Privacy Policy

Last updated: May 4, 2026

TrueMargin (“TrueMargin,” “we,” “us,” or “our”) provides e-commerce profit intelligence software that connects to e-commerce platforms (including Amazon Selling Partner API, Shopify, eBay, Walmart, TikTok Shop) and financial accounts (via Plaid) to surface true profit per product, channel-level P&L, and expense categorization. This Privacy Policy explains what data we collect, how we use it, how we protect it, and your rights.

Plain-English summary: We collect the data you authorize us to collect from your e-commerce and financial accounts. We use it only to power your TrueMargin dashboard. We never sell it. We never share it with advertisers. Data is encrypted at rest and in transit. You can delete your account and all associated data at any time.

1. Information We Collect

1.1 Information you provide directly

Account info: name, business name, email address, password (hashed via bcrypt), billing address.
Payment info: handled by Stripe. We do not store full card numbers.
Cost-of-goods-sold (COGS) and other manually entered product cost data.
Support correspondence.

1.2 Information we collect from connected platforms (with your authorization)

Amazon Selling Partner API (SP-API): orders, order items, fees, Settlement Reports, FBA inventory, refunds/returns, and advertising spend reports. Connected via OAuth (Login with Amazon). We store an encrypted refresh token; we never receive your Amazon password.
Shopify, eBay, Walmart, TikTok Shop, and other platforms: orders, fees, line items, refunds, and advertising data — all via OAuth APIs.
Plaid (financial expense tracking): bank and credit card transactions (for expense categorization only). Plaid handles credentials; we never see them.

1.3 Information collected automatically

Device, browser, and IP address (used for security, abuse prevention, and audit logging).
Usage analytics (page views, feature engagement) — aggregate, not sold.
Cookies for session management and minimal analytics.

2. How We Use Information

To provide the TrueMargin product: calculating profit, displaying dashboards, surfacing alerts and insights.
To run scheduled syncs against your authorized e-commerce APIs.
To process subscriptions and billing.
To improve the product (in aggregate, never per-customer data sale).
To communicate service and security updates.
To meet legal, audit, and tax obligations.

We do not sell your data, share it with advertisers, or use Amazon Information (defined in §4) for any purpose other than serving you.

3. How We Protect Information

3.1 Encryption

In transit: TLS 1.2 or higher for all connections. HSTS enforced.
At rest: AES-256 encryption on the database (Supabase managed Postgres). Sensitive credentials (e.g., SP-API refresh tokens) additionally encrypted at the column level using pgsodium/Supabase Vault.

3.2 Access controls

Row-Level Security (RLS) enforces per-tenant isolation in Postgres — sellers can only access their own records.
Production access is limited to a small named set of engineers; access is logged and reviewed.
Multi-factor authentication required for all administrative accounts.
Secrets are stored in encrypted environment variables, never in source control.

3.3 Monitoring and incident response

Application and access logs are retained for at least 90 days.
We monitor for anomalous access patterns and rate-limit violations.
In the event of a security incident affecting your data, we will notify affected customers within 72 hours of confirmed discovery.

4. Amazon Information (SP-API Data)

“Amazon Information” means any data obtained directly or indirectly from Amazon through the Selling Partner API, including Personally Identifiable Information (PII) of your Amazon customers. We treat Amazon Information with the following commitments:

We use Amazon Information solely to provide the TrueMargin service to the seller who authorized us.
We do not share Amazon Information with any third party except subprocessors strictly necessary to operate the service (see §6).
We do not use Amazon Information for advertising, retargeting, or any data-resale activity.
PII is retained only as long as required to provide the service. Customer-level PII (buyer names, addresses) from Amazon orders is encrypted at rest and accessible only to the seller who owns it.
Amazon Information is deleted within 30 days of account termination unless retention is required by law.
Our handling of Amazon Information complies with the Amazon Acceptable Use Policy and Data Protection Policy. See our Data Processing Addendum for additional detail.

5. Data Retention

Active customer data is retained for the duration of your subscription.
If you cancel, data remains for up to 30 days to allow account reactivation, then is permanently deleted (encrypted backups purged within 90 days).
You can request immediate deletion at any time by emailing privacy@truemarginhq.com.
Aggregated, fully anonymized usage statistics may be retained indefinitely.

6. Subprocessors

We use a small number of trusted infrastructure providers to operate the service:

Supabase (database + authentication) — US-region hosting.
Vercel (application hosting and CDN).
Stripe (subscription billing).
Plaid (bank/credit card expense aggregation, only if you connect a financial account).
Resend / transactional email provider (account and security email).

Each subprocessor is contractually bound by data protection terms equivalent or stricter than those described here.

7. Your Rights

Depending on your jurisdiction, you may have the following rights:

Access: request a copy of personal data we hold about you.
Correction: request that we correct inaccurate data.
Deletion: request that we delete your data.
Portability: request a machine-readable export of your data.
Objection / restriction: object to or restrict certain processing.
Withdrawal of consent: revoke an OAuth authorization at any time from your account settings or directly with the platform (e.g., Amazon Seller Central → Apps and Services → Manage Your Apps).

To exercise any of these rights, email privacy@truemarginhq.com. We respond within 30 days.

8. International Transfers

TrueMargin is operated from the United States. If you access the service from outside the U.S., your data is transferred to and processed in the U.S. We rely on Standard Contractual Clauses with subprocessors where applicable.

9. Children

TrueMargin is not directed at children under 16. We do not knowingly collect data from children.

10. Changes to This Policy

We may update this Policy from time to time. Material changes will be communicated by email and posted here with an updated date. Continued use of the service after a change constitutes acceptance of the revised Policy.

11. Contact

For privacy questions, data requests, or to report a security concern: