Privacy Policy
Effective date: January 1, 2025
This Privacy Policy explains how CutFlow Systems ("we", "us", or "our") collects, uses, stores, and shares information when you use our service. By using CutFlow Systems, you agree to the practices described in this policy.
1. Information We Collect
We collect the following types of information:
- Account information: Your email address and password (stored securely via Supabase Auth; passwords are hashed and never stored in plain text).
- Profile data: Optional full name provided during registration, account tier (Free or Pro), and monthly run count.
- Usage data: Number of optimization runs performed per month, for the purpose of enforcing Free tier limits.
- Payment information: Subscription and billing data processed entirely by Stripe. We do not store your card number, CVV, or other sensitive payment details on our servers.
- Optimization input data: Width values, quantities, and other parameters you submit for optimization. These are processed server-side in memory and are not permanently stored.
2. How We Use Information
We use the information we collect to:
- Provide and operate the Service, including running optimization calculations.
- Process payments and manage your subscription via Stripe.
- Send transactional emails such as account confirmation, password reset, and billing receipts.
- Enforce usage limits on Free tier accounts.
- Improve the product by analyzing aggregate usage patterns (no individual tracking).
- Respond to your support requests.
3. Data Storage
We use the following third-party services for data storage:
- Supabase: Authentication data (email, hashed password) and profile data (tier, run counts) are stored in Supabase's managed PostgreSQL database. Supabase may store data in EU or US regions depending on your project configuration.
- Stripe: Payment method details and billing history are stored by Stripe, a PCI-DSS compliant payment processor. We only store a Stripe customer ID in our database.
Optimization input data (widths, quantities, parameters) is processed entirely in server memory during each request and is not written to any persistent storage.
4. Data Sharing
We do not sell your personal data to third parties. We share data only with the following service providers, and only as necessary to operate the Service:
- Supabase: authentication, database, and row-level security.
- Stripe: payment processing and subscription management.
We may disclose information if required by law, court order, or governmental authority, or to protect the rights and safety of our users and the public.
5. Cookies
CutFlow Systems uses cookies and browser local storage only for the following purposes:
- Session authentication: Supabase stores your session token in localStorage to keep you logged in.
- Theme preference: Your dark/light theme choice is stored in localStorage.
We do not use advertising cookies, tracking pixels, or third-party analytics cookies.
6. Your Rights
You have the following rights with respect to your personal data:
- Access: You may request a copy of the personal data we hold about you.
- Correction: You may request correction of inaccurate data associated with your account.
- Deletion: You may delete your account at any time from the Settings section of the application. This will permanently delete your profile and authentication data.
- Portability: You may request an export of your account data.
To exercise these rights or for any data-related inquiries, contact us at privacy@cutflowsystems.com.
7. Data Retention
We retain your account data (email, profile, run counts) for as long as your account is active. When you delete your account, your authentication data is permanently removed from Supabase, and your profile data is deleted via database cascade rules.
Monthly run count history is reset automatically each billing cycle. Stripe retains billing records in accordance with their own data retention policies.
8. Security
We take reasonable measures to protect your personal data, including:
- All data transmission is encrypted via HTTPS/TLS.
- Passwords are never stored in plain text; Supabase uses bcrypt hashing.
- Database access is protected by Supabase Row-Level Security (RLS) policies.
- Service role keys and secrets are stored as environment variables, not in code.
No method of internet transmission or electronic storage is 100% secure. We cannot guarantee absolute security, but we continually work to improve our security practices.
9. Children
The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us and we will take steps to delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by posting a prominent notice in the Service before the changes take effect. The "Effective date" at the top of this page will always reflect the most recent version.
11. Contact
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at privacy@cutflowsystems.com.