details, billing address (processed securely by our payment processors, Stripe and/or AcceptBlue; we do not store full card numbers)
- Communications: Contact form submissions, support tickets, email correspondence, chat messages
- Profile Information: Profile photos, company logos, preferences, notification settings
2.2 Information Collected Automatically
- Usage Data: Pages visited, features used, time spent on platform, click patterns
- Device Information: IP address, browser type, operating system, device identifiers
- Location Data: Approximate geographic location based on IP address
- Cookies & Similar Technologies: Session cookies, authentication tokens, analytics cookies (see Cookie Policy for details)
2.3 Information from Third Parties
- Email Validation: Email deliverability scores and validation status from Emailable
- Payment Data: Transaction success/failure information from Stripe and/or AcceptBlue
- OAuth Authentication: Profile information when you sign in with Google (name, email, profile picture)
3. How We Use Your Data
We use the information we collect for the following purposes:
3.1 Service Delivery
- Creating and managing your account
- Providing access to platform features and functionality
- Processing orders and transactions
- Sending transactional emails (order confirmations, password resets, invoices)
- Providing customer support and responding to inquiries
3.2 Billing & Payments
- Processing subscription payments and AI credit purchases
- Generating invoices and receipts
- Detecting and preventing fraudulent transactions
- Managing refunds and chargebacks
3.3 Platform Improvement
- Analyzing usage patterns to improve features and user experience
- Training AI models to enhance product description generation and image creation
- Conducting research and development for new features
- Monitoring platform performance and reliability
3.4 Communication
- Sending important service announcements and updates
- Marketing communications about new features and promotions (with your consent)
- Requesting feedback through surveys (with your consent)
- Responding to your comments and questions
3.5 Security & Compliance
- Protecting against unauthorized access and security threats
- Detecting and preventing fraud, spam, and abuse
- Complying with legal obligations and responding to lawful requests
- Enforcing our Terms of Service and other agreements
4. Legal Basis for Processing (GDPR)
If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds under GDPR Article 6:
4.1 Contract Performance (Article 6(1)(b))
We process your data to fulfill our contractual obligations when you subscribe to our Services. This includes account management, service delivery, billing, and customer support.
4.2 Consent (Article 6(1)(a))
We process your data with your explicit consent for marketing emails, optional analytics cookies, and AI feature usage. You can withdraw consent at any time.
4.3 Legitimate Interest (Article 6(1)(f))
We process your data for legitimate business interests such as fraud prevention, platform security, product improvement, and internal analytics. We balance these interests against your privacy rights.
4.4 Legal Obligation (Article 6(1)(c))
We process your data to comply with legal requirements such as tax regulations, data breach notifications, and responding to lawful requests from authorities.
5. Data Sharing & Third-Party Services
We share your information with trusted third-party service providers who assist us in operating our platform. All providers are contractually bound to protect your data and use it only for specified purposes.
5.1 Service Providers
- Resend - Email delivery (transactional and marketing emails)
Data shared: Recipient emails, email content, sender information
Privacy policy: https://resend.com/legal/privacy-policy
- Emailable - Email validation and verification
Data shared: Email addresses for validation
Privacy policy: https://emailable.com/privacy
- Firebase / Google Cloud - Database, authentication, hosting
Data shared: All user data (encrypted at rest and in transit)
Privacy policy: https://firebase.google.com/support/privacy
- Vercel - Application hosting and analytics
Data shared: Page views, performance metrics, anonymized IP addresses
Privacy policy: https://vercel.com/legal/privacy-policy
- Stripe - Payment processing
Data shared: Payment information, billing details (hosted directly by Stripe)
Privacy policy: https://stripe.com/privacy
- AcceptBlue - Payment processing (ACH bank transfers, credit card processing)
Data shared: Payment information, billing details, bank account information
Privacy policy: https://www.acceptblue.com/privacy-policy
- OpenAI / Google Gemini - AI services (product descriptions, image generation)
Data shared: User prompts, product data (no personally identifiable information)
Privacy policies: OpenAI, Google Gemini
- Sentry - Error tracking and monitoring
Data shared: Error logs, stack traces (no PII)
Privacy policy: https://sentry.io/privacy/
5.2 Legal Disclosures
We may disclose your information if required to do so by law or in response to:
- Valid legal requests from law enforcement or government authorities
- Court orders or subpoenas
- Enforcement of our Terms of Service
- Protection of our rights, property, or safety, or that of others
5.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. You will be notified of any such change via email or prominent notice on our platform.
6. How Long We Keep Your Data
We retain your personal data only as long as necessary for the purposes outlined in this Privacy Policy:
6.1 Active Accounts
Your account data is retained for as long as your account remains active. You can delete your account at any time from your account settings.
6.2 Financial Records
Transaction records, invoices, and payment data are retained for 7 years to comply with tax and accounting regulations.
6.3 Application Logs
Server logs, error logs, and security logs are retained for 30 days and then automatically purged.
