Privacy Policy — Feedrou

Last updated: June 9, 2026

Effective date: June 9, 2026


1. The short version

  • Who runs Feedrou: Peter Atef Gerges Hanna, an individual based in Latvia, operating the Feedrou service.
  • What Feedrou does: Feedrou is a product feed management platform. We connect to your e-commerce store, transform your product catalog, and deliver it to advertising channels like Google Merchant Center, Meta Catalog, and others.
  • What we collect about you: account details, billing details, the integration credentials you give us, technical logs, and the product data from the stores you connect.
  • What we don't sell: we do not sell your personal data and we do not sell your customers' product data.
  • You're in control: you can access, export, or delete your account and data at any time.
  • Questions: contact us at [email protected].

2. Who we are

Feedrou ("Feedrou", "we", "our", "us") is operated as a sole-proprietor service by:

Peter Atef Gerges Hanna
Krišjāņa Valdemāra iela 61, LV-1010, Rīga, Latvia

Contact for privacy matters: [email protected]

For users in the EU/EEA/UK, references to "GDPR" mean Regulation (EU) 2016/679 and, where applicable, the UK GDPR. Because the operator is established in Latvia, no separate EU representative under Article 27 GDPR is required.

3. Scope of this policy

This policy explains how we handle personal data in connection with:

  • The Feedrou website at feedrou.com.
  • The Feedrou web application (the "Service") accessed at feedrou.com and its subdomains (e.g. app.feedrou.com).
  • Email and other communications with us.

This policy covers two different roles we play under data protection law:

  • Controller for personal data about you — the person who signs up and uses Feedrou (your name, email, account settings, billing, support correspondence, technical logs about your use of the Service).
  • Processor for personal data that may be contained in the product catalogs and shop data you push through the Service. That data belongs to your business and, ultimately, to your end customers; we process it on your instructions to perform the Service. A Data Processing Agreement (DPA) is available on request at [email protected] and governs that relationship.

4. What data we collect

4.1 Account data (you give it to us)

When you create a Feedrou account, we collect:

  • Your name and email address.
  • A hashed password (if you sign up with email + password) or your authentication provider identifier (if you sign in via Google or another OAuth provider).
  • Your project / organization name and team membership.
  • Optional profile details you choose to add (e.g. preferred timezone).

4.2 Billing data (you give it to us via our payment processor)

When you subscribe to a paid plan, our payment processor (Polar, acting as our Merchant of Record) collects the data necessary to process payment, including your billing name, billing address, tax identifiers, and payment method details. Feedrou itself does not store full card numbers. Polar may share with us:

  • Your subscription status (active / canceled / past due).
  • The subscription tier and billing period.
  • Invoice metadata (amount, currency, date, invoice ID).
  • Tax / VAT information needed for our own bookkeeping and compliance.

Polar's privacy policy is at https://polar.sh/legal/privacy.

4.3 Integration credentials (you give them to us)

To pull product data from your store and push feeds to advertising channels, you give us credentials such as:

  • API tokens or admin tokens for Shopify, Magento, WooCommerce, OpenCart, BigCommerce and similar e-commerce platforms.
  • API keys for search indices (e.g. Algolia).
  • OAuth refresh tokens for advertising channels (e.g. Google Merchant Center, Meta Commerce). These tokens are issued by the channel, not by us, after you authorize Feedrou through that channel's OAuth flow.

These credentials are stored encrypted at rest on our own infrastructure. OAuth tokens for advertising channels are stored by a self-hosted instance of Nango that we operate on the same EU infrastructure as the rest of the Service. We only use these credentials to perform the Service you asked us to perform.

4.4 Product and shop data (you direct us to process it)

To generate and deliver feeds, we read data from your connected stores. This data is about your products and your store — it generally does not contain personal data about your end customers. However, it may incidentally contain personal data if your product titles, descriptions, or vendor metadata include names, contact info, or other identifiers.

Examples of data we process from your store:

  • Product titles, descriptions, prices, images, identifiers (SKU, GTIN, MPN), variants, inventory levels, categories, tags, vendor / brand fields.
  • Store metadata: store name, URL, currencies, locales.

We act as a processor for this data. We use it solely to perform the Service — generating feeds, mapping categories, and delivering output to the destinations you configure.

4.5 Technical and usage data (we collect automatically)

When you use the Service, we automatically collect:

  • IP address, user agent, browser type, operating system.
  • Session identifiers and authentication cookies (see section 13).
  • Pages viewed, features used, and timestamps of those events.
  • API request logs, including timestamps and outcomes of feed generation runs.
  • Error reports and crash diagnostics (handled via Sentry — see section 7).

