Privacy Policy
Last updated: January 31, 2026
1. Introduction
Costli ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our food cost management platform (the "Service"). By using the Service, you agree to the collection and use of information in accordance with this policy.
We comply with applicable data protection laws including the General Data Protection Regulation (GDPR) for users in the European Economic Area and the California Consumer Privacy Act (CCPA) for California residents.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address (required)
- Full name (required)
- Phone number (optional)
- Profile picture (optional)
- Password (stored in encrypted/hashed form)
2.2 Business Information
To provide our services, we collect information about your food business:
- Organization Details: Business name, type (bakery, restaurant, catering, etc.), location, team size, and logo
- Ingredients: Names, categories, prices, suppliers, and inventory levels
- Recipes: Names, descriptions, ingredients, steps, yields, and associated costs
- Products & Bundles: Names, SKUs, descriptions, pricing, and profit margins
- Packaging & Supplies: Non-food items, costs, and inventory
- Sales Data: Transactions, order details, revenue, and customer information (when connected to POS or manually entered)
- Expenses: Business expenses, categories, vendors, and receipts
- Labor Information: Staff positions, hourly rates, and time entries
- Customer Data: Names, contact information, order history, and notes (if using CRM features)
- Brand Playbook: Responses to the brand identity questionnaire, including mission, values, target customers, and business goals
2.3 Usage Information
We automatically collect certain information when you use the Service:
- Device Information: IP address, browser type and version, operating system
- Usage Data: Pages visited, features used, time spent, and interaction patterns
- Analytics Events: Login/logout times, feature usage, onboarding progress
2.4 Payment Information
When you subscribe to a paid plan, payment processing is handled by Stripe. We do not store your credit card numbers or bank account details. We receive and store only:
- Stripe customer ID and subscription ID
- Subscription plan and status
- Payment history (amounts, dates, status)
- Billing period dates
2.5 Third-Party Integration Data
When you connect third-party services (such as Square, Shopify, PayPal, Toast, Clover, or Lightspeed), we collect:
- OAuth access and refresh tokens (encrypted with AES-256-GCM)
- Product catalogs and SKU information from your POS system
- Sales transactions and order data
- Connection status and sync history
3. How We Use Your Information
We use the information we collect to:
3.1 Provide and Operate the Service
- Create and manage your account
- Calculate recipe and product costs
- Track inventory and generate shopping lists
- Process sales data and calculate profit margins
- Generate reports, analytics, and business insights
- Create SOP documents and Brand Playbook exports
- Sync data with connected POS systems
3.2 Communicate with You
- Send account-related notifications (password resets, security alerts)
- Provide customer support
- Send low stock alerts, price change notifications, and profit margin warnings (based on your preferences)
- Inform you of updates to the Service or changes to this policy
3.3 Improve the Service
- Analyze usage patterns to improve features and user experience
- Identify and fix bugs and technical issues
- Develop new features based on user needs
3.4 Legal and Security Purposes
- Detect, prevent, and address fraud or abuse
- Enforce our Terms of Service
- Comply with legal obligations
4. Legal Basis for Processing (GDPR)
For users in the European Economic Area, we process personal data based on the following legal grounds:
- Contract Performance: Processing necessary to provide the Service you requested
- Legitimate Interests: Improving the Service, preventing fraud, and ensuring security
- Consent: Where you have given explicit consent (e.g., marketing communications)
- Legal Obligations: Compliance with applicable laws and regulations
5. Data Sharing and Disclosure
We do not sell your personal information to third parties.
We may share your information with:
5.1 Service Providers
We use trusted third-party services to operate the Service:
- Supabase: Database hosting, user authentication, and file storage
- Stripe: Payment processing and subscription management
- Nango: Connection management platform for POS integrations such as Square
- Vercel: Application hosting and deployment
These providers are contractually obligated to protect your data and use it only for the services they provide to us.
5.2 POS System Providers
When you connect a POS system, we exchange data necessary to provide the integration. Each POS provider has its own privacy policy governing its handling of your data.
5.3 Legal Requirements
We may disclose your information when required by law, such as:
- To comply with legal process (subpoenas, court orders)
- To respond to government requests
- To protect our rights, privacy, safety, or property
- To enforce our Terms of Service
5.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your data is transferred and becomes subject to a different privacy policy.
6. Data Security
We implement industry-standard security measures to protect your data:
- Encryption in Transit: All data transmitted between you and our servers is encrypted using TLS/SSL
- Encryption at Rest: Data stored in our database is encrypted
- Token Encryption: POS integration tokens are encrypted with AES-256-GCM
- Password Security: Passwords are hashed using industry-standard algorithms
- Access Controls: Row-level security ensures you can only access your own organization's data
- Multi-Tenant Isolation: Your data is logically separated from other customers
- Regular Monitoring: We monitor for security threats and unauthorized access
While we strive to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.
7. Data Retention
We retain your data for as long as your account is active or as needed to provide the Service:
- Active Accounts: Data is retained while your account is active
- Account Deletion: When you delete your account, we delete your data within 30 days, except where required for legal, tax, or audit purposes
- Audit Logs: Certain logs (inventory changes, price history) are retained for your records and may be kept longer
- Backup Data: Backups may retain deleted data for up to 90 days for disaster recovery purposes
8. Your Rights
8.1 All Users
You have the right to:
- Access: View and download your personal data
- Correction: Update or correct inaccurate information
- Deletion: Request deletion of your account and data
- Export: Export your data in JSON or CSV format (available in Settings > Data & Privacy)
- Opt-Out: Unsubscribe from marketing communications at any time
8.2 European Economic Area Residents (GDPR)
If you are in the EEA, you also have the right to:
- Data Portability: Receive your data in a structured, machine-readable format
- Restrict Processing: Request limitation of how we process your data
- Object: Object to processing based on legitimate interests
- Withdraw Consent: Withdraw consent at any time where processing is based on consent
- Lodge a Complaint: File a complaint with your local data protection authority
8.3 California Residents (CCPA)
If you are a California resident, you have the right to:
- Know: Request disclosure of the categories and specific pieces of personal information we collect
- Delete: Request deletion of your personal information
- Non-Discrimination: Exercise your rights without discrimination in service or pricing
- Opt-Out of Sale: We do not sell personal information, so this right does not apply
To exercise these rights, contact us at privacy@costli.ai or use the Data & Privacy section in your Settings.
9. Cookies and Tracking Technologies
We use the following types of cookies and similar technologies:
- Essential Cookies: Maintain your session, remember login state, and ensure security (required for the Service to function)
- Preference Cookies: Remember your settings and preferences
- Analytics Cookies: Understand how you use the Service to improve it
You can control cookies through your browser settings. Disabling essential cookies may prevent the Service from functioning properly.
10. Children's Privacy
The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child without parental consent, we will delete it promptly.
11. International Data Transfers
Your data may be transferred to and processed in countries other than your own, including the United States. We ensure appropriate safeguards are in place, including standard contractual clauses approved by relevant data protection authorities.
12. Third-Party Links
The Service may contain links to third-party websites or services (such as POS provider websites). We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies before providing any information.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy with a new "Last updated" date
- Sending an email notification for significant changes
- Displaying an in-app notice when you next use the Service
Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.
14. Contact Us
If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:
- Privacy Inquiries: privacy@costli.ai
- General Support: support@costli.ai
We aim to respond to all privacy-related inquiries within 30 days.