1. Data Controller
MD SOFTWARE L.L.C-FZ / Fluxera LLC, a Free Zone Limited Liability Company registered at 5842+74 Dubai, United Arab Emirates, and Fluxera LLC, registered at 75 E 3rd St, Ste 7, Sheridan, WY 82801, USA (collectively "SellStein," "we," "us," "our") are the data controllers responsible for processing your personal data when you use our Service.
For privacy inquiries, data access requests, or to exercise your data protection rights, contact our Data Protection team at: privacy@sellstein.com.
2. Data We Collect
Account Data: Name, email address, password hash (bcrypt), and optional profile information when you create an account.
Business Data: Business name, description, products, orders, customer records, invoices, and other operational data you enter into the platform.
Usage Data: Log data including IP address, browser type and version, device information, pages visited, feature usage patterns, and timestamps. Collected for security monitoring, fraud prevention, and service improvement.
Payment Data: We do not store credit card numbers or bank account details. Payment processing is handled by third-party processors (e.g., Stripe, PayPal, cryptocurrency processors) under their own privacy policies and PCI DSS compliance.
API Keys: Third-party API keys you provide are encrypted at rest using AES-256-GCM and are decrypted only transiently during API calls.
Communications: Records of support requests, feedback, and other communications with us.
3. Legal Basis for Processing (GDPR)
We process personal data under the following legal bases as defined by the EU General Data Protection Regulation:
Contract Performance (Art. 6(1)(b)): Processing necessary to provide the Service, manage your account, and fulfill our contractual obligations to you.
Legitimate Interest (Art. 6(1)(f)): Security monitoring, fraud prevention, service improvement, analytics, and enforcing our Terms of Service. We conduct balancing tests to ensure our interests do not override your fundamental rights.
Legal Obligation (Art. 6(1)(c)): Processing required to comply with applicable laws, regulations, or legal processes.
Consent (Art. 6(1)(a)): Optional marketing communications and non-essential analytics, which you can withdraw at any time without affecting the lawfulness of prior processing.
4. How We Use Your Data
- Providing, maintaining, and improving the Service
- Processing transactions and managing your account
- AI-powered features (using your configured API keys to call third-party AI services — we do not train AI models on your data)
- Communicating about your account, service updates, and security notices
- Security monitoring, fraud prevention, and abuse detection
- Aggregated, anonymized analytics to improve the Service
- Complying with legal obligations and responding to lawful requests
- Enforcing our Terms of Service and Acceptable Use Policy
We do not sell, rent, or trade your personal data. We do not use your data to train AI models. We do not share your data with data brokers or advertising networks.
5. Data Sharing and Third Parties
We may share data with the following categories of recipients, only to the extent necessary:
Infrastructure Providers: Cloudflare (hosting, CDN, DNS, database, edge compute). Data may be processed at Cloudflare edge locations worldwide. Cloudflare maintains appropriate technical and organizational measures.
AI Providers: When you use AI features, your prompts and relevant business data are sent to the AI provider you configured (e.g., Anthropic) using your own API key. We act as a technical conduit; the AI provider's privacy policy governs their processing.
Payment Processors: Payment processors you connect (e.g., Stripe, PayPal) handle financial transactions under their own privacy policies and PCI DSS compliance.
Legal Requirements: We may disclose data when required by law, subpoena, court order, or governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity, subject to the same privacy commitments.
6. International Data Transfers
Your data may be processed outside your country of residence, including in the United States, the European Economic Area, and other jurisdictions where Cloudflare operates edge infrastructure.
Where data is transferred from the EEA/UK to countries not deemed to provide adequate data protection, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Cloudflare's participation in approved transfer mechanisms
- Additional supplementary measures where required
7. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Service. Upon account deletion or termination:
- Account data is retained for 30 days to allow for data export and account recovery
- After 30 days, personal data is permanently and irreversibly deleted from our active systems
- Anonymized, aggregated data (which cannot identify you) may be retained indefinitely for analytics
- Data required for legal compliance, fraud prevention, or dispute resolution may be retained for the legally required period
8. Your Data Protection Rights
All Users:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate or incomplete data
- Deletion: Request deletion of your personal data
- Data Export: Download your data through your account settings
EU/EEA/UK Residents (GDPR/UK GDPR):
- Right to access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure / "right to be forgotten" (Art. 17)
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20)
- Right to object to processing (Art. 21)
- Right to withdraw consent at any time (Art. 7(3))
- Right not to be subject to automated decision-making (Art. 22)
- Right to lodge a complaint with your local supervisory authority
UAE Residents (PDPL): Right to access, correct, and request deletion of personal data in accordance with UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data.
California Residents (CCPA/CPRA):
- Right to know what personal information we collect, use, disclose, and sell
- Right to delete personal information
- Right to opt out of the sale or sharing of personal information (we do not sell or share your data)
- Right to correct inaccurate personal information
- Right to limit use of sensitive personal information
- Right to non-discrimination for exercising your rights
To exercise any of these rights, contact us at privacy@sellstein.com. We will respond within 30 days (or the timeframe required by applicable law).
9. Cookies and Tracking
We use strictly necessary cookies for authentication, session management, and security (e.g., CSRF protection). These cookies are essential for the Service to function and do not require consent.
We do not use third-party tracking cookies, advertising cookies, or cross-site tracking technologies. For full details, see our Cookie Policy.
10. Data Security
We implement industry-standard technical and organizational security measures, including:
- HTTPS/TLS encryption for all data in transit
- AES-256-GCM encryption for sensitive data at rest (API keys, credentials)
- Secure password hashing (bcrypt with an appropriate cost factor)
- Rate limiting and brute-force protection
- CSRF protection on all state-changing operations
- Regular security reviews and vulnerability monitoring
- Principle of least privilege for internal data access
However, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data.
11. Children's Privacy
The Service is not directed at individuals under 18 years of age (or the age of majority in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us immediately at privacy@sellstein.com and we will promptly delete the data.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through a prominent notice in the Service at least 30 days before the changes take effect. We encourage you to review this policy periodically.
13. Contact and Data Protection
For privacy-related questions, data access requests, or to exercise your rights, contact us at:
MD SOFTWARE L.L.C-FZ / Fluxera LLC — Data Protection
5842+74 Dubai, United Arab Emirates
Email: privacy@sellstein.com
General: contact@sellstein.com
Phone: +1 (605) 860-4489