Back
Privacy Policy for Kawsty
Last Updated: April 23, 2026
Kawsty ("we," "us," or "our") provides software that helps shop
operators track ingredients, costs, production, waste, labor, and
sales. This Privacy Policy explains what information we collect from
you, from members of your team, and from the third-party services you
choose to connect (including Shopify, Square, Toast, Stripe, BlueCart,
and Google Calendar), how we use that information, and the choices
you have.
By using Kawsty you agree to this Privacy Policy. If you do not
agree, do not use the service.
1. Information We Collect
1.1 Account information
When you sign up we collect your name, email address, and either an
encrypted password or an OAuth identifier if you sign in with Google.
Team owners may invite additional members, in which case we collect
the same information for those members.
1.2 Billing information
Paid plans are billed through Stripe. We do not store your full card
number; Stripe stores payment credentials and we only keep the last
four digits, card brand, billing country, and subscription status.
1.3 Operational data you enter
Recipes, ingredients, product costs, production schedules, daily
schedules, waste records, labor records, and any other data you
voluntarily enter into the product.
1.4 Data from connected integrations
If you connect a third-party system, we receive and store the data
needed to provide the features you have enabled:
• Shopify — with the scopes you approve (read_orders, read_products,
and optionally read_customers) we fetch your order, line-item,
product, and shop metadata. We store an encrypted access token,
your shop domain, aggregated per-order totals (revenue, tax, tips,
discounts, payment gateway names, transaction counts), and the
mappings you configure between Shopify variants and your recipes
or products. We do NOT store Shopify customer names, email
addresses, phone numbers, shipping addresses, or any other
customer personally identifying information.
• Square — aggregated order totals, tender types, catalog items used
for matching, and encrypted access + refresh tokens.
• Plaid — when you choose to link a bank account via "Connect bank"
in Settings → Banks, Plaid returns an access token plus account
metadata (account name, type, last 4 digits of the account number,
and current/available balance). We DO request the "auth" product;
we do NOT request transactions, identity, or income products today.
Plaid's own privacy policy governs what they collect when you go
through Plaid Link, and you can read it at
https://plaid.com/legal/#consumers. All access tokens and cached
balances are encrypted at rest with AES-256-GCM before they touch
our database. We never receive your banking username or password —
those are entered directly into Plaid's interface. This is a
read-only integration; Kawsty cannot initiate transfers. You can
disconnect at any time at /dashboard/settings/banks, which
immediately revokes our Plaid access token and deletes our stored
copy of all Plaid-derived data.
• Toast, Stripe Connect, BlueCart, Google Calendar — only the
minimum data required to power the feature you have enabled.
1.5 Automatically collected data
Browser type, device type, IP address, pages visited within the
dashboard, and error logs for debugging and security. We use standard
server logs and privacy-respecting product analytics. We do not sell
analytics data.
2. How We Use Information
• To provide, operate, and improve Kawsty.
• To display dashboards, analytics, and reports to you and your
team.
• To process payments through Stripe and manage your subscription.
• To send transactional email (sign-in links, receipts, system
notifications) via Resend.
• To respond to your support requests.
• To detect fraud, abuse, and security incidents.
• To comply with legal obligations.
We do not use your data to train AI models, we do not sell it to
third parties, and we do not share it with advertisers.
3. Subprocessors
We share data with the following service providers, each bound by a
data-processing agreement limiting their use to providing services
to us:
• MongoDB Atlas — database hosting
• Vercel — application hosting
• Stripe — payment processing
• Resend — transactional email
• Google OAuth — optional sign-in
• Plaid — only when you explicitly connect a bank account
• Shopify, Square, Toast, Stripe Connect, BlueCart, Google Calendar
— only for integrations you explicitly connect
4. Data Retention
• Account & operational data — retained while your account is
active and for up to 90 days after cancellation, after which it
is deleted or anonymized.
• Shopify integration data — when you uninstall the Kawsty app from
your Shopify store, Shopify sends us an app/uninstalled webhook
and we immediately disable the integration and clear your stored
access token. Shopify also sends a shop/redact webhook 48 hours
after uninstall; on receipt we delete all sales records sourced
from that shop and delete the integration record itself.
• Customer data requests / erasure (GDPR) — we honor Shopify's
customers/data_request and customers/redact compliance webhooks.
Because we do not store Shopify customer personally identifying
information, erasure requests are typically no-ops but are always
acknowledged and logged.
• Plaid (bank connection) data — access tokens and cached balances
are deleted immediately when you disconnect a bank account from
Settings → Banks. Consent records (which we keep for audit) are
marked revoked but retained for 7 years. See
docs/security/DATA_RETENTION_POLICY.md in our repository for the
full retention schedule.
• Backups — encrypted backups are retained for up to 30 days and
then rotated out.
5. Security
All traffic is encrypted in transit with TLS 1.2+. Third-party access
tokens (Shopify, Square, Plaid, and similar) are encrypted at rest
with AES-256-GCM authenticated encryption before being written to the
database. Cached bank balances retrieved from Plaid are encrypted in
the same envelope.
Sensitive actions — linking or disconnecting a bank account,
refreshing balances on demand, and exporting financial data — require
a fresh (< 30 minutes) step-up multi-factor verification via a 6-digit
code emailed to the address on your account.
We follow industry-standard practices for access control, logging,
and vulnerability management. To report a security issue please email
security@kawsty.com — see SECURITY.md in our repository for the full
responsible-disclosure policy.
6. Your Rights
Depending on where you live, you may have the right to access,
correct, export, or delete the personal data we hold about you, or
to object to or restrict certain processing. To exercise any of
these rights, email us at the address below and we will respond
within 30 days.
If you are a Shopify merchant, you can also revoke our access at any
time by uninstalling the Kawsty app from your Shopify admin. This
triggers our automatic cleanup flow described in section 4.
7. Children's Privacy
Kawsty is a business tool intended for adult shop operators and is
not directed at children under 13. We do not knowingly collect
personal information from children. If you are a parent or guardian
and believe that your child has provided us with personal
information, please contact us using the email below.
8. International Transfers
Kawsty is operated from the United States. If you use the service
from another country, you understand that your information will be
processed in the United States.
9. Changes to this Policy
We may update this Policy from time to time. Material changes will
be communicated by email to account owners, or via an in-app notice,
at least 14 days before they take effect. The "Last Updated" date at
the top of this page reflects the current version.
10. Contact Us
Privacy inquiries, data access requests, and GDPR / CCPA requests:
Email: support@kawsty.com
Mailing address: Kawsty, 12 N Cheyenne Ave, Tulsa, OK 74103, USA
For general support, visit https://kawsty.com/contact.
By using Kawsty you consent to the terms of this Privacy Policy.