Skip to content

Legal

Privacy Policy

Last updated: 7 July 2026

This policy explains what data foliascore (“we”) collect when you use foliascore (foliascore.com), why we collect it, where it's stored, and what you can do about it. If anything here is unclear, email hello@foliascore.com.

Who we are

foliascore is a bookkeeping and inventory tool for Etsy sellers, operated by FOLIASCORE PTE. LTD. (UEN 202623136N), a Singapore private limited company.

For all data-protection matters, FOLIASCORE PTE. LTD. acts as the controller of your personal data, and hello@foliascore.com is the designated data-protection contact (our contact point for Singapore PDPA purposes). Email that address for any privacy question, data request, or complaint.

What we collect

  • Account details. Your email address. If you sign up with Google, we also receive your name and profile picture from Google so we can show them in the app.
  • Etsy OAuth tokens. Access tokens we use to fetch your shop's orders, listings, fees, refunds, and ad spend. They're encrypted at rest. foliascore only reads this data — it never writes anything back to your Etsy shop, and never changes your listings, prices, inventory quantities, or orders.
  • Your shop data. Orders, listings, fees, refunds, and ad spend that we pull from Etsy, plus any expenses, materials, or product costs you enter yourself.
  • Buyer data on your orders. Your Etsy orders include your buyers' names and ship-to addresses. See Etsy buyer data below for how that's handled.
  • Product analytics. Which features you use, in the app — see Product analytics below.
  • Support communication. If you email us, we keep your message so we can reply and follow up.

What we don't collect

  • No Google Analytics, no Meta/Facebook Pixel, no advertising trackers, no retargeting pixels.
  • No bank credentials — foliascore never asks for your bank login and never connects to your bank.
  • No Etsy username or password — we use Etsy's OAuth flow, so your Etsy password never touches our servers.
  • No third-party data brokers. We don't buy, sell, or rent personal data.
  • No payment card details (none are collected during beta — see Payments below).

Product analytics

We use PostHog (United States) inside the application to record which features get used — button clicks, page views — keyed to an internal user ID, not your email. PostHog is only loaded for visitors outside the EU/EEA and UK; if you're in those regions, PostHog is never initialised and no analytics cookie is set for you. We don't use analytics for advertising and we never sell this data.

The marketing site (foliascore.com) uses Plausible instead, which is cookieless and doesn't identify individual visitors.

Service providers we use

We rely on a small set of providers to run foliascore. They process your data on our behalf, under their own data-processing agreements:

  • Supabase (United States, AWS us-east-1) — our database and authentication — this is where your account and shop data are stored.
  • Vercel (United States) — hosts the marketing site and the application; standard server logs (IP, timestamp, requested URL) are retained for short periods for abuse prevention.
  • Etsy — the OAuth connection and shop-data sync.
  • Google — Sign in with Google, and Google Sheets export via the Sheets API (limited to files foliascore creates, scope drive.file). We only receive the data Google chooses to share at sign-in. foliascore's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy (developers.google.com/terms/api-services-user-data-policy), including the Limited Use requirements.
  • PostHog (United States) — product analytics inside the app.
  • Plausible — cookieless marketing-site analytics.
  • Sentry (United States) — error monitoring, so we can find and fix crashes.
  • Resend — transactional email (sign-in links, account notices).
  • Stripe — the payment processor that will handle subscription payments when paid plans launch. No payment data is collected during beta.
  • Upstash (United States, AWS us-east-1) — rate limiting and API-abuse protection. Processes short-lived rate-limit counters — internal shop IDs and request paths for signed-in routes, plus client IP addresses for our webhook limits — that expire after 60 seconds; no account or financial content.
  • Cloudflare — two things. Storage (R2) for our nightly encrypted database backups: each backup is encrypted before it leaves our infrastructure, so Cloudflare never sees its contents, and it's deleted after 14 days. And bot protection (Turnstile) on the sign-in, sign-up, and password-reset forms — it processes your IP address and browser signals to tell humans from bots, no account content.

We keep this list current and will give notice before adding a new provider.

Payments

foliascore is free during the beta and no payment data is collected. When paid plans launch, payments will be handled by Stripe. Your card details will go directly to Stripe — foliascore never stores or sees your full card number.

Etsy buyer data

When foliascore syncs your orders, it stores the buyer's name and ship-to address so you can fulfil and account for orders. It never contacts your buyers and never markets to them. For this buyer data, you (the seller) are the data controller and foliascore acts as your processor. If one of your buyers contacts us about their data, we route the request to you, since you control it. Business users who need a Data Processing Addendum can request one at hello@foliascore.com.

