🔒 Plain-English Privacy

Privacy Policy

We built Sortaflow for Etsy sellers, not data brokers. Here’s exactly what we collect, why, and how we keep it safe — in plain English.

Last updated: March 23, 2026

Overview

Sortaflow (“we,” “our,” or “us”) provides an order management dashboard for Etsy sellers. This Privacy Policy describes how we collect, use, disclose, and protect information when you use our website at sortaflow.com, our web application, our Chrome extension, and any related services (collectively, the “Service”).

By using the Service, you agree to the collection and use of information in accordance with this policy. If you disagree, please discontinue use and contact us to delete your account.

The short version: We collect only what we need to run the service. We don’t sell your data. We don’t share it with advertisers. Your Etsy store data belongs to you.

Information We Collect

Account Information

When you sign up, we collect your name, email address, and a hashed password (we never store passwords in plain text). If you sign up via Google OAuth, we receive only the profile fields you authorise.

Etsy Store Data

When you connect your Etsy shop, we receive data through the Etsy OAuth 2.0 API under the permission scopes you grant during the connection flow. This may include:

  • Order details (buyer name, order contents, shipping address, personalisation notes)
  • Product listings (titles, SKUs, images, prices)
  • Shop information (shop name, currency, language)
  • Shipping carrier and tracking information

We request the minimum scopes needed. We do not request access to your Etsy finances, payment information, or billing details.

Usage Data

We automatically collect limited technical data to operate and improve the Service, including IP address (hashed), browser type, pages visited, and feature interactions. This data is not linked to your identity.

Team Member Data

If you invite team members to your organisation, we collect their email addresses and the role permissions you assign them.

Etsy Integration

Sortaflow connects to Etsy’s API on your behalf using OAuth 2.0 (PKCE). Here is how that works:

  • You authorise Sortaflow on Etsy's own OAuth consent screen. We never see your Etsy password.
  • Etsy issues us short-lived access tokens and refresh tokens, stored encrypted in our database.
  • Tokens are automatically refreshed before expiry and scoped to exactly the permissions you granted.
  • You can revoke access at any time from your Etsy account under Apps & Integrations — this immediately disconnects your shop from Sortaflow.
  • Order and listing data is synced periodically and on-demand. We do not cache data beyond what is needed to display your dashboard.

We operate on a read-first, write-only-when-asked principle. We never modify your Etsy listings, prices, or orders unless you explicitly trigger an action inside the Sortaflow dashboard.

How We Use Your Data

We use the information we collect to:

  • Provide, operate, and maintain the Service
  • Sync and display your Etsy orders, tags, and fulfilment status
  • Send transactional emails (order alerts, pack-mode confirmations, auth codes — never marketing without consent)
  • Process subscription payments via Stripe
  • Detect and prevent fraud, abuse, and security incidents
  • Respond to your support requests
  • Improve and develop new features based on aggregated, anonymised usage patterns

We do not use your data to train AI/ML models, sell advertising, or profile you for any purpose beyond operating the Service.

Sharing & Third Parties

We do not sell, rent, or trade your personal information. We share data only in the following limited circumstances:

Service Providers

We use a small set of trusted sub-processors to operate the Service. Each is bound by data processing agreements and processes data only on our instructions:

| Provider | Purpose | Data Shared |
| --- | --- | --- |
| Supabase | Database & authentication | Account data, order data |
| Stripe | Subscription billing | Email, billing address |
| Resend | Transactional email | Email address, order reference |
| Render | Backend hosting | All data in transit (encrypted) |

Legal Requirements

We may disclose your information if required by law, court order, or governmental authority, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

Business Transfers

In the event of a merger, acquisition, or sale of all or substantially all assets, your data may be transferred. We will notify you via email and/or a prominent notice on the Service before your data becomes subject to a different privacy policy.

Security

We take security seriously and implement industry-standard measures to protect your data:

  • All data is encrypted in transit using TLS 1.2+
  • Data at rest is encrypted by our database provider (Supabase / PostgreSQL)
  • Etsy OAuth tokens are stored encrypted, never in plain text
  • Passwords are hashed with bcrypt (never stored in plain text or reversibly encrypted)
  • Row-Level Security (RLS) on all database tables ensures users can only access their own organisation's data
  • Admin access requires two-factor authentication (TOTP)
  • All admin actions are logged to an immutable audit trail

No method of transmission or storage is 100% secure. If you discover a security vulnerability, please disclose it responsibly by emailing security@sortaflow.com rather than posting it publicly.

Cookies & Tracking

We use a minimal set of cookies necessary to operate the Service. We do not use third-party advertising cookies or tracking pixels.

Cookies We Set

  • Session cookies — maintain your logged-in state
  • Preference cookies — remember UI settings like sidebar state
  • CSRF tokens — protect form submissions

What We Don't Do

  • We don't use Google Analytics, Meta Pixel, or any ad-network trackers
  • We don't fingerprint your browser
  • We don't build cross-site behavioural profiles

You can clear cookies at any time via your browser settings. Disabling session cookies will prevent you from logging in.

Data Retention

We retain your data for as long as your account is active or as needed to provide the Service:

  • Account data — retained while your account is open
  • Etsy order data — retained until you delete your account or disconnect your shop
  • Billing records — retained for 7 years as required by financial regulations
  • Server logs — 90 days, then automatically purged
  • Deleted data — we use soft deletes internally for data integrity; hard deletion occurs within 30 days of your account deletion request

To request full deletion of your account and data, contact us at privacy@sortaflow.com. We will process your request within 30 days.

Your Rights

Depending on your location, you may have the following rights regarding your personal data. We honour all of these regardless of whether your jurisdiction legally requires it:

  • Access: Request a copy of all data we hold about you
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Delete your account and all associated data
  • Portability: Receive your data in a machine-readable format (JSON)
  • Restriction: Limit how we process your data in certain circumstances
  • Objection: Object to processing based on legitimate interests

To exercise any of these rights, email us at privacy@sortaflow.com. We will respond within 30 days (and typically much sooner).

California residents (CCPA): We do not sell personal information. You have the right to know, delete, and opt out of sale — though there is nothing to opt out of.

EEA/UK residents (GDPR): Our legal basis for processing is contract performance (to provide the Service you signed up for) and legitimate interests (security, fraud prevention, service improvement). You have the right to lodge a complaint with your local data protection authority.

Children's Privacy

The Service is not directed to children under 13 (or 16 where applicable under GDPR). We do not knowingly collect personal information from children. If you believe we have inadvertently collected such information, please contact us immediately and we will delete it promptly.

Policy Changes

We may update this policy from time to time. When we make material changes, we will:

  • Update the “Last updated” date at the top of this page
  • Send an email notification to all registered users at least 14 days before the change takes effect
  • Display an in-app banner for the 14-day notice period

Continued use of the Service after changes take effect constitutes acceptance of the updated policy. If you disagree with the changes, you may delete your account before they take effect.

Contact Us

If you have questions, concerns, or requests about this Privacy Policy or how we handle your data, please reach out:

Sortaflow Privacy Team

Email: privacy@sortaflow.com

General support: Contact form

We aim to respond to all privacy-related inquiries within one business day.
