Legal

Privacy Policy

Effective date: January 1, 2026  ·  Last updated: January 1, 2026

1. Introduction and Scope

SKU Republic ("SKU Republic," "we," "us," or "our") operates the website located at skurepublic.com and the SKU Republic print-on-demand automation platform, including all associated features, tools, integrations, APIs, and mobile or web interfaces (collectively, the "Service"). This Privacy Policy ("Policy") explains how we collect, use, retain, share, and protect personal information about you when you access or use the Service, visit our website, communicate with us, or participate in our beta program.

This Policy applies to all users of the Service worldwide, including individuals located in the European Economic Area (EEA), the United Kingdom (UK), Switzerland, Canada, the United States, and all other jurisdictions. Where applicable law requires additional disclosures or grants you specific rights, we address those in the dedicated sections below.

By accessing or using the Service, you acknowledge that you have read and understood this Policy. If you do not agree with our data practices as described here, please do not access or use the Service. If you have questions before deciding whether to use the Service, you are encouraged to contact us at privacy@skurepublic.com before proceeding.

This Policy does not govern the privacy practices of third-party platforms, marketplaces, or social networks that you connect to your SKU Republic account, such as e-commerce storefronts and social media platforms. We encourage you to review the privacy policies of any third-party services you authorize to interact with SKU Republic.

2. Information We Collect

We collect information in several ways: directly from you when you interact with the Service, automatically as you use the Service, and from third-party platforms when you authorize integrations. The categories below describe what we collect and why.

2.1 Information You Provide Directly

When you register for a waitlist, create an account, use the Service, or communicate with us, you provide information directly to us. This includes:

• Email address. Collected when you join our waitlist, create an account, or contact support. Your email address is used to communicate with you about the Service and, with your consent, to send you product updates and marketing communications.
• Account credentials. When you register for a full account, we collect a username and a securely hashed version of your password. We never store your password in plain text.
• Profile and billing information. Name, business name, billing address, and payment method details provided when subscribing to a paid tier. Payment details are handled by a third-party payment processor; we do not store full card numbers on our systems.
• Product and design data. Design files, images, product titles, descriptions, pricing, tags, category information, and any other content you upload, input, or generate within the Service. This is the core operational data that enables us to produce and publish listings on your behalf.
• Platform configuration settings. Store preferences, publishing rules, template configurations, and other settings you establish within the Service.
• Support communications. Messages, attachments, screenshots, and any other content you submit when contacting our support team or filing a bug report.
• Survey and feedback responses. Information you voluntarily provide when participating in user research, satisfaction surveys, or beta feedback sessions.

2.2 Information Collected Automatically

When you access or interact with the Service, certain information is collected automatically by our systems. This includes:

• Log and access data. IP address, date and time of access, pages or features accessed, referring URL, HTTP status codes, and session duration. This data is collected for security monitoring, fraud detection, and service reliability purposes.
• Device and browser information. Browser type and version, operating system, device type (desktop, mobile, tablet), screen resolution, language settings, and time zone. This helps us ensure compatibility and optimize the Service for your environment.
• Usage and interaction data. Features used, buttons clicked, workflows completed, errors encountered, and time spent on different parts of the Service. This aggregate behavioral data is used to understand how the Service is used and where we can improve.
• Performance data. Page load times, API response times, and error rates associated with your session. Used for monitoring and improving Service performance.
• Cookies and similar tracking technologies. As described in detail in Section 14 of this Policy.

2.3 OAuth Tokens and Platform Authorization Data

A core function of SKU Republic is publishing listings to connected e-commerce and social platforms on your behalf. To do this, we use the OAuth 2.0 authorization protocol, which allows you to grant us limited, revocable access to your accounts on third-party platforms without sharing your passwords with us. When you connect a platform, we receive and securely store an access token (and, where the platform issues one, a refresh token) scoped to only the permissions you authorize. The specific platforms and the nature of access are described in Section 7 of this Policy.

2.4 Information from Third-Party Platforms

When you connect an e-commerce or social media platform to SKU Republic, we may receive certain information from that platform as part of the OAuth authorization flow or as part of syncing your store data. This may include your store name, shop ID, existing product listings, shop policies, and currency or language settings. We use this information solely to operate the integration and provide the Service to you.

3. How We Use Your Information

We use the information we collect for a range of purposes, all of which are necessary to provide a high-quality, reliable, and compliant service. We do not use your personal information for purposes that are incompatible with those listed below, and we do not sell your personal information to third parties for their own marketing purposes.

3.1 Providing and Operating the Service

The primary use of your information is to deliver the Service. This includes processing your uploaded designs and product data, generating listings on your behalf, publishing those listings to connected platforms, managing your account, maintaining your preferences and settings, and ensuring the Service functions correctly and reliably for you.

3.2 AI-Powered Content Generation

SKU Republic uses artificial intelligence technology to write product titles, descriptions, tags, and other listing content. When you initiate a content generation request, relevant product data (such as design metadata, product category, keywords you provide, and any existing listing content) is transmitted to our AI content generation infrastructure. This processing produces draft listing content that you can review, edit, and approve before publication. The full details of this processing are explained in Section 6 of this Policy.

3.3 Publishing to Connected Platforms

We use your product data, generated content, and stored platform authorization tokens to publish listings to the e-commerce and social platforms you have connected. This includes formatting your data to meet each platform's specific requirements, uploading images, setting pricing and inventory attributes, and confirming successful publication.

