Privacy Policy
Last updated: 2026-05-11 · Version 0.2
Effective date: 2026-05-11
Version: 0.2 (third-party seller-of-record references removed)
Operator: Satsuki Okazaki (sole proprietor), 8F MIEUX Shibuya Building, 5-3 Maruyama-cho, Shibuya-ku, Tokyo 150-0044, Japan
Contact: hello@getpodprofit.com
About this version: This is the v0.1 baseline (revised to v0.2 on 2026-05-11) published in time for the public launch of getpodprofit.com on 2026-06-09. It will be updated to v1.0 before the Excel Template launch on 2026-07-23 to incorporate any feedback from external counsel and to expand AI-related disclosures. We will notify existing accounts by email of material changes.
1. Who we are
PODProfit is operated by Satsuki Okazaki, an individual sole proprietor based in Tokyo, Japan. We provide an estimation calculator and related content for sellers who use Print-on-Demand (POD) marketplaces and fulfilment services.
For all privacy questions, requests, and complaints, please email hello@getpodprofit.com. We will acknowledge receipt within 3 business days and respond substantively within 30 days.
This Privacy Policy applies to:
- The website getpodprofit.com (calculator, blog, public API, marketing pages)
- Paid plans purchased through our checkout (Stripe)
- Email subscriptions delivered via Buttondown
2. Information we collect
We follow a "collect the minimum needed" principle. The categories below are exhaustive — we do not maintain hidden data stores.
2.1 Account information
When you create a Pro or Lifetime account:
- Email address
- Hashed password (we never see your plaintext password — Supabase Auth uses bcrypt)
- Magic link / Google OAuth identifier (depending on sign-in method you choose)
- Timestamp of account creation and last login
2.2 Calculator inputs (privacy by design)
The numbers you type into the calculator (vendor cost, marketplace fees, retail price, etc.) are not stored on our servers by default. They live only in your browser and are discarded when you close the tab.
If you actively choose to save a calculation (Pro feature) or to generate a share link, the relevant input set is stored against your account or as a short hashed identifier in our database. You can delete saved calculations and revoke share links at any time.
2.3 Share-link metadata
When you generate a share link, we store only the short hash and the calculation payload necessary to render the shared view. We do not associate share links with the recipient.
2.4 Payment information
We do not see or store full card details.
- Stripe processes payments for getpodprofit.com plans (Lifetime $149, Pro $9/month, Pro Annual $79/year). We receive the metadata Stripe shares with us: card brand, last 4 digits, billing country, Stripe customer ID, and amount/currency.
2.5 Email subscribers (lead magnet, newsletter)
When you opt in to a lead magnet or our newsletter, Buttondown stores your email address and engagement metadata (open/click events). You can unsubscribe at any time using the link in every email.
2.6 Web analytics
We use Cloudflare Web Analytics, which is cookieless and does not fingerprint visitors. Aggregate traffic data (page views, referrer, country) is collected without individual identification. We do not use Google Analytics, Meta Pixel, or any third-party advertising tracker.
2.7 Server logs and security telemetry
Standard HTTP request logs (IP address, user-agent, path, response status, timestamp) are retained for 14 days for debugging and abuse prevention, then deleted.
2.8 Customer-support correspondence
When you email us, we retain the message thread (sender, subject, body, attachments) for as long as needed to handle the issue and to maintain a service-quality history (typically up to 24 months).
2.9 Contact form submissions
When you submit our website Contact form (/contact), we store the following in our private database (Supabase) so we can reply and so we have an audit trail for refunds, bug reports, and abuse investigation:
- The name (optional) and email address you provide
- Category, subject (optional), and the body of your message
- Your IP address and browser user-agent string at submission time
- If you are signed in, the link to your account
- Submission timestamp, status (new / replied / archived / spam), and our reply text
Default retention: contact-form records are kept for 6 months from the date we replied, after which the record is archived (status flipped to archived) and remains accessible only for the broader 24-month customer-support history (Section 2.8) before deletion. Records classified as spam are kept for up to 6 months for abuse-pattern analysis, then deleted.
Third-party processing: contact-form submissions may be processed by Anthropic as our AI sub-processor (Section 5.1) to draft a reply. This pathway is gated on the post-launch evaluation (target: 2026-06-23) and a human always reviews and edits the draft before sending. Until that gate is passed, no contact-form content is sent to Anthropic.
3. What we do NOT collect
To remove ambiguity:
- No tracking cookies, advertising cookies, or third-party trackers
- No advertising IDs (IDFA, AAID, etc.)
- No marketplace credentials (we never ask for your Etsy/Shopify/Printful/Printify login)
- No live access to your sales data, orders, payouts, or bank accounts
- No precise geolocation
- No biometric data
- No special-category data (race, religion, health, political opinions, etc.)
