Catalogian ("we," "us," or "our") operates the Catalogian web application and related services (collectively, the "Service"). This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our Service.
By accessing or using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with our practices, please do not use the Service.
2. Information We Collect
We collect the following categories of information:
Account information: When you register, we collect your name and email address through our authentication provider, Clerk.
Feed configuration data: URLs, connection details, and scheduling preferences you provide for product feed sources.
Processed feed data: Change detection results, delta records, and metadata derived from your product feeds (such as hashes, row-level diffs, and timestamps).
Billing information: Payment details are collected and processed by Stripe. We do not store your full credit card number on our servers.
Usage data: Server logs including IP addresses, request timestamps, and API usage metrics necessary for operating and securing the Service.
3. How We Use Your Information
We use the information we collect to:
Provide, maintain, and improve the Service.
Monitor your configured feed sources for changes on the schedules you define.
Generate change detection reports, delta summaries, and alerts.
Process billing and manage your subscription.
Communicate with you about your account, service updates, or support requests.
Detect, prevent, and address technical issues or abuse.
4. Data Storage and Security
Your data is stored on cloud infrastructure using industry-standard services including PostgreSQL databases, Redis caches, and object storage. All data is encrypted in transit using TLS. We implement reasonable administrative, technical, and physical safeguards to protect your information from unauthorized access, alteration, disclosure, or destruction.
No method of electronic storage or transmission is completely secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.
5. Feed Data and Your Content
When you connect a product feed source, Catalogian retrieves and processes the feed data to detect changes. We store processed results (hashes, diffs, and metadata) to provide the Service. Raw feed content is not retained long-term; it is processed and discarded after change detection is complete.
You retain full ownership of your feed data and the content you provide to the Service. We do not sell, license, or share your feed data with third parties.
6. Third-Party Services
We use the following third-party services that may process your data:
Clerk — Authentication and user management. Clerk processes your email address, name, and authentication credentials. See Clerk's Privacy Policy.
Stripe — Payment processing and subscription management. Stripe processes your billing and payment information. See Stripe's Privacy Policy.
PostHog — Product analytics and session insights. PostHog may process usage events, page views, and feature interaction data. See PostHog's Privacy Policy.
We do not use advertising networks or sell your data to third parties.
7. API Access and MCP Integration
Catalogian offers programmatic access through a REST API and an MCP (Model Context Protocol) server. This section describes how data is handled when you use these interfaces.
API keys: You can generate API keys from your dashboard to access the REST API and MCP server programmatically. API keys are stored only as cryptographically hashed values — we never store them in plaintext. You can revoke any API key at any time from your dashboard.
OAuth 2.0: You can authorize third-party applications (including Claude Desktop) to access your Catalogian data via OAuth 2.0 using the Authorization Code flow with PKCE. When you authorize an application, it receives an access token scoped to the permissions you approved (e.g., catalogian:read, mcp:access). Access tokens expire after 1 hour; refresh tokens expire after 30 days. You can revoke OAuth tokens at any time from your dashboard.
MCP server access: When an AI agent or MCP client calls the Catalogian MCP endpoint, it accesses only: (a) the feed sources associated with your authenticated account, and (b) snapshot data, delta events, and change history for those sources. The MCP server does not access the AI client's conversation history, memory, uploaded files, or any data outside your Catalogian account. Each MCP tool call is individually authenticated and access-logged.
Data collected via API/MCP: We collect only the minimum data needed to fulfill each request: the authenticated user's identity, the specific source(s) queried, and server-side access logs (IP address, timestamp, and tool called). No conversation content or AI-generated content is retained by Catalogian.
Third-party AI clients: When you connect Catalogian to an AI assistant (e.g., Claude Desktop), that assistant may send your feed data to its own AI provider for processing. Catalogian does not control how third-party AI providers handle your data. We recommend reviewing the privacy policy of any AI assistant you connect to the Service.
8. Data Retention
We retain your account information for as long as your account is active. Feed configuration and processed change history are retained for the duration of your subscription. If you delete your account or a specific source, associated data is permanently removed within 30 days.
Server logs and usage metrics are retained for up to 90 days for operational and security purposes.
9. Your Rights
Depending on your jurisdiction, you may have the right to:
Access the personal data we hold about you.
Request correction of inaccurate data.
Request deletion of your data.
Export your data in a portable format.
Object to or restrict certain processing of your data.
To exercise any of these rights, please contact us at the address below. We will respond to your request within 30 days.
10. Contact Us
If you have questions about this Privacy Policy or our data practices, contact us at: