Privacy Policy
Last updated: 2026-06-05
Controller: Yas (sole proprietor, eenmanszaak, NL), operating StoreLingo at storelingo.com.
What we collect
| Category | Examples | Purpose |
|---|---|---|
| Account | Email, name (from your Webflow account) | Identify your account, send transactional emails |
| OAuth tokens | Webflow access + refresh tokens (encrypted at rest with AES-256-GCM) | Read your Webflow products and write translated duplicates back |
| Product content | Product names, descriptions, summaries, SKU variants | Translate and store the source + translation pairs |
| Translations | Your translated text, the AI provider that produced it, glossary terms | Display in the panel, publish to Webflow, reuse via Translation Memory |
| Usage | AI characters used per month, sync/publish job logs | Enforce plan limits, billing, debugging |
| Billing | Stripe customer ID, subscription status, plan | Charge subscriptions, manage upgrades |
We do NOT collect: IP addresses (beyond ephemeral request logs), cookies for tracking, browsing data, or any third-party identifiers.
Where data lives
- Primary storage: managed Postgres in the EU (Supabase or Hetzner).
- Stripe handles all card data; we never see card numbers.
- DeepL processes your source text for translation; this processing is subject to DeepL's own privacy policy.
- Resend sends transactional email if enabled.
How long we keep it
| Data | Retention |
|---|---|
| Translations and product content | Until you delete the site connection or your account |
| OAuth tokens | Until you uninstall the app or 90 days after subscription cancellation |
| Usage logs | 24 months for billing audit |
| Backups | Encrypted, rotated every 30 days |
Your rights (GDPR)
You have the right to:
- Access your data (request a JSON export)
- Correct or delete your data
- Object to processing
- Receive your data in a portable format (CSV export of translations available in-app)
- Lodge a complaint with your data-protection authority (Autoriteit Persoonsgegevens in NL)
To exercise these rights, email privacy@storelingo.com. We respond within 30 days.
Sub-processors
- Stripe, Inc. (US): subscription billing, payment processing. DPA in place.
- DeepL SE (Germany): AI translation. DPA in place.
- Hetzner Online GmbH (Germany): server infrastructure.
- Supabase Inc. (US, EU region selected): managed Postgres if used. DPA in place.
- Resend, Inc. (US): transactional email. DPA in place.
- Sentry, Inc. (US): error tracking (optional). DPA in place.
Security
OAuth tokens are encrypted at rest with AES-256-GCM. All data in transit is protected with TLS 1.2+. Database backups are encrypted. Access to production is limited to the sole operator (Yas) via SSH key.
Breach notification
In the unlikely event of a data breach, we will notify affected users via email within 72 hours and, where required, the relevant supervisory authority.