1. Data Controller
The data controller is FAVTECH, publisher of the SKUFO service. Full contact details are available in the legal notice.
Data protection contact: privacy@skufo.io.
2. Data Collected
We process the following categories of data:
- Account data: first name, last name, email address, company, encrypted password or magic link for authentication.
- Billing data: company name, address, VAT number, billing history. Banking details are never stored on our servers and are processed by our payment provider.
- Usage data: technical logs, IP address, user agent, connection timestamps, actions performed in the application.
- Business data: imported product catalogs, import mappings, connections to Shopify stores (OAuth tokens encrypted at rest).
- Technical cookies required for the service to operate (session, CSRF, preferences).
SKUFO is not intended to collect special categories of data within the meaning of article 9 of the GDPR (health data, opinions, etc.). Please do not upload such data to the service.
3. Purposes and Legal Bases
| Purpose | Legal basis |
|---|---|
| Providing and operating the service | Contract performance (art. 6-1-b GDPR) |
| Billing and accounting | Legal obligation (art. 6-1-c GDPR) |
| Security, fraud and abuse prevention | Legitimate interest (art. 6-1-f GDPR) |
| Customer support and service-related communication | Contract performance |
| Product improvement and aggregated statistics | Legitimate interest |
| Marketing communications | Consent (art. 6-1-a GDPR), revocable at any time |
4. Retention Period
- Account data: throughout the subscription, then up to 12 months after termination for evidentiary purposes.
- Billing data: 10 years in accordance with the French Commercial Code.
- Technical and security logs: 12 months maximum.
- Business data (imports, mappings, connections): deleted on request or within 90 days after account termination.
5. Recipients and Subprocessors
Data is never sold. It is only shared with providers strictly necessary to provide the service, contractually bound (DPA signed in accordance with article 28 GDPR):
- Scaleway SAS (France, EU) — application and database hosting.
- Stripe Payments Europe (Ireland, EU) — payment processing and billing.
- Resend / Postmark (or equivalent) — sending transactional emails (magic links, notifications).
- Shopify — only the data needed to synchronize catalogs via the Admin API.
- AI model providers (OpenAI, Anthropic, Mistral or equivalents) — only when the user enables an AI feature, with provider retention set to zero when possible.
6. Transfers Outside the European Union
The main infrastructure is located within the European Union. Some subprocessors (notably AI providers) may be located in the United States. These transfers are governed by the European Commission's Standard Contractual Clauses and, where applicable, by additional security measures (encryption in transit and at rest).
7. Security
- TLS encryption for all exchanges.
- AES-256-GCM encryption of sensitive tokens (including Shopify access tokens) before storage.
- Restricted data access, logged and subject to multi-factor authentication.
- Encrypted backups, regularly tested.
- Documented security incident management process.
8. Your Rights
In accordance with articles 15 to 22 of the GDPR, you have the following rights over your data:
- Right of access and information
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object, particularly to marketing solicitations
- Right to withdraw consent at any time
- Right to define directives on the fate of your data after your death
You can exercise these rights by writing to privacy@skufo.io. A response will be provided within a maximum of one month. You also have the right to lodge a complaint with the CNIL (www.cnil.fr).
9. Shopify Compliance
When SKUFO is installed on a Shopify store, we implement the mandatory compliance webhooks:
- customers/data_request — relays an end customer's data access request to the merchant.
- customers/redact — deletes any data retained on an end customer of a store.
- shop/redact — deletes all data from a store 48 hours after uninstallation.
10. Cookies
SKUFO only uses technical cookies strictly necessary for the service to operate (session, CSRF security). No advertising or third-party tracking cookie is set without prior consent. Any audience measurement tools are configured so that they fall under the consent exemption defined in CNIL recommendations.
11. Changes
This policy may be updated to reflect changes to the service or regulation. The current version is always the one published at this address, with the update date indicated above. In the event of a substantial change, users will be notified by email or through the application.