Privacy Policy

Promocodes Labs Inc. provides Promocodes, a promo-code SaaS platform for merchants. This Privacy Policy explains how we collect, use, and disclose information when you visit our marketing site or use our dashboard, APIs, claim links, webhooks, documentation, and related services.

We refer to those products and services together as the Service. This notice applies to information we process for our own business purposes and explains our role when we process end-user information on behalf of merchants.

We collect the following categories of information:

• Account information from Google sign-in. Promocodes currently supports Google-only sign-in through Google Identity Services. We receive your name, email address, and profile picture from the Google ID token.
• Workspace data you create. This includes organizations, projects, campaigns, promo codes, API key metadata, webhook endpoint URLs that merchants configure, and related Service settings.
• Usage and log data. We collect server logs and API request metadata, including timestamps, IP addresses, endpoints, status codes, device and browser information, and related diagnostic data.
• Billing information. Billing is handled by a third-party payment processor. We do not store full payment card numbers.
• End-user emails submitted through claim links. Claim links are public pages where a merchant's end users submit their email address to receive a promo code. We process that information on the merchant's behalf, as described in section 5.

We use information to:

• provide, operate, secure, and maintain the Service;
• authenticate users and manage accounts, sessions, and access;
• detect, prevent, and investigate abuse, fraud, and security risks;
• provide support and respond to requests;
• process billing, subscriptions, invoices, and related notices;
• send service communications, including security, account, and product notices; and
• understand usage and improve the product.

Where privacy laws require a lawful basis, we rely on contract performance to provide the Service, legitimate interests to secure and improve the Service, legal obligations where we must keep records or respond to lawful requests, and consent where applicable.

We use strictly necessary cookies to provide the Service. This includes pc_access and pc_refresh, which are HttpOnly session cookies used solely for authentication, and a theme preference used to remember your display choice.

We do not currently use advertising cookies or cross-site tracking cookies. If that changes, we will update this notice and any required consent mechanisms first.

Promocodes acts as a controller for merchant account, usage, and billing data that we process for our own business purposes. This includes account information, workspace settings, authentication data, usage logs, support communications, and billing records.

Promocodes acts as a processor or service provider for end-user email addresses captured through merchants' claim links. For that information, the merchant decides why and how the data is processed, and we process it on the merchant's behalf to provide the Service.

End users should direct privacy requests to the merchant they redeemed a code with. We will assist merchants in honoring those requests as required by applicable law and our agreements with them.

A data processing addendum and subprocessor list are forthcoming: [TODO_LEGAL_SUBPROCESSOR_LIST].

We may disclose information in the following ways:

• Service providers and subprocessors. We work with providers that support hosting, payment processing, email delivery, security, operations, and support. They process information under contract.
• Legal compliance. We may disclose information when required to comply with law, legal process, or government requests.
• Protecting rights and safety. We may disclose information to protect the rights, property, safety, or security of Promocodes, our users, end users, or others.
• Business transfers. If Promocodes is involved in a merger, acquisition, financing, reorganization, or sale of assets, information may be transferred as part of that transaction, with notice where required.

We do not sell personal information and do not share personal information for cross-context behavioral advertising.

We retain account data for the life of the account and for a reasonable period after deletion when needed for security, backup, support, legal, or business purposes.

Server logs are retained for a limited operational window. End-user claim emails are retained according to the merchant's instructions and account lifetime. Billing records are retained as required by law. Backups age out on a schedule.

We use technical and organizational measures designed to protect the Service, including HttpOnly authentication cookies, encrypted transport using TLS, access controls, and secrets management.

No method of transmission or storage is 100% secure. If you believe you have found a security issue, contact us at [TODO_LEGAL_CONTACT_EMAIL].

We may process information in countries other than where you are located. Those countries may have privacy laws that differ from the laws in your location.

Where required, we rely on appropriate safeguards for international transfers, such as Standard Contractual Clauses.

Depending on where you live, you may have rights under GDPR, UK, US state, or other privacy laws. These may include the right to access, correct, delete, restrict, or receive a copy of your information, to object to certain processing, to withdraw consent where processing is based on consent, and to complain to a supervisory authority.

US state privacy laws may provide rights to know or access personal information, delete personal information, correct inaccurate personal information, and opt out of sale or sharing. We do not sell personal information and do not share it for cross-context behavioral advertising.

To exercise privacy rights for merchant account data, email [TODO_LEGAL_CONTACT_EMAIL]. We may verify your identity before responding. Authorized agents may submit requests where law allows. We will not discriminate against you for exercising your privacy rights.

If you are an end user who submitted an email address through a merchant's claim link, please direct your request to the merchant you redeemed a code with. We will assist that merchant in responding as required.

The Service is for businesses and is not directed to children under 16. We do not knowingly collect personal information from children under 16.

If you believe a child has provided personal information to us, contact us at [TODO_LEGAL_CONTACT_EMAIL] so we can take appropriate steps to remove it.

We may update this notice from time to time. When we do, we will post the updated notice here with a new "Last updated" date.

If we make material changes, we will notify you by email, dashboard notice, or another reasonable method.

Contact Promocodes Labs Inc. at [TODO_LEGAL_ENTITY_ADDRESS] or email [TODO_LEGAL_CONTACT_EMAIL].