3.4 Account Management and Authentication

We use your account credentials to verify your identity when you log in, enforce access controls, manage your subscription, and associate your data with your account. Password data is stored only in irreversibly hashed form using modern cryptographic algorithms.

3.5 Transactional and Service Communications

We use your email address to send you information that is necessary for the Service, including account creation confirmations, email verification requests, password reset instructions, subscription receipts and invoices, important notices about changes to the Service, security alerts, and responses to your support requests. These communications are not optional as they are essential to operating your account, though you may close your account at any time to stop receiving them.

3.6 Marketing and Promotional Communications

With your consent, we may send you emails about new features, product updates, beta opportunities, educational content, and other information we believe may be of interest to you as a seller using print-on-demand automation. You can opt out of these marketing communications at any time by clicking the unsubscribe link in any marketing email or by contacting us at privacy@skurepublic.com. Opting out of marketing emails does not affect your receipt of transactional service communications.

3.7 Service Improvement and Product Development

We analyze aggregated, de-identified usage data to understand which features are valuable to users, identify friction in workflows, prioritize development work, and improve the overall quality of the Service. We do not use the content of your individual listings, designs, or product data to train our own machine learning models. Improvement analysis is conducted at an aggregate level that does not identify individual users.

3.8 Security, Fraud Prevention, and Abuse Detection

We process certain information, including IP addresses, access patterns, and usage behavior, to detect and prevent unauthorized access to accounts, fraudulent activity, spam, scraping, abuse of our API, and other activities that violate our Terms of Service or applicable law. This processing is in our legitimate interests and is necessary to protect the integrity of the Service and the security of all users.

3.9 Legal Compliance and Regulatory Obligations

We may use and retain information as necessary to comply with applicable laws and regulations, respond to lawful requests from government authorities or law enforcement, enforce our Terms of Service, and defend against legal claims. This includes maintaining records required by tax laws, consumer protection regulations, and data protection legislation.

3.10 Customer Support and Dispute Resolution

When you contact our support team, we use the information you provide, along with relevant account and usage data, to diagnose and resolve technical issues, investigate complaints, and improve our support processes. Support communications may be retained to document the history of an issue and to train support staff.

3.11 Billing and Payment Administration

We use your billing information to process subscription payments, issue invoices and receipts, manage trial periods, process refunds where applicable, and handle billing inquiries. Payment transactions are processed by our third-party payment processor, and we store only the minimal billing record necessary to manage your subscription.

3.12 Onboarding and User Education

We may use information about your account status and usage patterns to send you onboarding guidance, tutorials, and tips designed to help you get maximum value from the Service. This includes identifying if you have not yet completed key setup steps and reaching out to offer assistance.

4. Legal Bases for Processing (GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) and its UK equivalent require us to identify a lawful basis for each category of personal data processing. We rely on the following four legal bases, explained below in detail.

4.1 Performance of a Contract (Article 6(1)(b) GDPR)

The majority of our core data processing is necessary to perform the contract we have with you, namely your agreement to our Terms of Service when you create an account or use the Service. This basis covers: operating your account and authenticating your identity; processing your product and design data to generate listings; publishing listings to connected platforms using your stored authorization tokens; managing your subscription and processing payments; sending transactional service emails such as account confirmations and receipts; and providing customer support in relation to the core Service. Without processing data under this basis, we would be unable to deliver the Service you have requested.

4.2 Legitimate Interests (Article 6(1)(f) GDPR)

We process certain data on the basis of our legitimate interests, provided those interests are not overridden by your fundamental rights and freedoms. We conduct a legitimate interests assessment before relying on this basis. The legitimate interests we rely on include: maintaining the security and integrity of the Service and protecting against fraud, abuse, and unauthorized access; analyzing aggregated usage data to improve and develop the Service; managing and resolving disputes; and communicating with you about important changes to the Service that are not strictly contractual in nature. You have the right to object to processing based on legitimate interests; see Section 10 for how to exercise this right.

4.3 Consent (Article 6(1)(a) GDPR)

Where we rely on your consent as a legal basis, we will ask for it clearly and separately before processing begins. Consent-based processing currently includes: sending marketing and promotional emails about new features, product updates, and other information of potential interest; placing non-essential analytics cookies on your device; and any other processing we describe to you at the time of requesting consent. You may withdraw your consent at any time without affecting the lawfulness of processing that occurred before withdrawal. Withdrawing consent does not affect processing carried out under other legal bases, such as contract performance. To withdraw consent, use the unsubscribe link in marketing emails or contact us at privacy@skurepublic.com.

4.4 Compliance with a Legal Obligation (Article 6(1)(c) GDPR)

In some circumstances, we are required to process personal data to comply with a legal obligation. This includes retaining financial records and transaction data for the periods required under tax and accounting laws; responding to lawful orders, warrants, and requests from courts, regulators, and law enforcement authorities; fulfilling mandatory data breach notification obligations; and complying with requirements under consumer protection legislation. We process only the minimum data necessary to fulfil each specific legal obligation.

5. Data Sharing and Third Parties

We do not sell, rent, or trade your personal information to third parties for their own commercial purposes. We share your information only in the limited circumstances described below, and in each case only to the extent necessary for the stated purpose.

