Privacy Policy
Overview
Rufusly is an AI-powered content and intelligence platform for Amazon and Shopify sellers (“Rufusly”, “we”, “us”, “our”). This Privacy Policy explains how we collect, use, store, and protect information when you use our platform at rufusly.ai.
We are committed to handling your data responsibly. We collect only what is necessary to provide our service, we never sell your personal data, and we never use your Amazon seller data to compete with you or share it with other sellers.
Key point on Amazon data: When you connect your Amazon account, we access your selling data solely to generate AI-optimised content and business intelligence for your own use. We request the minimum permissions required, and you can revoke our access at any time from your Amazon Seller Central account.
Data we collect
Account and profile data
When you create a Rufusly account we collect:
- Name and email address
- Password (hashed, never stored in plain text)
- Business name and type (optional, used to personalise outputs)
- Billing address (collected by Stripe, not stored on our servers)
Usage data
When you use the platform we collect:
- Features used, pages visited, and actions taken within the product
- Listing rewrites, image generations, and other job outputs you create
- Credit usage and subscription activity
- Error logs and performance data for debugging
Brand profile data
Brand profiles you create in Rufusly (brand name, product name, accent colours, key claims, target customer, certifications) are stored to personalise your AI-generated content. You can delete brand profiles at any time from your account settings.
Technical data
We collect standard web server logs including IP addresses, browser type, and device type. This data is used for security, fraud prevention, and aggregate analytics only.
Amazon account data
Coming soon: Direct Amazon Selling Partner API (SP-API) connection is launching soon, pending Amazon's developer approval. Today, Rufusly generates content from the product photos and information you upload directly, it does not yet pull data from your Seller Central account. The table below describes the access we will request once this feature goes live, so you know in advance what to expect. This access begins only after you complete a separate, explicit in-product consent step when the feature launches, not automatically from having an account today.
Once available, connecting your Amazon account via SP-API will work as follows:
What access we will request
| API scope | What we access | Why we need it |
|---|---|---|
| Product Listing | Your existing listing content (title, bullets, description), product type attribute schema | To generate AI-optimised rewrites and identify missing required attributes |
| Inventory and Order Management | Active SKUs, FBA stock levels, order counts, sales velocity | To power the bulk attribute editor, inventory risk alerts, and sales trend analysis |
| Brand Analytics / Selling Partner Insights | Search query performance, customer feedback topic summaries, Selling Partner ID and marketplace IDs | To provide keyword intelligence, surface review themes, and identify your account and marketplace |
| Finance and Accounting | Settlement data, fee summaries, reimbursement reports | To calculate profitability and surface unclaimed FBA reimbursements |
| Buyer Solicitation | Order IDs eligible for a review request (no buyer name, email, or contact details) | To submit Amazon-templated review request emails on your behalf, entirely through Amazon's own Solicitations API |
| Buyer Communication, Pricing | Messaging and pricing data tied to your listings | Reserved for related features; not yet active in the product |
How we will handle Amazon data
- Writes only with your approval. We read your Amazon data automatically to power the dashboard, keyword intelligence, and reimbursement alerts. We only ever write back to your Amazon account (publishing a listing change, or submitting review request emails) when you explicitly review and approve that specific action. We never place orders, change bids, or take any action you have not specifically requested.
- No buyer contact data passes through us. Review request emails are submitted directly through Amazon's own Solicitations API using only the order ID. Rufusly never sees, stores, or processes the buyer's name, email address, or other contact details.
- No data sharing with other sellers. Your Amazon selling data is never shared with, sold to, or made accessible to other Rufusly users or third parties.
- No competitive use. We do not use your Amazon data to inform product decisions for competing sellers, or to build competitive intelligence products.
- Data minimisation. We sync only the data required to provide the specific features you use.
- Revoke at any time. You can revoke Rufusly's access through Amazon Seller Central → Apps & Services → Manage Your Apps, or by contacting us directly.
Amazon relationship disclaimer: Rufusly is an independent service provider. We are not affiliated with, endorsed by, or sponsored by Amazon.com, Inc. or its affiliates. Amazon is not responsible for Rufusly's services.
How we use your data
| Purpose | Legal basis (UK GDPR) |
|---|---|
| Providing and operating the Rufusly service | Contractual necessity |
| Generating AI listing rewrites and product images | Contractual necessity |
| Processing subscription payments via Stripe | Contractual necessity |
| Sending transactional emails (receipts, alerts) | Contractual necessity |
| Improving our AI models and product features | Legitimate interests |
| Fraud prevention and security | Legitimate interests |
| Sending product update emails (opt-out available) | Legitimate interests / consent |
| Complying with legal obligations | Legal obligation |
We do not sell your personal data. We do not use your data for advertising targeting on other platforms.
