1. Who we are
Product Agent is operated by Luke Mortensen, an Australian sole trader trading as Product Agent (ABN 24 738 128 250), Queensland, Australia. Contact support@productagent.app for privacy enquiries, access or correction requests, deletion requests, or complaints.
2. Information we collect
- Account data: name, email, Firebase user ID, profile image when supplied, authentication provider, verification state, account access state, workspace membership, and roles.
- Testing-access requests: name, Google Play account email, optional business or organisation name, business type, approximate monthly item volume, current or intended store channels, notes, consent, request status, source page, and notification status.
- Workflow content: original and processed product photos, item groups, barcode or SKU values, product identity evidence, capture settings, queue state, listing drafts, review decisions, destinations, and delivery results.
- Connected-store data: store names and identifiers, OAuth state, encrypted connector credentials, authorisation scope, selected products, delivery data, and connector diagnostics.
- Billing and entitlement data: Google Play product and order identifiers, subscription and purchase status, verification results, credit grants, reservations, usage, refunds, reversals, and reconciliation state. Product Agent does not receive your complete payment-card details from Google Play.
- Device, usage, and diagnostics: app version, platform, device and network diagnostics, security and App Check signals, crash reports, performance events, workflow telemetry, abuse-prevention metadata, IP address in server or hosting logs and rate-limiting records, and operational errors. Testing-access request records do not store the requester’s IP address or user-agent string.
- Communications: support emails, deletion requests, privacy complaints, security reports, testing-access correspondence, and commercial enquiries.
- Legal acceptance: accepted Terms and Privacy versions, server timestamp, app version, platform, authentication provider, and acceptance surface.
3. How we use information
- Authenticate users, create and secure accounts, and maintain personal or workspace scope.
- Assess testing-access requests, manage closed-testing capacity, contact requesters, and provide invitation or onboarding steps where access is available.
- Capture, store, process, transform, identify, review, generate, export, and deliver requested product-listing content.
- Operate connected stores and destinations with the authority granted by the user.
- Verify purchases, manage listing credits, reconcile subscriptions, prevent fraud, and provide billing support.
- Maintain queue recovery, diagnose failures, monitor reliability, enforce security controls, and improve service operation.
- Respond to support, legal, privacy, deletion, security, and commercial requests.
- Comply with law, protect rights and safety, resolve disputes, and enforce agreements.
4. Service providers and sharing
We disclose information only as reasonably needed for the requested workflow, service operation, support, security, billing, legal compliance, or a business transfer with appropriate safeguards.
- Google and Firebase: Authentication, Firestore, Cloud Storage, Cloud Functions, Hosting, App Check, Crashlytics, Google Sign-In, and Google Play billing. Testing-access requests are stored in backend-only Firestore records.
- AI and image processing: providers such as OpenAI, PhotoRoom, fal.ai, and Reve may receive selected photos, derivatives, prompts, or product context needed for the requested feature.
- Connected destinations: eBay, Shopify, WooCommerce, and other destinations receive content and metadata when the user connects and selects them.
- Communications and operations: Mailgun or another configured email provider, support personnel, security providers, and professional advisers may receive limited information needed for notifications and their role.
- Legal and safety: information may be disclosed in response to valid legal process or where reasonably necessary to prevent fraud, abuse, harm, or unlawful conduct.
Product Agent does not sell personal information or customer workflow content and does not use it for cross-context behavioural advertising. Provider handling is also subject to provider contracts and privacy terms; this policy does not claim that a provider never uses data for model improvement unless a binding arrangement confirms it.
5. International processing
Product Agent’s primary Firebase Functions region is Australia, but Google, AI providers, marketplaces, and support infrastructure may process information in Australia, the United States, and other countries where they or their subprocessors operate. Privacy protections in another country may differ from Australia. We use provider terms, access controls, and other reasonable safeguards appropriate to the service and information.
6. Security
Measures include authenticated Firebase access, App Check, server-side privileged operations, workspace-aware authorisation, encrypted transport, protected credential storage, bounded connector requests, short-lived signed asset access where appropriate, account-deletion safeguards, and restricted backend audit collections. No system is perfectly secure. Protect your device and credentials and report concerns promptly.
7. Retention
We retain information while needed to provide the selected workflow, maintain account and billing state, secure the service, support recovery, resolve disputes, comply with legal obligations, and enforce agreements. Actual periods vary with item state, plan, workspace, connected destination, support activity, backup lifecycle, and legal requirements.
- Account and workflow data is deleted or de-identified when no longer reasonably needed, subject to operational recovery and lawful retention.
- Testing-access requests and related correspondence are retained while the request, testing access, or follow-up remains relevant, then deleted or de-identified when no longer reasonably required for testing administration, security, disputes, or legal obligations.
- Google Play and financial transaction records may be retained as needed for tax, accounting, fraud prevention, chargebacks, and disputes.
- Minimal legal-acceptance audit records are retained for six years after account closure, subject to legal review and any active legal hold. They exclude photos, address, and IP address.
- Records subject to a dispute, security investigation, or legal hold may be retained until the matter and applicable retention period end.
8. Account and data deletion
Delete an account in the Android app through Account > Data & Privacy > Delete Account, or use the public Account Deletion page if you cannot access the app. Deletion removes the Firebase account and app-controlled associated data such as profile data, photos, items, listing metadata, credentials, preferences, credit state, and workspace records controlled by the account, except for narrowly retained records described above.
Deleting Product Agent does not cancel a Google Play subscription. Cancel renewals separately through Google Play.
9. Access, correction, complaints, and choices
You may request access to or correction of personal information, ask questions, request deletion, or make a privacy complaint by emailing support@productagent.app. Include enough information to identify the account and request; we may verify identity before acting. We aim to acknowledge complaints promptly and respond within 30 days.
If you are dissatisfied after giving us a reasonable opportunity to respond, you may contact the Office of the Australian Information Commissioner or another regulator available under applicable law.
10. Website, children, and policy changes
The public website does not intentionally use advertising, third-party analytics, or non-essential cookies. Firebase Hosting and network providers may create ordinary request and security logs. The testing-access form uses server-side validation, a non-visible spam field, origin checks, and rate limiting; it does not currently load a third-party CAPTCHA. If tracking technologies are introduced, this policy and any required consent mechanism will be updated before they are enabled.
Product Agent is intended for business users aged 18 or older and is not directed to children. We may update this policy as the service, providers, or law changes. Version au-privacy-v1 remains the authenticated app acknowledgement version because this form notice concerns an optional pre-account website request and does not change authenticated app processing. Material changes to the authenticated app-data contract will be communicated and may require renewed acceptance.