5.1 Cloud Infrastructure and Hosting Providers

The Service is hosted on infrastructure provided by third-party cloud infrastructure providers. These providers store and process data on our behalf in data centers located in the United States and potentially other regions. Our infrastructure providers are contractually bound to process data only on our instructions, implement appropriate technical and organizational security measures, and not use your data for their own purposes. They are prohibited from disclosing your data to any other party without our authorization except as required by law.

5.2 AI Content Generation Providers

To provide AI-powered listing content, we transmit product data to third-party AI content generation providers via encrypted API connections. These providers process the data you submit in content generation requests (such as product categories, keywords, and design descriptions) to produce draft listing text. We select providers that commit contractually to processing your data only for the purpose of fulfilling our API requests and not for training general-purpose AI models on your content. See Section 6 for more detail on this processing.

5.3 Payment Processing Providers

Subscription payments are processed by third-party payment processors who collect and handle your payment card details. SKU Republic does not receive or store your full card number, card verification value, or other sensitive payment authentication data. Our payment processors are PCI-DSS compliant and contractually prohibited from using your payment information for any purpose other than processing transactions on our behalf.

5.4 Email Delivery Providers

Transactional and marketing emails are delivered through third-party email delivery infrastructure providers. These providers receive your email address and the content of each email solely for the purpose of delivering the message. They do not use this information for their own marketing or analytics purposes under our contractual terms.

5.5 Analytics Providers

We may use third-party analytics services to help us understand how users interact with the Service at an aggregate level. Where we use such services, we configure them to collect anonymized or pseudonymized data and to avoid processing data in a way that identifies individual users. We do not share the content of your product listings or personal account details with analytics providers.

5.6 Connected E-Commerce and Social Platforms

When you instruct SKU Republic to publish a listing, we transmit the relevant product data (including title, description, images, pricing, tags, and inventory attributes) to the platform or platforms you have authorized. This transmission is the core purpose of the Service. Once transmitted, that data is subject to the privacy policy and terms of service of the receiving platform. We are not responsible for how third-party platforms use data after it is transmitted pursuant to your instruction.

5.7 Legal Disclosures and Safety

We may disclose your information to government authorities, law enforcement agencies, or other third parties when we are required to do so by applicable law, court order, or legal process; when we believe disclosure is necessary to prevent harm to a person or property; to enforce our Terms of Service or protect the rights, property, or safety of SKU Republic, our users, or the public; or in connection with an investigation of suspected or actual illegal activity. We will provide you with notice of such disclosure to the extent permitted by law.

5.8 Aggregated and De-Identified Data

We may share aggregated statistical data and de-identified information about our users with third parties for industry research, product benchmarking, or marketing purposes. This data does not contain any personally identifiable information and cannot reasonably be used to identify you.

5.9 No Sale or Misuse of Platform API Data

Data accessed through the APIs of connected platforms is never sold, rented, traded, or shared with data brokers, advertising networks, information resellers, or any third party for commercial purposes unrelated to delivering the Service. Platform API data is used exclusively to fulfill the specific publishing actions you instruct us to take, and for no other commercial purpose. We do not aggregate platform API data across user accounts for sale or exploitation. We operate each integration in full compliance with the developer terms, API use policies, and acceptable use guidelines of the respective platform, and we request only the OAuth permission scopes strictly necessary for the functionality we provide. We do not use platform API data for ad targeting, competitive intelligence, or any purpose prohibited by the originating platform's policies.

6. AI-Powered Features and Data Processing

SKU Republic's core value proposition is the automated generation of SEO-optimized product listing content using artificial intelligence. This section explains in detail how that AI processing works and what it means for your data.

6.1 How AI Content Generation Works

When you request that SKU Republic generate a product title, description, tag set, or other listing content, our systems compile a prompt containing relevant product information. This prompt may include the product category you have selected, any keywords or design descriptions you have provided, the target platform (for example, an online marketplace or a social storefront), and any existing listing content or templates you have configured. This prompt is then transmitted via an encrypted connection to our AI content generation providers, whose language models return draft listing content. That draft is presented to you within the Service for your review, editing, and approval before publication.

6.2 What Data Is Sent to AI Providers

We transmit only the product-level data necessary to generate relevant listing content. We do not intentionally transmit personally identifiable information such as your name, email address, billing details, or platform access tokens to AI content generation providers. The data sent is limited to the product context required to produce a useful listing. Specifically, we send product category and subcategory, design-related descriptions or keywords you provide, any relevant attributes such as size, color, or material, and the intended publishing platform.

6.3 AI Provider Data Use Restrictions

We engage AI content generation providers under contractual terms that restrict the use of data submitted through our API integration. These terms prohibit our providers from using the product data we transmit to train or improve their general-purpose AI models. Data submitted through our API is used solely to fulfill the specific content generation requests we make and is not retained by our providers for purposes beyond fulfilling those requests, subject to any retention periods mandated by their own legal obligations. We review and update our provider agreements as the legal and technical landscape evolves. This prohibition extends to all data sources: product data you upload directly and any data received through OAuth integrations with connected platforms. No platform-sourced data is used to train, fine-tune, evaluate, or improve any AI or machine learning model, whether operated by us or by our service providers.

6.4 Your Control Over AI-Generated Content

AI-generated content is always presented to you as a draft. You retain full control over what is published. You may edit, reject, or replace any AI-generated content before it is submitted to a platform. You can disable AI content generation for specific products or workflows and instead input listing content manually. If you prefer not to use the AI features at all, the Service also supports manual listing creation without AI assistance.

