Privacy Policy

We built TextileCost inside a real export house and we know what a cost sheet is worth. Your data belongs to you. This document explains exactly what we collect, why, and what you can do with it.

1. Who we are

TextileCost is a cloud costing platform for textile manufacturers and exporters, operated by TextileCost (“TextileCost”, “we”, “us”, or “our”). Our registered contact is hello@textilecost.com.

This Privacy Policy applies to the TextileCost web application (app.textilecost.com), the marketing website (textilecost.com), and any related edge functions and services.

2. Data we collect

2.1 Account and workspace data

When you sign up or accept a team invitation, we collect:

  • Email address and hashed password (stored by Supabase Auth)
  • Company name and workspace slug (e.g., acme-garments.textilecost.com)
  • User role within your workspace (Admin, Merchandiser, Photographer, Pattern Master)
  • Onboarding preferences: base currency, style prefix, costing defaults
  • Workspace branding settings: logo, custom product name

2.2 Business and costing data

The core of the service is the data you enter to cost your styles. This includes:

  • Style numbers, article names, descriptions, seasons, and order quantities
  • Fabric rows: GSM, width, construction, rate per metre/kg, consumption, wastage percentage
  • CMT costs: cutting, stitching, other operations, and quantity-based rates
  • Manufacturing, overhead, and additional cost fields
  • Markup, bill discount, commission, shrinkage, and profit margin percentages
  • Exchange rates and FX buffer percentages at the time of quoting
  • Edit history (which user changed which field, and when)
  • Tags you apply to styles for filtering and organisation

2.3 Uploaded media

  • Style photographs uploaded by your team (stored in Supabase Storage)
  • Pattern files uploaded by pattern masters (stored in Supabase Storage)

2.4 Buyer data

  • Buyer company names, contact email addresses
  • Per-buyer currency preferences, default FOB ports, and default cost assumptions

2.5 Email and communication data

  • Sender name and email address configured for enquiry emails
  • Internal CC email addresses for outgoing enquiry emails
  • Resend API key (stored encrypted; used only to send on your behalf)
  • Custom email domain and DNS verification records
  • Invitation tokens (expire after 7 days)

2.6 Usage and technical data

  • IP addresses and browser/device type (captured by Supabase and Vercel infrastructure)
  • Error logs and edge function invocation logs (retained for up to 7 days by Supabase)
  • Session tokens stored in browser localStorage (cleared on sign-out)

3. How we use your data

We use the data listed above solely to provide and improve the TextileCost service:

  • Authentication and access control: to verify your identity and enforce workspace-level isolation so one company never sees another’s data.
  • Costing calculations: to compute totals, summaries, and currency-converted prices in real time.
  • Document generation: to build buyer-ready PPTs and Excel exports entirely client-side in your browser; no costing data is sent to our servers during generation.
  • Enquiry emails: to send emails to your buyers on your behalf using your configured Resend sender, or our default sender if you have not set one up.
  • Transactional emails: email verification on signup, team invitation emails, and password-reset flows.
  • Backup and export: to let you download a complete ZIP of all your data at any time from the Data Management page.
  • Service improvement: aggregate, anonymised usage patterns (e.g., how many styles a workspace costs per month) may inform product decisions. We never sell individual data.

4. Data sharing with third parties

We do not sell your data. We share data only with the infrastructure providers that make the service work:

| Provider | What they receive | Why |
|---|---|---|
| Supabase (US / EU) | All structured data, uploaded files, auth tokens | Database, storage, and authentication hosting |
| Resend (US) | Recipient email, sender config, email body | Sending transactional and enquiry emails |
| Vercel (US / Edge) | IP address, request headers, static assets | Frontend hosting and CDN delivery |

Each provider is bound by its own data processing agreement and, where applicable, standard contractual clauses for cross-border transfers.

5. Enterprise mode: your data stays with you

If you use the Enterprise plan (Bring Your Own Supabase), your costing data, style photos, pattern files, and all business records are stored exclusively in your own Supabase project. TextileCost servers never receive or touch your business data in this mode. We store only the routing information (your workspace hostname and the URL of your Supabase project) to direct your browser to the correct database.

In Enterprise mode, you are also the data controller for your own Supabase instance. You should review Supabase’s privacy policy and data processing terms as they apply to your self-hosted or cloud instance.

6. Data retention

  • Active workspaces: data is retained for as long as your subscription is active.
  • After cancellation: we retain your data for 30 days after your subscription ends, giving you time to export a backup. After 30 days, workspace data is permanently deleted.
  • Deletion requests: you may request immediate deletion at any time by emailing hello@textilecost.com. We will confirm deletion within 14 business days.
  • Invitation tokens: automatically expire and are purged after 7 days.
  • Edge function logs: retained for 7 days by Supabase infrastructure, then automatically deleted.

7. Your rights

Regardless of where you are located, you have the right to:

  • Access: request a copy of all data we hold about you and your workspace.
  • Export: download a full ZIP backup from the Data Management page at any time, without needing to contact us.
  • Correction: update your account details, costing data, and buyer records directly in the app at any time.
  • Deletion: request deletion of your account and all associated data. Email us at hello@textilecost.com.
  • Portability: the one-click backup export is designed specifically to give you a machine-readable copy of everything.
  • Objection: object to any processing not strictly necessary for service delivery.

If you are in the European Economic Area (EEA), United Kingdom, or another jurisdiction with data protection law, you also have the right to lodge a complaint with your local supervisory authority.

8. Security

  • All data is transmitted over TLS/HTTPS. No plain-text connections.
  • Passwords are hashed by Supabase Auth (bcrypt); we never see or store plain-text passwords.
  • Row-Level Security (RLS) policies on every database table enforce that queries return only data belonging to your company_id. It is architecturally impossible for one workspace to read another’s data.
  • The Supabase service-role key (which bypasses RLS) is never exposed to the browser. All privileged operations go through authenticated edge functions only.
  • Resend API keys you configure are stored encrypted in our database.
  • Storage buckets for photos and pattern files are access-controlled by company path segments; cross-company file access is not permitted.

Despite these measures, no internet service is 100% secure. If you discover a vulnerability, please disclose it responsibly at hello@textilecost.com.

9. Cookies and local storage

TextileCost uses browser localStorage (not tracking cookies) to persist your Supabase session token between page loads. This token is scoped to your workspace subdomain. We do not use advertising cookies, third-party trackers, or analytics pixels on the application.

The marketing website (textilecost.com) may use first-party cookies for session management only. We do not run Google Analytics or any third-party analytics service on the marketing site.

10. Children’s privacy

TextileCost is a professional B2B application for garment manufacturers and exporters. It is not directed at children under 16. We do not knowingly collect data from anyone under 16.

11. Changes to this policy

We will post changes to this page and update the “Last updated” date below. For material changes, we will notify workspace admins by email at least 14 days before the change takes effect. Continued use of the service after the effective date constitutes acceptance.

12. Governing law

This Privacy Policy is governed by the laws of India, including the Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023 (as applicable). For EEA/UK users, we also comply with the General Data Protection Regulation (GDPR) and UK GDPR as they apply to international data transfers.

13. Contact

Questions, data requests, or concerns about this policy: