Legal & Compliance
Effective: May 26, 2026 · Next review: May 26, 2027 · Pythias Technologies, LLC
Pythias Technologies, LLC ("Pythias," "we," "us," or "our") is committed to protecting the personal and business data of our clients, their customers, our employees, and our vendors. This Data Protection Policy establishes the principles, standards, and responsibilities that govern how data is collected, stored, accessed, transmitted, retained, and disposed of across all Pythias systems and operations.
This policy applies to all Pythias employees, contractors, and service accounts that access any system or data controlled by Pythias. It is reviewed and updated at least annually, or whenever a material change in operations or applicable law requires it.
1
This policy covers all personal and business-sensitive data processed by Pythias, including but not limited to:
Client account information (company name, contact details, billing information)
End-customer order data ingested from marketplace integrations (ShipStation, TikTok, Etsy, Kohl's, Walmart, Shopify)
End-customer shipping addresses and fulfillment records
Employee and contractor credentials, contact information, and access logs
API keys, OAuth tokens, and integration credentials stored in environment configuration
Design files, product images, and production assets uploaded by or on behalf of clients
Analytics and behavioral data collected from website visitors
2
All data handled by Pythias is assigned one of the following classification levels, which determines acceptable storage, access, and transmission controls:
Credentials, API keys, OAuth tokens, passwords (hashed), encryption keys, and payment-adjacent data. Must never be logged, transmitted in plaintext, or stored outside of secured environment configuration (.env files outside version control or a secrets manager).
End-customer PII (name, address, email, phone) from order data; client billing details; internal financial records. Accessible only to employees with a documented business need. Must be encrypted at rest and in transit.
Client account information, production analytics, design assets, and operational data. Accessible to Pythias employees and the client who owns the data. Not to be shared externally without authorization.
Marketing content, published blog posts, pricing pages, and other information intentionally made available on pythiastechnologies.com.
3
Pythias collects only the data necessary to deliver its services. We apply the following principles:
Purpose limitation — data is collected for a specific, explicit, and legitimate purpose and not processed in a manner incompatible with that purpose.
Data minimization — we collect only what is necessary for the stated purpose; we do not retain fields we do not use.
Accuracy — we take reasonable steps to keep data accurate and, where inaccurate, to correct or delete it promptly.
Transparency — clients and website visitors are informed of what data is collected and why through our Privacy Policy at /privacy.
4
Role-based access
All Pythias platform accounts are assigned a role (administrator, production, viewer) that determines what data and functionality they can access. Access is granted on a least-privilege basis — users receive only the permissions required for their job function. Administrator access is restricted to named individuals and reviewed quarterly.
Credential management
All user passwords are hashed with bcrypt (minimum cost factor 12) and never stored in plaintext.
API keys and OAuth tokens are stored in environment variables, never hardcoded in source code.
Environment configuration files (.env, .env.local) are excluded from version control via .gitignore and are never committed to any repository.
Integration credentials (e.g., marketplace API keys) are stored per-environment and rotated at least annually, or immediately upon suspected compromise.
Employee offboarding
When an employee or contractor leaves, their platform accounts are disabled within one business day of departure. Any shared credentials they had access to are rotated within five business days.
5
Database — all production data is stored in MongoDB Atlas (cloud-hosted, AWS us-east-1). Atlas enforces encryption at rest (AES-256) and in transit (TLS 1.2+). Database access is restricted by IP allowlist to Pythias server IPs.
File storage — production assets and images are stored in Wasabi S3-compatible object storage. Buckets are configured for server-side encryption. Public-read ACLs are applied only to assets intended for public display.
Application servers — applications run on PM2-managed Node.js clusters. Server access is restricted to authorized personnel via SSH key authentication only.
Backups — MongoDB Atlas automated backups are retained for 7 days. Application code is version-controlled in a private Git repository.
Logging — application logs are stored locally and rotated. Logs must not contain passwords, API keys, or full PII fields (e.g., full credit card numbers). Shipping addresses in logs are acceptable for order tracing purposes.
