Legal

Privacy Policy

Effective May 2, 2026

Opterra Systems, LLC, an Oregon limited liability company ("Company," "we," "us," or "our"), operates the Sellary platform, website, and related services (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect personal information when you use the Service, whether as a seller ("you" or "Seller") or as a buyer interacting with a Seller's checkout experience ("Buyer").

This policy describes how we handle your information. We encourage you to read it carefully. For questions, contact us at legal@sellary.app.

1. Information We Collect

1.1 Information You Provide

Account Information: When you register, we collect your name, email address, and password. If you upgrade to a paid plan, we collect billing information through our payment processor, Stripe.
Workspace and Business Information: Business name, store settings, product listings, and inventory data you enter into the Service.
Integration Credentials: API keys and OAuth tokens for third-party services (Meta, Stripe, Shippo) that you connect to Sellary. These are encrypted at rest in our production systems.
Shipping Information: Sender addresses, package dimensions, and carrier preferences you configure for label creation.
Communications: Messages you send to us via email or support channels.

1.2 Information Collected from Buyers

When Buyers interact with Seller checkout links generated by Sellary, we collect:

Contact Information: Name, email address, and phone number (if provided).
Shipping Address: Street address, city, state, postal code, and country for order fulfillment.
Payment Information: Payment details are collected and processed directly by Stripe. We do not store full credit card numbers, CVVs, or bank account details on our servers.

Our Role. The Company acts as the data controller (or "business" under the CCPA) for: Seller account and billing data, platform security and fraud prevention, aggregated product analytics, support communications, and legal compliance. With respect to Buyer order and checkout data, the Company acts as a data processor (or "service provider" under the CCPA) when processing that data solely on behalf of the Seller for order fulfillment, shipping, and payment processing. For the Company's own platform purposes — such as preventing fraud, resolving disputes, and enforcing our Terms — we act as a controller for Buyer data as well. Sellers are responsible for their own privacy practices and for ensuring they have a lawful basis to collect Buyer data through the Service.

1.3 Information Collected Automatically

Usage Data: Pages visited, features used, actions taken, session duration, and timestamps.
Device and Browser Data: IP address, browser type, operating system, and device type.
Cookies and Similar Technologies: We use essential cookies for authentication and session management. See Section 7 for details.

1.4 Information from Third Parties

Social Media Platforms: When you connect Facebook or Instagram, we receive your account ID, page names, profile information, and live video comment data as authorized through the Meta OAuth flow.
Payment Processor: Stripe provides us with transaction status, payment confirmations, and payout information.
Shipping Provider: Shippo provides carrier rates, tracking information, and label status updates.

2. How We Use Your Information

We use personal information to:

Provide, maintain, and improve the Service
Process claims from live video comments, manage inventory, and generate checkout links
Process payments through Stripe and create shipping labels through Shippo on your behalf
Send transactional communications (account verification, password resets, billing receipts, order notifications)
Provide customer support and respond to your inquiries
Monitor for abuse, fraud, and violations of our Terms of Service
Generate aggregated, anonymized analytics to improve the Service (e.g., claim conversion rates, average fulfillment times)
Comply with legal obligations and enforce our rights

3. How We Share Your Information

We do not sell your personal information. We share information only as follows:

3.1 With Third-Party Service Providers

Provider	Purpose	Data Shared
Stripe	Payment processing	Buyer name, email, payment details
Shippo	Shipping label creation and tracking	Buyer name, shipping address, package details
Meta (Facebook/Instagram)	Live video comment ingestion	OAuth tokens (encrypted), page/account IDs

3.2 With Sellers (for Buyer Data)

Buyer information (name, email, shipping address, order details) is shared with the Seller whose checkout link the Buyer used. Sellers are responsible for their own compliance with applicable privacy laws regarding Buyer data.

3.3 For Legal Reasons

We may disclose information if required by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

3.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction. We will notify you before your information becomes subject to a different privacy policy.

