Privacy Policy
Last updated: April 8, 2026
LumiPoints ("we," "our," or "us") operates the analytics platform at lumipoints.com and related services (the "Service"). This Privacy Policy explains how we collect, use, store, share, and protect your information.
Please review the privacy policies of our integration partners: Etsy Privacy Policy, Printify Privacy Policy, Printful Privacy Policy.
1. Information We Collect
1.1 Account Information
When you register, we collect:
- Email address — login identifier and account communications.
- Name — displayed in your profile.
- Password — stored as a one-way bcrypt hash (12 salt rounds). We never store plain-text passwords.
If you sign in via Google OAuth, we receive your name and email only. We do not access Google contacts, calendar, or other data.
1.2 Marketplace Data (Etsy)
When you connect Etsy via OAuth 2.0, we request these scopes:
- shops_r — Shop name, listing counts, transaction counts.
- listings_r / listings_w — Listing titles, descriptions, tags, prices, quantities, images, views, favorites, taxonomy, SKUs. Write access used solely for listing creation/editing you initiate.
- transactions_r — Order receipts: amounts, shipping, tax, discounts, payment method, buyer country/city (geographic analytics), status, line items.
- email_r — Buyer email, accessed only where separately authorized, for order matching.
- profile_r — Seller profile for account display.
Data synced periodically (listings 1hr, receipts 30min, reviews 6hr) solely for analytics and listing insights.
1.3 Production Provider Data (Printify / Printful)
Via OAuth 2.0 or Personal Access Token, we access:
- Shop metadata — shop name, ID, status.
- Product catalog — titles, variants, images, blueprints, print providers.
- Order data — production costs, shipping costs, status, fulfillment timestamps, linked marketplace order ID (for cross-provider matching).
Used exclusively to: (a) calculate per-order profit, (b) enable product creation you initiate, (c) display production analytics.
1.4 AI Generation Data
- Text prompts — sent to Google AI (Gemini, Imagen 3, Veo 2) for generation.
- Generated outputs — stored in your gallery.
- Generation metadata — model, format, timestamp, token cost.
Prompts are processed by Google AI per their privacy policies. We do not use your prompts for training.
1.5 Usage and Technical Data
- Page views and feature usage (anonymized).
- Error logs (page URL, error message — no personal data).
- Browser type, OS (standard HTTP headers).
- IP address — for security only, not stored long-term.
1.6 Chrome Extension Data
If you install the LumiPoints Chrome Extension, the following additional data practices apply:
1.6.1 SEO Analysis (no login required)
The extension analyzes publicly visible information on Etsy listing pages (title length, tag count, image count, description length, category depth) locally in your browser. No data is sent to our servers unless you are logged in and choose to save your analysis history.
1.6.2 Profit Overlay (requires connected account)
When you are logged in with a connected Etsy/Printify account, the extension fetches your profit data from our servers to display on Etsy and Printify pages. This uses the same marketplace and provider data described in sections 1.2 and 1.3 above — no additional data is collected.
1.6.3 Anonymized Market Data (opt-in only)
With your explicit consent, the extension collects anonymized market data from Etsy listing pages you visit:
- Collected: Category, price range, review count, average rating, photo count, tag count, shipping type, bestseller/star-seller badge presence.
- NOT collected: Seller names, shop names, email addresses, listing titles, listing URLs, or any personally identifiable information about sellers or buyers.
- Deduplication: A SHA-256 hash of the page URL is used solely to prevent duplicate entries. The actual URL is never stored.
- Rate limits: Maximum 1 data point per listing per day, 100 per user per day.
- Purpose: Aggregated across all participating users to generate anonymous market trends, category insights, and pricing benchmarks available to all subscribers.
- Opt-out: You can disable market data collection at any time via the extension settings toggle. Previously collected data is retained in anonymized, aggregated form.
1.6.4 Extension Permissions
The extension requests access only to www.etsy.com and www.printify.com — it does not request access to all websites. Additional permissions: storage (to store your login token locally), notifications (for order alerts), alarms (for periodic order checks).
1.6.5 Extension Data Retention
- Raw market snapshots: 90 days, then automatically deleted.
- Aggregated market trends: Retained indefinitely (fully anonymized).
- SEO score history: Retained while account is active, deleted with account.
1.6.6 Shop Manager Data (opt-in only)
With your explicit consent (enabled via the "Shop Data Collection" toggle in extension settings), the extension parses data from your own Etsy Shop Manager pages when you visit them:
- Advertising data: Ad spend, clicks, impressions, ROAS, CPC per listing.
- Shop statistics: Visits, views, orders, revenue, conversion rate, search terms, traffic sources.
- Financial data: Revenue, fees breakdown (Etsy fees, processing fees, listing fees, ad fees, shipping labels), tax collected, net payouts.
How it works:
- Data is parsed from the DOM of your Etsy Shop Manager pages as you visit them — we do not use Etsy's API for this.
- Collection occurs only when you are logged into LumiPoints and have explicitly enabled "Shop Data Collection" in extension settings.
- Only data from your own shop is collected — we never collect data from other sellers' shops.
- You can disable collection at any time by turning off the toggle in Settings.
- Monetary values are stored as integers (cents) for precision.
Purpose:
- Provide analytics dashboards for ads performance, traffic trends, and financial overview.
- Calculate ROI and profitability metrics across your shop.
- Identify trends in your shop performance over time.
Data retention and deletion:
- Shop Manager data is retained as long as your account is active.
- When you delete your account, all shop data is permanently deleted (CASCADE delete).
- You can delete all shop data at any time using the "Delete My Shop Data" button in Settings — without deleting your account.
- Deletion endpoint: DELETE /api/extension/shop-manager/data
What we do NOT do with your Shop Manager data:
- We do not sell your shop data to third parties.
- We do not share individual shop data with other users.
- We do not collect your Etsy password or authentication tokens.
- We do not collect data when you browse other sellers' shops.
2. Legal Basis for Processing (GDPR Article 6)
- Contract performance (Art. 6(1)(b)): Providing the Service — account management, sync, analytics.
- Consent (Art. 6(1)(a)): Connecting third-party accounts via OAuth; enabling Shop Data Collection in extension settings. Withdraw anytime by disconnecting or disabling the toggle.
- Legitimate interest (Art. 6(1)(f)): Usage data and error logs to maintain and improve the Service.
- Legal obligation (Art. 6(1)(c)): Tax, accounting, legal compliance retention.
3. How We Use Your Data
- Profit analytics: Matching Etsy receipts with provider costs for per-order P&L.
- Fee estimation: Etsy fees (6.5% transaction, 3%+$0.25 payment, $0.20 listing, ~0.5% regulatory). Estimates — actual may vary.
- Dashboard: Revenue timelines, geographic distribution, conversion funnels, margin charts, per-listing analytics.
- Shop analytics: Ads performance dashboards, traffic trend analysis, financial overviews, and ROI calculations using your opt-in Shop Manager data (section 1.6.6).
- Listing management: Creating/editing listings, matching variants with provider products for per-variant cost analysis.
- AI design: Processing prompts through AI models, facilitating product creation on your provider.
- Service operation: Auth, security, support.
- Improvement: Anonymized usage analysis for bugs and features.
- Communication: Transactional emails, service notifications. No marketing emails without opt-in.
4. Data Sharing and Disclosure
We do not sell, lease, rent, or trade your personal data or merchant data to any third party.
4.1 Sub-Processors
- Neon (neon.tech) — PostgreSQL database, SSL encrypted, US East.
- Hetzner (hetzner.com) — VPS hosting, Hillsboro, Oregon, USA.
- Google AI (Google Cloud) — AI generation prompts only. No personal/financial data sent.
- Google Identity Services — Google Sign-In auth tokens only.
4.2 Production Providers
When you explicitly use product creation, we send design images and product specs to your connected provider. Only at your initiation.
4.3 Legal Disclosure
When required by law, subpoena, court order, or to protect rights/safety.