6
All data transmitted between clients and Pythias services uses HTTPS (TLS 1.2 or higher). HTTP is redirected to HTTPS on all endpoints.
Inter-service communication within the Pythias platform uses authenticated API calls with token-based authorization.
Webhook payloads from third parties (e.g., Google Lead Forms, marketplace order hooks) are validated using shared secrets or signature verification before processing.
Data is never transmitted to third parties outside of documented integrations without written authorization.
7
Pythias uses the following categories of third-party processors. All are governed by their own data processing agreements and privacy policies:
MongoDB Atlas (database hosting) — SOC 2 Type II certified, GDPR-compliant
Wasabi Technologies (object storage) — S3-compatible, encrypted at rest
ShipStation (shipping integration) — order data shared to generate shipping labels
Marketplace APIs (TikTok Shop, Etsy, Kohl's, Walmart, Shopify, Acenda) — order and listing data exchanged per each platform's developer agreement
Google (Analytics GA4, Ads lead forms) — governed by Google's data processing terms
OpenAI (AI text and image generation) — prompts may include design names and product descriptions; no PII is intentionally included in prompts
We do not authorize sub-processors to use client data for their own purposes beyond providing the contracted service.
8
Order data — retained for 3 years to support fulfillment disputes, chargebacks, and marketplace audits, then deleted.
Client account data — retained for the duration of the client relationship plus 1 year after termination, then deleted upon written request or automatically.
Website analytics — session analytics retained for 24 months; Google Analytics data is governed by GA4's retention settings (configured to 14 months).
Contact form and lead data — retained until the inquiry is resolved or the contact opts out, with a maximum of 2 years.
Application logs — rotated on a rolling 30-day basis unless an active incident requires longer retention.
Terminated employee accounts — disabled immediately; personal data removed within 30 days of departure.
Data deletion requests from clients or their end-customers are processed within 30 days of written request to [email protected].
9
What constitutes an incident
A data protection incident includes any confirmed or suspected unauthorized access, disclosure, alteration, or destruction of Restricted or Confidential data — including lost or stolen devices with access to Pythias systems, compromised credentials, or unintended data exposure.
Response steps
Contain — immediately revoke affected credentials, restrict access, or take the affected service offline if necessary.
Assess — determine the scope and nature of data affected within 24 hours.
Notify — inform affected clients within 72 hours of confirmed breach. If end-customer PII was exposed, clients are provided with sufficient detail to fulfill their own notification obligations.
Remediate — address root cause, implement additional controls, and document the incident and resolution.
Review — conduct a post-incident review within 14 days to update controls and prevent recurrence.
Reporting
Any employee or contractor who discovers or suspects a data incident must report it immediately to the company owner. Do not attempt to investigate alone or delay reporting to avoid embarrassment — early reporting minimizes harm.
10
Every person with access to Pythias systems is responsible for:
Using only their own credentials to access systems — never sharing passwords or API keys with others.
Locking or logging out of systems when stepping away from a workstation.
Reporting suspected phishing, malware, or unauthorized access attempts immediately.
Not downloading or copying Confidential or Restricted data to personal devices or unauthorized cloud services.
Following this policy and asking when uncertain — "I wasn't sure" is not a defense for a preventable breach.
Violations of this policy may result in access revocation, termination of contract or employment, and referral to appropriate legal authorities.
11
This policy is reviewed at least annually (next review: May 26, 2027) and updated whenever:
A new data category or integration is added that materially changes our data handling
A significant security incident occurs
Applicable law or a client contract requires changes
The company undergoes a material operational change
The current version of this policy is always available at pythiastechnologies.com/data-protection. Employees and contractors are notified of material changes via email.
12
Questions about this policy, data handling practices, or to submit a data deletion or access request, contact us at:
Pythias Technologies, LLC
21440 Melrose Ave, Southfield, MI 48075
(844) 579-8442
[email protected]
© 2026 Pythias Technologies, LLC · All rights reserved