Privacy Policy

Effective: February 19, 2026

Information We Collect

We collect information you provide directly when you create an account, set up your business, and use our services. We also collect certain information automatically when you interact with Legitski.

Account Information

  • Name and email address
  • Password (stored only as a bcrypt hash; we never store or have access to your plain-text password)
  • Google account identifier if you sign in with Google

Business Information

  • Business name and settings (tax configuration, receipt preferences, logo, printer configuration)
  • Stripe customer identifier for payment processing

Operational Data

  • Inventory items, categories, and stock levels
  • Sales, receiving, returns, adjustments, and related operation logs
  • Customer records (name, email, phone, address, notes, spending history)
  • Supplier records (name, email, phone, address, contact person, tax ID)
  • Purchase orders
  • Referral program participation and referral codes

How We Use Your Information

We use the information we collect to provide, maintain, and improve Legitski. Specifically, we use your information to:

  • Operate and deliver the inventory management, point-of-sale, supplier management, and reporting features you use
  • Process payments and manage your subscription
  • Authenticate your identity and secure your account
  • Send transactional communications such as password reset emails and subscription confirmations
  • Provide real-time synchronization across your devices and team members
  • Track referral program eligibility and award bonus subscription days
  • Analyze usage patterns in aggregate to improve our service (we do not sell personal data)

Data Storage and Security

Your data is stored in a PostgreSQL database hosted on Railway, a cloud infrastructure provider with data centers in the United States. We implement the following security measures:

  • Passwords are hashed using bcrypt before storage
  • Authentication uses JSON Web Tokens (JWT) transmitted via httpOnly cookies, which are not accessible to client-side scripts
  • Access tokens expire after 15 minutes; refresh tokens expire after 7 days
  • Password reset tokens are single-use and time-limited
  • All data is transmitted over HTTPS

While we implement industry-standard security practices, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security of your data.

Third-Party Services

Legitski integrates with the following third-party services to deliver its functionality. Each service has its own privacy policy governing how it handles your data.

  • Stripe — Processes subscription payments. We store only your Stripe customer identifier; Stripe handles all payment card data directly.
  • Google OAuth — Provides sign-in via Google. We receive your name, email, and Google account identifier.
  • Cloudinary — Stores uploaded images such as business logos.
  • Railway — Hosts our database infrastructure.

We do not share your personal data with third parties for advertising or marketing purposes.

Cookies and Authentication

Legitski uses cookies strictly for authentication and session management. We do not use advertising cookies, tracking pixels, or third-party analytics cookies.

  • Access token cookie — An httpOnly, secure cookie containing a short-lived JWT that authenticates your requests. Expires after 15 minutes.
  • Refresh token cookie — An httpOnly, secure cookie used to obtain new access tokens without requiring you to log in again. Expires after 7 days.
  • Theme preference — A local storage value (not a cookie) that remembers your selected color theme.

Because these cookies are essential to the operation of the service, Legitski does not function without them while you are logged in.

Data Retention

We retain your data for as long as your account remains active. Specific retention periods apply to certain data types based on your subscription plan:

  • Operation history (sales, receiving, returns, adjustments) is retained according to your plan's limits
  • Inventory logs are retained according to your plan's log retention period
  • If you delete your account, we will remove your personal data within 30 days, except where we are required by law to retain it

Aggregated, anonymized data that cannot identify you may be retained indefinitely for service improvement purposes.

Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access — Request a copy of the personal data we hold about you
  • Correction — Request that we correct inaccurate data
  • Deletion — Request that we delete your personal data
  • Export — Request your data in a portable format
  • Restriction — Request that we limit how we process your data

To exercise any of these rights, contact us at legitskiapp@gmail.com. We will respond to your request within 30 days.

Children's Privacy

Legitski is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at legitskiapp@gmail.com.

Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices or applicable law. When we make significant changes, we will notify you by posting the revised policy on this page and updating the effective date at the top. We encourage you to review this page periodically.

Contact Us

If you have questions or concerns about this privacy policy or our data practices, you can reach us at:

legitskiapp@gmail.com