Privacy Policy

Last updated: 15 April 2026

This policy explains what data Aalto collects, how we use it, and the choices you have. It covers the Aalto website, mobile apps, browser extensions, and backend services. We follow the spirit of GDPR and CCPA for all users, not only those in regulated regions.

1. What we collect

• Account data: email, display name, avatar, and auth credentials handled by Supabase Auth.
• Product saves: the URLs you choose to save and the metadata we extract from them (name, price, brand, images).
• Collections & tags: the structure and labels you create to organise your saves.
• Usage data: minimal server logs (request paths, timestamps, error traces) used to operate and debug the Service.
• Billing data: handled by Stripe. We store a customer ID and subscription status; we do not see card numbers.

2. What the extension collects

The Aalto Chrome extension reads the URL, title, OG tags, JSON-LD, and image URLs of a page only when you click Save. It does not track browsing history, scrape pages in the background, or send data to third parties. It reads Aalto's own auth cookies on the web app domain to resume your session.

3. How we use it

• Run and improve the Service.
• Extract product metadata via our backend and AI providers.
• Send transactional email (sign-up confirmation, billing receipts).
• Prevent abuse and enforce tier limits.

We do not sell your personal data and we do not use it for advertising.

4. Sub-processors

We share minimal, necessary data with the following:

• Supabase (database, auth, file storage, edge functions).
• OpenAI (text embeddings + image description; product metadata only).
• ScrapingBee + Context.dev (page fetching for product extraction).
• Stripe (billing).
• remove.bg (optional background removal for product images).

5. Retention

We keep your data while your account is active. When you delete your account, we delete your products, collections, tags, and uploaded images. Billing records are retained as required by tax law.

6. Your rights

You can export all your data as CSV from the Settings page. You can request correction or deletion of your data at any time by emailing privacy@aalto.app. If you are in the EU/UK you have the right to lodge a complaint with your data protection authority.

7. Security

Data is transmitted over TLS and stored encrypted at rest. Row Level Security policies ensure one user cannot read another user's data. We follow industry-standard practices and disclose material security incidents to affected users promptly.

8. Children

Aalto is not intended for children under 13 (or the age of digital consent in your country). We do not knowingly collect data from children.

9. Changes

We will notify you of material changes by email or in-app. The “Last updated” date at the top of this page always reflects the current version.

10. Contact

Questions or requests? Email privacy@aalto.app.