Privacy Policy.
Effective date: 27 May 2026. Version 1.0.
This Privacy Policy describes how Penkin Grigorii, a sole proprietor with primary place of business in the Republic of Serbia (the "Operator", "we", "us"), collects, uses, and protects personal data when you ("you", "the Customer") use OxusNow ("the Service"). We are the data controller for the personal data described below.
1. What we collect
| Category | Examples | Why |
|---|---|---|
| Account data | Email, hashed password, workspace name, sign-up date. | Authenticate you, run your account. |
| Marketplace credentials | Your own SP-API / eBay Trading API tokens, encrypted at rest with Fernet (AES-128-CBC + HMAC-SHA256). | Push listings to your seller account on your behalf. |
| Customer Content | Product images you upload, generated assets, workflow definitions, run logs. | Execute the Service you asked for. |
| Usage telemetry | Login timestamps, workflow run counts, credit usage, error logs. | Bill you correctly, debug your issues, improve product quality. |
| Payment data | Handled entirely by Paddle (our merchant of record). We see only the last 4 digits of card, billing country, and subscription state. | Process subscriptions. |
2. What we do NOT do
- We do not train AI models on your data. Your images, generations, and workflows are processed only to execute the workflow you requested.
- We do not sell or rent your personal data to anyone.
- We do not share your marketplace credentials or images with advertising networks or data brokers.
- We do not store your full payment-card details. Paddle handles that.
3. Where your data lives
OxusNow's primary infrastructure is hosted in the European Union:
- Relational database (PostgreSQL) — Hetzner Cloud, Falkenstein, Germany.
- Analytics database (MongoDB) — Hetzner Cloud, Falkenstein, Germany.
- Asset storage — Cloudflare R2, EU region.
- AI inference — Nebius (EU) for text/vision models; RunPod Serverless (EU-RO-1, Romania) for image generation.
- Email transactional — currently we send no marketing email. Operational email (password reset, billing notices) is sent via Paddle infrastructure.
- Payments — Paddle.com Market Limited (Malta-based merchant of record).
When you upload an image, it is uploaded to Cloudflare R2 in the EU, then fetched by our backend (EU) for any AI processing on Nebius (EU) or RunPod (EU). No customer data leaves the EU as part of normal operation.
4. Legal basis (GDPR)
We process personal data under one of the following bases:
- Contract — to provide the Service you signed up for (Art. 6(1)(b) GDPR).
- Legal obligation — invoicing, accounting, anti-fraud (Art. 6(1)(c)).
- Legitimate interest — fraud prevention, security monitoring, product analytics (Art. 6(1)(f)).
5. Retention
- Active accounts: retained for the lifetime of your subscription.
- Closed accounts: Customer Content kept for 30 days for export, then permanently deleted.
- Billing records: retained for 7 years to meet Serbian / EU tax law.
- Server logs: 90 days.
6. Your rights
You have the right to:
- Access — request a copy of your personal data.
- Rectification — correct inaccurate data.
- Erasure — delete your account and associated personal data ("right to be forgotten").
- Portability — export your workflows and Customer Content in machine-readable format.
- Restriction / objection — limit how we use your data.
- Withdraw consent — where processing is consent-based.
- Complain — to your local data-protection authority.
To exercise any of these rights, email penkin.gr@gmail.com. We respond within 30 days.
7. Cookies & local storage
OxusNow uses strictly necessary cookies / localStorage only:
auth-token— your JWT session token. Required to keep you signed in.oxus-canvas-sidebar-open-cats— your canvas sidebar layout preference.
We do not use third-party advertising trackers. We do not have a cookie banner because we do not set any non-essential cookies.
8. Security
We employ industry-standard controls: TLS in transit, encryption at rest for marketplace credentials (Fernet AES-128), password hashing with bcrypt (cost 12), Postgres row-level security for multi-tenant isolation, and Kubernetes-namespaced workload isolation. SOC 2 Type II is in progress.
9. Sub-processors
The Operator engages the following sub-processors to deliver the Service:
| Provider | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Compute & database hosting | Germany (EU) |
| Cloudflare, Inc. | Asset storage (R2), CDN, DNS | EU edge |
| Nebius B.V. | LLM & vision-model inference | EU |
| RunPod, Inc. | GPU image-generation inference | Romania (EU) |
| Paddle.com Market Limited | Payment processing, merchant of record | Malta (EU) |
10. Children
OxusNow is a B2B service intended for adults. We do not knowingly collect data from anyone under 18. If you believe a minor has used the Service, contact us to delete the account.
11. Changes
Material changes to this Policy will be announced by email and in-product notice at least 30 days before they take effect.
12. Contact
Privacy or data-protection enquiries — penkin.gr@gmail.com.