Eto Eto

Privacy Policy

Last updated: March 2025

1. Who We Are

Eto (eto.tools) is operated by ETO, a sole trader business (toiminimi) registered in Finland, European Union.

For the purposes of the EU General Data Protection Regulation (GDPR), ETO is the data controller for the personal data described in this Privacy Policy, except where otherwise stated (see Section 4 regarding buyer data).

If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:

2. What Data We Collect

We collect only the data necessary to deliver and improve our services. This section describes each category of data we process.

2.1 Account & Identity Data

When you create an Eto account, we collect:

  • Name and email address
  • Password — stored as a cryptographic hash only; we never store your password in plain text
  • Google account profile (if you sign in with Google) — limited to your name, email address, and OpenID identifier

2.2 Etsy Store Connection Data

When you connect your Etsy shop via OAuth 2.0, we receive and store:

  • OAuth tokens (access token and refresh token) — stored encrypted at rest using the cryptography library
  • Etsy shop ID and seller user ID
  • Shop details: shop name, title, announcement, currency, language, location (country), review statistics, and structured policies
  • Listing data: listing IDs, titles, descriptions, prices, tags, categories, image URLs, and listing images (images may be downloaded and cached locally for editing and publishing purposes), inventory quantities, variants, and listing status
  • Shipping profiles: processing times, delivery times, shipping costs, carrier information

The Etsy OAuth scopes we request are: shops_r, shops_w, listings_r, listings_w, listings_d, transactions_r, transactions_w, email_r, address_r, billing_r, profile_r. These scopes allow us to read and write shop data, listings, and transactions on your behalf.

2.3 Order & Buyer Data

When you use Eto's order management features, we pull order data from Etsy via the API. This data includes personal information of Etsy buyers who have not agreed to Eto's terms:

  • Order ID, order date, and order status
  • Buyer display name, buyer email address, and buyer phone number
  • Buyer shipping address (name, street address, city, state, postal code, country)
  • Items purchased, quantities, prices, and shipping information
  • Gift information (gift status, gift message, gift sender name)
  • Payment method and payment email
  • Messages from buyer, seller, and payment provider

Important: Under GDPR, you (the seller) are the data controller for this buyer data. Eto processes this data solely as a data processor on your behalf. See Section 4 for more details on this relationship.

2.4 AI-Generated Content Data

When you use AI Studio or the Product Hunt Agent, we process:

  • Your inputs: text prompts, product details, and any context you provide for content generation
  • Generated outputs: AI-generated listing titles, descriptions, tags, and product images

AI Studio: Conversations in AI Studio are held in your browser's memory only and are not stored on our servers. Only images you explicitly choose to save are stored (as encoded image data in our database). There is no persistent chat or generation history for AI Studio.

Product Hunt Agent: Agent sessions are stored persistently, including conversation history, session memory, saved product opportunities, and keyword research findings.

Your inputs and relevant product data are sent to third-party AI providers (Google Gemini API and Anthropic Claude API) to generate content. We do not send buyer personal data or your account credentials to AI providers. See Section 5 for details on these data flows.

2.5 Payment & Subscription Data

Subscription billing is handled entirely by Stripe, our third-party payment processor. We store:

  • Stripe customer ID and subscription ID
  • Subscription status, billing period, and plan information
  • Transaction amounts and billing timestamps

We do not store your credit card number, CVV, or full payment credentials. All card details are handled directly by Stripe, which is PCI-DSS certified.

2.6 Usage & Rate-Limiting Data

To enforce subscription limits and improve service reliability, we record:

  • Search logs: timestamps and result counts for Etsy searches and keyword searches you perform
  • Daily usage counters: counts of searches, bulk research sessions, keyword lookups, and other feature usage per day

This data is used for rate-limiting (ensuring fair usage across subscription tiers) and to identify technical issues. It does not include the content of your searches.

2.7 Analytics Data

We use analytics services to understand how our platform is used and to improve it:

  • PostHog: We track feature usage events (such as "store connected," "search started," "agent session created") with basic properties. This data is used for product improvement and is associated with your account
  • Google Analytics: We use Google Analytics (measurement ID: G-1XM7TDT466) to collect aggregate site traffic data such as page views and general traffic patterns. Google Analytics uses cookies and may collect your IP address, which Google processes according to its own privacy policy

2.8 Stored API Keys

You may optionally provide your own API keys for integrated services (such as Google Gemini, TrackTaco, Printify, or Pushover). These keys are stored encrypted at rest and are used solely to make API calls on your behalf.

