1. Introduction
This Privacy Policy describes how High Focus Professional LLC ("we," "us," or "our") collects, uses, stores, and shares information when you use our website and services (the "Service"), including the platform available at sourcing.highfocusofficial.com.
By using the Service, you agree to the collection and use of information as described in this Policy. If you do not agree, please discontinue use of the Service.
2. Information We Collect
We collect information you provide directly, data generated by your use of the Service, and limited data from third-party services you authorize.
Account information
- Email address and display name (required to create an account).
- Password (stored as a one-way bcrypt hash — we cannot recover your plaintext password).
- Profile photo, if you choose to upload one.
- Passkey / WebAuthn credential data, if you register a biometric or hardware key.
Amazon seller account data (only if you connect your Amazon account)
- Amazon Seller ID and store name, retrieved via the Amazon Selling Partner API ("SP-API") after you authorize the connection.
- An SP-API OAuth refresh token, stored in AES-GCM encrypted form. This token allows the Service to query Amazon's APIs on your behalf. It is never transmitted to third parties and is deleted when you disconnect your Amazon account.
- Product, pricing, fee, and restriction data retrieved from Amazon APIs in response to your in-app requests. This data is processed in real time and may be cached briefly to reduce API load.
Usage and activity data
- Records of features you use (product analyses, catalog searches, keyword searches, offer lookups) aggregated as monthly usage counts. This data is used to enforce plan quotas and to improve the Service.
- Wholesale prices and product identifiers (ASINs, UPCs) that you submit for analysis. This data is processed to return results and is not retained beyond the session cache.
Payment and billing data
- Stripe customer ID and subscription status. All payment card details are collected and stored directly by Stripe, Inc. — we never see or store your card number, CVV, or full billing address.
- Subscription plan tier, billing period, and trial end date.
- Records of promo code redemptions.
Technical and log data
- Server logs may include IP addresses, request timestamps, HTTP method and path, and error details. These are retained for security and debugging purposes.
- Browser-side data stored in localStorage (saved product lists, appearance preferences) remains on your device and is not transmitted to our servers.
3. How We Use Your Information
- Provide the Service: authenticate your account, process your requests, return product analysis results, and display your preferences.
- Billing and subscriptions: create and manage your Stripe subscription, enforce usage quotas, and process payments.
- Security and abuse prevention: detect and prevent fraud, unauthorized access, and violations of these Terms.
- Service communications: send transactional emails (password resets, account notices). We do not send marketing emails without your opt-in consent.
- Rate limiting: enforce per-user and per-endpoint request limits to protect service stability.
- Service improvement: analyze aggregate, anonymized usage patterns to improve features and performance.
- Legal obligations: comply with applicable laws, respond to lawful requests from authorities, and enforce our Terms.
4. Third-Party Service Providers
We share data with the following third-party providers solely to operate the Service. Each provider has its own privacy policy and data processing terms.
- Amazon (SP-API / PA-API): When you connect your Amazon seller account, we submit API requests to Amazon using your OAuth token. Amazon's Privacy Notice governs how Amazon processes data on its end.
- Stripe, Inc.: Processes all payment card transactions. Stripe receives your email address and payment information. See Stripe's Privacy Policy at stripe.com/privacy.
- Resend: Delivers transactional emails (password reset links, account notices). Resend receives your email address for delivery purposes.
- Upstash: Provides serverless Redis used for per-user rate limiting. Upstash may process hashed user identifiers and request metadata.
- Railway: Hosts the Service's application and database infrastructure. Railway operates the servers on which your account data is stored.
- OpenAI (optional): If AI-powered features are enabled, product analysis data may be submitted to OpenAI's API to generate insight text. Data submitted to OpenAI is governed by OpenAI's usage and privacy policies. No personally identifiable account information is sent to OpenAI.
We do not sell, rent, or trade your personal information to any third party for marketing or advertising purposes.
5. Data Retention
- Account data is retained for as long as your account exists. If you delete your account, we will delete or anonymize your personal data within a reasonable period, except where retention is required by law (e.g., tax records, fraud prevention).
- Usage records are retained for up to 13 months to support billing disputes and quota management.
- API response cache entries expire automatically (typically within 24 hours) and are not linked to identifiable individuals.
- Logs are retained for up to 90 days for security and debugging purposes.
- Amazon OAuth tokens are deleted immediately when you disconnect your Amazon account from Settings.
6. Security
We implement technical and organizational measures appropriate to the sensitivity of your data, including:
- AES-GCM encryption for stored Amazon SP-API OAuth tokens.
- bcrypt hashing (cost factor 12) for all stored passwords.
- HTTPS (TLS) for all data in transit.
- HMAC-signed state parameters to prevent OAuth CSRF attacks.
- Per-user rate limiting to prevent brute-force and abuse.
No security measure is perfect or impenetrable. In the event of a security breach affecting your personal data, we will notify affected users as required by applicable law.
7. Your Rights and Choices
Depending on your jurisdiction, you may have the following rights regarding your personal data. Contact us to exercise any of these rights; we will respond within the timeframes required by law.
- Access: request a copy of the personal data we hold about you.
- Correction: update inaccurate or incomplete information (email, name, and profile image can be updated directly in Settings).
- Deletion: request deletion of your account and associated personal data, subject to legal retention obligations.
- Objection / restriction: object to or request restriction of certain processing activities where permitted by law.
- Portability: request your data in a machine-readable format where technically feasible and legally required.
- Withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
You can disconnect your Amazon account at any time from Settings → Amazon Account, which immediately revokes and deletes the stored OAuth token.
8. Cookies and Local Storage
The Service uses the following browser storage mechanisms:
- Session cookies: set by NextAuth to maintain your authenticated session. These are httpOnly and secure, and expire when you sign out.
- Preference cookies: store your UI theme and appearance preferences across sessions. No personal information is stored in these cookies.
- localStorage: used by the browser to store saved product lists and appearance preferences. This data stays on your device and is not transmitted to our servers.
We do not use advertising cookies, third-party tracking cookies, or analytics pixels.
9. Children's Privacy
The Service is intended for business use by adults. We do not knowingly collect personal data from anyone under the age of 18 (or the applicable age of majority in your jurisdiction). If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.
10. International Data Transfers
The Service is hosted in the United States. If you access the Service from outside the United States, your data may be transferred to, stored in, and processed in the United States or other countries where our service providers operate. By using the Service, you consent to such transfers.
Where required by applicable law (such as the GDPR for users in the European Economic Area), we rely on appropriate legal mechanisms, such as Standard Contractual Clauses, to legitimize international data transfers.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will post the revised Policy with a new "Last updated" date. Where required by law, we will provide additional notice. Your continued use of the Service after changes take effect constitutes acceptance of the revised Policy.
12. Contact Us
For privacy inquiries, data subject requests, or questions about this Policy, please contact us at info@highfocusofficial.com.
We aim to respond to all privacy-related requests within 30 days.