Privacy Policy
1. Introduction
This Privacy Policy explains how Podheaven collects, uses, shares, and protects personal data when you use our service at podheaven.ai (the "Service"). It applies to account holders, waitlist signups, and visitors to our marketing site.
We aim to be straightforward: we collect what we need to run the Service, we don't sell your data, and we give you control over it.
2. Who we are (data controller)
The data controller for personal data processed through the Service is:
- Legal entity: {{Legal entity}}
- Registered address: {{Registered address}}
- Contact: hello@podheaven.ai
3. Data we collect
3.1 Account data
- Email address — used to identify your account and send service-related communication.
- Password — stored only as a bcrypt hash. We never store passwords in plaintext and cannot recover them.
3.2 Integration credentials
- Etsy OAuth access tokens — issued by Etsy when you connect your shop. Used to authenticate API calls to Etsy on your behalf. Stored encrypted at rest.
- Printify API key — pasted by you once when connecting Printify. Used to fetch product blueprints and create products. Stored encrypted at rest.
You can revoke these credentials at any time by disconnecting the integration in your account settings, or by revoking access directly within Etsy or Printify.
3.3 Listing content
Designs, titles, tags, descriptions, mockups, and other content you upload or create within the Service in order to publish listings to your Etsy shop.
3.4 Billing data
- Stripe customer ID and subscription status — stored to manage your subscription.
- We do not store credit card numbers or other payment-instrument details. All card data is collected and processed by Stripe under their PCI-DSS-compliant infrastructure.
3.5 Waitlist signups
If you sign up to our waitlist before the Service launches, we collect:
- Your email address.
- Optional product-type interest (e.g. apparel, posters) you select.
- A timestamped snapshot of the consent text shown to you at signup, so we can demonstrate the basis for contacting you.
3.6 Product analytics
We use PostHog to collect product-analytics events such as page views and feature interactions:
- Before login: events are anonymous and identified only by a device-level identifier.
- After login: events are linked to your user ID so we can understand how identified users use the Service.
3.7 Server logs
For security, abuse prevention, and debugging we automatically log:
- IP address
- User agent (browser / device)
- Request path and timestamp
Server logs are retained for 30 days.
4. How we use your data
We use personal data to:
- Provide and operate the Service, including authenticating you, connecting to your Etsy and Printify accounts, and publishing listings on your behalf.
- Process payments and manage subscriptions through Stripe.
- Send service-related communication (signup confirmations, billing notifications, security notices, important product changes).
- Provide customer support when you contact us.
- Improve the Service through product analytics and debugging.
- Protect the Service from fraud, abuse, and security incidents.
- Comply with legal obligations (e.g. tax, accounting, lawful requests).
- Notify waitlist signups about product launch and major milestones.
We do not sell personal data. We do not use personal data for advertising or share it with advertising networks.
5. Legal bases for processing (GDPR)
Where the General Data Protection Regulation (GDPR) applies, we rely on the following legal bases:
- Contract (Art. 6(1)(b)): processing necessary to provide the Service to you under our Terms of Service, including authentication, integration with Etsy/Printify, and billing.
- Legitimate interests (Art. 6(1)(f)): security, abuse prevention, debugging, product analytics, and service improvement. We balance these interests against your rights and freedoms.
- Consent (Art. 6(1)(a)): waitlist signup and any optional analytics/cookies where consent is required by law. You can withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)): retention of billing records for tax and accounting compliance, and responding to lawful requests.
