Catalayer Data Privacy and Security: What We Store, How We Protect It

Exactly what Catalayer stores, how we handle passwords and sessions, third-party integrations, and the security measures in place for your account and data

Catalayer 2026-04-18 7 min read

What This Document Covers

A transparent overview of how Catalayer handles your data. Useful if you're evaluating Catalayer for business use, need it for compliance reasons, or simply want to know what you're signing up for.

What We Collect

Account Information

  • Email address (required for account)
  • Password (stored only as bcrypt hash, never plaintext)
  • Display name
  • Country (optional, for regional defaults)

Usage Data

  • Searches performed (Source Finder queries, News searches)
  • Monitor rules you've created
  • Signals you follow
  • Alerts delivered + whether you clicked them
  • Products you've viewed in Source Finder

Technical Data

  • IP address (used for rate limiting + registration abuse prevention)
  • Browser user agent
  • Session cookie (httponly, secure, samesite=lax)
  • Timestamps of activity (for audit + billing)

Payment Data (if subscribed)

  • We store: Stripe customer ID, subscription status, plan tier, renewal date
  • We do NOT store: credit card numbers, CVV, or any direct card data
  • Stripe handles all payment processing directly — we receive only status signals

What We Do NOT Collect

  • Browsing history outside Catalayer (except the pages you explicitly run the Source Finder extension against)
  • Email contents of external accounts
  • Your Amazon Seller Central password (Claim Pilot uses OAuth, read-only)
  • Bank account or financial account credentials

How We Use Data

Legitimate Operations

  • Deliver alerts + analysis you've requested
  • Bill your subscription
  • Send account-related emails (verification, password reset)
  • Prevent abuse (rate limiting, banning scrapers)

Improving the Product

  • Aggregated usage patterns help us tune relevance scoring
  • Feedback signals (which alerts you dismiss) train Catalayer AI
  • Error reporting helps us find and fix bugs

What We Do NOT Do

  • Sell data to third parties
  • Use your data to train AI for external clients
  • Share individual usage with other users
  • Run ads against your profile (we have no ads)

Cookies

One primary cookie: cl_session

  • HttpOnly (not accessible to JavaScript, prevents XSS theft)
  • Secure (HTTPS only)
  • SameSite=Lax (cross-site protection)
  • 24-hour expiry by default; 7 days with "Keep me signed in"
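If you are evaluating the service, the attributes above can be checked against the `Set-Cookie` header the login response actually returns. The following is an added example, not Catalayer's code; it assumes the lifetime is expressed as `Max-Age` (a server may use `Expires` instead), and the sample headers are constructed.

```python
# Added example: audit a Set-Cookie header against the documented cl_session policy.
EXPECTED_MAX_AGE = {24 * 3600, 7 * 24 * 3600}  # 24 h default, 7 d with "Keep me signed in"

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attrs) with lower-cased attribute names."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def audit_session_cookie(header, name="cl_session"):
    """Return deviations from the documented policy (an empty list means it matches)."""
    cookie_name, _, attrs = parse_set_cookie(header)
    if cookie_name != name:
        return [f"not the {name} cookie"]
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if "secure" not in attrs:
        findings.append("missing Secure")
    samesite = attrs.get("samesite", "")
    if samesite.lower() != "lax":
        findings.append(f"SameSite is {samesite or 'unset'}, expected Lax")
    max_age = attrs.get("max-age")
    if max_age is None:
        # Assumption: lifetime is sent as Max-Age; an Expires date is accepted unchecked.
        if "expires" not in attrs:
            findings.append("no Max-Age or Expires: browser-session lifetime")
    elif not max_age.isdigit() or int(max_age) not in EXPECTED_MAX_AGE:
        findings.append(f"Max-Age={max_age} is neither 24 h nor 7 d")
    return findings

# Constructed sample headers (the token values are made up).
GOOD = "cl_session=3f9a1c; Path=/; Max-Age=86400; HttpOnly; Secure; SameSite=Lax"
WEAK = "cl_session=3f9a1c; Path=/; Max-Age=2592000; Secure; SameSite=None"

if __name__ == "__main__":
    for hdr in (GOOD, WEAK):
        print(audit_session_cookie(hdr) or "matches documented policy")
```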

Google Analytics cookies (anonymous) for usage statistics. Can be blocked via browser settings without affecting Catalayer functionality.

No tracking cookies for advertising.

Third-Party Integrations

What we use

  • Stripe — payment processing
  • Resend — transactional emails (verification, password reset)
  • Cloudflare — CDN + DDoS protection
  • Groq / Anthropic (selectively) — specific AI analysis workloads; data passed is only the story text being analyzed, never your personal info

Data flow to third parties

  • Email address → Resend when you register (for verification email)
  • Email address + Stripe customer ID → Stripe when you upgrade
  • Story text → LLM provider when you request analysis; your user ID is never included in that request

Data retention

Each third party has its own data policy. We don't forward them more data than strictly needed for their function.

Password Security

  • Stored as bcrypt hashes (cost factor 12)
  • Original password never stored or logged
  • Reset requires email verification via 6-digit code
  • Minimum 8 characters (we don't enforce complex rules that push users toward weaker-but-memorable alternatives)
  • Rate-limited: 5 failed logins trigger a 15-minute lockout

What if Catalayer's database leaked tomorrow?

Attackers would get email addresses + bcrypt hashes. Bcrypt is designed to make cracking hashes extremely slow (hours per hash per attacker core). Practical impact: low-to-moderate, but you should still use unique passwords per service.

Session Security

  • Sessions tied to server-issued tokens, not predictable formats
  • Stored server-side in sessions table with user email + IP + timestamps
  • Expire automatically after 24h (default) or 7d (if "Keep me signed in")
  • Can be invalidated globally via "Log out all devices" in account settings

What if your session cookie leaked?

An attacker could use your account until the session is rotated (via logout or timeout). Mitigation: use secure browsers, don't share devices, log out on public computers.

Source Finder Extension

The Chrome extension differs from the web workspace in privacy terms:

What it does

  • Reads product data (title, image URL, price) from the page you're actively viewing, ONLY when you initiate a search
  • Sends that data to Catalayer servers for supplier matching
  • Displays results

What it does NOT do

  • Read every page you visit (we'd never ship that)
  • Access cookies from third-party sites (Amazon, eBay, etc.)
  • Track browsing history
  • Run background scraping

Manifest permissions

  • activeTab — access to the currently visible tab only
  • storage — local storage for settings
  • No tabs permission, no webRequest with blocking, no history access

Inspect it yourself: the extension is open source-adjacent; request the source via [email protected] for security review.
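For a reviewer who has obtained the source, a quick first pass is to compare `manifest.json` with the permission set stated above. This is an added example, not part of the extension; both manifests are constructed for illustration, and the list of broad host patterns is an assumption about what counts as "every page".

```python
import json

# Stated on this page: activeTab and storage only; no tabs, no blocking webRequest, no history.
ALLOWED = {"activeTab", "storage"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest_text):
    """Return findings where a manifest.json exceeds the documented permission set."""
    m = json.loads(manifest_text)
    findings = []
    declared = list(m.get("permissions", [])) + list(m.get("optional_permissions", []))
    # Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
    hosts = list(m.get("host_permissions", [])) + list(m.get("optional_host_permissions", []))
    for perm in declared:
        if "://" in perm or perm == "<all_urls>":
            hosts.append(perm)
        elif perm not in ALLOWED:
            findings.append(f"undocumented permission: {perm}")
    for pattern in hosts:
        if pattern in BROAD_HOSTS:
            findings.append(f"broad host access: {pattern}")
    # A content script matching every site runs without a user gesture, which would
    # contradict "ONLY when you initiate a search".
    for script in m.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if pattern in BROAD_HOSTS:
                findings.append(f"content script on all pages: {pattern}")
    return findings

# Constructed manifests for illustration; not the real extension's manifest.
DOCUMENTED = json.dumps({"manifest_version": 3, "name": "example",
                         "permissions": ["activeTab", "storage"]})
OVERBROAD = json.dumps({"manifest_version": 3, "name": "example",
                        "permissions": ["activeTab", "storage", "tabs", "history"],
                        "host_permissions": ["<all_urls>"],
                        "content_scripts": [{"matches": ["https://*/*"], "js": ["cs.js"]}]})

if __name__ == "__main__":
    for text in (DOCUMENTED, OVERBROAD):
        print(audit_manifest(text) or "matches documented permissions")
```

A clean result only covers declared permissions; what the scripts do with `activeTab` access still needs a read of the code itself.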

Data Retention

Active accounts

  • Account and billing data: retained while account active
  • Monitor rules: retained while active
  • Alert history: 90 days (then archived, metadata only)
  • Search history: 30 days

Deleted accounts

  • 30-day grace period (reactivation possible)
  • After 30 days: all user data purged from primary systems within 30 days
  • Backups rotate within 90 days total
  • Stripe retains billing records as legally required (7 years for most jurisdictions)

News articles

  • Full article body: 7 days (then stripped, headline + metadata retained for search)
  • Catalayer doesn't own news content; we respect source-specified retention when signaled

GDPR / CCPA Rights

If you're in EU / UK / California:

  • Access: request a copy of your data ([email protected])
  • Correction: update incorrect data via account settings or support
  • Deletion: delete account via settings, or email support for full purge
  • Export: self-service export (JSON) from account settings
  • Restriction: request we limit processing (specific use cases)
  • Objection: object to specific processing (e.g., marketing emails)

Response time: 30 days or less per regulation.

Security Measures in Place

Network

  • All traffic HTTPS (TLS 1.2+)
  • HSTS enforced
  • Cloudflare DDoS protection
  • Rate limiting at multiple tiers

Application

  • HTTP-only session cookies
  • CSRF protection on mutating endpoints
  • Input sanitization against SQL injection and XSS
  • Request signing (X-App-Sig) to deter API automation

Infrastructure

  • Hardened server (restricted SSH, firewall, fail2ban)
  • Database file permissions restricted
  • Regular security patches
  • Encrypted backups

Monitoring

  • Bot traffic detection + auto-ban
  • Unusual activity alerts (honeypot endpoints, path-diversity detection)
  • Access logs reviewed weekly

Incident Response

If we detect a security incident:

  1. Affected users notified within 72 hours (faster if credential exposure)
  2. Public status page updated
  3. Post-incident report published within 14 days
  4. Any stolen credentials rotated immediately

No historical incidents to date. If we have one, we'll tell you.

Government Requests

If a government (US or foreign) requests your data:

  • We comply only with legally binding requests (court order, subpoena, search warrant)
  • We notify affected users where legally permitted
  • We publish transparency reports annually

To date: zero government requests.

Changes to This Policy

Material changes: users notified via email + platform banner with 30 days' notice before taking effect.

Minor wording updates: published, users encouraged but not required to re-read.

FAQ

Q: Is my data stored in the US or EU?

A: Primary storage is US-based (AWS / DigitalOcean-style infrastructure). EU residents have the right to request data be held in EU-hosted servers (currently migration pending, available on request via support).

Q: What if Catalayer is acquired?

A: The same privacy policy would apply to the acquirer until they issue a new one with required user notice.

Q: Do I need a Data Processing Agreement (DPA) for enterprise use?

A: Yes — we provide a standard DPA to enterprise customers upon request. Email [email protected].

Q: Can I self-host Catalayer for air-gapped use?

A: Not currently. A self-hosted / on-prem option is under consideration for enterprise.