6.4 Email Validation Cache
Email validation results from Emailable are cached for 90 days to improve performance and reduce API costs.
6.5 Closed Accounts
After you close your account, we retain your data for 30 days (grace period for reactivation) and then permanently delete all personal data, except financial records required by law.
6.6 Marketing Data
If you unsubscribe from marketing emails, we retain your email address on a suppression list to ensure we don't contact you again, unless required for service-related communications.
7. Your Privacy Rights
Depending on your location, you may have the following rights regarding your personal data:
7.1 GDPR Rights (EU/EEA/UK/Switzerland)
- Right to Access (Article 15): Request a copy of all personal data we hold about you
- Right to Rectification (Article 16): Correct inaccurate or incomplete data
- Right to Erasure / "Right to be Forgotten" (Article 17): Request deletion of your personal data
- Right to Restriction of Processing (Article 18): Limit how we use your data
- Right to Data Portability (Article 20): Receive your data in a machine-readable format (JSON/CSV)
- Right to Object (Article 21): Object to processing based on legitimate interests or for direct marketing
- Right to Withdraw Consent: Withdraw consent for marketing or optional data processing at any time
7.2 CCPA Rights (California Residents)
- Right to Know: Request disclosure of what personal information we collect, use, disclose, and sell
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out: Opt-out of the sale of personal information (we do not sell your data)
- Right to Non-Discrimination: Equal service and pricing regardless of privacy rights exercise
7.3 How to Exercise Your Rights
To exercise any of these rights, please contact us:
- Email: support@bulktify.com
- Subject Line: "Privacy Rights Request"
- Response Time: We will respond within 1 month (may extend to 3 months for complex requests)
Identity Verification: For security, we may ask you to verify your identity before processing your request. This protects your data from unauthorized access.
No Fee: Exercising your rights is free, unless your requests are excessive, repetitive, or manifestly unfounded.
9. International Data Transfers
Bulktify operates globally, and your data may be transferred to, stored, and processed in countries outside your country of residence, including the United States.
9.1 EU-US Data Transfers
If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, we ensure adequate protection for cross-border data transfers through:
- Standard Contractual Clauses (SCCs): Approved by the European Commission for transfers to third countries
- Cloud Provider Certifications: Google Cloud (Firebase) and Vercel maintain GDPR compliance and ISO 27001 certifications
- Technical Safeguards: Encryption in transit (TLS 1.3) and at rest (AES-256)
9.2 Data Processing Locations
- Primary Hosting: United States (Google Cloud / Firebase, Vercel)
- Payment Processing: Stripe and AcceptBlue (payment processing infrastructure)
- Email Services: Resend (United States)
For more information about our cloud providers' compliance certifications:
10. Children's Privacy
Bulktify is a B2B platform intended for use by businesses and professionals. Our Services are not directed to individuals under the age of 13 (or 16 in the EU).
We do not knowingly collect personal information from children. If we discover that we have collected data from a child without proper parental consent, we will delete that information immediately.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@bulktify.com, and we will take steps to delete such information.
11. Security Measures
We implement industry-standard security measures to protect your personal data from unauthorized access, alteration, disclosure, or destruction.
11.1 Technical Safeguards
- Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
- Secure Authentication: Firebase Authentication with multi-factor authentication (MFA) support
- Access Controls: Role-based access control (RBAC) with least-privilege principle
- Firewall Protection: Firestore Security Rules enforce tenant isolation and data access policies
- Rate Limiting: Protection against brute-force attacks and spam
11.2 Organizational Safeguards
- Regular Audits: Periodic security reviews and penetration testing
- Employee Training: Staff trained on data protection and security best practices
- Incident Response: Documented procedures for security breaches and data incidents
- Third-Party Vetting: All service providers undergo security assessments
11.3 Data Breach Notification
In the event of a data breach that affects your personal information, we will notify you and relevant authorities within 72 hours as required by GDPR Article 33. Notifications will include details about the breach, affected data, and remedial actions taken.
Note: While we use reasonable security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security of your data.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or platform features. When we make material changes, we will notify you by:
- Email Notification: Sent to your registered email address at least 30 days before changes take effect
- Platform Notification: Prominent banner on your dashboard
- Updated "Last Updated" Date: At the top of this page
Continued Use: Your continued use of our Services after the changes take effect constitutes your acceptance of the updated Privacy Policy.
Review Recommendation: We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.
13. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Privacy Inquiries
Email: support@bulktify.com
Subject Line: "Privacy Policy Inquiry"
Contact Form
Visit our Contact Page to submit a detailed inquiry.
Response Time
We aim to respond to all privacy inquiries within 1 business day. For formal Data Subject Access Requests (DSARs), we will respond within 30 days as required by law.
Supervisory Authority: If you are in the EU/EEA and believe we have not addressed your privacy concerns adequately, you have the right to lodge a complaint with your national Data Protection Authority. Find your authority at https://edpb.europa.eu/about-edpb/board/members_en.