Privacy Policy
Last updated: 3 May 2026
1. Introduction
Craftlytics (the "Service") is operated by Michael Melanson ("we", "us", or "our"). We are committed to protecting your privacy and handling your personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA), the General Data Protection Regulation (GDPR) for users in the European Economic Area (EEA), and applicable provincial and international privacy legislation.
This Privacy Policy explains what personal information we collect, how we use it, the legal bases for processing, and your rights regarding your data.
2. Information we collect
Account information
When you create an account, we collect:
- Your name
- Your email address
- Your password (stored in hashed form)
Store and sales data
When you connect a third-party marketplace account (such as Ravelry), we import and store data related to your craft business, including:
- Sales transactions and order details
- Product listings and metadata
- Customer information associated with your sales (names, order history)
- Revenue and pricing data
This data is provided to us through the marketplace's API with your authorisation. We only access data that you explicitly grant us permission to retrieve.
Usage and log data
We automatically collect certain technical information when you use the Service, including:
- IP address
- Browser type and version
- Pages visited and features used
- Date and time of access
- User interactions (clicks, navigation) via session replay for error diagnosis
3. Legal basis for processing
We process your personal information under the following legal bases:
Under PIPEDA (Canada)
We collect, use, and disclose your personal information only with your knowledge and consent. By creating an account and using the Service, you consent to the collection and use of your information as described in this Privacy Policy. You may withdraw your consent at any time by deleting your account.
Under GDPR (EEA users)
We rely on the following legal bases under Article 6 of the GDPR:
| Processing activity | Legal basis |
|---|---|
| Providing the Service (account management, data sync, analytics) | Performance of a contract (Art. 6(1)(b)) |
| Processing payments and managing subscriptions | Performance of a contract (Art. 6(1)(b)) |
| Sending transactional emails (password resets, subscription updates) | Performance of a contract (Art. 6(1)(b)) |
| Error tracking and service reliability monitoring | Legitimate interest (Art. 6(1)(f)) — maintaining service quality |
| Fraud detection and abuse prevention | Legitimate interest (Art. 6(1)(f)) — protecting the Service and users |
| Producing aggregate, non-identifying statistics and benchmarks | Legitimate interest (Art. 6(1)(f)) — improving the Service and publishing industry insights |
| Responding to legal requests or obligations | Legal obligation (Art. 6(1)(c)) |
Where we rely on legitimate interest, we have assessed that our interests do not override your fundamental rights and freedoms. You may object to processing based on legitimate interest at any time (see Your Rights below).
4. How we use your information
We use your personal information to:
- Provide, operate, and maintain the Service
- Generate analytics, reports, and insights about your craft business
- Send transactional emails (account verification, password resets, subscription updates)
- Respond to your requests and provide customer support
- Monitor and improve the Service's performance and reliability
- Detect and prevent fraud or abuse
We do not use your personal information for advertising purposes. We do not sell, rent, or trade your personal information to third parties.
Aggregate data
We may use your data in aggregate, non-identifying form to:
- Provide in-app benchmarks and anonymised comparisons (e.g., average order values, category trends)
- Publish aggregate insights about craft business trends (e.g., blog posts, industry reports)
Aggregate data is combined across many users and stripped of any information that could identify you or your business. No individual user, store, or transaction is identifiable from aggregate statistics.
5. Third-party service providers
We use the following third-party services to operate Craftlytics. Each provider only receives the minimum information necessary to perform its function:
| Provider | Purpose | Data shared |
|---|---|---|
| Ravelry | Marketplace API integration | OAuth tokens; store data is read from Ravelry |
| Stripe | Payment processing | Email address, subscription details |
| PayPal | Payment processing | Email address, subscription details |
| Postmark | Transactional email | Email address, email content |
| Sentry | Error tracking, monitoring, and session replay | IP address, browser info, error context, user interactions (clicks, navigation) |
| Fly.io | Application hosting and storage | All application data (stored in Canada) |
| Cloudflare | CDN and DNS | IP address, request metadata |
6. Data storage and security
Your data is stored on servers located in Canada, hosted by Fly.io. We implement appropriate technical and organisational measures to protect your personal information, including:
- Encryption in transit (TLS/HTTPS)
- Encryption at rest for sensitive data
- Hashed password storage using industry-standard algorithms
- Regular security updates and monitoring
While we take reasonable steps to protect your data, no method of transmission or storage is completely secure. We cannot guarantee absolute security.
7. Cross-border data transfers
Your primary data is stored in Canada. The European Commission has recognised Canada as providing an adequate level of data protection under GDPR Article 45, meaning transfers of personal data from the EEA to Canada are permitted without additional safeguards.
However, some of our third-party service providers may process data outside of Canada:
- Stripe and PayPal process payment information in the United States
- Sentry may process error data in the United States
- Cloudflare may route requests through servers in various countries as part of its CDN
Where your information is transferred to the United States, our service providers participate in the EU-US Data Privacy Framework or rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure your data remains protected.
8. Data retention and deletion
We retain your personal information only for as long as your account is active and as needed to provide the Service.
When you delete your account, all your personal information, store data, and analytics are permanently deleted immediately. We do not retain copies of your data after deletion, except where required by law (for example, in response to a legal proceeding or regulatory inquiry).
9. Your rights
Depending on your location, you have the following rights regarding your personal information:
All users (PIPEDA)
- Access — request a copy of your personal information held by us
- Correction — request correction of any inaccurate or incomplete personal information
- Deletion — delete your account and all associated data
- Withdraw consent — withdraw your consent for data collection and use at any time
EEA users (GDPR)
If you are located in the European Economic Area, you additionally have the right to:
- Data portability — receive your personal data in a structured, commonly used, machine-readable format
- Restrict processing — request that we limit how we use your data while a concern is being resolved
- Object to processing — object to processing based on legitimate interest at any time
- Lodge a complaint — file a complaint with your local data protection supervisory authority
How to exercise your rights
To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days (as required by PIPEDA) or within one month (as required by the GDPR).
You may also file a complaint with the Office of the Privacy Commissioner of Canada or, if you are in the EEA, with your local data protection authority.
10. Cookies and similar technologies
The Service uses cookies that are strictly necessary for its operation:
- Session cookies — to keep you signed in and maintain your session
- Security cookies — to protect against cross-site request forgery and other attacks
We do not use tracking cookies, advertising cookies, or third-party analytics cookies. We do not track you across other websites.
11. Children's privacy
The Service is not directed at individuals under the age of 18. We do not knowingly collect personal information from minors. If we become aware that we have collected personal information from a minor, we will take steps to delete it promptly.
12. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Service. Your continued use of the Service after changes take effect constitutes your acceptance of the updated Privacy Policy.
13. Contact
If you have questions or concerns about this Privacy Policy or our privacy practices, please contact our privacy officer:
Michael Melanson
Email: [email protected]