Privacy Policy

CycleForge is operated by CycleForge, a company based in the United States. CycleForgebegan as the internal operations system for our own resale business and is now offered as a commercial platform to other resellers. For questions about this policy or your data, contact us at privacy@cycleforge.com.

This policy applies to three groups of people whose information may flow through the Services:

• Customers — the resale businesses that subscribe to CycleForge, and their staff users who sign in to the platform.
• Visitors — people who browse our public marketing website.
• End buyers — the customers of our Customers, whose order information (for example, a shipping name and address) is imported from a connected marketplace so our Customer can fulfill an order. We handle this data on our Customer’s behalf as a processor — see Section 07.

Account & profile information

When a Customer creates an organization and staff accounts, we collect names, email addresses, role assignments, and authentication credentials (passwords are stored only as salted hashes; some staff sign in with a PIN). We also record basic profile and preference settings.

Billing information

Subscriptions are processed by Stripe. We receive billing contact details, plan and subscription status, and the last four digits and brand of a payment card. We do not receive or store full card numbers — those are handled directly by Stripe.

Operational data you create

As you use the platform you generate operational records: inventory items, serial numbers, condition grades, workflow and station configurations, scans, audit logs, and product photos (which are stored on storage you connect or that we provide). This is the day-to-day data that powers your dashboards and stations.

Data from connected accounts

When you connect a marketplace or tool, we import the data needed to run your operation. This is described in Sections 04 and 05.

Device & usage information

We collect standard log and device data (IP address, browser type, pages and features used, timestamps) to operate, secure, and improve the Services. On our marketing site we use privacy-respecting product analytics — see Section 13.

CycleForge only connects to a third-party service when you explicitly authorize it (for example, through that service’s OAuth consent screen) or when you provide credentials. You can disconnect any integration at any time. Depending on what you connect, we may import:

Amazon (SP-API)

Your own Amazon order and order-item data, and — for merchant-fulfilled orders only — the buyer’s ship-to name and address. Read-only. See Section 05.

eBay

Your eBay orders, line items, and buyer shipping details needed to fulfill those orders.

Ecwid / Square

Storefront orders and related fulfillment details.

Zoho

Purchase-order and item catalog data used for receiving.

Zendesk

Support-ticket references linked to warranty and return cases.

Shipping carriers

Tracking numbers and delivery status from carriers such as USPS, UPS, and FedEx.

Google Sheets

Spreadsheet data you choose to sync.

We request the minimum scope needed for each integration and use the imported data solely to provide the Services to you. We do not sell this data and we do not use it to build independent profiles of buyers.

This section describes our use of information obtained through the Amazon Selling Partner API (“Amazon Information”) and supplements the rest of this policy. Our use of Amazon Information complies with the Amazon Acceptable Use Policy and the Amazon Selling Partner API Data Protection Policy.

What we access

• Order & order-item data — order IDs, status, dates, SKUs, quantities, prices, and fulfillment channel, retrieved via the Orders API for your connected Amazon selling account.
• Buyer ship-to information (restricted / PII) — buyer name and shipping address, accessed only through a short-lived Amazon Restricted Data Token (RDT) and only for merchant-fulfilled (MFN) orders that you physically ship. For Amazon-fulfilled (FBA) orders we never request buyer personal information.

How we use it

Amazon Information is used for a single purpose: to let you view and fulfill your own Amazon orders inside your private CycleForge workspace — generating shipping labels, packing, and shipping the order. The Amazon integration is read-only; we do not modify your listings, pricing, or inventory on Amazon.

What we never do

• We never sell, rent, or share Amazon Information with any third party for their own use.
• We never use Amazon Information for advertising, marketing, or to contact buyers.
• We never combine Amazon Information across unrelated sellers; each Customer’s data is isolated to their own organization.

How we protect & retain it

Amazon Information is encrypted in transit (TLS 1.2+) and at rest. Connection credentials and tokens are stored in an encrypted vault using AES-256-GCM. Restricted Data Tokens are requested only at sync time and expire within 60 minutes; we do not cache them. We retain Amazon Information only as long as needed to provide the Services and to meet legal, tax, and accounting obligations, and we delete personally identifiable Amazon Information within 30 days of when it is no longer needed for those purposes — or sooner upon your request or when you disconnect your Amazon account. To request deletion, contact security@cycleforge.com.

