Privacy Policy

Last updated: March 25, 2026

1. Who We Are

Aphrowuu ACO (“we,” “us,” or “our”) operates the ACO Dashboard web application at aphrowuu.com and the ACODashboard iOS mobile application (collectively, the “Service”). This Privacy Policy explains how we collect, use, and protect your information when you use our Service.

2. Information We Collect

a) Discord Account Data

When you log in via Discord OAuth, we receive and store:

  • Your Discord user ID, username, and avatar
  • Your Discord guild (server) membership and roles

We use the OAuth scopes identify, guilds, and guilds.members.read. We do not request access to your Discord messages, friends list, or ability to act on your behalf.

b) Checkout Data

Checkout records (product name, site, price, quantity, status, timestamp) are created by our automated checkout bots and associated with your Discord user ID. You do not manually submit this data.

c) Email Scraping Data (IMAP)

If you use the email scraper feature via IMAP, you voluntarily provide IMAP credentials (email address, host, port, username, password) to connect to your own email account. We access your email solely to extract order confirmation data (order numbers, products, prices, shipping status) from supported retailers. We do not read, store, or process any other email content.

d) Google Account Data (Gmail OAuth)

If you connect your Google account for real-time email sync, we request the following OAuth scopes:

  • https://www.googleapis.com/auth/gmail.readonly — Read-only access to your Gmail messages
  • email — Your email address for account association

We use Gmail API access exclusively to detect and parse order-related emails from supported retailers (Walmart, Target, Pokemon Center, etc.). We do not read, store, or process any other email content. Your Google OAuth access and refresh tokens are encrypted with AES-256-GCM before storage and are never exposed to other users or third parties.

You may disconnect your Google account at any time from your profile settings, which immediately revokes our access and deletes your stored tokens.

e) Checkout Profiles

If you use the checkout profiles feature, you may store retailer account credentials and payment card information. All sensitive fields (card numbers, CVVs, passwords) are encrypted with AES-256-GCM before storage and are only decrypted when you explicitly export or view them. We do not use this data for any purpose other than displaying it back to you.

f) Contact & Profile Information

You may optionally provide: name, mailing address, phone number, and contact email through your profile settings. Phone numbers are used exclusively for opt-in product drop alerts via call and SMS.

g) Inventory & Invoice Data

Product inventory items, invoices, and related financial data (purchase cost, revenue, profit) that you create within the Service are stored and associated with your account.

h) Device & Usage Data

We collect your device timezone for date-accurate checkout display and push notification tokens for mobile alerts. We do not use third-party analytics SDKs or advertising trackers.

3. How We Use Your Information

  • Authenticate you and verify your membership status
  • Display your checkout history, inventory, invoices, and statistics
  • Connect to your email account via IMAP or Gmail OAuth (when you opt in) to import order data and track fulfillment status in real time
  • Store and display your checkout profiles with encrypted sensitive fields
  • Send phone alerts for product drops (when you opt in and provide a phone number)
  • Send push notifications to your mobile device (when you opt in)
  • Track package shipments via EasyPost (when enabled)
  • Process product images for display purposes using AI background removal
  • Calculate points, leaderboard rankings, and membership status
  • Allow admins to manage the service (member support, release management)

4. Data Storage & Security

Your data is stored in a PostgreSQL database hosted by Supabase with row-level security policies on all tables. We employ multiple layers of encryption:

  • Google OAuth tokens — Encrypted with AES-256-GCM before storage; decrypted only during authorized API calls
  • Checkout profile sensitive fields (card numbers, CVVs, passwords) — Encrypted with AES-256-GCM; decrypted only when you view or export them
  • IMAP credentials — Stored server-side and used only to authenticate with your email provider during sync operations
  • Mobile auth tokens — Stored in the iOS Keychain (secure enclave); refresh tokens are hashed before server-side storage

We use HTTPS for all data transmission. JWT tokens for mobile authentication are signed with HS256 and expire after 7 days. IMAP connections are routed through encrypted SOCKS5 proxies to protect your credentials from interception.

5. Third-Party Services

We share data with the following services only as necessary to operate the Service:

  • Discord API — Authentication, role verification, and optional DM notifications
  • Google APIs (Gmail) — Read-only email access for real-time order sync (when you connect your Google account)
  • Supabase — Database hosting with row-level security
  • Vercel — Web application hosting
  • Airtable — Encrypted checkout profile storage (when checkout profiles feature is enabled)
  • EasyPost — Package tracking (tracking numbers and destination addresses)
  • Twilio — Phone call and SMS alerts (phone numbers of opted-in users only)
  • Replicate — AI-powered product image processing (product images only; no personal data)

We do not sell, rent, or share your personal information with advertisers or data brokers.

6. Data Retention

We retain your data for as long as your account is active. Checkout records are retained indefinitely for historical tracking. If you leave the Discord server (losing your required role), your dashboard access is revoked, but your data remains unless you request deletion. IMAP credentials can be deleted at any time from your profile settings.

7. Google API Limited Use Disclosure

Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We only use Gmail data to detect and parse order-related emails from supported retailers for the purpose of checkout tracking, fulfillment status updates, and order enrichment.
  • We do not use Gmail data for advertising, market research, or any purpose unrelated to the core functionality described above.
  • We do not allow humans to read your email content unless you provide affirmative consent, it is necessary for security purposes, or it is required by law.
  • We do not transfer Gmail data to third parties except as necessary to provide and improve the Service (e.g., extracting tracking numbers for EasyPost registration), with your consent, or as required by law.
  • Google OAuth tokens are encrypted with AES-256-GCM and are never shared with other users or third parties.

8. Your Rights

You may:

  • View and export your data (checkout CSV export, inventory data)
  • Delete your IMAP profiles and stored credentials at any time
  • Disconnect your Google account at any time, which deletes all stored tokens
  • Delete your checkout profiles and all associated encrypted data at any time
  • Update or remove your phone number and contact information
  • Request a complete deletion of your account data by contacting an admin via Discord

9. Data Breach Notification

In the event of a data breach that compromises your personal information, we will notify affected users via Discord DM and/or the Discord server within 72 hours of becoming aware of the breach. The notification will include the nature of the breach, the data affected, and steps you can take to protect yourself.

10. Law Enforcement & Legal Requirements

We may disclose your information if required to do so by law, court order, or legal process, or if we reasonably believe that disclosure is necessary to protect our rights, your safety, or the safety of others.

11. Children's Privacy

The Service is not intended for users under the age of 13. We do not knowingly collect information from children under 13. If we learn that we have collected data from a child under 13, we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated “Last updated” date. Continued use of the Service after changes constitutes acceptance of the revised policy.

13. Contact

For questions about this Privacy Policy or to request data deletion, reach out to an admin in the Aphrowuu ACO Discord server.