Cookies

The marketing site (foliascore.com) sets no cookies — we use Plausible for aggregate analytics there, which is cookieless and doesn't identify individual visitors. The application (app.foliascore.com) sets:

  • One essential session cookie (Supabase Auth) to keep you signed in. This is required for the app to work and isn't used for tracking.
  • One product-analytics identifier (PostHog), keyed to an internal user ID — not your email. This is not essential, and it is only set for visitors outside the EU/EEA and UK. If you're in the EU, EEA, or UK, PostHog is never loaded and no analytics cookie is set for you at all.

There are no advertising cookies, no retargeting pixels, no Meta/Facebook Pixel, and no Google Analytics.

To opt out of analytics: block or delete cookies in your browser settings, or send a Global Privacy Control / Do Not Track signal, which we honour where technically feasible. You can also email hello@foliascore.com and we'll disable analytics for your account. Blocking the essential session cookie will sign you out.

Where your data is stored, and international transfers

Your data is hosted in the United States (Supabase Postgres in AWS us-east-1). Our other service providers (Vercel, Sentry, PostHog, Resend, Stripe) are also US-based; Google's Drive/Sheets API is multi-region. If you're in the EU/EEA, the UK, or Singapore, this means your personal data is transferred to the United States.

For EU/EEA and UK users, we rely on each provider's Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable) as the safeguard for that transfer. For Singapore PDPA cross-border purposes, we rely on the comparable-protection commitments in each provider's data-processing agreement. We're completing the full inventory of those contractual annexes as part of our preparation for paid plans.

Legal basis for processing (EU/UK users)

  • To run the product (your account, shop sync, dashboards, inventory): performance of our contract with you (GDPR Art. 6(1)(b)).
  • Security, abuse prevention, error logging: our legitimate interests in keeping the service safe and working (Art. 6(1)(f)).
  • Product analytics (PostHog): not applicable — PostHog is not loaded for EU/EEA/UK visitors, so no legal basis for analytics processing is required for those users.
  • Legal/tax records: compliance with a legal obligation (Art. 6(1)(c)).

How long we keep it

We keep your account and shop data until you delete your account. When you delete your account, we remove your data from our live systems within 30 days, and your Etsy OAuth tokens within 24 hours. Encrypted backups roll off within 14 days. Server logs are retained for up to 30 days. Aggregated, anonymised statistics may be kept indefinitely.

If you disconnect your Etsy shop, we delete the data we synced from Etsy — orders, listings, fees, and ads history — immediately; your own entered data (products, materials, recipes, inventory history) is kept until you delete your account.

For our analytics and error-monitoring providers: your PostHog person record is deleted when you delete your account. Sentry stores no user-keyed information from foliascore — we don't send personal data with error events, and we don't identify you to Sentry — so there is no per-user record to delete; error events age out according to Sentry's own retention.

Your rights

You can ask us to access, correct, or delete your data at any time by emailing hello@foliascore.com. Depending on where you live, you have specific rights — and we honour them wherever you live:

  • United States (California — CCPA/CPRA): the right to know what personal information we collect, to delete it, to correct it, and to opt out of any “sale” or “sharing.” We respond within 45 days. See California and Do Not Track below.
  • EU/EEA and UK (GDPR / UK GDPR): access, rectification, erasure, portability, restriction, objection, and the right to withdraw consent. You also have the right to lodge a complaint with your local supervisory authority.
  • Singapore (PDPA): access and correction of your personal data, and the right to complain to the PDPC. hello@foliascore.com is the data-protection contact.

We respond within 30 days for GDPR/PDPA requests and within 45 days where CCPA applies. We won't discriminate against you for exercising any of these rights.

A self-serve in-app data export is on our roadmap; until it ships, email us and we'll handle the export manually.

California (CCPA/CPRA) and Do Not Track

California residents have the right to know what personal information we collect, to delete it, to correct it, and to opt out of any “sale” or “sharing.” We do not sell your personal information. We use PostHog for analytics; in case that constitutes “sharing” under California law, any user can disable analytics by emailing hello@foliascore.com. We honour browser Global Privacy Control / Do Not Track signals where technically feasible.

Data breaches

If we suffer a data breach that's likely to cause significant harm or that affects a notifiable number of individuals, we will notify Singapore's PDPC within 3 calendar days of assessing it, notify affected users without undue delay, and — for EU/EEA and UK users — notify the relevant supervisory authority within 72 hours as required by GDPR. If the breach involves Etsy member data accessed through the Etsy API, we will also notify Etsy at dpo@etsy.com and the affected seller within 24 hours of discovering it, as required by Etsy's API Terms of Use.

Children

foliascore is a business tool. We don't knowingly collect data from anyone under 18. If you believe someone under 18 has signed up, email us and we'll delete the account.

Changes to this policy

If we make a meaningful change to this policy, we'll email active users before it takes effect. Smaller changes will be reflected in the “Last updated” date at the top of this page.

Contact

Questions, requests, or concerns: hello@foliascore.com.