Data Processing Agreement

Effective Date: January 1, 2025 · Last Updated: May 26, 2026 · ProfitTrackStar / www.ProfitTrackStar.com

Plain English summary: This agreement explains how ProfitTrackStar processes data on your behalf as a business tool. We store your business data securely, don't sell it, don't share it with advertisers, and give you full control to export or delete it at any time. This DPA is provided for users who require it for GDPR, CCPA, or other data compliance purposes.

1. Parties and Purpose

This Data Processing Agreement ("DPA") is entered into between ProfitTrackStar ("Data Processor," "we," "us") and you, the user of ProfitTrackStar ("Data Controller," "you"). This DPA forms part of our Privacy Policy and Terms of Service.

ProfitTrackStar is a business management tool for craft sellers. As part of providing this service, we process business data you enter into the application, including product information, order records, customer details, and financial data.

2. Definitions

Personal Data: Any information relating to an identified or identifiable natural person, including customer names, email addresses, and contact details you store in ProfitTrackStar.
Processing: Any operation performed on Personal Data, including storage, retrieval, use, and deletion.
Data Controller: You — the business owner who determines the purposes and means of processing Personal Data.
Data Processor: ProfitTrackStar — we process Personal Data on your behalf and according to your instructions.
Sub-processor: Third-party services we use to help deliver ProfitTrackStar.

3. Scope of Data Processing

A. Data We Process on Your Behalf

When you use ProfitTrackStar with an account (Starter or Pro plans), we store and process the following data you provide:

Product names, descriptions, pricing, and cost information
Customer names, email addresses, phone numbers, and shipping addresses
Order details, transaction records, and payment method types
Supplier and vendor contact information
Inventory and stock records
Event and craft fair information
Financial summaries and COGS reports

We process this data solely to provide the ProfitTrackStar service to you. We do not use your business data for any other purpose.

B. Data We Collect About You

We also process limited data about you as the account holder:

Email address and hashed password (for authentication)
Subscription plan and billing status
App usage analytics (only with your consent via the analytics opt-in banner)

4. Our Obligations as Data Processor

ProfitTrackStar commits to the following:

Process Personal Data only on your documented instructions and for no other purpose
Ensure all personnel with access to Personal Data are bound by confidentiality obligations
Implement appropriate technical and organizational security measures
Assist you in responding to Data Subject requests (access, correction, deletion)
Delete or return all Personal Data upon termination of the service at your request
Provide you with all information necessary to demonstrate compliance with this DPA
Notify you without undue delay if we become aware of a Personal Data breach affecting your data

5. Security Measures

We implement the following security measures to protect your data:

Encryption in transit: All data is transmitted over HTTPS/TLS
Encryption at rest: Data stored in our cloud database (Supabase/AWS) is encrypted at rest
Access controls: Row-Level Security (RLS) ensures users can only access their own data
Authentication: Secure password hashing (bcrypt) and JWT token authentication
Payment security: Payment processing handled by Stripe (PCI-DSS compliant) — we never store card numbers
Minimal access: We follow the principle of least privilege for all internal systems

6. Sub-processors

We use the following sub-processors to deliver ProfitTrackStar. Each is contractually bound to protect your data:

Sub-processor	Purpose	Location	Privacy Policy
Supabase	Database, authentication, and backend infrastructure	USA (AWS)	supabase.com/privacy
Stripe	Payment processing and subscription billing	USA	stripe.com/privacy
Resend	Transactional email delivery	USA	resend.com/legal/privacy-policy
PostHog	Anonymous usage analytics (consent-based)	USA	posthog.com/privacy
Cloudflare	Website hosting, CDN, and DDoS protection	USA (global CDN)	cloudflare.com/privacypolicy

We will notify you of any material changes to our sub-processors by updating this page and, where appropriate, by email.

7. Data Subject Rights

As a Data Controller, you are responsible for honoring the rights of your customers whose data you store in ProfitTrackStar. We will assist you in this process. Your customers may have the right to:

Access: Obtain a copy of their Personal Data you have stored
Correction: Request correction of inaccurate data
Deletion: Request deletion of their Personal Data ("right to be forgotten")
Portability: Receive their data in a machine-readable format
Objection: Object to processing of their Personal Data

To fulfill these requests, you can use ProfitTrackStar's built-in data export and deletion features, or contact us at contact us for assistance.

8. Data Transfers

ProfitTrackStar is operated from the United States. Your data is stored on servers in the United States (AWS via Supabase). If you are located in the European Economic Area (EEA) or United Kingdom, your data may be transferred to and processed in the United States. We rely on our sub-processors' data transfer mechanisms (including Standard Contractual Clauses where applicable) to ensure adequate protection.

9. Data Retention and Deletion

We retain your business data for as long as you maintain an active ProfitTrackStar account. Upon account deletion or termination:

Your business data (products, orders, customers, etc.) is deleted from our active database within 30 days
Backup copies may be retained for up to 90 days before permanent deletion
Billing records required by law (Stripe) may be retained for up to 7 years

You can export all your data at any time using the built-in Export Backup feature (Import/Export tab). To request immediate deletion of your account and all associated data, contact us via our contact page.

10. Breach Notification

In the event of a Personal Data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify you without undue delay — and in any event within 72 hours of becoming aware of the breach. Our notification will include the nature of the breach, categories of data affected, likely consequences, and measures taken or proposed.

11. Audit Rights

You have the right to request information demonstrating our compliance with this DPA. We will provide relevant documentation upon written request via our contact page. We may charge a reasonable fee for audits that require significant time or resources.

12. Governing Law

This DPA is governed by the laws of the State of Indiana, United States, consistent with our Terms of Service. For users in the European Economic Area, this DPA is also intended to satisfy the requirements of Article 28 of the GDPR.

13. Contact and Data Requests

For any questions about this DPA, data deletion requests, or assistance with Data Subject rights, contact us:

Email: info@profittrackstar.com
Contact form: profittrackstar.com/contact.html
Website: www.profittrackstar.com