We do not currently use a separate product analytics tool. If we add one in the future, this policy will be updated and the new provider listed in section 7 before that processing begins.

4.6 Communications

If you contact us by email or support form, we keep a record of the correspondence and any files you attach so we can respond and improve the Service.

4.7 What we do not collect

  • We do not buy personal data from data brokers.
  • We do not knowingly collect data from children under 16.
  • We do not require sensitive categories of data (race, religion, health, etc.) and we ask you not to upload them via product fields or support tickets.

5. How we use your data

Purpose | Categories used
Create and operate your account | 4.1, 4.5
Process payments and manage subscriptions | 4.2
Connect to your stores and ad channels | 4.3, 4.4
Generate, store, and deliver feeds | 4.4, 4.5
Provide customer support | 4.1, 4.6
Detect, prevent, and investigate abuse, fraud, and security incidents | 4.1, 4.5
Comply with legal obligations (tax, accounting, lawful requests) | 4.1, 4.2
Send transactional emails (sign-in links, billing receipts, security alerts) | 4.1, 4.2
Send product updates and marketing (only with consent or as permitted by law) | 4.1
Improve and develop the Service (debugging, performance) | 4.5

6. Legal basis for processing (GDPR Art. 6)

For users in the EU/EEA/UK, we rely on the following legal bases:

  • Performance of a contract (Art. 6(1)(b)) — to provide the Service you signed up for, including processing your store data and delivering feeds.
  • Legitimate interests (Art. 6(1)(f)) — for service operation, security, fraud prevention, and direct communications with existing customers about features they already use. We balance these interests against your rights and you can object at any time (see section 11).
  • Consent (Art. 6(1)(a)) — for optional marketing emails and any non-essential cookies. You can withdraw consent at any time without affecting the lawfulness of prior processing.
  • Legal obligation (Art. 6(1)(c)) — for tax records, accounting, and responding to lawful requests from authorities.

When we process product data on your behalf as a processor, the legal basis for that processing is your (the customer's) instructions, and you remain responsible for having a legal basis to send that data to us. The terms are set out in our DPA.

7. Who we share data with

We share personal data only with the categories of recipients listed below, and only to the extent necessary for the purposes set out above.

7.1 Subprocessors and service providers

We use the following service providers to operate Feedrou. Each acts under a written data processing agreement and is bound to use data only for the purposes we instruct.

Provider | Role | Where data is processed
Hetzner Online GmbH | Application hosting, databases, file storage | Germany (EU)
Polar | Billing, Merchant of Record | United States (with SCCs in place)
Resend | Transactional emails | EU region
Sentry | Error and crash diagnostics | EU cloud region
Anthropic and/or OpenAI | AI-assisted attribute and taxonomy mapping (only sample product data sent at the user's request) | Anthropic: EU region where available, otherwise US with SCCs · OpenAI: United States with SCCs
Nango (self-hosted) | OAuth token storage and refresh for advertising channels. Runs on the same Hetzner infrastructure as the Service, not on Nango's cloud. | Germany (EU)

An up-to-date list of subprocessors is available on request at [email protected]. We will notify customers in advance of any new subprocessor, and you may object as described in our DPA.

7.2 Destinations you connect

When you wire a destination (Google Merchant Center, Meta, Bing, Pinterest, etc.), you authorize us to send your product feed to that destination. Those destinations then act as independent controllers of the data they receive, governed by their own policies. We are not responsible for how those destinations use the data once received.

7.3 Google API services and Limited Use

When you connect a Google service to Feedrou (Google sign-in or Google Merchant Center), we access Google user data only through Google's official APIs and only with the scopes you grant.

  • For Google sign-in: your name, email address, and Google account ID, used to create and authenticate your Feedrou account.
  • For Google Merchant Center: your Merchant Center account metadata and the data sources Feedrou creates on your behalf to deliver product feeds.

We use this information solely to provide the features you have explicitly enabled. We do not share Google user data with third parties for advertising, profiling, or any purpose unrelated to the Service. OAuth refresh tokens are stored encrypted by our self-hosted Nango instance on EU infrastructure (Hetzner, Germany) and are deleted within 30 days of you disconnecting the integration. You can revoke Feedrou's access at any time from your Google Account settings at https://myaccount.google.com/permissions or by disconnecting inside Feedrou.

Feedrou's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

7.4 Legal requirements

We may disclose personal data if required by law, court order, or other lawful request, or to protect our rights, property, or safety, or those of our users or the public.

7.5 Business transfers

If the Feedrou service is sold or transferred to another operator, we will notify you before personal data is transferred and becomes subject to a different privacy policy.

7.6 What we do not do

  • We do not sell your personal data.
  • We do not share your personal data for cross-context behavioral advertising.
  • We do not use your store's product data to train AI models for other customers or third parties.