6.5 Accuracy and Human Review

AI-generated content may occasionally contain inaccuracies, inappropriate phrasing, or suggestions that do not reflect your brand. You are responsible for reviewing and approving all listing content before publication. SKU Republic does not warrant the accuracy, completeness, or suitability of any AI-generated content for any particular purpose.

7. OAuth and Platform Integrations

SKU Republic integrates with several major e-commerce marketplaces and social commerce platforms to publish listings on your behalf. Each integration uses the OAuth 2.0 authorization protocol so that you can grant us access without sharing your passwords. Below we describe each integration, the permissions we request, the specific data we receive through the authorization flow, and how we use the access granted.

7.1 Etsy

When you connect your Etsy shop, SKU Republic requests OAuth authorization with the minimum scope necessary to create, read, update, and manage product listings in your Etsy shop. Through the authorization flow, we receive your shop ID, shop name, currency setting, and existing listing data necessary for synchronization. We use this access to publish new listings, update existing listings with revised content, upload listing photographs, set pricing and quantity attributes, and read your shop's existing listings to enable synchronization features. We do not access your Etsy financial or payout data, your buyer transaction history, or your Etsy messages unless you explicitly grant those permissions in a future integration feature.

7.2 Shopify

When you connect your Shopify store, SKU Republic requests access to create and update products and product variants, manage product images, and read your store's existing product catalog. Through the authorization flow, we receive your store URL, store name, currency, language settings, and existing product catalog data. This scope allows us to publish listings and keep them synchronized with your print-on-demand inventory. We do not access customer order data, payment information, checkout configurations, or store financial reports unless required by a specific feature you opt into.

7.3 Pinterest

When you connect your Pinterest business account, SKU Republic requests authorization to create product pins and publish content to your boards. Through the authorization flow, we receive your Pinterest business account ID, board names, and the IDs of boards you designate for publishing. We use this access solely to publish product listings as shoppable pins to boards you designate within the Service. We do not store Pinterest user data beyond what is necessary to perform the publishing action you request. We do not access your Pinterest analytics, personal boards, follower lists, or message inbox. Pinterest data is never sold, shared with third parties, or used for any purpose other than publishing the listings you instruct us to create.

7.4 Instagram and Facebook (Meta)

When you connect your Instagram business account or Facebook business page, SKU Republic requests authorization to publish product catalog items and create posts or product listings on your behalf. Through the authorization flow, we receive your business page ID, page name, and product catalog identifiers for catalogs you authorize. We use this access only to publish SKU Republic-generated listing content to your business presence. We do not access your personal Facebook profile, private messages, friends list, Instagram direct messages, or personal content. Access is limited to your business account's product catalog and publishing permissions. Meta platform data is never sold, shared with advertising networks, or used for any purpose other than delivering the publishing service you have requested.

7.5 TikTok

When you connect your TikTok for Business or TikTok Shop account, SKU Republic requests authorization to create and manage product listings in your TikTok shop catalog. Through the authorization flow, we receive your TikTok shop ID and existing product catalog identifiers. We use this access to publish product listings and keep your catalog synchronized with your other connected storefronts. We do not access your TikTok personal content, follower or following lists, private messages, or content creation history. TikTok platform data is never sold or shared with third parties for any purpose other than delivering the Service.

7.6 Token Storage and Security

OAuth access tokens and refresh tokens are stored encrypted at rest using industry-standard encryption algorithms in our secure infrastructure. Access to stored tokens is restricted to the automated systems that require them to perform platform publishing operations and to a minimal number of authorized engineering staff for debugging purposes, subject to audit logging. Tokens are never transmitted in plain text and are never exposed to other users of the Service.

7.8 Platform Developer Policy Compliance

We develop and maintain our platform integrations in full compliance with the developer terms, API use policies, acceptable use guidelines, and data handling requirements published by each platform we integrate with. We do not use platform APIs for purposes that are prohibited by those platforms' policies, including automated scraping, competitive intelligence gathering, resale of platform data, ad targeting, or any use that would violate a platform's data restrictions. We request only the minimum OAuth permission scopes necessary for the specific functionality we provide. If a platform updates its policies in a way that requires changes to our integration, we update our practices before the effective date of the policy change. Users who connect a platform account represent that they have the right and authorization to grant SKU Republic access to that account under the platform's terms of service.

7.7 Revoking Platform Access

You can disconnect any connected platform at any time from within your SKU Republic account settings. Disconnecting a platform immediately prevents SKU Republic from performing any further actions on that platform. We will delete the stored authorization tokens for that platform within seven days of disconnection. You may also revoke access directly from within each platform's own security settings, which will invalidate the token we hold.

8. Data Retention

We retain different categories of data for different periods, based on the purpose for which the data was collected, our legal obligations, and our legitimate operational interests. We do not retain personal information for longer than is necessary for those purposes. The retention periods below reflect our standard practices as of the date of this Policy.

8.1 Account and Profile Data

We retain your account information, including your email address, account preferences, settings, and profile details, for the duration of your active account. After you close or delete your account, we retain a limited subset of account data for 90 days to facilitate account recovery in the event of accidental deletion or a billing dispute. After 90 days, your account data is permanently and irreversibly deleted from our production systems. Anonymized records of the fact that an account existed may be retained for longer periods in aggregated statistical data.

