Privacy Policy
Last updated: 15 June 2026
This English translation is provided for convenience only; the Italian version is the legally binding text and the Service is governed by Italian law.
This policy describes how ReProfit («the Service») processes users' personal data, pursuant to Regulation (EU) 2016/679 («GDPR») and applicable law.
1. Data controller
The data controller is GM Commerce Group S.r.l. (VAT IT09143370725 · Tax code 09143370725 · REA BA-674527), with registered office at Via Garigliano 9/A, 70022 Altamura (BA), Italy — also operating as YourStoreMatters Agency, of which ReProfit is a service. For any request relating to your data (certified email / PEC): [email protected].
A Data Protection Officer (DPO) has not been appointed, as the conditions of art. 37 GDPR do not apply. The controller is established in the EU, so a representative under art. 27 is not required.
2. What data we collect
- Account data: email address and login credentials (the password is stored in encrypted form by our authentication provider).
- Data you upload or sync: your inventory, purchases and sales (uploaded Excel files and/or data imported from connected marketplaces), including titles, costs, prices, fees and dates.
- Connection tokens: the OAuth tokens of the marketplaces you connect (eBay, Shopify), kept encrypted at rest and used only to read your sales data.
- Payment data: handled by our payment processor (Stripe). We do not store your card details on our systems.
- Technical data: service logs, IP address and information essential to the operation and security of the Service (e.g. abuse limitation).
3. Why we process the data and on what legal basis
- Provide the Service (calculating profits, margins, ROI, capital in stock) — basis: performance of the contract.
- Manage accounts and payments — basis: contract and legal obligations.
- Security and abuse prevention (e.g. rate limiting) — basis: legitimate interest.
- Service communications — basis: contract / legitimate interest.
Where the legal basis is legitimate interest, the interest pursued is ensuring the security, integrity and proper functioning of the Service (including anti-abuse measures): you have the right to object to such processing (see point 7). We do not sell your personal data and do not use it for third-party advertising.
4. Who we share it with (processors)
We rely on providers that process data on our behalf, with adequate safeguards:
- Supabase — database and authentication.
- Vercel — application hosting.
- Stripe — payment processing.
- Sentry — error monitoring and technical diagnostics.
- Upstash — abuse limitation (rate limiting); processes the IP address.
- Cloudflare — anti-bot protection (CAPTCHA) and network infrastructure.
- Brevo — delivery of service and system emails (account confirmation, password reset). Processes your email address. EU-based provider.
- Crisp — customer support chat; processes the messages you send in chat, your email and essential technical data. EU-based provider.
- eBay and Shopify — only for the marketplaces you choose to connect, to import your sales data.
- Groq — AI inference for the in-app assistant; receives only de-identified, aggregate metrics (see point 10).
- Google (Google Analytics and Google Ads) — measurement and ads via Google Consent Mode v2 (advanced mode): Google’s tag loads when the site opens in a denied state, without cookies or identifiers, sending only anonymous, aggregated measurement signals; cookies and full measurement/ads activate only with your consent (statistics → analytics category; ad measurement and personalization → marketing category).
- Microsoft Clarity — usage-experience analytics (usage statistics and interaction maps), enabled only with your consent (analytics category).
5. Transfers outside the EU
Some providers (in particular Supabase, Vercel, Stripe, Sentry, Upstash, Cloudflare, Groq, Google and Microsoft) may process or store data in the United States. Such transfers take place on the basis of the EU-US Data Privacy Framework adequacy decision (where the provider is certified) or, failing that, the EU Commission's Standard Contractual Clauses with supplementary measures. You can request a copy of the safeguards applied by writing to [email protected].
6. How long we keep the data
- Account and uploaded/synced data: for the entire duration of the account; on closure, deleted or anonymized within 30 days (except technical rolling backups).
- Marketplace tokens: revoked and deleted when the marketplace is disconnected or the account is closed.
- Payment/invoicing documents: kept for the period required by Italian tax law (10 years, art. 2220 c.c.).
You may request deletion at any time, subject to statutory retention obligations.
7. Your rights
You have the right of access, rectification, erasure, restriction, portability and objection to processing. To exercise them, write to [email protected]. You also have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali) (www.garanteprivacy.it).
8. Minors
The Service is intended exclusively for adult commercial operators and is not intended for persons under 18 (consistent with the Terms of Service). We do not knowingly collect data of minors; if we become aware that a minor has provided us with data, we will delete it.
9. Cookies
We use essential technical cookies (session, authentication, security and error monitoring), which are necessary for the operation of the Service and do not require consent. Analytics cookies (usage statistics) and marketing cookies (campaign measurement) are activated only with your prior consent, given via the banner on first access. You can change or withdraw your choices at any time from the «Cookie preferences» link in the footer; choices are kept for 6 months. We honor the Global Privacy Control signal: if enabled in your browser, marketing cookies remain disabled (opt-out of "sale or sharing" under the CCPA/CPRA for U.S. users). For measurement only, Google’s tag runs in Consent Mode v2 (advanced mode): before your choice it sends only anonymous, cookieless signals; cookies are set only after consent.
10. AI assistant
The Service includes an optional AI assistant that answers questions about your dashboard data in natural language. It runs only when you open it and ask a question. Legal basis: performance of the contract (it is a feature of the Service); you may simply choose not to use it.
To generate answers we send the AI provider only de-identified, aggregate metrics already computed for your dashboard (totals, margins, counts per period). We do not send your individual rows, item titles, any customer or supplier names, notes, SKUs or other free text: free-text labels (categories, sources, statuses, destinations) are replaced with opaque codes (e.g. «Category A») before transmission, and the mapping back to your real labels never leaves your browser.
AI inference is performed by Groq, Inc. (United States) as a processor. The data sent (de-identified aggregates) is processed only to produce your answer and is not used to train models. Transfer to the United States is governed as in point 5.
Answers are generated automatically, may contain inaccuracies and do not constitute tax, legal or accounting advice; the authoritative figures always remain those in the dashboard.
11. Changes
We may update this policy; material changes will be communicated through the Service. The date at the top indicates the last update.
12. Contacts
For any privacy questions: [email protected].