4.4 Business Transfers
In merger/acquisition, data may transfer. We will notify you before data becomes subject to a different policy.
5. Data Storage and Security
5.1 Infrastructure
- PostgreSQL (Neon) with SSL encryption.
- Dedicated VPS (Hetzner, USA) behind Caddy with auto-HTTPS (TLS 1.2+).
- JWT authentication (15-min expiry, secure refresh token rotation).
- Firewall: only ports 22, 80, 443.
5.2 Application Security
- Passwords: bcrypt with 12 salt rounds.
- OAuth tokens: server-side only — never in frontend, browser storage, or cookies.
- All queries enforce user_id isolation.
- Secrets in environment variables, never in source code.
- Parameterized SQL statements (injection prevention).
- HTTP security headers (HSTS, CSP, X-Frame-Options) via Helmet.
6. Data Retention
6.1 Active Account
- Account data — lifetime of account.
- Marketplace data — while integration connected, refreshed on sync.
- Provider data — while integration connected.
- AI content — until you delete it or delete your account.
- Usage logs — up to 90 days, then purged.
- Market snapshots (extension) — 90 days, then purged. Aggregated trends retained indefinitely.
- SEO scores (extension) — lifetime of account.
- Shop Manager data (extension) — lifetime of account. Deletable anytime via "Delete My Shop Data" in Settings without deleting your account.
6.2 Disconnection and Deletion
Disconnect integration: All synced data deleted within 30 days.
Delete account: All data permanently deleted within 30 days.
Data retained beyond 30 days only where required by law. Anonymized aggregate data may be retained indefinitely.
Request immediate deletion: [email protected]
7. International Data Transfers
Primary infrastructure is in the United States. If accessing from EU/UK, your data will be processed in the US. Transfers conducted under Standard Contractual Clauses (SCCs) as provided by sub-processors.
8. Your Rights
8.1 GDPR (EU/EEA/UK)
- Access (Art. 15): Request copy of all personal data. Provided in electronic format within 30 days. Shop Manager data viewable in your dashboard.
- Rectification (Art. 16): Request correction. Also editable in account settings.
- Erasure (Art. 17): Right to be forgotten. Delete account or contact us. Erased within 30 days. For Shop Manager data specifically, use the "Delete My Shop Data" button for instant deletion.
- Restriction (Art. 18): Limit processing while verifying accuracy.
- Portability (Art. 20): Receive data in JSON format.
- Object (Art. 21): Object to legitimate-interest processing.
- Withdraw Consent (Art. 7(3)): Disconnect integrations anytime. Disable "Shop Data Collection" toggle to stop shop data collection. Prior processing remains lawful.
- Lodge Complaint: With your supervisory authority.
8.2 CCPA (California)
Rights to: know, delete, opt-out of sale (we do not sell data), non-discrimination.
8.3 Exercising Rights
Contact [email protected]. Response within 30 days (up to 60 for complex requests).
9. Cookies and Tracking
9.1 Cookies Used
- Auth cookie (essential) — JWT token, 15-min expiry, auto-refreshed.
- Refresh token (essential) — 7 days (30 with remember me). HttpOnly, Secure, SameSite=Strict.
- Theme/language (functional) — persistent, local storage.
9.2 Not Used
- No Google Analytics, Mixpanel, Hotjar.
- No advertising/marketing cookies.
- No social media pixels or cross-site tracking.
9.3 Do Not Track
We honor DNT signals. We already do not track beyond essential Service operation.
10. Security Breach Notification
- Users notified within 72 hours (GDPR Art. 33).
- Integration partners (Printify, Printful) within 24 hours (Printify API Terms).
- Supervisory authorities as required by law.
- Includes: breach nature, data affected, user count, consequences, remedial measures.
11. Children's Privacy
Not directed at individuals under 16. We do not knowingly collect data from children. Contact [email protected] if you believe a child provided data.
12. Changes
Material changes: email notification 14 days before effect, in-app notice, updated date.
13. Contact
Email: [email protected]
Website: lumipoints.com
Response: 30 days (rights requests), 48 hours (general).