Privacy Policy
Effective date: May 23, 2026
Welcome to RUGS. We respect your privacy and are committed to protecting your personal data. This Privacy Policy describes how we collect, use, and share information when you use our Etsy to Pinterest listing sync service.
RUGS reads your own Etsy shop listings (read-only) and creates Pinterest pins on your behalf via the official Pinterest API. We access only the data necessary to provide this service and never modify your Etsy listings.
1. Information We Collect
- Account information — name, email address, and password (stored in hashed form) when you register.
- Etsy data — shop name, shop ID, product listings, images, prices, and titles imported via the Etsy API using OAuth2.
- Pinterest data — board names and pin details stored via the Pinterest API using OAuth2.
- OAuth tokens — access and refresh tokens for Etsy and Pinterest, stored encrypted in our database.
- Usage data — activity logs, automation rule configurations, and scheduling preferences.
- Technical data — IP address, browser type, session identifiers (via Laravel session cookies).
2. How We Use Your Information
- To provide content optimization tools (syncing Etsy listings for preview, generating AI-enhanced pin descriptions).
- To authenticate you with Etsy and Pinterest on your behalf via OAuth2.
- To send transactional emails (account confirmation, password reset).
- To maintain activity logs for auditing and troubleshooting.
- To improve the platform based on usage patterns.
- To manage your billing and subscription status.
3. Third-Party Services
- Etsy — We connect to Etsy's API to read your shop listings. Your data is governed by Etsy's Privacy Policy.
- Pinterest — We connect to Pinterest's API to create pins on your behalf. Your data is governed by Pinterest's Privacy Policy.
- Stripe — Payment processing is handled by Stripe. We do not store full card numbers. See Stripe's Privacy Policy.
- Cloudflare — We use Cloudflare for network security and performance. See Cloudflare's Privacy Policy.
4. Data Storage & Security
- All data is stored in an encrypted database. OAuth tokens are additionally encrypted at the application level.
- Passwords are hashed using bcrypt and are never stored in plaintext.
- We use HTTPS (TLS) for all data in transit.
- Access to production data is restricted to authorised administrators only.
5. Data Retention
- Your account data is retained for as long as your account remains active.
- Upon account deletion, your personal data and OAuth tokens are permanently deleted within 30 days.
- Activity logs may be retained for up to 90 days for audit purposes, then automatically purged.
6. Your Rights
- Access — You can view and export your data from your account settings.
- Correction — You can update your name and email at any time in Settings.
- Deletion — You can disconnect OAuth accounts at any time. You can delete all your data or your entire account from Settings.
- Portability — You can export all your data as JSON from the Settings page.
- If you are in the EEA or UK, you have additional rights under GDPR/UK GDPR, including the right to lodge a complaint with your local supervisory authority.
7. Cookies
- We use strictly necessary session cookies to keep you logged in and protect against CSRF attacks.
- We store your dark mode preference in localStorage, not cookies.
- We do not use advertising or tracking cookies.
8. Changes to This Policy
- We may update this Privacy Policy from time to time. The effective date at the top of this page will be updated accordingly.
- Significant changes will be communicated via email or an in-app notice.
9. Contact Us
If you have any questions about this Privacy Policy or how your data is handled, please contact us at:
privacy{{ parse_url(config('app.url'), PHP_URL_HOST) }}