1. Introduction
Descriptra ("we," "us," or "our") operates the website descriptra.com and the web application at app.descriptra.com (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with any part of this Privacy Policy, you must not use the Service.
2. Information We Collect
2.1 Personal Information You Provide
When you register for an account, we collect:
- Name: Your full name as provided during registration.
- Email address: Used for account identification, authentication, and communication.
- Password: Stored as a one-way cryptographic hash (bcrypt with salt). We never store or have access to your plain-text password.
2.2 Google OAuth Data
If you choose to sign in with Google, we receive from Google:
- Google Account ID: A unique identifier used to link your Google account to your Descriptra account.
- Email address: Your Google email address.
- Display name: Your Google profile name.
We do not receive or store your Google password, contacts, calendar data, or any other Google account information beyond the items listed above.
2.3 Product and Catalog Data
When you use the Service, you may upload or create:
- Product information (titles, descriptions, SKUs, vendor names, product types, keywords, bullet points, meta tags)
- Product images
- Catalog structures and organization
- Content rulesets (brand tone, restricted words, generation instructions)
This data is stored to provide the Service and remains your property at all times.
2.4 Payment Information
Payment processing is handled entirely by our payment processor, Polar.sh. We do not collect, store, or process credit card numbers, bank account details, or other financial payment instruments. We receive from Polar.sh:
- Order confirmation (order ID, purchased tier, product slot count)
- Refund notifications
2.5 Automatically Collected Information
When you access the Service, we automatically collect:
- Log data: IP address, browser type, operating system, referring URLs, pages visited, timestamps, and request duration.
- Usage data: Features used, number of products created, AI generations performed, bulk jobs executed.
- Device information: Screen resolution, language preference, timezone.
2.6 Cookies and Similar Technologies
We use the following cookies and local storage:
- Authentication token (localStorage): A JSON Web Token (JWT) stored in your browser's localStorage to maintain your authenticated session. This token expires after 7 days.
- Language preference (localStorage): Your selected interface language.
- Google Analytics cookies: We use Google Analytics 4 (GA4) to understand how visitors interact with our website. GA4 uses cookies including _ga and _ga_* to distinguish unique users and sessions. This data is anonymized and aggregated.
We do not use advertising cookies, tracking pixels, or third-party behavioral advertising technologies.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Providing the Service: Creating and managing your account, processing your product data, generating AI content, managing catalogs and rulesets.
- AI Content Generation: Your product data (titles, descriptions, SKUs, images, and associated metadata) is sent to our AI provider to generate content. See Section 5 for details on third-party processing.
- Billing and Credits: Tracking your product slot balance, processing purchases and refunds, maintaining transaction history.
- Communication: Sending transactional emails related to your account (welcome emails, password reset, billing confirmations). We do not send marketing emails unless you explicitly opt in.
- Security: Detecting and preventing fraud, abuse, and unauthorized access. Implementing rate limiting and monitoring for suspicious activity.
- Improvement: Analyzing usage patterns to improve the Service, fix bugs, and develop new features. This analysis uses aggregated, anonymized data.
4. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, our legal basis for collecting and using your personal information depends on the data concerned and the context in which we collect it:
- Performance of a contract: Processing your account data, product data, and payment information is necessary to provide the Service you have requested.
- Legitimate interests: We process usage data and log data for security, fraud prevention, service improvement, and analytics, where these interests are not overridden by your data protection rights.
- Consent: Where we rely on your consent (e.g., optional marketing communications), you may withdraw consent at any time.
- Legal obligation: We may process data where necessary to comply with applicable laws, regulations, or legal proceedings.
5. Third-Party Services and Data Processors
We use the following third-party services to operate the Service. Each processes data only as necessary to fulfill its specific function:
AI Processing Provider
Purpose: AI content generation (product descriptions, titles, keywords, meta tags, data enrichment, image search).
Data shared: Product titles, descriptions, SKUs, vendor names, product types, keywords, bullet points, images (when image-based generation is used), and content ruleset instructions.
Location: United States.
Polar.sh
Purpose: Payment processing for product slot purchases.
Data shared: Your email address, name, and a customer reference ID. Polar.sh independently collects and processes your payment instrument data.
Location: European Union.
Bunny.net
Purpose: Content Delivery Network (CDN) and image storage for product images you upload.
Data shared: Product images.
Location: Global CDN with European headquarters (Slovenia).
Cloudflare
Purpose: DNS management, DDoS protection, and static site hosting for the landing page and web application.
Data shared: Standard HTTP request data (IP addresses, headers) as part of normal web traffic routing.
Location: Global network.
Google (OAuth & Analytics)
Purpose: Google Sign-In authentication and website analytics (GA4).
Data shared: For OAuth: authentication tokens. For Analytics: anonymized usage data, page views, session data.
Location: United States.
Upstash (Redis)
Purpose: Job queue management for background AI processing tasks and rate limiting.
Data shared: Job metadata (product IDs, job status, processing state). No product content is stored in Redis.
Location: European Union.
Neon (PostgreSQL)
Purpose: Primary database for all user, product, and transaction data.
Data shared: All application data as described in Section 2.
Location: European Union (AWS eu-central-1, Frankfurt).
6. Data Storage and Security
6.1 Storage Location
Your data is primarily stored on servers located in Germany (Hetzner VPS, Falkenstein) and the European Union (Neon PostgreSQL in AWS Frankfurt). Product images are distributed globally via Bunny.net CDN with origin storage in the EU.
6.2 Security Measures
We implement the following security measures to protect your data:
- Passwords are hashed using bcrypt with per-user salts (12 rounds). We never store plain-text passwords.
- All data transmitted between your browser and our servers is encrypted using TLS 1.2+ (HTTPS).
- Authentication uses JSON Web Tokens (JWT) with cryptographically signed payloads and 7-day expiration.
- Webhook signatures are verified using HMAC-SHA256 with timing-safe comparison to prevent forgery.
- API endpoints are protected by rate limiting to prevent brute-force attacks and abuse.
- Server access is restricted by firewall rules (UFW) allowing only HTTP/HTTPS and SSH traffic.
- Database connections use SSL encryption.
- Admin panel access requires a separate ADMIN role verified on every request via database lookup.
- All product update operations include ownership verification to prevent unauthorized access (IDOR protection).
- URL-based image fetching includes SSRF protection blocking private/internal network addresses.
6.3 Incident Response
In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected users and relevant supervisory authorities within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
7. Data Retention
- Account data: Retained for as long as your account is active. When you delete your account, all personal data, products, catalogs, rulesets, generation results, credit history, and uploaded images are permanently deleted within 30 days.
- Product data and generated content: Retained for as long as your account is active. Deleted when you delete specific products or your account.
- Transaction records: Retained for up to 7 years after the transaction date to comply with tax and accounting regulations.
- Server logs: Automatically purged after 90 days.
- AI generation results: Retained until you accept, reject, or delete them. Accepted content is stored with your product data. Rejected content is permanently deleted.
8. Your Rights
8.1 GDPR Rights (EEA, UK, Switzerland)
If you are located in the EEA, UK, or Switzerland, you have the following rights under the General Data Protection Regulation:
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate or incomplete personal data.
- Right to erasure ("right to be forgotten"): Request deletion of your personal data. You can exercise this right by deleting your account in Settings, which triggers permanent deletion of all your data.
- Right to restriction of processing: Request that we limit how we use your data.
- Right to data portability: Request your data in a structured, commonly used, machine-readable format. You can export all your product data as CSV or Excel at any time using the built-in export feature.
- Right to object: Object to processing of your personal data based on legitimate interests.
- Right to withdraw consent: Where processing is based on consent, withdraw your consent at any time.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
You also have the right to lodge a complaint with your local data protection supervisory authority.
8.2 California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to know: Request disclosure of the categories and specific pieces of personal information we have collected about you.
- Right to delete: Request deletion of your personal information.
- Right to opt out of sale: We do not sell your personal information to third parties.
- Right to non-discrimination: We will not discriminate against you for exercising any of your privacy rights.
8.3 Do Not Track
Our Service does not currently respond to "Do Not Track" browser signals. However, we do not engage in cross-site tracking or behavioral advertising.
9. International Data Transfers
Your data is primarily stored in the European Union (Germany/Frankfurt). However, some data is transferred to the United States for AI processing and Google Analytics. These transfers are conducted under:
- The EU-U.S. Data Privacy Framework (where applicable)
- Standard Contractual Clauses (SCCs) approved by the European Commission
- The data processing terms of our service providers (Google, Cloudflare)
10. Children's Privacy
The Service is not intended for use by individuals under the age of 16 (or 13 where permitted by applicable law). We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child without verification of parental consent, we will take steps to delete that information promptly. If you believe we have collected data from a child, please contact us at [email protected].
11. AI-Generated Content and Data Processing
When you use our AI content generation features:
- Your product data is sent to our AI provider for processing.
- We send only the minimum data necessary for generation: product title, description, SKU, vendor, product type, keywords, bullet points, and (optionally) images.
- We do not use your product data to train AI models. Your data is processed solely to generate the requested output and is not retained by the AI provider beyond the duration of the request.
- AI-generated content is stored in our database as "generation results" pending your review. You choose whether to accept or reject each generated item.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:
- Posting the updated Privacy Policy on this page with a revised "Last updated" date.
- Sending an email notification to the email address associated with your account for significant changes.
Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Privacy Policy.
13. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Email: [email protected]
- Website: https://descriptra.com
For GDPR-related inquiries, you may also contact our designated data protection contact at the email address above.