Rufusly
Legal

Privacy Policy

Last updated: 9 July 2026  ·  Effective immediately

Overview

Rufusly is an AI-powered content and intelligence platform for Amazon and Shopify sellers (“Rufusly”, “we”, “us”, “our”). This Privacy Policy explains how we collect, use, store, and protect information when you use our platform at rufusly.ai.

We are committed to handling your data responsibly. We collect only what is necessary to provide our service, we never sell your personal data, and we never use your Amazon seller data to compete with you or share it with other sellers.

Key point on Amazon data: When you connect your Amazon account, we access your selling data solely to generate AI-optimised content and business intelligence for your own use. We request the minimum permissions required, and you can revoke our access at any time from your Amazon Seller Central account.

Data we collect

Account and profile data

When you create a Rufusly account we collect:

  • Name and email address
  • Password (hashed, never stored in plain text)
  • Business name and type (optional, used to personalise outputs)
  • Billing address (collected by Stripe, not stored on our servers)

Usage data

When you use the platform we collect:

  • Features used, pages visited, and actions taken within the product
  • Listing rewrites, image generations, and other job outputs you create
  • Credit usage and subscription activity
  • Error logs and performance data for debugging

Brand profile data

Brand profiles you create in Rufusly (brand name, product name, accent colours, key claims, target customer, certifications) are stored to personalise your AI-generated content. You can delete brand profiles at any time from your account settings.

Technical data

We collect standard web server logs including IP addresses, browser type, and device type. This data is used for security, fraud prevention, and aggregate analytics only.

Amazon account data

Coming soon: Direct Amazon Selling Partner API (SP-API) connection is launching soon, pending Amazon's developer approval. Today, Rufusly generates content from the product photos and information you upload directly, it does not yet pull data from your Seller Central account. The table below describes the access we will request once this feature goes live, so you know in advance what to expect. This access begins only after you complete a separate, explicit in-product consent step when the feature launches, not automatically from having an account today.

Once available, connecting your Amazon account via SP-API will work as follows:

What access we will request

API scopeWhat we accessWhy we need it
Product ListingYour existing listing content (title, bullets, description), product type attribute schemaTo generate AI-optimised rewrites and identify missing required attributes
Inventory and Order ManagementActive SKUs, FBA stock levels, order counts, sales velocityTo power the bulk attribute editor, inventory risk alerts, and sales trend analysis
Brand Analytics / Selling Partner InsightsSearch query performance, customer feedback topic summaries, Selling Partner ID and marketplace IDsTo provide keyword intelligence, surface review themes, and identify your account and marketplace
Finance and AccountingSettlement data, fee summaries, reimbursement reportsTo calculate profitability and surface unclaimed FBA reimbursements
Buyer SolicitationOrder IDs eligible for a review request (no buyer name, email, or contact details)To submit Amazon-templated review request emails on your behalf, entirely through Amazon's own Solicitations API
Buyer Communication, PricingMessaging and pricing data tied to your listingsReserved for related features; not yet active in the product

How we will handle Amazon data

  • Writes only with your approval. We read your Amazon data automatically to power the dashboard, keyword intelligence, and reimbursement alerts. We only ever write back to your Amazon account (publishing a listing change, or submitting review request emails) when you explicitly review and approve that specific action. We never place orders, change bids, or take any action you have not specifically requested.
  • No buyer contact data passes through us. Review request emails are submitted directly through Amazon's own Solicitations API using only the order ID. Rufusly never sees, stores, or processes the buyer's name, email address, or other contact details.
  • No data sharing with other sellers. Your Amazon selling data is never shared with, sold to, or made accessible to other Rufusly users or third parties.
  • No competitive use. We do not use your Amazon data to inform product decisions for competing sellers, or to build competitive intelligence products.
  • Data minimisation. We sync only the data required to provide the specific features you use.
  • Revoke at any time. You can revoke Rufusly's access through Amazon Seller Central → Apps & Services → Manage Your Apps, or by contacting us directly.

Amazon relationship disclaimer: Rufusly is an independent service provider. We are not affiliated with, endorsed by, or sponsored by Amazon.com, Inc. or its affiliates. Amazon is not responsible for Rufusly's services.

How we use your data

PurposeLegal basis (UK GDPR)
Providing and operating the Rufusly serviceContractual necessity
Generating AI listing rewrites and product imagesContractual necessity
Processing subscription payments via StripeContractual necessity
Sending transactional emails (receipts, alerts)Contractual necessity
Improving our AI models and product featuresLegitimate interests
Fraud prevention and securityLegitimate interests
Sending product update emails (opt-out available)Legitimate interests / consent
Complying with legal obligationsLegal obligation

We do not sell your personal data. We do not use your data for advertising targeting on other platforms.

