Privacy Policy

Last Updated: February 6, 2026

Qualitas Imports ehf, reg. no. 600460-0140, Reykjavik, Iceland ("Company", "we", "us", or "our") operates ImportKit (https://importkit.app). This Privacy Policy explains how we collect, use, and protect your information when you use our Service.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Email address
  • Name (optional)
  • Company name (optional)

1.2 Usage Data

We automatically collect:

  • Log data (IP address, browser type, pages visited)
  • Usage statistics (imports performed, rows processed, relay outcomes)
  • Device information

1.3 Import Data

When you or your users import data through ImportKit:

  • Data is processed in real time for validation and mapping
  • Import data is NOT permanently stored on our servers
  • Only metadata (row counts, field names, success/failure counts) is retained for analytics
  • When API Destinations are configured, import data is relayed to your specified endpoints and is not retained by us after delivery

1.4 API Destination Credentials

If you use the API Destinations feature (Pro plan):

  • Authentication credentials (API tokens, usernames/passwords, custom headers) are stored encrypted using AES-256-GCM
  • Credentials are only decrypted at the moment of relay and are never logged or exposed
  • Destination URLs and configuration are stored until you delete them

1.5 Payment Information

Payment processing is handled by Lemon Squeezy. We do not store credit card numbers or bank details. We receive:

  • Transaction confirmations
  • Subscription status
  • Billing email address

2. Lawful Basis for Processing

Under the General Data Protection Regulation (GDPR), we process your personal data on the following legal bases:

  • Contract performance — Processing necessary to provide the Service you signed up for (Article 6(1)(b))
  • Legitimate interests — Usage analytics, security monitoring, and service improvement (Article 6(1)(f))
  • Legal obligations — Tax and billing record retention as required by Icelandic law (Article 6(1)(c))
  • Consent — Where we use analytics cookies beyond essential service functions (Article 6(1)(a))

3. How We Use Your Information

We use collected information to:

  • Provide and maintain the Service
  • Process transactions and send billing information
  • Send service-related communications (never marketing without consent)
  • Monitor and analyze usage to improve the Service
  • Detect and prevent fraud or abuse
  • Comply with legal obligations

4. Data Sharing

We do NOT sell your personal information. We may share data with:

4.1 Service Providers

  • Supabase (EU) — Database and authentication
  • Vercel (US/EU) — Hosting and infrastructure
  • Lemon Squeezy (US) — Payment processing
  • OpenAI (US) — AI-powered field detection (anonymized column names only, never row data)
  • Sentry (US) — Error monitoring (no personal data)

4.2 Your API Destinations

When you configure API destinations, we relay your users' import data to those endpoints. This is done at your instruction and under your responsibility as the data controller.

4.3 Legal Requirements

We may disclose information if required by law or to:

  • Comply with legal process
  • Protect our rights or property
  • Ensure user safety

5. Data Security

We implement appropriate security measures including:

  • Encryption in transit (TLS/HTTPS for all connections)
  • Encryption at rest for stored data, including AES-256-GCM for API credentials
  • Row-Level Security (RLS) policies ensuring users can only access their own data
  • SSRF protection preventing relay to internal networks
  • Regular security assessments
  • Access controls and authentication
  • Audit logging of sensitive operations

6. Data Retention

Data Type                                   Retention Period
Account information                         Until account deletion + 30 days
Usage analytics                             24 months
Import data                                 Not stored (processed in real time)
Templates, destinations & configurations    Until deleted by user
API destination credentials                 Until destination deleted (stored encrypted)
Audit logs                                  12 months
Billing records                             As required by law (typically 7 years)

7. Your Rights

Under the GDPR and applicable data protection laws, you have the right to:

  • Access — Request a copy of your personal data
  • Correction — Request correction of inaccurate data
  • Deletion — Request deletion of your data ("right to be forgotten")
  • Portability — Receive your data in a machine-readable format
  • Objection — Object to processing based on legitimate interests
  • Restriction — Request restriction of processing in certain circumstances
  • Withdraw consent — Where processing is based on consent, withdraw at any time

To exercise these rights, contact us at info@importkit.app. We will respond within 30 days.

8. Cookies

We use cookies for:

  • Essential cookies — Required for authentication and core Service functionality. These cannot be disabled.
  • Analytics cookies — To understand how you use the Service and improve it. We use privacy-friendly analytics (Umami) that do not track individuals across sites.

You can control non-essential cookies through your browser settings.

9. International Transfers

Your data may be transferred to and processed in countries outside your country of residence, including the United States. Where data is transferred outside the EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.

10. Children's Privacy

ImportKit is a business-to-business service not intended for children under 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 16, we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes at least 30 days in advance via email or through the Service. The "Last Updated" date at the top of this page indicates when this policy was last revised.

12. Contact Us

For questions about this Privacy Policy or to exercise your data rights:

Qualitas Imports ehf

Reg. no. 600460-0140

Reykjavik, Iceland

Email: info@importkit.app

Website: https://importkit.app

13. Supervisory Authority

If you are in the European Economic Area and believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local data protection authority. In Iceland, this is:

Persónuvernd (The Icelandic Data Protection Authority)

Rauðarárstígur 10, 105 Reykjavik

Website: www.personuvernd.is