4. Data Retention

Account Data: Retained for as long as your account is active. Upon account deletion, we remove your personal data within 30 days, except where retention is required by law (e.g., billing records for tax purposes).
Buyer Data: Retained as needed for order fulfillment, dispute resolution, fraud prevention, and legal compliance, and in any case for no longer than the duration of the associated Seller account. When a Seller account is closed, Buyer data is deleted or de-identified within 30 days, subject to legal retention requirements.
Live Video Comments: Comment data from Facebook and Instagram live streams — which is publicly posted content on those platforms — is retained for the duration of the associated show and for 90 days thereafter for claim verification and dispute resolution, then automatically purged.
Integration Tokens: Encrypted OAuth tokens are deleted promptly when you disconnect an integration.
Backups: Data may persist in encrypted backups for up to 30 days after deletion from production systems.
De-Identified and Aggregated Data: We may de-identify or aggregate personal information so that it can no longer reasonably identify you. De-identified and aggregated data is not personal information and may be retained and used for any lawful business purpose, including product analytics and benchmarking. We will not attempt to re-identify de-identified data except as permitted by law or to test our de-identification processes.

5. Data Security

We implement industry-standard security measures to protect your information:

Encryption in transit: All data transmitted to and from the Service is encrypted using current TLS standards.
Encryption at rest: Sensitive data, including integration credentials, is encrypted at rest using industry-standard authenticated encryption.
Password security: Passwords are hashed using modern one-way algorithms. We never store passwords in plaintext.
Access controls: Database and system access is restricted to authorized services and personnel through role-based controls and token-based authentication.
Infrastructure: Our infrastructure is hosted on cloud providers that maintain recognized security certifications.

While we take reasonable precautions, no method of transmission or storage is 100% secure.

Breach Notification. In the event of a security breach that results in unauthorized access to your personal information, we will notify affected users and, where required, applicable regulatory authorities in accordance with applicable law.

If you discover a security vulnerability, please report it to legal@sellary.app.

6. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights regarding your personal information:

Access: Request a copy of the personal information we hold about you.
Correction: Request correction of inaccurate or incomplete data.
Deletion: Request deletion of your personal information, subject to legal retention requirements.
Data Portability: Request your data in a structured, machine-readable format.
Objection: Object to processing of your data for specific purposes.
Withdrawal of Consent: Where processing is based on consent, you may withdraw it at any time.

How to Exercise Your Rights. To submit a privacy request, email us at legal@sellary.app. We will verify your identity before processing your request — this may include confirming your email address or matching account information. California residents may designate an authorized agent to submit requests on their behalf; we may require the agent to provide written authorization and verify the requestor's identity directly.

We will respond to your request within 45 days. If we need additional time, we will notify you of the extension and the reason within the initial 45-day period.

Appeals. If we deny your request in whole or in part, we will explain the reason. You may appeal by emailing privacy@sellary.app within 30 days of the denial. We will respond to your appeal within 60 days.

6.1 California Residents (CCPA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

Right to Know: You can request details about the categories and specific pieces of personal information we have collected about you.
Right to Delete: You can request that we delete your personal information, subject to certain legal exceptions.
Right to Correct: You can request that we correct inaccurate personal information.
Right to Opt Out of Sale or Sharing: We do not sell or share your personal information for cross-context behavioral advertising.
Right to Non-Discrimination: We will not deny you service, charge different prices, or provide a different quality of service because you exercised your CCPA rights.

To exercise any of these rights, follow the process described above in Section 6. California-specific requests are subject to the same 45-day response period, identity verification, and appeal process. For information about how long we retain different categories of data, see Section 4 (Data Retention).

7. Cookies and Tracking Technologies

We use the following types of cookies:

Essential Cookies: Required for authentication, session management, and security. These cannot be disabled.
Functional Cookies: Remember your preferences and settings (e.g., theme, default filters).

We do not use third-party advertising cookies or tracking pixels. We do not participate in cross-site behavioral advertising.

8. Children's Privacy

The Service is intended for users who are at least 18 years old, as described in our Terms of Service. We do not direct the Service to children under 13 and do not knowingly collect personal information from children under 13. Sellers may not use the Service to knowingly collect personal information from children under 13 without verifiable parental consent as required by the Children's Online Privacy Protection Act (COPPA). If you believe a child under 13 has provided us with personal information, please contact us at legal@sellary.app and we will delete it promptly.

9. International Data Transfers

Your information is processed and stored in the United States, where the Company and its primary infrastructure providers operate. If you access the Service from outside the United States, you understand that your information will be transferred to and processed in the United States. We apply the same security and privacy protections described in this policy regardless of where data is stored.

10. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a prominent notice within the Service at least 30 days before the changes take effect. The "Effective date" at the top of this page indicates when the policy was last revised.

11. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

Email: legal@sellary.app
Or through your account settings within the Service