2.9 Media Files

AI-generated images you choose to save are stored as encoded data in our database (hosted on Railway). Listing images downloaded from Etsy for editing or publishing purposes are cached temporarily. Any media file uploads are stored on Railway's persistent storage infrastructure.

2.10 Technical Data

For Virtual Assistant (VA) accounts: We log IP addresses, user agent strings (browser type and operating system), and session identifiers for security auditing purposes. This allows store owners to monitor VA activity on their accounts.

For regular user accounts: We do not actively log IP addresses or browser information. Standard server access logs may temporarily contain this information as part of normal web server operation, but we do not store, process, or analyze it.

  • Session identifiers and login timestamps
  • Error logs for debugging and incident response

3. How We Use Your Data

We process your data for the following purposes, each with a lawful basis under GDPR Article 6:

3.1 Service Delivery (Legal Basis: Contract Performance — Art. 6(1)(b))

  • Creating and managing your account
  • Connecting to and synchronizing with your Etsy shop
  • Managing your listings, inventory, and orders
  • Generating AI-powered content via AI Studio and the Product Hunt Agent
  • Processing your subscription and billing

3.2 Rate Limiting & Service Integrity (Legal Basis: Legitimate Interest — Art. 6(1)(f))

  • Enforcing subscription-tier usage limits (daily search counters, feature access)
  • Preventing abuse and ensuring fair access for all users

3.3 Product Improvement (Legal Basis: Legitimate Interest — Art. 6(1)(f))

  • Analyzing feature usage patterns via PostHog to understand which features are used and identify issues
  • Monitoring site traffic via Google Analytics to understand overall platform performance

You may object to processing based on legitimate interest at any time (see Section 9).

3.4 Security (Legal Basis: Legitimate Interest — Art. 6(1)(f))

  • Detecting and preventing unauthorized access, fraud, and technical issues
  • Maintaining error logs for debugging and incident response

3.5 Legal Compliance (Legal Basis: Legal Obligation — Art. 6(1)(c))

  • Complying with tax, financial, and regulatory obligations
  • Responding to lawful requests from authorities

3.6 Analytics Cookies (Legal Basis: Consent — Art. 6(1)(a))

Google Analytics is a third-party script that sets cookies on your browser to measure page views and traffic patterns. Under EU law (ePrivacy Directive), non-essential cookies like these require your consent before being placed. See Section 8 for details on the specific cookies used.

4. Data We Receive About Third Parties

4.1 Etsy Buyer Data

Order data imported from Etsy contains personal information of Etsy buyers (names, email addresses, phone numbers, shipping addresses) who are not users of Eto and have never agreed to our terms.

Under GDPR:

  • You (the seller) are the data controller for buyer data. You determine the purposes and means of processing this data (order fulfillment, shipping, customer communication)
  • Eto is the data processor. We process buyer data solely to display order information to you within the Eto dashboard and to enable features you use (such as supplier share links)
  • We do not use buyer data for any purpose other than providing the order management service to you
  • We do not share buyer data with any third party, except where you explicitly instruct us to (e.g., when you create a supplier share link)
  • We do not send buyer personal data to AI providers

4.2 Supplier Share Links

Eto allows you to create time-limited share links to provide order details (including buyer name, shipping address, and item information) to your suppliers. When you create a supplier share link:

  • You are choosing to share buyer personal data with a third party (your supplier)
  • You are responsible for ensuring this sharing is lawful under GDPR and complies with Etsy's buyer data policies
  • Share links expire according to the duration you select (24 hours, 7 days, 30 days, or no expiry)

5. Who We Share Data With

We do not sell your personal data. We share data with the following third-party service providers, solely to deliver our services:

5.1 Etsy, Inc. (USA)

Etsy is both a data source and data destination. We read your shop data, listings, and orders from Etsy, and write listing updates back to Etsy on your behalf. All data exchange occurs through the Etsy API using your authorized OAuth tokens. Governed by Etsy's API Terms of Use.

5.2 Google LLC (USA) — Gemini AI API

We send your text prompts, product details, and listing context to the Google Gemini API for AI text generation, image generation, and product analysis. We do not send buyer personal data or your account credentials. Google processes API requests according to its Gemini API Terms of Service. API inputs are not used to train Google's models.

5.3 Anthropic PBC (USA) — Claude AI API

The Product Hunt Agent may use the Anthropic Claude API for AI-powered analysis and research. We send product data, market research context, and your research prompts. We do not send buyer personal data or your account credentials. Anthropic processes API requests according to its commercial API terms. API inputs are not used to train Anthropic's models.

5.4 Stripe, Inc. (USA) — Payment Processing

We use Stripe to process subscription payments. We share your email address, user identifier, and subscription details with Stripe. Your card details are handled directly by Stripe and never pass through Eto's servers. Stripe is PCI-DSS Level 1 certified.

5.5 Railway Corp (USA) — Hosting & Infrastructure

Our application and database are hosted on Railway's cloud infrastructure. All Eto application data (accounts, listings, orders, encrypted tokens) is stored on Railway's managed PostgreSQL databases with encryption and access controls.

5.6 Google LLC (USA) — Google Analytics

We use Google Analytics to collect aggregate site traffic metrics. Google Analytics may process your IP address and uses cookies (see Section 8). This data is not linked to your Eto account activity.

5.7 PostHog, Inc. (USA) — Product Analytics

We use PostHog to track feature usage events for product improvement. PostHog receives event names (e.g., "search started," "store connected") along with basic properties. Data is sent to PostHog's US servers (us.i.posthog.com).

5.8 Google LLC (USA) — OAuth Authentication

If you sign in with Google, we use Google's OAuth 2.0 service. We request only openid, email, and profile scopes — we do not request access to your Gmail, Google Drive, or other Google services.

5.9 Resend, Inc. (USA) — Transactional Email

We use Resend to send transactional emails (account verification, password resets, notifications). We share your email address with Resend for this purpose.

5.10 WithoutBG — Background Removal

If you use the background removal feature, your image data is sent to the WithoutBG API for processing.

5.11 Legal Requirements

We may disclose your data if required by law, court order, or government regulation, or if necessary to protect our rights, prevent fraud, or ensure the safety of our users.

5.12 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you before your data becomes subject to a different privacy policy.

6. International Data Transfers

Eto is based in Finland (EU), but several of our service providers are based in the United States. When your data is transferred outside the European Economic Area (EEA), we rely on the following safeguards:

  • EU-US Data Privacy Framework (DPF): Where the recipient is certified under the EU-US Data Privacy Framework (applicable to Google, Stripe, Amazon, and other qualifying providers)
  • Standard Contractual Clauses (SCCs): Where the DPF does not apply, we ensure that appropriate Standard Contractual Clauses approved by the European Commission are in place

If the EU-US Data Privacy Framework is invalidated in the future, we will rely on Standard Contractual Clauses and other lawful transfer mechanisms to maintain the protection of your data.

7. How Long We Keep Your Data

We retain your data only for as long as necessary for the purposes described in this policy. The following retention periods apply:

  • Account data: Retained for the duration of your account, plus 30 days after account deletion to allow for account recovery
  • Etsy OAuth tokens: Retained while your store is connected. Deleted immediately when you disconnect your store or delete your account
  • Order and buyer data: Retained for up to 24 months from the order date, after which it is automatically deleted. You may request earlier deletion at any time
  • AI-generated content: Retained for the duration of your account
  • Agent session data: Retained for the duration of your account
  • Usage logs (search logs, daily counters): Retained for 12 months, then automatically deleted
  • Analytics data (PostHog): Retained according to PostHog's data retention policy
  • Stripe billing data: Retained as required by applicable tax and financial regulations (up to 7 years for Finnish tax obligations)
  • Media files and cached images: Retained for the duration of your account

When you delete your account, all data associated with your account is permanently deleted via a cascading deletion, except where retention is required by law.

8. Cookies and Tracking Technologies

We use the following cookies on eto.tools:

8.1 Strictly Necessary Cookies

These cookies are essential for the platform to function and cannot be disabled:

  • eto_session: Session cookie for authentication and maintaining your logged-in state. Expires after 1 week. HttpOnly and Secure in production. SameSite: Lax
  • csrftoken: Cross-Site Request Forgery protection token. Secure in production. Required for the security of form submissions

8.2 Analytics Cookies

These cookies are used for analytics and product improvement:

  • Google Analytics cookies (_ga, _gid, and related cookies): Used to collect aggregate site traffic data. These cookies are set by Google and process data according to Google's privacy policy. You can opt out by installing the Google Analytics opt-out browser extension
  • PostHog cookies: Used for product analytics and feature usage tracking. You can opt out via your browser's cookie settings

You can instruct your browser to refuse all cookies. However, refusing strictly necessary cookies may prevent you from using the platform.

9. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights regarding your personal data:

  • Right of Access (Art. 15): You can request a copy of the personal data we hold about you
  • Right to Rectification (Art. 16): You can request that we correct inaccurate or incomplete data
  • Right to Erasure (Art. 17): You can request that we delete your personal data. You can do this by deleting your account in Eto's settings, which triggers a complete cascading deletion of all your data
  • Right to Restriction of Processing (Art. 18): You can request that we limit how we process your data in certain circumstances
  • Right to Data Portability (Art. 20): You can request a machine-readable copy of your data
  • Right to Object (Art. 21): You can object to processing based on legitimate interest (such as analytics and product improvement). We will cease processing unless we demonstrate compelling legitimate grounds
  • Right to Withdraw Consent (Art. 7(3)): Where processing is based on consent (such as analytics cookies), you can withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal

To exercise any of these rights, please contact us. We will respond within 30 days of receiving your request, as required by GDPR.

Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority. The Finnish supervisory authority is:

  • Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto)
  • Lintulahdenkuja 4, 00530 Helsinki, Finland
  • Website: tietosuoja.fi
  • Email: tietosuoja@om.fi

10. Notice for California Residents (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights regarding your personal information:

  • Right to Know: You have the right to request what personal information we collect, use, and disclose
  • Right to Delete: You have the right to request deletion of your personal information
  • Right to Opt-Out of Sale: We do not sell your personal information to third parties
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

To exercise these rights, please contact us.

11. Notice for United Kingdom Residents

If you are located in the United Kingdom, your personal data is protected by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, which provide rights substantially similar to the EU GDPR rights described in Section 9.

The UK supervisory authority is the Information Commissioner's Office (ICO). You may contact the ICO at ico.org.uk if you have concerns about how we handle your data.

12. Children's Privacy

Eto is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us, and we will take steps to delete that data.

13. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption at rest: All OAuth tokens, API keys, and sensitive credentials are stored using encrypted fields (via the cryptography library)
  • Encryption in transit: All connections to eto.tools are encrypted via HTTPS/TLS. We enforce HSTS (HTTP Strict Transport Security) with a 1-year preload policy
  • Secure session cookies: Session cookies are HttpOnly (inaccessible to JavaScript), Secure (transmitted only over HTTPS), and SameSite=Lax (CSRF protection)
  • Password hashing: Passwords are stored using Django's default PBKDF2 hashing algorithm with a unique salt per user
  • Access controls: Access to production systems is limited to authorized personnel on a need-to-know basis
  • Database security: Our production PostgreSQL database is hosted on Railway with encryption and network access controls

No method of transmission over the internet or electronic storage is 100% secure. While we implement industry-standard security measures, we cannot guarantee absolute security.

14. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the Finnish Data Protection Ombudsman within 72 hours of becoming aware of the breach, as required by GDPR Article 33
  • Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Article 34
  • Document the breach, its effects, and the remedial actions taken

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the updated policy on this page with a new "Last updated" date
  • Sending an email notification to the address associated with your account for material changes

Your continued use of the Service after changes are posted constitutes acceptance of the updated Privacy Policy. If you do not agree with the changes, you should stop using the Service.

16. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about how we handle your data, please contact us:

The term "Etsy" is a trademark of Etsy, Inc. This application uses the Etsy API but is not endorsed or certified by Etsy, Inc.