Your Privacy Matters

Privacy Policy

Effective Date: March 9, 2026 · Last Updated: March 9, 2026

At WeSteel AI, we are committed to protecting your privacy and ensuring the security of your personal and business information. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our intelligent steel trading platform (the “Service”).

We designed this policy to be transparent and straightforward. If you have any questions, please contact us at privacy@westeel.ai.

1. Information We Collect

1.1 Information You Provide

Category | Examples | Purpose
Account Information | Name, email address, phone number, company name, job title | Account creation, authentication, communication
Billing Information | Payment method details, billing address, tax ID | Payment processing, invoicing, tax compliance
Business Data | Inventory records, customer lists, pricing data, order details, financial records, quotes | Service delivery, AI-powered features, analytics
Communications | Support tickets, emails, feedback, survey responses | Customer support, service improvement

1.2 Information Collected Automatically

Category | Examples | Purpose
Device Information | IP address, browser type, operating system, device identifiers | Security, compatibility, analytics
Usage Data | Pages visited, features used, click patterns, session duration | Service improvement, UX optimization
Log Data | Access timestamps, API calls, error logs, authentication events | Security monitoring, debugging, audit trails
Cookies | Session cookies, preference cookies, analytics cookies | Authentication, personalization, analytics

1.3 Information from Third Parties

We may receive information from third-party services you integrate with, such as payment processors (Stripe), authentication providers, and business tools you choose to connect to the Service.

2. How We Use Your Information

We use the information we collect for the following purposes:

  • Service Delivery: To provide, operate, and maintain the Service, including processing transactions, managing inventory, generating quotes, and fulfilling orders
  • AI-Powered Features: To power quote automation, pricing recommendations, inventory analytics, and business insights using your Business Data
  • Account Management: To create and manage your Account, authenticate users, and enforce role-based access controls
  • Communication: To send transactional emails (order confirmations, invoices), service updates, security alerts, and, with your consent, marketing communications
  • Security: To detect, prevent, and respond to fraud, abuse, security incidents, and technical issues
  • Analytics: To understand how the Service is used and to improve performance, features, and user experience
  • Legal Compliance: To comply with applicable laws, regulations, legal processes, and government requests
  • Service Improvement: To develop new features, conduct research, and improve existing functionality using anonymized and aggregated data

3. How We Share Your Information

We do not sell your personal information. We share information only in the following circumstances:

3.1 Service Providers

We share information with trusted third-party service providers who assist us in operating the Service, subject to strict data processing agreements. These include:

  • Infrastructure: Cloud hosting and database services (Supabase, Vercel)
  • Payments: Payment processing (Stripe)
  • Email: Transactional and marketing email delivery (Resend)
  • AI: AI model providers for intelligent features (Anthropic)
  • Analytics: Usage analytics and error monitoring

3.2 Legal Requirements

We may disclose information if required by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

3.3 Business Transfers

In connection with a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of the transaction. We will notify you of any such transfer and any choices you may have regarding your information.

3.4 With Your Consent

We may share information with third parties when you have given us explicit consent to do so.

4. Data Security

We implement comprehensive security measures to protect your information:

  • Encryption: All data is encrypted at rest (AES-256) and in transit (TLS 1.3)
  • Access Control: Role-based access controls with the principle of least privilege. Multi-tenant data isolation through PostgreSQL Row Level Security (RLS)
  • Authentication: Secure authentication with support for multi-factor authentication (MFA)
  • Monitoring: Continuous security monitoring, intrusion detection, and audit logging
  • Rate Limiting: Edge-level rate limiting to prevent abuse and brute-force attacks
  • Security Headers: HSTS, Content Security Policy, X-Frame-Options, and other security headers
  • Audit Trail: Comprehensive activity logging for compliance and forensic analysis
  • Regular Assessments: Periodic security reviews and vulnerability assessments

5. Data Retention

We retain your information for as long as your Account is active or as needed to provide the Service. Specific retention periods are as follows:

  • Account Data: Retained for the duration of your Subscription plus 30 days after termination to enable data export
  • Business Data: Retained for the duration of your Subscription plus 30 days. Available for export upon request
  • Billing Records: Retained for 7 years to comply with tax and financial regulations
  • Audit Logs: Retained for 2 years for security and compliance purposes
  • Analytics Data: Aggregated and anonymized data may be retained indefinitely for service improvement

You may request deletion of your data at any time, subject to our legal retention obligations.

6. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights regarding your personal information:

  • Access: Request a copy of the personal information we hold about you
  • Correction: Request correction of inaccurate or incomplete personal information
  • Deletion: Request deletion of your personal information, subject to legal retention requirements
  • Portability: Request your data in a structured, machine-readable format
  • Restriction: Request that we restrict the processing of your personal information
  • Objection: Object to the processing of your personal information for certain purposes
  • Withdraw Consent: Where processing is based on consent, withdraw that consent at any time

To exercise any of these rights, please contact us at privacy@westeel.ai. We will respond to your request within 30 days, or as required by applicable law.

7. Cookies and Tracking Technologies

7.1 Types of Cookies We Use

  • Essential Cookies: Required for the Service to function, including authentication and security. Cannot be disabled.
  • Functional Cookies: Remember your preferences (e.g., theme, language) to enhance your experience.
  • Analytics Cookies: Help us understand how the Service is used so we can improve it. Can be disabled.

7.2 Managing Cookies

You can manage cookie preferences through your browser settings or our cookie consent banner. Note that disabling essential cookies may prevent the Service from functioning properly.

8. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. When we transfer data internationally, we implement appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Agreements (DPAs) with all sub-processors
  • Compliance with applicable cross-border data transfer frameworks

9. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete it promptly.

10. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

  • Right to Know: You may request details about the categories and specific pieces of personal information we have collected
  • Right to Delete: You may request deletion of your personal information
  • Right to Opt-Out: We do not sell personal information. If this changes, we will provide a clear opt-out mechanism
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
  • Right to Correct: You may request correction of inaccurate personal information

11. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the following additional provisions apply:

11.1 Legal Basis for Processing

  • Contract Performance: Processing necessary to provide the Service under our agreement with you
  • Legitimate Interests: Processing necessary for our legitimate business interests, such as security, fraud prevention, and service improvement
  • Consent: Processing based on your explicit consent, such as marketing communications
  • Legal Obligation: Processing required by applicable law or regulation

11.2 Data Protection Officer

For GDPR-related inquiries, please contact our data protection team at dpo@westeel.ai.

11.3 Supervisory Authority

You have the right to lodge a complaint with your local data protection supervisory authority if you believe we have not adequately addressed your concerns.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. We will notify you of material changes by:

  • Posting the updated policy on our website with a revised “Last Updated” date
  • Sending an email notification to the address associated with your Account
  • Displaying a prominent notice within the Service

Material changes will be communicated at least 30 days before they take effect.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

WeSteel AI — Privacy Team
Email: privacy@westeel.ai
Data Protection Officer: dpo@westeel.ai
Website: westeel.ai

© 2026 WeSteel AI. All rights reserved.