Legal
Privacy Policy
About this document. This Privacy Policy explains what information we collect, why we collect it, how we use it, who we share it with, how long we keep it, and the rights you have over it. It applies to the website at www.colorfulaiapps.com and to every application released under the Colorful AI Apps name. Where a specific app handles data differently, we say so in a clearly marked per-app section.
1. Who we are
Colorful AI Apps is operated by [LLC LEGAL NAME — TO BE FILLED IN], a limited liability company organized under the laws of [U.S. STATE — TO BE FILLED IN], with its principal mailing address at [STREET / PO BOX, CITY, STATE, ZIP — TO BE FILLED IN], United States.
For all matters covered by this Privacy Policy, [LLC LEGAL NAME] is the controller of personal information (or, where your jurisdiction uses different terminology, the equivalent role — “business” under the CCPA/CPRA, “data fiduciary” under emerging U.S. state laws, etc.).
You can reach us at:
- Privacy & data requests: privacy@colorfulaiapps.com
- General contact: support@colorfulaiapps.com
- Postal mail: address above; full details on our imprint page.
2. Scope
This policy covers:
- The marketing website at www.colorfulaiapps.com.
- All Colorful AI apps listed in the `applies_to` field of this document’s frontmatter and on our apps page, including Colorful Amazon Ads Creator and Integrated Pricing & Inventory.
- Any communications you have with us by email or postal mail.
This policy does not cover third-party services we link to, such as Amazon, eBay, Meta, TikTok, Walmart, or our sister site Colorful Vinyl Records. Each of those is governed by its own privacy policy.
3. Information we collect
3.1 Information you give us directly
- Account & contact details — when you sign up for an app or email us: name, email address, business name, and any details you choose to include in messages.
- Authentication credentials for marketplace platforms — when you authorize one of our apps to access your Amazon, eBay, Meta, TikTok, or Walmart account, we receive an OAuth access token (or equivalent credential) issued by that platform. We do not receive or store your platform password.
- App configuration — pricing rules, ad-campaign templates, SKU lists, and similar settings you create inside our apps.
- Payment information — when you pay for a paid app, payment is processed by a third-party processor (e.g., Stripe). We receive a transaction reference and the last four digits / brand of the card, not the full card number.
3.2 Information we collect automatically
- Server & security logs — your IP address, browser user-agent, the page you requested, the referring page, and the timestamp.
- Cookieless analytics — we use Cloudflare Web Analytics on this site, which does not set cookies, does not fingerprint visitors, and does not track you across other sites. See our Cookie Policy for details.
3.3 Information we receive from marketplace APIs
When you connect a Colorful AI app to a marketplace, we receive — only within the scopes you authorize — data such as:
- Amazon Selling Partner API: product catalog, inventory levels, orders, advertising campaigns. May include Personally Identifiable Information (PII) about your customers (e.g., shipping address, buyer name) where required for an order-related task.
- Amazon Advertising API: campaigns, ad groups, keywords, performance metrics.
- eBay Sell APIs: listings, orders, buyer messages.
- Meta Commerce APIs: catalog, product listings, ad campaigns.
- TikTok Shop API: products, orders, fulfillment status.
- Walmart Marketplace API: items, orders, returns.
We only request the minimum scopes each app needs to do the job you’ve asked it to do.
4. How we use information
We use the information described above to:
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Provide the app’s functionality you signed up for | Performance of a contract |
| Authenticate you and secure our systems | Legitimate interest; legal obligation |
| Communicate with you about service issues | Performance of a contract |
| Respond to support requests | Performance of a contract; legitimate interest |
| Comply with tax, accounting, and legal obligations | Legal obligation |
| Detect, prevent, and respond to fraud or abuse | Legitimate interest |
| Improve our apps in the aggregate | Legitimate interest |
We do not:
- Sell your personal information.
- Share your personal information with data brokers or ad networks.
- Use your data, or any data we receive from a marketplace API, to train general-purpose machine-learning models.
- Send you marketing email without an explicit prior opt-in.
5. Sharing & sub-processors
We share information only with the following categories of recipients, and only for the purposes described:
- Hosting & infrastructure: Cloudflare, Inc. — hosts this website, terminates TLS, and provides cookieless analytics.
- Email: Google LLC (Workspace) — delivers and stores email between you and us.
- Marketplace APIs: Amazon, eBay, Meta, TikTok, Walmart — when you’ve authorized one of our apps, we send instructions and receive data through their official APIs as you’ve directed.
- Payment processor: Stripe (or equivalent) for paid plans.
- Professional advisors: lawyers, accountants, and similar advisors, where required.
- Authorities: when we are legally compelled to disclose by valid process, after attempting to give you notice where lawful.
If we engage additional sub-processors, we’ll update this list and note the change in the “last updated” date above.
6. International transfers
We are based in the United States. If you are accessing our site or apps from outside the United States, your information will be transferred to, and processed in, the United States. Where EU/UK/Swiss personal data is transferred to us, we rely on the EU-US Data Privacy Framework (and its UK and Swiss extensions, as applicable) and/or Standard Contractual Clauses as the legal mechanism for transfer.
7. How long we keep information
We keep information only for as long as we need it for the purposes described above, then delete it. Specifically:
- Marketing site logs: up to 30 days, then aggregated or deleted.
- App configuration you create: for as long as your account is active, plus a short grace period after cancellation in case you return.
- Email correspondence: up to two years after our last exchange, unless we need to keep it longer for legal reasons.
- Tax / accounting records: for the period required by U.S. federal and state law (typically 7 years).
- Amazon Selling Partner API PII (e.g., buyer names, shipping addresses): see Section 13.2 below — retained no longer than 30 days after order fulfillment unless a longer period is required by law (e.g., tax records).
You can ask us to delete your data at any time — see the Data deletion request page.
8. How we protect information
- In transit: all traffic to our site and our apps is encrypted with TLS 1.2 or newer.
- At rest: marketplace API credentials and any PII are encrypted at rest using strong, current ciphers (AES-256 or equivalent).
- Access control: access to production systems and stored data is limited to a minimal set of authorized personnel acting on our behalf, each operating under a confidentiality obligation.
- Logging & monitoring: access to systems handling personal data is logged.
- Breach notification: if we become aware of a security incident affecting your personal information, we will notify you and the relevant marketplace platform without undue delay, and within any timeframe required by applicable law (typically 72 hours under GDPR; 24 hours where required by Amazon SP-API DPP).
No system is perfectly secure, and we do not guarantee absolute security. We implement reasonable, current safeguards.
9. Your rights
9.1 EEA / UK / Switzerland (GDPR / UK GDPR)
You have the right to:
- access the personal data we hold about you;
- ask us to correct inaccurate data;
- ask us to delete your data;
- restrict or object to certain processing;
- portability — receive your data in a machine-readable format;
- withdraw consent (where consent is the legal basis), without affecting prior processing;
- lodge a complaint with your national data protection authority.
9.2 California (CCPA / CPRA)
If you are a California resident, you have the right to:
- know what personal information we collect, use, disclose, or share about you, and the categories of sources and recipients;
- request deletion of your personal information;
- request correction of inaccurate personal information;
- opt out of “sale” or “sharing” of personal information — note: we do not sell or share personal information for cross-context behavioral advertising;
- limit the use and disclosure of sensitive personal information — note: we do not use sensitive personal information for any purpose beyond providing the service you requested;
- non-discrimination for exercising any of these rights.
9.3 Other U.S. state laws
Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and other states with comprehensive privacy laws have rights similar to those above. We honor those rights as required by your state’s law. Reach out to privacy@colorfulaiapps.com to exercise them.
9.4 How to exercise your rights
Email privacy@colorfulaiapps.com or use our Data deletion request page. We will respond within the time required by applicable law (typically 30–45 days).
We will need to verify your identity before fulfilling certain requests; usually, replying from the email address associated with your account is enough.
10. Children’s privacy
Our apps and this website are not directed to children under 13 (or, in the EEA/UK, under 16). We do not knowingly collect personal information from children. If we learn that we have, we will delete it. If you believe a child has provided personal information to us, please contact privacy@colorfulaiapps.com.
11. Cookies and tracking
We do not use any third-party advertising or analytics cookies. We use Cloudflare Web Analytics, which is cookieless, does not fingerprint visitors, and does not track you across sites. See our short Cookie Policy for details.
12. Data deletion
To delete your data, follow the steps on the Data deletion request page. Meta and TikTok in particular may direct their users to that page; it is publicly accessible without login.
13. Marketplace platform-specific terms
The clauses below apply specifically when our apps process data received from the named platform. They are in addition to, not instead of, everything above.
13.1 Google API Services User Data Policy — Limited Use
Colorful AI Apps’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
We use Google API data only to provide the user-facing features each of our apps describes; we do not transfer Google API data to others unless doing so is necessary to provide and improve those features, comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users; we do not use Google API data for serving advertisements; and we do not allow humans to read Google API data unless we have your affirmative agreement to view specific messages, doing so is necessary for security purposes such as investigating abuse, to comply with applicable law, or for our internal operations and even then only when the data have been aggregated and anonymized.
