Privacy Policy

Effective April 18, 2026

AutoPOD (“AutoPOD,” “we,” “us,” or “our”) takes your privacy seriously. This policy explains what we collect, why we collect it, how we use it, and the choices you have. It applies to the AutoPOD website at autopod.xaeryx.com, the AutoPOD mobile apps for iOS and Android, and any related services (together, the “Service”).

If you do not agree with this policy, please do not use the Service.

1. Who we are

AutoPOD is operated as a sole-proprietor project based in the United States. The easiest way to reach us is hello@xaeryx.com.

2. Information we collect

We collect information in three ways:

(a) Information you give us directly

  • Account data. When you sign up, we collect your email address and an encrypted password (we never see your plaintext password). If you sign in with a third-party provider (for example Apple or Google, where available), we receive the basic profile information they send us, such as your name and email.
  • Onboarding answers. We ask a small number of questions (for example your prior experience selling online) so the app can tailor itself to you. We store these on your user record.
  • Content you upload. Any artwork, photos, or text you upload or generate inside AutoPOD to use on your print-on-demand listings.
  • Waitlist email. If you submit your email on our landing page, we store it so we can notify you when early access opens.
  • Support communications. When you email us or message support, we keep the thread so we can help you and improve our product.

(b) Information from connected third-party accounts

AutoPOD lets you connect external commerce and print-on-demand accounts (for example Etsy, Printful, and Printify) so we can publish listings and check on fulfillment on your behalf. When you connect one of these services:

  • We receive an OAuth access token (and, where provided, a refresh token). We store these encrypted at rest and use them only to perform actions you initiate, such as creating a listing or reading your shop’s public profile.
  • We receive the shop, listing, and order data that the third party returns for the scopes you approved. For example, Etsy returns your shop name, listing details, and order totals (not buyer payment information).
  • We never receive or store your password for any connected service, and you can disconnect any integration at any time from your account settings.

(c) Information we collect automatically

  • Device and usage data. Device type, operating system, app version, crash logs, and feature-usage events (for example “user completed onboarding”).
  • Approximate location. Derived from your IP address only (country or region level). We do not collect precise GPS location.
  • Cookies and similar technologies. On our website, we use a small number of essential cookies for sign-in and security, plus privacy-friendly analytics. We do not use advertising cookies or cross-site tracking.

3. How we use your information

We use the information above to:

  • Operate your account and keep you signed in.
  • Deliver the core product — generate designs, draft listing copy, and publish listings to the third-party platforms you connect.
  • Personalize trend recommendations based on the categories you choose.
  • Send transactional messages (for example sign-in confirmations, payment receipts, and changes to your account).
  • Measure how the product is used so we can fix bugs and improve the experience.
  • Detect, investigate, and prevent fraud, abuse, and Terms violations.
  • Comply with applicable laws and lawful requests.

We do not sell your personal information. We do not use your personal information to train third-party advertising models, and we do not share it with advertisers.

4. Service providers we share data with

AutoPOD is built on a small number of trusted infrastructure and product partners. Each only receives the data it needs to do its specific job:

  • Supabase — authentication, database, and session storage.
  • Vercel — website and web-app hosting.
  • Railway — API backend hosting.
  • Stripe and RevenueCat — payment processing and subscription management. These providers handle your payment card directly; we do not see or store card numbers.
  • OpenAI and Ideogram — AI model providers that generate design images and listing copy from the prompts you choose. We do not send them your email, password, or connected-account tokens.
  • Etsy, Printful, and Printify — when you connect one of these accounts and ask us to take an action (for example “publish this listing”), we call their API with the OAuth token you authorized.
  • Analytics and crash reporting. We use privacy-respecting analytics (such as PostHog) to understand aggregate product usage and crash rates.

We may also disclose information where legally required — for example in response to a valid subpoena, court order, or regulator request — or in connection with a merger, acquisition, or sale of all or part of our business.

5. How long we keep your data

We keep your account data for as long as your account is active. If you delete your account, we remove your personal information within 30 days, except where we need to keep a limited subset to comply with tax, accounting, fraud-prevention, or other legal obligations (for example retaining invoices for the period required by tax law). OAuth tokens for connected third-party services are deleted as soon as you disconnect the integration or delete your account.

6. Your rights and choices

Depending on where you live, you may have rights under the GDPR, UK GDPR, California Consumer Privacy Act (CCPA/CPRA), or similar laws, including the right to:

  • Access the personal information we hold about you.
  • Correct information that is inaccurate.
  • Delete your personal information.
  • Receive a copy of your data in a portable, machine-readable format.
  • Object to or restrict certain processing (for example analytics).
  • Withdraw consent where processing is based on consent, without affecting prior processing.
  • Lodge a complaint with your local data-protection authority.

To exercise any of these rights, email hello@xaeryx.com from the address on your account. We will respond within the timeframes required by applicable law (generally 30 days).

7. Security

We use industry-standard safeguards to protect your data, including TLS in transit, encryption at rest for sensitive fields such as OAuth tokens, scoped access controls, and secure credential storage in the mobile app using the device’s secure enclave (iOS Keychain / Android Keystore). No system is perfectly secure, and we cannot guarantee absolute security, but we work hard to minimize risk and notify affected users promptly in the event of a breach, as required by law.

8. Children

AutoPOD is not directed to children. We do not knowingly collect personal information from anyone under 13 (or under 16 in the EEA and UK). If you believe a child has provided us with personal information, please contact us and we will delete it.

9. International users

AutoPOD is operated from the United States. If you access the Service from outside the United States, you understand that your information will be transferred to, stored in, and processed in the United States, which may have data-protection laws that differ from those of your country. Where required, we rely on appropriate legal transfer mechanisms (for example the EU Standard Contractual Clauses) to protect your data.

10. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will change the “Effective” date at the top of this page and, for material changes, give you reasonable prior notice (for example by email or an in-app notice). Your continued use of the Service after the effective date means you accept the updated policy.

11. Contact us

Questions, concerns, or requests about this policy or your data can be sent to hello@xaeryx.com.