Third-party services

ServicePurposeData shared
SupabaseDatabase, authentication, file storageUser accounts, job outputs, brand profiles
VercelApplication hosting and serverless functionsRequest logs, environment variables (no user PII)
Vercel AI GatewayRoutes AI requests to model providers with observabilityPrompts and product data passed through to the selected model
Anthropic (Claude)AI listing generation and text analysisProduct data and prompts submitted for rewriting, no buyer PII. Not used to train Anthropic's models
OpenAI (GPT Image)AI product image generationImage prompts and brand profile fields
Google (Gemini)AI listing analysis and content structuringProduct data and prompts submitted for processing
fal.aiAI product image generation and editingImage prompts and brand profile fields
StripePayment processingName, email, billing address, payment method tokens
ResendTransactional email deliveryName, email address, and email content (receipts, alerts, account notices)

We do not share your data with any third parties beyond those listed above, except where required by law or with your explicit consent.

Storage and security

Your account and job data is stored in the European Union on Supabase infrastructure. All data is encrypted at rest and in transit using TLS 1.2+ encryption.

Some of our third-party processors, including Anthropic, OpenAI, Google, fal.ai, Stripe, and Vercel, are based in or transfer data to the United States. Where this involves an international transfer of personal data outside the UK, we rely on Standard Contractual Clauses, the UK International Data Transfer Addendum, or an equivalent recognised safeguard with that processor.

  • Row-Level Security (RLS) on all database tables, every query is scoped to the authenticated user
  • All API keys stored in server-side environment variables, never exposed to the browser
  • Product data sent to AI models (Anthropic Claude, OpenAI, Google Gemini, fal.ai) never includes buyer names, emails, or other buyer contact details, and all AI processing happens server-side, never in your browser
  • OAuth 2.0 for Amazon account connections, we never store your Amazon password
  • Amazon SP-API tokens stored encrypted in our database
  • Automatic session expiry and token rotation for Amazon OAuth connections

If you become aware of any security vulnerability, please contact us immediately at security@rufusly.ai.

Incident response

In the event of a data security incident involving your personal data or Amazon account data, we will:

  • Investigate and work to contain the incident as promptly as possible, aiming to contain within 4 hours of detection
  • Aim to notify affected users by email within 24 hours of confirming a breach
  • Where required, notify the ICO within 72 hours of becoming aware of the breach, in line with our obligations under UK GDPR
  • Aim to report any incident involving Amazon Selling Partner data to security@amazon.com within 24 hours of detection
  • Provide a written summary of the incident, affected data, and remediation steps to affected users

Our incident response plan, including defined roles and responsibilities, is reviewed every six months.

Data retention

We retain your data for as long as your account is active. When you delete your account:

  • Your profile, brand profiles, and listing history are deleted within 30 days
  • Amazon SP-API tokens are revoked and deleted immediately
  • Generated images and CSV exports are deleted from storage within 30 days
  • Billing records are retained for 7 years as required by UK law
  • Anonymised, aggregated analytics data may be retained indefinitely

You can request immediate deletion of all personal data by emailing hello@rufusly.ai.

Your rights

Under UK GDPR, you have the following rights:

  • Right to access: Request a copy of all personal data we hold about you
  • Right to rectification: Request correction of inaccurate or incomplete data
  • Right to erasure: Request deletion of your personal data
  • Right to restrict processing: Request that we limit how we use your data
  • Right to data portability: Request your data in a machine-readable format
  • Right to object: Object to processing based on legitimate interests
  • Right to withdraw consent: Withdraw any consent given at any time

To exercise any of these rights, email hello@rufusly.ai. You also have the right to lodge a complaint with the ICO at ico.org.uk.

Cookies

Rufusly uses essential cookies only:

  • Authentication cookie: Keeps you logged in during your session (essential, cannot be disabled)
  • Preference cookie: Stores UI preferences such as theme and view settings

We do not use advertising cookies, tracking pixels, or third-party analytics cookies.

Children's privacy

Rufusly is a business tool intended for adults aged 18 and over. We do not knowingly collect personal data from children under 18.

Policy changes

When we make material changes, we will notify you by email and update the “Last updated” date at the top of this page. Continued use of Rufusly after the effective date constitutes acceptance of the updated policy.

Contact us

Rufusly

Trowbridge, Wiltshire, United Kingdom

Email: hello@rufusly.ai

Security: security@rufusly.ai