6. Sharing & subprocessors
We share personal data only with the third parties listed below, each in their stated role. We do not sell personal data and do not share it with advertising networks.
| Subprocessor | Purpose | Data shared |
|---|---|---|
| Etsy | Marketplace integration — publishing listings to your Etsy shop. | Listing content (designs, titles, tags, descriptions, mockups) transmitted via official OAuth API. |
| Printify | Print-on-demand fulfillment integration — creating products in your Printify account. | Product blueprints, designs, and mockup data transmitted via Printify API. |
| Stripe | Payment processing and subscription management. | Customer email and billing details required for subscription processing. Card data is collected directly by Stripe. |
| Vercel | Hosting infrastructure. | All traffic and stored data pass through Vercel's infrastructure as part of operating the Service. |
| Resend | Transactional email delivery. | Email address and the content of signup confirmations, waitlist double opt-in, and billing notifications. |
| PostHog | Product analytics. | Anonymous events pre-login; identified events linked to your user ID post-login. |
Each subprocessor processes data under their own privacy and security commitments. We have data-processing arrangements in place with subprocessors where required by law.
We may also disclose personal data:
- To comply with legal obligations or respond to lawful requests from authorities.
- To enforce our Terms of Service or protect the rights, property, or safety of Podheaven, our users, or others.
- In connection with a merger, acquisition, reorganization, or sale of assets, in which case the recipient will be bound by privacy commitments at least as protective as this Policy.
7. International data transfers
Some of our subprocessors (including Stripe, Vercel, Resend, and PostHog) are located outside the European Economic Area (EEA) or may process data in such locations. Where personal data is transferred outside the EEA, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs), adequacy decisions, or equivalent mechanisms provided by the subprocessor.
8. Cookies & tracking
We use a minimal set of cookies:
- Session cookie — a JWT used for authentication. Set as httpOnly, Secure, SameSite=Lax. Strictly necessary for the Service to function.
- PostHog analytics cookies — used to record anonymous device-level identifiers and product-analytics events.
We do not use advertising cookies or third-party tracking cookies for advertising purposes.
You can control cookies through your browser settings. Blocking the session cookie will prevent you from being able to log in.
9. Data retention
- Account data — retained while your account is active. Deleted within 30 days after account closure, except that some logs may be retained for up to 90 days for fraud and abuse investigation.
- Waitlist signups — retained until launch plus 12 months to send product-update notifications, after which they are deleted (or earlier if you ask us to delete them).
- Stripe billing records — retained in accordance with Stripe's compliance requirements and applicable tax law (typically 7 years).
- Server logs — 30 days.
If we are legally required to retain data for longer (for example to comply with tax, accounting, or anti-fraud obligations), we will retain it for the period required and then delete it.
10. Security
We apply industry-standard technical and organizational measures to protect personal data, including:
- Encryption in transit (TLS) for all traffic to and from the Service.
- Encryption at rest for sensitive credentials such as Etsy OAuth tokens and Printify API keys.
- Passwords hashed with bcrypt; plaintext passwords are never stored.
- Access controls limiting which team members can access production data, on a need-to-know basis.
- Logging and monitoring for unusual activity.
No system is fully secure. If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority and, where required, affected users without undue delay.
11. Your rights
If the GDPR or equivalent law applies to you, you have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you.
- Rectification — request correction of inaccurate or incomplete data.
- Deletion ("right to be forgotten") — request deletion of your personal data, subject to legal retention obligations.
- Portability — receive your data in a structured, commonly used, machine-readable format, and have it transmitted to another controller where technically feasible.
- Restriction of processing — ask us to limit how we process your data in certain circumstances.
- Objection — object to processing based on legitimate interests, including for analytics.
- Withdraw consent — where processing is based on consent, withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
- Lodge a complaint — with your local data-protection supervisory authority. In Norway this is Datatilsynet (datatilsynet.no).
To exercise any of these rights, contact us at hello@podheaven.ai. We will respond within the timeframes required by applicable law (typically within one month). We may need to verify your identity before fulfilling the request.
12. Children
The Service is intended for users who are at least 18 years old. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact hello@podheaven.ai and we will take appropriate steps to delete it.
13. Changes to this policy
We may update this Privacy Policy from time to time. For material changes, we will provide advance notice by email and/or prominent in-app notice. The "Effective date" at the top reflects the latest version. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
14. Contact
Questions about this Privacy Policy or your data? Contact us:
- Email: hello@podheaven.ai
- Legal entity: {{Legal entity}}
- Registered address: {{Registered address}}