8.2 Waitlist Email Addresses

Email addresses collected during our beta waitlist program are retained until you create a full account, request removal from the waitlist, or we close the waitlist program, whichever occurs first. If you have not created an account or requested removal within 24 months of joining the waitlist, we will delete your email address from our waitlist records.

8.3 Product and Design Data

Product data, design files, listing templates, and content you create within the Service are retained for the duration of your account. Upon account deletion, all product and design data associated with your account is deleted within 90 days. Note that content already published to connected platforms prior to account deletion remains on those platforms and is governed by their terms of service; SKU Republic cannot remove content from third-party platforms on your behalf after account deletion unless the relevant access token is still valid at the time of deletion.

8.4 OAuth Authorization Tokens

Authorization tokens for connected platforms are retained only as long as the integration is active. Upon disconnecting a platform or deleting your account, the corresponding access and refresh tokens are deleted from our systems within 7 days. We retain no copies of tokens in backups for more than 90 days following deletion.

8.5 Billing and Transaction Records

We retain billing records, subscription history, invoices, and payment transaction records for a minimum of 7 years from the date of the transaction. This retention period is required to comply with financial reporting, tax, and accounting obligations in the jurisdictions where we operate. After the applicable retention period, billing records are permanently deleted or anonymized.

8.6 Server and Access Logs

Server logs containing IP addresses, access timestamps, and request metadata are retained for 12 months for security monitoring, fraud investigation, and incident response purposes. After 12 months, these logs are deleted or aggregated in a form that does not contain personally identifiable information.

8.7 Support Communications

Messages and attachments you submit through our support channels are retained for 3 years from the date of the most recent interaction on a given support case. This retention allows us to reference prior conversations when investigating related issues and to maintain quality assurance records. After 3 years, support tickets are deleted unless they contain information that we are required to retain for legal or regulatory reasons.

8.8 Analytics and Usage Data

Aggregated, de-identified analytics data derived from usage of the Service may be retained indefinitely, as it does not contain personally identifiable information and is used only for product development and business intelligence purposes. Pseudonymized event-level usage data that may allow re-identification is retained for no more than 24 months from collection.

8.9 Backup Systems

Our infrastructure backup systems may retain copies of data for up to 90 days beyond the primary deletion of that data. All backup data is encrypted. We do not restore deleted personal data from backups except in the context of a service outage, security incident, or your account recovery request made within the applicable recovery window.

9. Security Measures

We take the security of your personal information seriously and implement a layered set of technical and organizational controls designed to protect against unauthorized access, accidental loss, alteration, and disclosure.

9.1 Encryption in Transit

All data transmitted between your browser or application and our servers is encrypted using Transport Layer Security (TLS) with modern cipher suites. We enforce TLS on all connections and do not support legacy insecure protocols. API communications with third-party platforms and service providers are also conducted exclusively over encrypted connections.

9.2 Encryption at Rest

Sensitive data stored in our systems, including OAuth authorization tokens, payment-related records, and user credentials, is encrypted at rest using strong encryption algorithms. Database volumes and backup media are also encrypted. Encryption keys are managed using a dedicated key management system and are rotated on a regular schedule.

9.3 Access Controls and Authentication

Access to production systems and databases containing personal data is restricted to a minimal number of authorized personnel whose roles require it. All internal access requires multi-factor authentication. Access rights are reviewed regularly and revoked promptly when an employee's role changes or they leave the organization. We maintain detailed audit logs of all access to production systems containing personal data.

9.4 Password Security

User passwords are never stored in recoverable form. We use a modern adaptive password hashing algorithm with an appropriate work factor to store password hashes, ensuring that even if our database were compromised, passwords could not be trivially recovered. We encourage users to use strong, unique passwords and to enable any multi-factor authentication options we make available.

9.5 Vulnerability Management and Security Testing

We conduct regular security assessments of our codebase, infrastructure, and third-party dependencies. We maintain a process for tracking and remediating known vulnerabilities in a timely manner. We engage independent security researchers through responsible disclosure practices and address reported vulnerabilities promptly.

9.6 Incident Response

We maintain a documented incident response plan for handling suspected or confirmed security incidents, including data breaches. In the event of a breach that affects your personal data and that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (where required by GDPR), and we will notify affected users without undue delay in accordance with applicable law.

9.7 Limitations of Security

Despite our efforts, no system is completely immune from security risks. We cannot guarantee the absolute security of your personal information. If you believe that your account has been compromised or you have identified a potential security vulnerability in our Service, please contact us immediately at privacy@skurepublic.com.

10. Your Rights Under GDPR

If you are located in the European Economic Area, the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) and its UK equivalent grant you comprehensive rights in relation to your personal data. We describe each right below and explain how to exercise it. We will respond to all verifiable rights requests within 30 days of receipt. Where the complexity or volume of requests requires additional time, we may extend this period by up to two additional months and will notify you of the extension and the reason for it.

To exercise any of the rights below, submit a request to privacy@skurepublic.com with sufficient information to verify your identity. We may ask for additional verification to ensure that we are not disclosing or deleting data in response to a fraudulent request.

10.1 Right of Access (Article 15 GDPR)

You have the right to obtain confirmation of whether we process personal data about you, and if so, to receive a copy of that data along with information about: the purposes of processing; the categories of data involved; the recipients or categories of recipients to whom the data is or will be disclosed; the envisaged retention period; the existence of your other rights (to rectification, erasure, restriction, and objection); your right to lodge a complaint with a supervisory authority; any available information about the source of the data if it was not collected directly from you; and the existence of any automated decision-making, including profiling. The first copy is provided free of charge. For subsequent requests, we may charge a reasonable fee based on administrative cost.

10.2 Right to Rectification (Article 16 GDPR)

You have the right to require us to correct any inaccurate personal data we hold about you and to complete any incomplete personal data, including by providing a supplementary statement where appropriate. You may update much of your account information directly from within the Service. For data that you cannot update yourself, submit a rectification request to privacy@skurepublic.com describing what needs to be corrected and the accurate information.

10.3 Right to Erasure (Article 17 GDPR)

You have the right to request that we delete your personal data in the following circumstances: the data is no longer necessary for the purposes for which it was collected; you withdraw consent on which processing was based and there is no other legal basis; you object to processing based on legitimate interests and we cannot demonstrate overriding legitimate grounds; the data has been unlawfully processed; or deletion is required to comply with a legal obligation. This right is not absolute. We may retain data where necessary to comply with a legal obligation, to establish, exercise, or defend legal claims, or for other limited purposes permitted under applicable law. We will explain if we are unable to fulfill an erasure request and why.

10.4 Right to Restriction of Processing (Article 18 GDPR)

You have the right to request that we restrict the processing of your personal data in certain circumstances: you contest the accuracy of the data (processing will be restricted while we verify accuracy); the processing is unlawful but you prefer restriction over erasure; we no longer need the data for our purposes but you require it for the establishment, exercise, or defense of legal claims; or you have objected to processing based on legitimate interests and we are assessing whether our interests override yours. When processing is restricted, we will store the data but not otherwise process it without your consent, except for limited purposes such as defending legal claims.

10.5 Right to Data Portability (Article 20 GDPR)

Where processing is based on your consent or on the performance of a contract with you, and processing is carried out by automated means, you have the right to receive the personal data you provided to us in a structured, commonly used, and machine-readable format. You also have the right to request that we transmit that data directly to another controller where technically feasible. This right applies to data you have actively provided to us (such as your account details and product data) and does not extend to data that is derived or inferred from your use of the Service.

10.6 Right to Object (Article 21 GDPR)

You have the right to object at any time to processing of your personal data that is based on our legitimate interests, including profiling based on legitimate interests. If you object, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or unless the processing is necessary for the establishment, exercise, or defense of legal claims. You have an unconditional right to object to processing for direct marketing purposes, including profiling for direct marketing; we will cease such processing immediately upon receiving your objection.

10.7 Rights Related to Automated Decision-Making (Article 22 GDPR)

You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects you. SKU Republic does not currently make decisions about you that have legal or similarly significant effects based solely on automated processing without human review. If we introduce such processing in the future, we will update this Policy and ensure the required safeguards are in place.

10.8 Right to Withdraw Consent

Where we rely on your consent as the legal basis for processing, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal. To withdraw consent, use the opt-out mechanism in marketing emails or contact us at privacy@skurepublic.com.

10.9 Right to Lodge a Complaint

You have the right to lodge a complaint with your local data protection supervisory authority if you believe that our processing of your personal data violates applicable data protection law. In the European Union, you may contact the supervisory authority of the member state where you reside, work, or where the alleged infringement occurred. In the United Kingdom, the relevant authority is the Information Commissioner's Office (ICO). We encourage you to contact us first so that we have the opportunity to address your concern before you escalate to a supervisory authority.

11. Your Rights Under the CCPA (California Residents)

If you are a resident of California, the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA), grants you specific rights regarding your personal information. This section describes those rights and how to exercise them.

11.1 Right to Know

You have the right to request that we disclose: the categories of personal information we have collected about you; the specific pieces of personal information we have collected about you; the categories of sources from which we collected the personal information; our business or commercial purpose for collecting, selling, or sharing the personal information; and the categories of third parties with whom we share personal information. You may submit a verifiable request for this information up to twice in any 12-month period.

11.2 Right to Delete

You have the right to request that we delete personal information we have collected from you, subject to certain exceptions. We may deny a deletion request if the information is necessary to: complete the transaction for which the information was collected; detect security incidents or protect against illegal activity; comply with a legal obligation; enable solely internal uses that are reasonably aligned with your expectations; or exercise free speech, ensure another consumer's right to exercise free speech, or exercise another right provided by law.

11.3 Right to Correct

You have the right to request that we correct inaccurate personal information that we maintain about you. Upon receiving a verifiable correction request, we will use commercially reasonable efforts to correct the inaccuracy, taking into account the nature of the information and the purposes of processing.

11.4 Right to Opt Out of Sale or Sharing

We do not sell your personal information to third parties, nor do we share your personal information for cross-context behavioral advertising. Because we do not engage in these activities, no opt-out mechanism is currently required. If our practices change, we will update this Policy and provide a "Do Not Sell or Share My Personal Information" mechanism as required by law.

11.5 Right to Limit Use of Sensitive Personal Information

The CPRA grants you the right to limit the use of sensitive personal information to purposes for which the CPRA does not require limitation rights. SKU Republic does not collect or use sensitive personal information beyond what is reasonably necessary to perform the Service or as otherwise permitted under the CPRA.

11.6 Right to Non-Discrimination

We will not discriminate against you for exercising any of your CCPA or CPRA rights. We will not deny you goods or services, charge you different prices or rates, provide you with a different level or quality of service, or suggest that you may receive a different price, rate, level, or quality of service because you exercised your rights.

11.7 Submitting a California Rights Request

To submit a verifiable CCPA or CPRA rights request, contact us at privacy@skurepublic.com. We will acknowledge your request within 10 business days and respond to the substantive request within 45 calendar days. If we require more time (up to an additional 45 days), we will notify you of the extension and the reason for it.

12. Your Rights Under PIPEDA (Canadian Users)

If you are a resident of Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation govern how we collect, use, and disclose your personal information. This section describes the principles we follow and your rights as a Canadian user.

12.1 Accountability

SKU Republic is accountable for the personal information in its possession. We have designated a privacy contact responsible for overseeing compliance with PIPEDA and for responding to inquiries and complaints. That contact can be reached at privacy@skurepublic.com.

12.2 Identifying Purposes

We identify the purposes for which personal information is collected at or before the time of collection. The purposes for which we collect your personal information are described in Section 3 of this Policy. We will not use or disclose personal information for purposes other than those for which it was collected, except with your consent or as required or permitted by law.

12.3 Consent

We obtain your knowledge and consent for the collection, use, and disclosure of personal information, except where it is not appropriate to do so (for example, in emergencies or for legal investigation purposes). Consent may be express or, where appropriate, implied from your conduct. You may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice, although withdrawal of consent may mean we are unable to continue to provide the Service to you.

12.4 Limiting Collection

We collect only the personal information necessary for the purposes identified in this Policy. We collect information by fair and lawful means.

12.5 Limiting Use, Disclosure, and Retention

We use and disclose personal information only for the purposes for which it was collected, unless you consent to another use or disclosure or we are required or permitted by law to use or disclose it for another reason. We retain personal information only as long as necessary to fulfill the identified purposes and as described in Section 8 of this Policy.

12.6 Accuracy

We take reasonable steps to ensure that the personal information we hold is accurate, complete, and up to date for the purposes for which it is used. You may update your account information directly within the Service or request correction of inaccurate information by contacting us.

12.7 Individual Access

Upon written request, you have the right to be informed of the existence, use, and disclosure of your personal information and to be given access to that information. You may challenge the accuracy and completeness of the information and have it amended as appropriate. To submit an access request under PIPEDA, contact us at privacy@skurepublic.com. We will respond within 30 days of receiving a written request.

12.8 Challenging Compliance

You have the right to challenge our compliance with PIPEDA. Direct complaints or inquiries to our privacy contact at privacy@skurepublic.com. If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner of Canada.

13. International Data Transfers

SKU Republic is incorporated and primarily operated in the United States. If you access or use the Service from outside the United States, your personal information will be transferred to, processed, and stored in the United States, and potentially in other countries where our service providers maintain infrastructure, each of which may have data protection laws that differ from those of your country of residence.

13.1 Transfers from the EEA, UK, and Switzerland

Where we transfer personal data from the European Economic Area, the United Kingdom, or Switzerland to countries that have not been recognized by the European Commission or the UK government as providing an adequate level of data protection, we rely on appropriate safeguards to ensure that the transfer complies with applicable data protection law. These safeguards include Standard Contractual Clauses (SCCs) adopted by the European Commission, the UK International Data Transfer Addendum, or other approved transfer mechanisms. Copies of the relevant transfer mechanisms are available upon request by contacting privacy@skurepublic.com.

13.2 Transfers from Canada

Personal information transferred from Canada to other countries is subject to the laws of those countries. We take contractual steps to ensure that any personal information transferred outside Canada continues to be handled in accordance with the principles of PIPEDA. By using the Service, you acknowledge that your personal information may be transferred to and processed in jurisdictions outside Canada.

13.3 General Transfer Safeguards

Regardless of where processing occurs, we apply consistent privacy and security standards to all personal information we hold, and we require our service providers and subprocessors to implement equivalent protections. We regularly assess the adequacy of the protections in place for international transfers and update our contractual arrangements to reflect changes in law and best practice.

14. Cookies and Similar Technologies

We use cookies and similar tracking technologies to operate and improve the Service, to authenticate users, and to understand how the Service is used. This section explains what these technologies are, what we use them for, and how you can control them.

14.1 What Are Cookies?

Cookies are small text files that are placed on your device by websites you visit. They are widely used to make websites work efficiently, to remember your preferences, and to provide information to website operators. Similar technologies include web beacons (small transparent images used to track page visits), local storage objects, and session identifiers.

14.2 Strictly Necessary Cookies

These cookies are essential for the Service to function and cannot be switched off in our systems. They are set in response to actions you take, such as setting your privacy preferences, logging in, or filling in forms. Without these cookies, the Service cannot operate. They include:

• Session authentication cookies. Used to maintain your login session while you are actively using the Service. These are session cookies that expire when you close your browser.
• Persistent authentication tokens. If you select "Stay logged in," a persistent cookie stores an encrypted token that allows us to recognize you on your next visit. These expire after a fixed period (typically 30 days) and are refreshed each time you use the Service.
• CSRF protection tokens. Used to prevent cross-site request forgery attacks. These are session cookies that expire when you close your browser.
• Consent preference cookies. Used to remember your cookie consent choices so we do not ask for them on every page visit.