Third-party services
| Service | Purpose | Data shared |
|---|---|---|
| Supabase | Database, authentication, file storage | User accounts, job outputs, brand profiles |
| Vercel | Application hosting and serverless functions | Request logs, environment variables (no user PII) |
| Vercel AI Gateway | Routes AI requests to model providers with observability | Prompts and product data passed through to the selected model |
| Anthropic (Claude) | AI listing generation and text analysis | Product data and prompts submitted for rewriting, no buyer PII. Not used to train Anthropic's models |
| OpenAI (GPT Image) | AI product image generation | Image prompts and brand profile fields |
| Google (Gemini) | AI listing analysis and content structuring | Product data and prompts submitted for processing |
| fal.ai | AI product image generation and editing | Image prompts and brand profile fields |
| Stripe | Payment processing | Name, email, billing address, payment method tokens |
| Resend | Transactional email delivery | Name, email address, and email content (receipts, alerts, account notices) |
We do not share your data with any third parties beyond those listed above, except where required by law or with your explicit consent.
Storage and security
Your account and job data is stored in the European Union on Supabase infrastructure. All data is encrypted at rest and in transit using TLS 1.2+ encryption.
Some of our third-party processors, including Anthropic, OpenAI, Google, fal.ai, Stripe, and Vercel, are based in or transfer data to the United States. Where this involves an international transfer of personal data outside the UK, we rely on Standard Contractual Clauses, the UK International Data Transfer Addendum, or an equivalent recognised safeguard with that processor.
- Row-Level Security (RLS) on all database tables, every query is scoped to the authenticated user
- All API keys stored in server-side environment variables, never exposed to the browser
- Product data sent to AI models (Anthropic Claude, OpenAI, Google Gemini, fal.ai) never includes buyer names, emails, or other buyer contact details, and all AI processing happens server-side, never in your browser
- OAuth 2.0 for Amazon account connections, we never store your Amazon password
- Amazon SP-API tokens stored encrypted in our database
- Automatic session expiry and token rotation for Amazon OAuth connections
If you become aware of any security vulnerability, please contact us immediately at security@rufusly.ai.
Incident response
In the event of a data security incident involving your personal data or Amazon account data, we will:
- Investigate and work to contain the incident as promptly as possible, aiming to contain within 4 hours of detection
- Aim to notify affected users by email within 24 hours of confirming a breach
- Where required, notify the ICO within 72 hours of becoming aware of the breach, in line with our obligations under UK GDPR
- Aim to report any incident involving Amazon Selling Partner data to security@amazon.com within 24 hours of detection
- Provide a written summary of the incident, affected data, and remediation steps to affected users
Our incident response plan, including defined roles and responsibilities, is reviewed every six months.
Data retention
We retain your data for as long as your account is active. When you delete your account:
- Your profile, brand profiles, and listing history are deleted within 30 days
- Amazon SP-API tokens are revoked and deleted immediately
- Generated images and CSV exports are deleted from storage within 30 days
- Billing records are retained for 7 years as required by UK law
- Anonymised, aggregated analytics data may be retained indefinitely
You can request immediate deletion of all personal data by emailing hello@rufusly.ai.
Your rights
Under UK GDPR, you have the following rights:
- Right to access: Request a copy of all personal data we hold about you
- Right to rectification: Request correction of inaccurate or incomplete data
- Right to erasure: Request deletion of your personal data
- Right to restrict processing: Request that we limit how we use your data
- Right to data portability: Request your data in a machine-readable format
- Right to object: Object to processing based on legitimate interests
- Right to withdraw consent: Withdraw any consent given at any time
To exercise any of these rights, email hello@rufusly.ai. You also have the right to lodge a complaint with the ICO at ico.org.uk.
Cookies
Rufusly uses essential cookies only:
- Authentication cookie: Keeps you logged in during your session (essential, cannot be disabled)
- Preference cookie: Stores UI preferences such as theme and view settings
We do not use advertising cookies, tracking pixels, or third-party analytics cookies.
Children's privacy
Rufusly is a business tool intended for adults aged 18 and over. We do not knowingly collect personal data from children under 18.
Policy changes
When we make material changes, we will notify you by email and update the “Last updated” date at the top of this page. Continued use of Rufusly after the effective date constitutes acceptance of the updated policy.