Legal

Privacy Policy

Effective date: April 9, 2026  ·  Covers GDPR & CCPA

RetailWatcher (“we,” “our,” or “us”) is committed to protecting your privacy. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and what rights you have over it. It applies to all users of our platform at retailwatcher.app.

1. Data We Collect

Account & Profile Data

  • Email address (required to create an account)
  • Full name (optional)
  • Store name and settings
  • Password (stored as a bcrypt hash — we never store your plain-text password)
  • Subscription plan and billing status (managed by Stripe)
  • Phone number (optional, only if you enable SMS price alerts on Enterprise)

Business Data You Enter

  • Product names, categories, and purchase records
  • Vendor names, contact details, and pricing history
  • Loss events, shrinkage records, and profit goals
  • Team member email addresses and roles
  • Invoice images and PDFs you upload to Invoice Vault

Usage & Technical Data

  • Session data (managed by NextAuth.js, stored as a secure JWT)
  • IP address and browser type (for security and fraud prevention)
  • Pages visited and actions taken within the app (not sold or used for advertising)

Cookies

We use only essential cookies necessary to operate the service — primarily a session cookie to keep you logged in. We do not use advertising, tracking, or analytics cookies. You can disable cookies in your browser, but the service will not function without the session cookie.

2. How We Use Your Data

  • To provide the service: Store, process, and display your inventory, purchase, and financial records.
  • To send alerts: Email you price change notifications via Resend; SMS alerts via Twilio (Enterprise only, requires opt-in).
  • To process payments: Manage subscriptions and billing through Stripe.
  • To power AI features: When you use Scan Invoice, your uploaded file is sent to Anthropic’s Claude AI for data extraction. The file is processed and not stored by Anthropic beyond what is necessary to return results.
  • To send transactional emails: Account confirmations, password resets, team invitations, and security verification codes.
  • To protect security: Detect and prevent fraud, unauthorized access, and abuse.
  • To comply with law: Retain records as required by applicable financial regulations.

We do not sell your data, use it for advertising, or share it with data brokers — ever.

3. Third-Party Services (Sub-Processors)

We share your data with the following trusted service providers only to the extent necessary to operate RetailWatcher:

Provider | Purpose | Data Shared
Stripe | Payment processing & subscription management | Email, billing details
Resend | Transactional email delivery | Email address, alert content
Twilio | SMS price alerts (Enterprise only) | Phone number, alert content
Supabase | Invoice image & file storage | Uploaded invoice files
Anthropic (Claude) | AI invoice data extraction | Invoice image/PDF (processed, not retained)
Vercel | Application hosting & CDN | Request metadata

4. Data Retention

  • Your account and all associated business data are retained for as long as your account is active.
  • When you delete your account, all personal and business data is deleted within 30 days.
  • Stripe may retain billing records independently per their legal obligations.
  • Security logs (IP, failed logins) are retained for up to 90 days.
  • Email verification and password reset tokens expire within 10–60 minutes and are deleted after use.

5. Your Rights (GDPR — EU/UK Users)

If you are located in the European Union or United Kingdom, you have the following rights under the GDPR:

  • Right of Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Correct inaccurate or incomplete data. Most data can be edited directly in your account settings.
  • Right to Erasure: Request deletion of your data (“right to be forgotten”). Use the Delete Account feature in Settings or email us.
  • Right to Portability: Request your data in a machine-readable format (CSV export available in Reports).
  • Right to Restrict Processing: Request that we limit how we use your data in certain circumstances.
  • Right to Object: Object to processing based on legitimate interests.

Our lawful basis for processing your data is contract performance (to provide the service you signed up for) and legitimate interests (security, fraud prevention). We do not rely on consent as our basis for core service processing.

6. Your Rights (CCPA — California Residents)

If you are a California resident, you have the following rights under the CCPA:

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we collect, use, or share.
  • Right to Delete: Request deletion of your personal information, subject to certain exceptions.
  • Right to Opt-Out of Sale: We do not sell your personal information to third parties.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise any CCPA rights, email us at privacy@retailwatcher.app. We will respond within 45 days.

7. Data Security

We implement industry-standard security measures including HTTPS encryption in transit, bcrypt password hashing, JWT session management, and private Supabase storage buckets for uploaded files. Payment data is handled entirely by Stripe — we never see or store your credit card details. For more detail, see our Security Statement.

8. International Data Transfers

RetailWatcher is operated from the United States. If you are located outside the US, your data will be transferred to and processed in the US and potentially other countries where our sub-processors operate. By using the service, you consent to these transfers. Where required by GDPR, we rely on Standard Contractual Clauses with our sub-processors.

9. Children’s Privacy

RetailWatcher is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with data, contact us and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes by email and/or by displaying a notice in the app at least 14 days before changes take effect. The current effective date is always shown at the top of this page.

11. Contact & Data Requests

For privacy questions, data access requests, or to exercise any of your rights, contact our privacy team at: privacy@retailwatcher.app

We aim to respond to all privacy requests within 30 days.