Last updated: April 2026
This Privacy Policy explains how Pricafy ("we", "us", "our") collects, uses, shares, and protects your personal information when you use our AliExpress Price Tracker service (the "Service"). It also describes the rights you have over your data under applicable laws, including the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and the Saudi Personal Data Protection Law (PDPL).
The Service is operated by Pricafy (pricafy.com), the data controller for the personal data described in this policy.
For any privacy-related question, request, or complaint, you can contact us at: support@pricafy.com.
If your country requires the appointment of a local representative or data protection officer, that appointment will be listed here once formally designated.
Account data: email address, hashed password, preferred language, preferred currency, notification and display preferences, and any optional profile details you choose to provide.
Tracking data: AliExpress product URLs and IDs you submit, price thresholds, alert rules, and other configuration tied to your tracked items.
Technical data: IP address, approximate geolocation derived from IP, browser type and version, operating system, device type, referrer URL, language headers, cookies, and session identifiers.
Usage and log data: requests made to our service, pages viewed, features used, errors, timestamps, and diagnostic information collected automatically by our servers.
Telegram linkage: if you link your account to our Telegram bot (@aliexpressb_bot), we store the mapping between your Telegram user identifier and your account so we can deliver alerts across both channels. The database is shared with the bot.
We do not collect or store payment card numbers, bank account details, or any other payment credentials. All purchases happen on AliExpress; we never process payments.
We do not collect special-category / sensitive personal data such as health data, biometric data, genetic data, precise geolocation, religious beliefs, political opinions, or sexual orientation.
The Service is not directed at children. We do not knowingly collect personal data from anyone under the age of 13 (or 16 in the European Economic Area and United Kingdom).
To provide, operate, and maintain the Service, including account creation, authentication, and displaying the tracked-product dashboard you configure.
To deliver price-drop alerts, availability alerts, and other notifications you explicitly opt into, by email, push, and/or Telegram.
To detect, prevent, and respond to fraud, abuse, scraping, bot traffic, security incidents, and violations of our Terms of Use.
To measure product performance, debug issues, and improve the Service, features, and user experience.
To comply with legal obligations, respond to lawful requests from public authorities, and enforce our Terms of Use.
We may use aggregated and anonymized data derived from usage logs for analytics, benchmarking, research, and product development without further consent, provided the result cannot reasonably be used to re-identify you.
Consent: where you have explicitly opted in, for example when subscribing to email price-drop alerts. You can withdraw consent at any time.
Performance of a contract: to provide the Service you requested when you create an account or configure trackers (Article 6(1)(b) GDPR).
Legitimate interests: to secure the Service, prevent fraud and abuse, measure product usage, and improve features (Article 6(1)(f) GDPR). Where we rely on legitimate interests, we have balanced them against your rights and freedoms.
Legal obligation: to comply with applicable laws, court orders, and lawful regulatory requests (Article 6(1)(c) GDPR).
AliExpress / Alibaba: we send product identifiers and URLs to AliExpress APIs and receive product information (title, price, images, availability, affiliate promotion links). When you click an affiliate link, your interaction is handled by AliExpress under its own privacy policy.
Email provider (Resend): we share your email address and message content so price-drop alerts and transactional emails can be delivered.
Hosting and database provider (Supabase / cloud hosting): stores your account data, tracker configuration, and logs on our behalf under contractual data-processing obligations.
Analytics: we use Google Analytics to understand how visitors use the Service in aggregate. Aggregated and anonymized usage data may be processed for benchmarking and product improvement.
Error monitoring (if enabled): we may use an error-monitoring tool (for example Sentry) to capture crashes and diagnostic stack traces. Personally identifying fields are stripped or hashed before transmission where feasible.
Law-enforcement and regulators: we may disclose data where legally compelled to do so, such as in response to a valid subpoena, court order, or equivalent legal process.
We do NOT sell your personal data to third parties for advertising, and we do not share it with data brokers. "Sell" and "share" are interpreted in the sense used by the California Consumer Privacy Act (CCPA/CPRA).
Essential cookies: required to maintain your session and authentication (JWT stored in httpOnly cookies), to remember security tokens, and to protect against cross-site request forgery. These cannot be disabled without breaking the Service.
Preference cookies: remember your chosen locale, currency, theme (light/dark), and UI preferences. These can be cleared from your browser at any time.
Analytics cookies: set by Google Analytics to measure aggregated traffic. You can clear or block these cookies at any time through your browser settings.
You can review and clear cookies at any time directly from your browser.
Account data: retained for as long as your account is active. After you delete your account, we remove your account data from primary storage, with up to 30 additional days during which residual copies may remain in encrypted backups before they are overwritten.
Tracking data: deleted together with your account. You can also delete individual tracked products at any time from the dashboard.
Logs and technical data: retained for up to 90 days for security, fraud-prevention, and debugging purposes, then deleted or irreversibly aggregated.
We may retain certain data for a longer period where required by applicable law, to resolve disputes, or to enforce our agreements.
Right of access: you can request a copy of the personal data we hold about you.
Right to rectification: you can request that we correct inaccurate or incomplete data.
Right to erasure ("right to be forgotten"): you can request that we delete your personal data, subject to exceptions in applicable law.
Right to data portability: you can request a machine-readable export of the personal data you provided.
Right to object / restrict processing: you can object to processing based on legitimate interests, or ask us to restrict processing in certain circumstances.
Right to withdraw consent: where processing is based on consent, you can withdraw it at any time without affecting prior lawful processing.
California residents (CCPA/CPRA): you additionally have the right to know what personal information we collect, the right to opt out of sale or sharing (we do not sell), and the right to non-discrimination for exercising your rights.
Saudi residents (PDPL): you have equivalent rights to access, correct, delete, and object, exercised through the same contact channel below.
To exercise any right, email support@pricafy.com. We will respond within 30 days, or such other period required by applicable law. We may need to verify your identity before acting.
Our servers, hosting providers, and sub-processors may be located in jurisdictions other than your own, including the United States and the European Union. Your data may therefore be transferred to, stored in, and processed in countries with different data-protection standards than your home country.
When we transfer personal data outside the European Economic Area, the United Kingdom, or other jurisdictions with comparable rules, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or other mechanisms permitted by applicable law.
By using the Service, you acknowledge that such transfers are a necessary part of delivering a global online service.
We apply reasonable technical and organizational measures to protect personal data, including hashed passwords, HTTPS/TLS in transit, restricted administrative access, and logical separation of environments.
Access to production data is limited to personnel who need it to operate the Service and is subject to authentication and audit logging.
Despite these measures, NO METHOD OF TRANSMISSION OVER THE INTERNET OR METHOD OF ELECTRONIC STORAGE IS 100% SECURE. We cannot guarantee absolute security, and you use the Service at your own risk.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you by email and/or in-app notice within the timeframe required by applicable law (for example, without undue delay and, where feasible, within 72 hours under GDPR Article 33).
We will also notify the competent supervisory authority where required by law.
The fact that we provide a breach notification does not constitute an admission of liability or of fault on our part.
The Service is not directed at children. We do not knowingly collect personal data from anyone under the age of 13, or under 16 in the European Economic Area and the United Kingdom.
If we become aware that we have collected personal data from a child without verifiable parental consent, we will delete that data as soon as reasonably possible.
If you believe a child has provided us personal data, please contact us at support@pricafy.com.
All AliExpress product links on the Service are affiliate links. Click tracking, attribution, and commission measurement are performed by the AliExpress affiliate program, not by us.
We receive only aggregate commission and conversion data from AliExpress. We do not receive personally identifying information about which individual user purchased which product.
Your interaction with AliExpress after you leave our Service is subject to AliExpress's own privacy policy and cookies.
We do not engage in automated decision-making that produces legal effects or similarly significant effects concerning you within the meaning of Article 22 of the GDPR.
We may use automated rules to flag suspected abuse, fraud, bot traffic, or scraping, but no single automated decision results in legal or similarly significant consequences without human review.
The Service contains links to third-party websites, including AliExpress product pages, external articles, and other sources. We are not responsible for the content, privacy practices, or cookies of any third-party website.
When you follow a link away from the Service, this Privacy Policy no longer applies, and the privacy practices of the destination website govern your interaction with it.
We encourage you to read the privacy policy of any third-party website you visit.
We may modify, amend, or replace this Privacy Policy at any time, in whole or in part, at our sole discretion.
For material changes, we will provide reasonable notice by email to registered users and/or via a prominent banner on the Service. Non-material changes will be reflected only by updating the "Last updated" date at the top of this page.
Your continued use of the Service after the effective date of a revised Privacy Policy constitutes your acceptance of the revised policy. If you do not agree to a revised policy, you must stop using the Service and may delete your account.
This Privacy Policy is supplemented by our Terms of Use, which contain the limitation-of-liability, warranty-disclaimer, and indemnification provisions that apply to the Service as a whole. See our Terms of Use for further provisions.
Except as expressly stated in this Privacy Policy, nothing in this policy creates any independent obligation, warranty, or duty beyond those already set out in the Terms of Use and in applicable mandatory law.
This Privacy Policy, and any dispute arising out of or relating to it or to our processing of your personal data, shall be governed by the laws of [JURISDICTION — TODO: operator to confirm], without regard to conflict-of-laws principles, and subject to any mandatory protections under your local data-protection law.
Disputes shall be brought in the competent courts of [JURISDICTION — TODO: operator to confirm], consistent with the Governing Law clause of our Terms of Use.
For all privacy-related questions, rights requests, or complaints, please email support@pricafy.com.
Please include enough information for us to verify your identity and locate the data you are asking about. We will respond within 30 days, or within such shorter period as required by applicable law.
Users in the European Economic Area have the right to lodge a complaint with their local data-protection authority. A list of national supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
California residents may contact the Office of the California Attorney General or the California Privacy Protection Agency.
Users in Saudi Arabia may contact the Saudi Data and Artificial Intelligence Authority (SDAIA) or the relevant competent authority designated under the PDPL.
We ask that you contact us first at support@pricafy.com so we can try to resolve your concern directly before you escalate to an authority.