13.2 Amazon Selling Partner API — Data Protection Policy (DPP)
When a Colorful AI app accesses Amazon Selling Partner API data on your behalf:
- PII handling. We treat all Amazon Personally Identifiable Information (e.g., buyer names, shipping addresses, phone numbers, gift messages) as confidential. PII is encrypted in transit (TLS 1.2+) and at rest (AES-256 or equivalent).
- Retention. PII received from Amazon SP-API is retained for no longer than 30 days after the order has been shipped, delivered, and any return window has closed, unless retention for a longer period is specifically required by tax, accounting, or other applicable law.
- Use limitation. We use Amazon SP-API data solely to provide the service you’ve authorized and to comply with applicable law. We do not use it for advertising, resale, profiling, training of general-purpose models, or any purpose unrelated to the requested service.
- Access control. Access to systems storing SP-API PII is restricted to a minimal set of authorized personnel under confidentiality obligations, each authenticated with multi-factor authentication.
- Sub-processors. We do not transfer SP-API PII to any sub-processor except those listed in Section 5 above, each of which is bound by appropriate data-protection terms.
- Incident response. We will notify Amazon and affected sellers within 24 hours of confirming any security incident affecting SP-API data, in accordance with the SP-API Data Protection Policy.
- Deletion on request. We will delete your SP-API data within a reasonable period (no more than 30 days) after you cancel the service or otherwise request deletion, except where we are required by law to retain it.
13.3 Meta Platform Terms
When a Colorful AI app uses Meta’s Commerce or Marketing APIs:
- We comply with the Meta Platform Terms and Developer Policies.
- We do not use Meta data to build, augment, or modify user profiles for advertising elsewhere.
- We do not transfer Meta data to data brokers, ad networks, or similar third parties.
- We honor user revocation: if you remove our app from your Meta account, we delete the data we received from your Meta account within a reasonable period (no more than 30 days).
- Data deletion mechanism. Public, login-free deletion instructions are available at https://www.colorfulaiapps.com/legal/data-deletion.
13.4 TikTok Developer Terms
When a Colorful AI app uses the TikTok Shop API:
- We comply with the TikTok Developer Terms of Service and applicable platform documentation.
- We use TikTok data only to provide the service you’ve authorized.
- We do not sell TikTok data, transfer it to ad networks, or use it to build user profiles outside the requested service.
- Deletion process. See Data deletion request.
13.5 eBay Developer Program
When a Colorful AI app uses eBay Sell APIs:
- We comply with the eBay API License Agreement.
- We retain eBay data only as long as necessary to provide the service, and in any event no longer than required by applicable law.
- We do not redistribute eBay-sourced listing or buyer data outside the scope of the service you’ve authorized.
13.6 Walmart Marketplace API
When a Colorful AI app uses the Walmart Marketplace API:
- We comply with Walmart’s developer terms and Marketplace Retailer Agreement.
- Walmart order and customer data is treated under the same PII rules described in Section 13.2 (encryption, retention, use limitation).
13.7 Shopify Partner Platform
When a Colorful AI app is installed on a Shopify store:
- We comply with the Shopify Partner Program Agreement, the Acceptable Use Policy, and the Protected Customer Data Application Requirements where applicable.
- Offline access tokens. When the merchant approves the install, Shopify issues us an offline access token bound to the merchant’s shop. We use it only to perform actions the merchant has explicitly authorized. The token is encrypted with AES-256-GCM before storage, with a key held as a Cloudflare Workers secret separate from the Shopify API credentials.
- Mandatory webhooks honored. We register and respond to Shopify’s three GDPR mandatory webhooks (`customers/data_request`, `customers/redact`, `shop/redact`) plus `app/uninstalled`. Receipt of `shop/redact` results in deletion of all shop-scoped data we hold within the timeframes Shopify requires.
- Token deletion on uninstall. When the merchant removes the app, we delete the offline access token immediately on receipt of the `app/uninstalled` webhook (Shopify normally fires this within seconds of uninstall).
- No transfer to ad networks. We do not transfer Shopify data to data brokers or ad networks, and we do not use Shopify data to train general-purpose machine-learning models.
- Embedded session tokens. Authentication between the embedded app and our backend uses short-lived Shopify-issued JWTs (App Bridge session tokens), not long-lived cookies.
- Deletion mechanism. Merchants and customers can also request deletion at any time via /legal/data-deletion.
14. Changes to this policy
We may update this policy. When we do, we will:
- bump the “Last updated” date at the top of this document;
- if the change is material, post a notice on the home page or email account holders at least 30 days before the change takes effect.
The current version is always at this URL. Older versions are preserved in our public Git history (see the GitHub repository once published).
15. Contact
Questions, concerns, or requests:
- Privacy & data requests: privacy@colorfulaiapps.com
- General contact: support@colorfulaiapps.com
- Postal mail: see our imprint.