4. Why we collect each item (legal bases)
For users in the EU/UK we rely on the following legal bases under GDPR Art. 6:
| Purpose | Data | Legal basis |
|---|---|---|
| Authentication, account management | Account info | Contract (Art. 6(1)(b)) |
| Provision of save/share features | Calculator inputs (opt-in) | Contract |
| Payment processing, fraud prevention | Stripe metadata | Contract + legal obligation (tax law) |
| Newsletter and lead magnet delivery | Email + engagement | Consent (Art. 6(1)(a)) |
| Aggregate analytics | Cloudflare Web Analytics data | Legitimate interest (Art. 6(1)(f)) — minimal, no individual ID |
| Security, fraud, abuse prevention | Server logs | Legitimate interest |
| Customer support | Email correspondence | Contract / legitimate interest |
For users in California we rely on the corresponding "business purposes" under the CCPA/CPRA. For users in Japan we comply with the Act on the Protection of Personal Information (APPI), including Article 28 on cross-border transfers.
5. Sub-processors
The following third parties process personal data on our behalf. All have contractual data-processing terms (DPA / SCC) in place.
| Sub-processor | Location | Purpose |
|---|---|---|
| Vercel Inc. | United States | Application hosting |
| Cloudflare, Inc. | United States | DNS, CDN, Workers, cookieless web analytics |
| Supabase Inc. | United States | Database, authentication |
| Stripe, Inc. | United States | Payment processing for getpodprofit.com plans |
| Buttondown, LLC | United States | Email newsletter delivery |
| Anthropic, PBC | United States | AI-assisted drafting of customer-support replies (planned to go live approximately 2026-06-23, pending post-launch evaluation of demand and quality criteria) |
We update this list when we add or replace a sub-processor. Material changes are announced on this page and, where required, by email to active accounts.
5.1 AI-assisted customer support (Anthropic)
We use Anthropic's Claude API to assist with drafting customer-support responses. When you contact us, the contents of your inquiry (including your email body and any quoted attachments you provide as text) may be transmitted to Anthropic for processing as our data sub-processor. Anthropic acts under our instructions and does not train its models on the data we send through the API, per Anthropic's Commercial Terms of Service.
A human (the founder) reviews and edits every AI-assisted draft before it is sent. AI is never used to make automated decisions that produce legal effects on you.
Please do not include sensitive personal data such as government identification numbers, payment card numbers, account passwords, or health information in support emails. If you must share such information, contact us first and we will arrange a secure channel.
6. International data transfers
Our sub-processors are predominantly located in the United States. For personal data originating in the EU/UK, transfers are made under the European Commission's Standard Contractual Clauses (SCCs) (GDPR Art. 46(2)(c)), supplemented by the additional safeguards each sub-processor publishes (encryption in transit and at rest, access logging, sub-processor restrictions). For data originating in Japan, transfers comply with APPI Article 28 (consent-based and equivalent-standards-based transfers).
You may request a copy of the SCCs that apply to your data by emailing hello@getpodprofit.com.
7. Your rights
7.1 EU/UK residents (GDPR / UK GDPR)
You have the right to:
- Access — obtain a copy of the personal data we hold about you (Art. 15)
- Rectification — correct inaccurate or incomplete data (Art. 16)
- Erasure ("right to be forgotten") — request deletion of your account and data (Art. 17). We complete erasure within 30 days of a verified request.
- Restriction — limit how we process your data in certain circumstances (Art. 18)
- Portability — receive your data in a structured, machine-readable format (Art. 20)
- Object — object to processing based on legitimate interest (Art. 21)
- Withdraw consent — for any processing based on consent, at any time
- Complaint — lodge a complaint with your national data-protection authority (the list is published by the European Commission). UK residents may complain to the ICO.
To exercise any right, email hello@getpodprofit.comwith the subject line "Privacy Request". We will verify your identity (typically by confirming control of the account email) and respond within 30 days.
7.2 California residents (CCPA / CPRA)
You have the right to know, the right to delete, the right to correct, the right to limit use of sensitive personal information, and the right to opt out of the sale or sharing of personal information.
We do not sell or share your personal informationwithin the meaning of the CCPA/CPRA. We do not engage in cross-context behavioural advertising. The "Do Not Sell or Share My Personal Information" requirement therefore does not apply, but the disclosure is provided for transparency.
To exercise California rights, email hello@getpodprofit.comwith the subject line "CCPA Request". We do not discriminate against users who exercise their rights.
7.3 Japan residents (APPI)
You may request disclosure, correction, deletion, or suspension of use of your personal information at any time by emailing hello@getpodprofit.com. We manage sub-processors as 委託先 (entrusted parties) and supervise their compliance with APPI obligations.
8. Cookies and similar technologies
We use only strictly necessary cookies for session management on logged-in pages. We do not use:
- Analytics cookies (our analytics provider is cookieless)
- Advertising cookies
- Third-party trackers
- Cross-site tracking pixels
Because we do not deploy non-essential cookies, no consent banner is required under the GDPR ePrivacy Directive (2002/58/EC) or APPI. If we ever introduce non-essential cookies, we will request opt-in consent first.
9. Data retention
| Data | Retention |
|---|---|
| Account (email, plan, login metadata) | Until you delete your account; then up to 30 days for backup recovery, after which it is permanently erased |
| Saved calculations, share links | Until you delete them, or until account deletion |
| Stripe payment records | 7 years (Japanese tax-law requirement) |
| Email subscribers | Until you unsubscribe |
| Server logs | 14 days |
| Customer-support correspondence | Up to 24 months from last activity, then deleted |
| Contact-form submissions (inquiries) | Active records: until status moves to replied. Replied records: 6 months, then archived. Archived records: subject to the 24-month customer-support ceiling. Spam: up to 6 months, then deleted. |
Verified erasure requests are honoured within 30 days. Some records (notably payment records under Japanese tax law) may be retained beyond an erasure request only to the extent strictly required by law.
10. Security
- All traffic is HTTPS-only (TLS 1.2+).
- Passwords are hashed with bcrypt (via Supabase Auth) — we never see plaintext passwords.
- Database access is restricted by Row-Level Security and least-privilege keys.
- Payment card data is fully isolated at Stripe (PCI-DSS Level 1 environment).
- Production access keys are rotated on a documented schedule and stored in a secrets manager.
No security model is infallible. If we become aware of a personal-data breach, we will notify affected users without undue delay and within 72 hours to the extent required by GDPR Art. 33 / 34 and APPI breach-notification rules.
11. Children
The service is not directed to children under 13, and we do not knowingly collect personal data from anyone under 13. If you believe a child has provided personal data to us, please email hello@getpodprofit.com and we will promptly delete it. This commitment is consistent with the United States Children's Online Privacy Protection Act (COPPA).
12. Automated decision-making and AI
We do not use automated decision-making (including profiling) that produces legal or similarly significant effects on you within the meaning of GDPR Art. 22.
AI assistance in our customer-support workflow (Section 5.1) is advisory only and is reviewed by a human before any reply is sent. AI-generated text inside the calculator (such as result summaries or pricing suggestions) is informational and does not affect billing, account status, or access.
13. Third-party trademarks
Etsy, Shopify, Printful, Printify, Stripe, Buttondown, Vercel, Supabase, Cloudflare, and Anthropic are trademarks of their respective owners. PODProfit is an independent tool and is not affiliated with, endorsed by, or sponsored by any of these companies. We reference them solely under nominative fair use to identify the platforms our calculator supports and the providers we rely on.
14. Contact and complaints
| Subject | How to reach us |
|---|---|
| All privacy requests, GDPR / CCPA / APPI rights, breach notifications | hello@getpodprofit.com(subject line: "Privacy Request" / "CCPA Request") |
| Postal address | Satsuki Okazaki, 8F MIEUX Shibuya Building, 5-3 Maruyama-cho, Shibuya-ku, Tokyo 150-0044, Japan |
EU residents may also lodge a complaint with their national data-protection authority. UK residents may contact the Information Commissioner's Office (ICO). Japanese residents may contact the Personal Information Protection Commission (PPC).
15. Changes to this Policy
Material changes will be announced on this page with a new effective date and, for changes that affect existing users' rights, by email to active accounts at least 30 days in advance. Non-material changes (clarifications, typo fixes) may be applied without notice. The current version is always available at https://getpodprofit.com/legal/privacy.
16. Revision history
| Version | Date | Notes |
|---|---|---|
| 0.1 | 2026-06-09 | Initial pre-launch publication. Adds AI sub-processor disclosure (Anthropic), GDPR / CCPA / APPI explicit sections, sub-processor table. To be reviewed against external counsel feedback before v1.0 (target: 2026-07-23). |
| 0.2 | 2026-05-11 | Removes references to a previously named third-party seller-of-record across this Policy (Section 1 scope, Section 2.4 payment information, Section 4 legal-bases table, Section 5 sub-processor table, Section 9 retention table, Section 10 security, Section 13 trademarks). The Excel Template and Benchmark Report products are not yet on sale (planned 2026-07-23 and 2026-08-20); processor-specific disclosures will be reintroduced in a later revision before those products launch. See docs/adr/0002 for context. No other substantive changes from v0.1. |