8. International data transfers

Feedrou is operated from Latvia and hosted on EU infrastructure. The majority of processing happens inside the EU. Some subprocessors (notably Polar and, depending on region availability, the AI providers) are located in the United States. Where we transfer personal data outside the EU/EEA/UK, we rely on:

  • Adequacy decisions issued by the European Commission, where available.
  • Standard Contractual Clauses (SCCs) approved by the European Commission, combined with supplementary measures (encryption at rest and in transit, access controls, contractual restrictions).
  • Your explicit consent, in the limited cases where no other basis applies.

You can request a copy of the safeguards in place by emailing [email protected].

9. How long we keep data

Category | Retention
Account data | While your account is active, then up to 90 days after deletion in case of recovery, then deleted or anonymized.
Billing records (invoices, tax records) | 10 years from issue, as required by Latvian accounting and VAT law.
Integration credentials | Until you disconnect the integration, then deleted within 30 days. OAuth tokens are revoked at the channel where possible.
Product feeds and generation logs | While your account is active. Generation logs older than 90 days are summarized and the underlying records purged.
Support correspondence | 3 years from the last contact.
Security and audit logs | 12 months.
Encrypted backups | 30 days, then rotated out.

If you delete your account, all data tied to it is removed within 30 days, except where we are legally required to retain it (e.g. tax records) or need to retain it for legitimate purposes such as fraud prevention or to defend legal claims.

10. How we protect data

  • Encryption in transit via TLS for all communication with the Service.
  • Encryption at rest for production databases and file storage.
  • Integration credentials and OAuth tokens are encrypted with separate keys.
  • Access to production systems is restricted and protected by SSO and 2FA.
  • Background jobs and infrastructure are isolated per customer project.
  • Backups are encrypted and retained for 30 days.
  • Administrative access is logged and reviewed periodically.

No system is perfectly secure. If we become aware of a breach affecting your personal data, we will notify the relevant supervisory authority and, where required, you, within the timelines required by applicable law (within 72 hours under GDPR).

11. Your rights

Depending on where you live, you have some or all of the following rights:

  • Access — get a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure — ask us to delete your data ("right to be forgotten").
  • Restriction — ask us to limit how we use your data.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests, including any profiling.
  • Withdraw consent — for processing based on consent, at any time.
  • Complain to a supervisory authority — for users in the EU/EEA, this is the data protection authority in your country of residence. The supervisory authority for Feedrou is the Data State Inspectorate of Latvia (Datu valsts inspekcija), at https://www.dvi.gov.lv.

To exercise any of these rights, email [email protected]. We will respond within 30 days. We may need to verify your identity before acting on a request.

You can also delete your account from inside the Service at Account → Delete account, which initiates the deletion process described in section 9.

Users in California (CCPA / CPRA)

California residents have additional rights, including the right to know what personal information we have collected, the right to delete, the right to correct, and the right to opt out of the sale or sharing of personal information. As stated above, we do not sell personal information and we do not share it for cross-context behavioral advertising. To exercise these rights, email [email protected].

12. Automated decision-making and AI features

The Service includes AI-assisted features such as automatic attribute mapping and product category mapping. These features:

  • Process sample product data from your connected stores via Anthropic and/or OpenAI to generate mapping suggestions.
  • Produce suggestions, not final decisions — a human (you or your team) reviews and saves the result.
  • Do not result in legal or similarly significant automated decisions about any individual.

If we ever introduce a feature that does involve solely automated decision-making producing significant effects on individuals, we will tell you and explain your rights under Art. 22 GDPR.

Anthropic and OpenAI's API terms include commitments not to use data submitted via their APIs to train their models. We do not use your data to train AI models for other customers or third parties.

13. Cookies and similar technologies

We use a small number of cookies and similar technologies:

  • Strictly necessary cookies for sign-in, session continuity, and security (required — you cannot opt out and still use the Service).
  • Functional cookies that remember your preferences.

We do not currently use third-party analytics or advertising cookies. If we add a product analytics tool in the future, we will update this policy and, where required, present a cookie banner with consent options before that processing begins.

You can manage cookies via your browser settings.

14. Children

Feedrou is a B2B product not intended for individuals under 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please email [email protected] and we will delete it.

15. Changes to this policy

We may update this policy from time to time. When we do, we will update the "Last updated" date at the top, and for material changes we will notify you by email or via the Service before they take effect. Continued use of the Service after a change constitutes acceptance of the updated policy.

16. Contact us

For any question, request, or complaint about this policy or our handling of your data:

Peter Atef Gerges Hanna
Krišjāņa Valdemāra iela 61, LV-1010, Rīga, Latvia
Email: [email protected]