14.3 Functional Cookies

These cookies allow the Service to remember choices you make, such as your language preference, time zone setting, dashboard layout configuration, and other personalization options. They are set by us and may persist for up to 12 months. You may disable functional cookies in your browser settings, but doing so may affect the usability and personalization of the Service.

14.4 Analytics Cookies

Where you have consented, we may use analytics cookies to collect information about how you use the Service, including which pages you visit most often, where you encounter errors, and how you navigate between features. This information is aggregated and used to improve the Service. Analytics cookies do not identify you as an individual. You can opt out of analytics cookies by adjusting your cookie preferences within the Service or through your browser settings.

14.5 What We Do Not Use Cookies For

We do not use advertising cookies, tracking cookies for cross-site behavioral advertising, or cookies that share your browsing behavior with advertising networks. We do not sell or share cookie data with third-party advertisers. Our use of cookies is limited to the operational and analytical purposes described above.

14.6 Managing and Disabling Cookies

You can control cookies through your browser settings. Most browsers allow you to refuse all cookies, accept only certain cookies, or delete cookies that are already on your device. The help section of your browser should explain how to manage cookie settings. Note that disabling strictly necessary cookies will prevent the Service from functioning correctly; in particular, you will not be able to log in or maintain a session. Disabling optional cookies will not prevent you from using the Service but may limit certain features or personalizations.

15. Children's Privacy

The Service is intended for use by adults, specifically individuals operating or managing e-commerce businesses. The Service is not directed to, designed for, or intended for use by children under the age of 16 (or under the age of 13 in the United States under the Children's Online Privacy Protection Act, COPPA). We do not knowingly collect, use, or disclose personal information from children under these age thresholds.

If you are a parent or guardian and you believe that your child under the age of 16 has provided personal information to us through the Service without your consent, please contact us immediately at privacy@skurepublic.com. We will take prompt steps to verify the report and, if confirmed, to delete the child's personal information from our systems.

We do not have a mechanism to verify the age of users at sign-up beyond our Terms of Service, which require users to confirm that they are at least 16 years of age. If you become aware of a minor using the Service, please notify us immediately.

16. Business Transfers and Corporate Events

SKU Republic may in the future engage in transactions that involve a change in ownership or control of our business, including mergers, acquisitions, asset sales, consolidations, restructurings, or other corporate transactions. In connection with any such transaction, personal information we hold about you may be one of the assets transferred or disclosed during due diligence and may be transferred to, or assumed by, a successor entity as part of the transaction.

If a transaction involves the transfer of personal information, we will take reasonable steps to notify you either by email to the address associated with your account or by posting a prominent notice on the Service before your personal information is transferred and becomes subject to a different privacy policy. We will provide you with advance notice of at least 30 days, where practicable, before the transfer takes effect, to allow you to delete your account or take other action if you object to the new terms.

Any successor entity that receives your personal information as part of a business transfer will be required to honor the commitments we have made in this Policy with respect to data collected prior to the transfer, unless you consent otherwise or applicable law permits different treatment.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time as our practices change, as new features are introduced, or as the law requires. When we make changes, we will revise the "Last updated" date at the top of this page. For changes that materially affect your rights or how we use your personal information, we will provide more prominent notice, which may include an email notification to the address associated with your account, a banner or modal within the Service, or both.

Material changes include, but are not limited to: collecting new categories of personal information; using existing personal information in substantially new ways; changing our data retention periods in a way that is materially less protective; adding new categories of third-party recipients; and any change that reduces the rights you have under this Policy.

We will provide at least 14 days' advance notice before any material change takes effect, except where a shorter period is required by law or to address a security or compliance emergency. If you continue to use the Service after a material change takes effect, your continued use constitutes your acknowledgment of the updated Policy. If you do not agree with a material change, you may close your account before the change takes effect.

We encourage you to review this Policy periodically to stay informed about how we handle your personal information. For users in the EEA and UK, where a material change requires a new legal basis or affects the scope of consent you have previously given, we will obtain fresh consent before processing your data under the new terms.

18. Contact and Data Controller Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, we encourage you to contact us. We are committed to addressing your concerns promptly and transparently.

18.1 Data Controller

For purposes of GDPR, PIPEDA, and other applicable data protection legislation, SKU Republic is the data controller responsible for the personal information you provide when using the Service. As data controller, we determine the purposes and means of processing your personal data.

18.2 Data Processing Agreements

If you use SKU Republic on behalf of a business and you are subject to GDPR, you may request a Data Processing Agreement (DPA) from us by contacting privacy@skurepublic.com. A DPA formalizes the obligations that apply when we process personal data on your behalf as a data processor.

18.3 EU and UK Representative

As a company primarily based outside the EEA and UK, we are in the process of designating a representative within the EEA and UK as required by Article 27 of the GDPR for controllers not established in the EEA. Contact details for our representative will be published in an updated version of this Policy when that appointment is completed. In the meantime, you may contact us directly at privacy@skurepublic.com for all GDPR-related inquiries.

18.4 How to Reach Us

For all privacy-related inquiries, rights requests, complaints, or general questions about this Policy, please use the contact details below. We aim to acknowledge all privacy-related communications within 5 business days and to resolve requests within the timeframes specified in the relevant rights sections of this Policy.