Privacy Policy
This Privacy Policy describes how Commerce Intelligence Engine (“we”, “our”, “the platform”) collects, uses, stores and protects information when operating its distribution, analytics and affiliate infrastructure. The platform operates as a private operational backend and is not a consumer-facing product.
1. Scope
This policy applies to data processed by the platform when operators connect third-party accounts (such as Pinterest Business, Telegram or webhook endpoints), publish content through approved channels, and measure performance via affiliate links and analytics events.
2. OAuth integrations
The platform uses the standard OAuth 2.0 authorization code flow to connect to third-party providers, including the Pinterest Business API. During authorization, the operator is redirected to the provider, explicitly consents to the requested scopes, and is returned to the platform with an authorization code that is exchanged for access and refresh tokens server-side. The platform requests only the minimum scopes required to read the operator’s boards, publish pins, and read analytics for content published by the platform itself.
3. Pinterest API data
When a Pinterest account is connected, the platform may store the Pinterest account identifier, username, profile URL, the list of boards the operator selects for distribution, and metrics for pins published through the platform (impressions, saves, outbound clicks, engagements, CTR). The platform does not collect Pinterest data belonging to other users, does not scrape Pinterest, and does not access content unrelated to the connected account’s own boards and the platform’s own pins. Operators may revoke access at any time from their Pinterest account settings or by disconnecting the integration inside the platform, which deletes the stored tokens.
4. Token storage and encrypted credentials
Access tokens and refresh tokens are encrypted at rest using AES-256-GCM with a server-side key that is never exposed to the browser. Tokens are decrypted only inside server functions when an outbound API call is made. Refresh-token rotation is handled automatically. Tokens are never logged, never returned to client code, and never transmitted to third parties other than the issuing provider.
5. Analytics and usage metrics
The platform records operational telemetry needed to run the distribution pipeline: job-queue events, publishing outcomes, error logs, and aggregated performance metrics for published content. Where third-party analytics from connected providers (e.g. Pinterest analytics) are retrieved, they are stored in aggregate, attributed to the platform-published asset, and used solely to inform scoring and operator dashboards.
6. Affiliate links and click tracking
The platform mints first-party affiliate redirect URLs that route through a platform-controlled endpoint before forwarding to the destination marketplace. When an end user clicks an affiliate link, the platform records non-identifying metadata such as a hashed IP, user agent, referrer and sub-identifier for attribution. This information is used to measure performance, prevent abuse, and reconcile commissions reported by affiliate networks via signed postbacks. The platform does not build behavioral profiles of end users and does not sell click data.
7. Cookies
The marketing pages (such as this site) use only essential cookies required for navigation and security. The operational application uses cookies and equivalent local storage to maintain authenticated operator sessions. Affiliate redirect endpoints may set a short-lived attribution cookie to reconcile clicks with subsequent conversions. The platform does not use third-party advertising cookies on its own properties.
8. Data retention
Operational logs are retained for as long as needed to operate, debug and audit the system. Click and conversion records are retained for the period required to reconcile affiliate commissions and produce historical analytics. Encrypted provider tokens are retained until the integration is disconnected, after which they are deleted.
9. Data sharing
The platform does not sell personal data. Data is shared only with the third-party providers an operator explicitly connects (e.g. Pinterest, Telegram, affiliate networks) to fulfill the operator’s instructions, and with infrastructure subprocessors strictly necessary to host and run the service.
10. Security
The platform enforces HTTPS in transit, encrypted credentials at rest, server-side scoping of all sensitive operations, signed payloads on public webhook endpoints, and least-privilege access to backend systems. Security findings can be reported to the address below.
11. Compliance with provider terms
The platform’s use of the Pinterest Business API and any other connected provider complies with that provider’s developer terms, rate limits, and acceptable-use policies. The platform does not attempt to circumvent provider authentication, does not perform scraping, and does not use unofficial APIs.
12. User privacy and rights
Where applicable, individuals may request access to, correction of, or deletion of personal data the platform holds about them by contacting the address below. Disconnecting a third-party integration from within the platform deletes the associated tokens and stops further data collection from that provider.
13. Changes to this policy
We may update this policy to reflect operational, legal or regulatory changes. Material changes will be reflected in the “Last updated” date at the top of this page.
14. Contact
Questions about this Privacy Policy or about the platform’s data practices can be sent to privacy@commerceengine.company.