Distribu

Privacy Policy

Last updated: April 17, 2026

This Privacy Policy describes how Distribu ("we," "us," or "our") collects, uses, and shares information in connection with the Distribu platform and related services (collectively, the "Service"). By using the Service, you agree to the terms of this Policy.

1. Who this policy covers

Distribu is a business-to-business platform. Our direct customers are distributors ("Customers") who use the Service to manage their catalog, orders, and customer relationships. Our Customers, in turn, serve their own buyers ("End Customers") through the Distribu storefront.

This policy applies to:

  • Customer staff— owners, admins, and members of a Customer's Distribu workspace.
  • End Customers— buyers with login access to a Customer's storefront.
  • Visitors — anyone browsing our marketing site at distribu.app.

2. Information we collect

2.1 Information you provide

  • Account information — name, email address, password hash, and role when you create a Distribu workspace or accept an invite.
  • Company information — company name, storefront slug, default tax rate, shipping rate, and return window.
  • Business records — your product catalog, customer records, orders, invoices, returns, refunds, credit notes, and related metadata that you create or import into the Service.
  • Billing information — plan selection and subscription status. Payment card details are handled directly by our payment processor, Stripe, and are never stored on Distribu servers.
  • Support communications — messages you send us via email or the contact form.

2.2 Information collected automatically

  • Log data — IP address, user agent, pages visited, and timestamps. Used for security, rate-limiting, and troubleshooting.
  • Audit log entries — each significant action taken in your workspace (order placed, status changed, API key created, etc.) is recorded with the actor, action, entity, and timestamp.
  • Cookies & similar technologies — a session cookie to keep you logged in, and a CSRF token cookie for security. We do not use third-party advertising or tracking cookies.

2.3 Information from third parties

When you connect a third-party service (for example, Stripe for billing), we receive limited information from that service — such as subscription status and invoice events — necessary to operate the Service.

3. How we use information

We use the information we collect to:

  • Provide, operate, and maintain the Service.
  • Process transactions and send transactional emails (order confirmations, invoices, return notifications, digest emails you opt into).
  • Respond to support requests and communicate with you.
  • Detect, prevent, and investigate fraud, abuse, or security incidents.
  • Comply with our legal obligations.
  • Improve the Service — for example, by analysing aggregated usage patterns to prioritise what we build next.

We do not sell your information, and we do not use your business records to train machine-learning models.

4. How we share information

We share information only as described below:

  • Between Customers and their End Customers. The whole point of the storefront is to let your End Customers see their own orders, invoices, and returns. We route that data accordingly.
  • With service providers. We use vendors to run the Service — hosting (Vercel), database (Neon Postgres), email delivery (Resend), payment processing (Stripe), and error monitoring. These providers access data only to perform work for us and are bound by confidentiality obligations.
  • With your configured webhook endpoints.When you register a webhook, we deliver event payloads to the URL you choose. Review the payloads you'll receive in our webhooks documentation before registering a third-party URL.
  • For legal reasons.We may disclose information if we believe in good faith it's required by law, subpoena, or other valid legal process, or to protect our rights or the safety of others.
  • In a business transfer. If Distribu is acquired, merged, or sells substantially all of its assets, user information may be transferred as part of that transaction. We will notify you of any such change and honour the terms of this Policy.

5. Data security

We take reasonable steps to protect information, including encryption in transit (TLS), encryption at rest, hashed passwords, hashed API keys, HMAC-signed webhooks, scoped API permissions, and role-based access control within each workspace. No system is perfectly secure; we cannot guarantee the security of your data, but we work hard to keep it safe.

6. Data retention

We retain your information for as long as your account is active, as needed to provide the Service, and as required to comply with our legal obligations. When you delete your workspace, we permanently remove your business records and audit log within 30 days, except where retention is required by law (for example, certain tax and billing records).

Individual records (a product, a customer, a return) are deleted when you delete them in the Service, subject to short-lived backups that are rotated on a standard schedule.

7. Your rights

Depending on where you live, you may have rights to access, correct, export, or delete personal information we hold about you, and to object to or restrict certain processing. To exercise any of these rights, email privacy@distribu.app. We will verify your request and respond within the timeframe required by applicable law.

If you are an End Customer, direct data-subject requests to the Customer whose storefront you use. We act as a processor on their behalf and will support their response.

8. International transfers

Distribu is operated from the United States. If you access the Service from outside the United States, your information may be transferred to, stored in, and processed in the United States or other countries where our service providers operate. We rely on appropriate safeguards for such transfers where required.

9. Children's privacy

Distribu is a business tool intended for use by adults. We do not knowingly collect personal information from children under 13 (or under 16 where applicable). If you believe a child has provided us with personal information, email privacy@distribu.app and we will delete it.

10. Changes to this policy

We may update this Policy from time to time. If we make material changes, we will notify you by email or by posting a prominent notice in the Service before the change takes effect. The "Last updated" date at the top of this page reflects the most recent revision.

11. Contact

Questions about this Policy? Email privacy@distribu.app or write to us via the contact page.