We use the information described above to:

• Provide, operate, and maintain the Services and your workspace;
• Import, display, and synchronize your orders and operational records;
• Authenticate users and protect accounts and data;
• Process subscriptions, billing, and refunds;
• Provide customer support and respond to your requests;
• Monitor, debug, secure, and improve the Services;
• Comply with legal obligations and enforce our terms.

We do not sell personal information, and we do not use end-buyer personal information for our own marketing.

For account, billing, and marketing data about our Customers and website visitors, CycleForge acts as a data controller.

For operational data and connected-account data that a Customer brings into the platform — including end-buyer order information from Amazon, eBay, and other channels — CycleForgeacts as a data processor, handling that data on the Customer’s instructions and on their behalf. If you are an end buyer and want to access or delete your information, please contact the seller you purchased from; we will support that seller in responding to your request. Business Customers that require a Data Processing Addendum (DPA) may request one at privacy@cycleforge.com.

We do not sell personal information. We share information only with service providers (“sub-processors”) that help us run the Services, under contracts that require them to protect the data and use it only for us, and as required by law. Our principal sub-processors are:

Vercel

Application hosting and serverless compute.

Neon

Managed PostgreSQL database (encrypted at rest).

Stripe

Subscription billing and payment processing.

PostHog

Privacy-respecting product analytics (marketing site).

Marketplaces & tools

Amazon, eBay, Ecwid/Square, Zoho, Zendesk, Google, and shipping carriers — only for integrations you connect, and only to exchange the data needed for that integration.

We may also disclose information to comply with law, enforce our agreements, protect rights and safety, or in connection with a merger, acquisition, or sale of assets (with notice as required by law). An up-to-date list of sub-processors is available on request.

We retain information for as long as your account is active and as needed to provide the Services. After an account is closed, we delete or de-identify operational and connected-account data within a reasonable period (and, for personally identifiable marketplace data such as Amazon Information, within 30 days of when it is no longer needed), except where we are legally required to retain certain records (for example, billing and tax records). Disconnecting an integration deletes the stored credentials for that connection.

We use technical and organizational measures designed to protect information, including:

• Encryption in transit — all traffic to the Services and to marketplace APIs uses TLS 1.2 or higher.
• Encryption at rest — integration credentials and tokens are stored in an encrypted vault using AES-256-GCM with keys held as protected secrets, separate from source code. The underlying database is encrypted at rest by our database provider.
• Access control — role-based permissions gate sensitive actions, and each Customer’s data is isolated to their own organization.
• Least-data access — we request the minimum scopes per integration and fetch restricted personal data (such as buyer addresses) only when needed to fulfill an order.
• Auditing & monitoring — API calls and sensitive actions are logged for security and troubleshooting.

No method of transmission or storage is perfectly secure, but we work to protect your information and to continually improve our safeguards. If you believe your account or data has been compromised, contact security@cycleforge.com immediately.

Depending on where you live, you may have rights to access, correct, delete, or port your personal information, to object to or restrict certain processing, and to withdraw consent. To exercise these rights, contact privacy@cycleforge.com. We will respond as required by applicable law. We will not discriminate against you for exercising your rights. If you are in the EEA or UK and have an unresolved concern, you may contact your local data protection authority.

You can disconnect any integration at any time from your workspace settings, which removes the stored credentials for that connection. To delete your account and associated data, email privacy@cycleforge.com. We will delete or de-identify your data as described in Section 09, subject to legal retention requirements. End buyers should direct deletion requests to the seller they purchased from; we will assist that seller in fulfilling the request.

We operate in the United States, and our service providers may process information in the United States and other countries. Where required, we rely on appropriate safeguards (such as Standard Contractual Clauses) for cross-border transfers of personal information.

Our marketing website uses cookies and similar technologies for essential functionality, to remember preferences, and for privacy-respecting product analytics (we use PostHog to understand how visitors use the site and to run A/B experiments on our messaging). The application uses cookies that are strictly necessary to keep you signed in. You can control cookies through your browser settings; disabling some cookies may affect functionality.

The Services are intended for businesses and are not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact us and we will delete it.

We may update this policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, notify you. Your continued use of the Services after an update means you accept the revised policy.

If you have questions, requests, or complaints about this policy or your information, contact: