Last updated: July 12, 2026
1. Who We Are
Hortibase ("we", "us", or "our") operates the Hortibase websites, business platform, APIs, and related services (collectively, the "Service").
For the purposes of applicable data protection law, including the EU General Data Protection Regulation ("GDPR"), Hortibase is the controller of personal data processed through the Service, unless stated otherwise.
Questions about this policy or your data rights: [email protected]. You can also reach us through the Contact page.
2. Scope
This Privacy Policy applies to personal data we process when you:
- visit the public website at hortibase.com;
- create or use an account on the business platform at app.hortibase.com;
- contact us by email or through support channels;
- use APIs, integrations, or other Hortibase services that reference this policy.
This policy does not apply to third-party websites, services, or platforms that you connect to Hortibase or reach through links on the Service. Those services are governed by their own privacy policies.
3. Personal Data We Collect
The data we collect depends on how you use the Service.
3.1 Account and profile information
If you register for or use the Platform, we may collect:
- name and email address;
- password (stored in hashed form, never in plain text);
- account and organization details, such as company name, account type, country, and workspace settings;
- role, permissions, and team membership information;
- optional security settings, such as two-factor authentication configuration;
- login and account activity metadata, such as last login time.
3.2 Business and product data you submit
If you manage brands, products, documents, integrations, or other catalog content, we process the information you submit to provide the Service. Some of this information may relate to identifiable individuals (for example, contact details in organization records or support communications). You are responsible for ensuring you have a lawful basis to provide that information to us.
3.3 Communications
If you contact us, we process the information you provide, such as your name, email address, company, message content, and any attachments or context needed to respond.
3.4 Technical and usage data
When you use the Service, we may automatically collect:
- IP address and approximate location derived from it;
- browser type, device information, operating system, and language preferences;
- pages viewed, actions taken, timestamps, and referral URLs;
- session identifiers, authentication tokens, and security logs;
- API request metadata and integration activity where applicable.
3.5 Cookies and similar technologies
We use cookies and similar technologies to operate the Service, keep you signed in, remember preferences such as locale, protect against abuse, and maintain session state. See Section 10 for more detail.
3.6 Public site tools
Certain calculators and tools on the Public Site run locally in your browser. As stated on those pages, input data for those tools is not sent to our servers unless a specific feature clearly says otherwise.
3.7 Data we do not sell
We do not sell your personal data. We also do not use personal data for third-party advertising profiles.
4. How We Use Personal Data
We use personal data to:
- provide, operate, maintain, and improve the Service;
- create and manage accounts, workspaces, and team access;
- authenticate users, enforce security controls, and prevent fraud or abuse;
- process subscriptions, billing, and support requests;
- send transactional messages, such as verification emails, invitations, password resets, and service notifications;
- sync and deliver product data through integrations and APIs you enable;
- monitor performance, diagnose errors, and protect the integrity of the Service;
- comply with legal obligations and enforce our Terms of Service;
- respond to inquiries and communicate with you about the Service.
5. Legal Bases for Processing
Where GDPR applies, we rely on one or more of the following legal bases:
- Contract: processing necessary to provide the Service you request, manage your account, or perform our agreement with you.
- Legitimate interests: operating, securing, and improving the Service, preventing abuse, and communicating about relevant account activity, where those interests are not overridden by your rights.
- Consent: where required, such as for optional communications or non-essential cookies, when we ask for it separately.
- Legal obligation: where we must retain or disclose data to comply with applicable law.
6. How We Share Personal Data
We may share personal data with:
- Service providers and processors that help us run the Service, such as hosting providers, cloud storage, email delivery, error monitoring, database, search, queue, and infrastructure vendors. These providers may process data only on our instructions and subject to appropriate safeguards.
- Integration partners you connect to your account, such as e-commerce platforms or ERP systems, when you choose to sync data.
- Professional advisers, such as lawyers or accountants, where reasonably necessary.
- Authorities or third parties when required by law, court order, or to protect rights, safety, and security.
- Business transferees in connection with a merger, acquisition, financing, or sale of assets, subject to appropriate confidentiality protections.
We may also publish or display business and product information you submit where that content is intended to be public on the Public Site or shared with authorized users of the Platform.
7. International Transfers
Hortibase is a European project and we aim to process personal data in the European Economic Area ("EEA") or other jurisdictions with adequate protections where possible.
If personal data is transferred outside the EEA, we use appropriate safeguards required by applicable law, such as Standard Contractual Clauses or equivalent mechanisms, unless a valid derogation applies.
8. Data Retention
We retain personal data only for as long as necessary for the purposes described in this policy, unless a longer period is required or permitted by law.
In general:
- account and workspace data is kept while your account is active and for a reasonable period afterward;
- support communications are retained as needed to resolve requests and maintain records;
- security, audit, and billing records may be kept longer where required for compliance, dispute resolution, or fraud prevention;
- backups may persist for a limited period after deletion from active systems.
When data is no longer needed, we delete or anonymize it where feasible.
9. Security
We apply technical and organizational measures designed to protect personal data, including access controls, encryption in transit, encryption for sensitive data at rest where appropriate, and monitoring for unauthorized activity.
No online service can guarantee absolute security. You are responsible for safeguarding your credentials and configuring team access appropriately.
10. Cookies and Similar Technologies
We use cookies and similar technologies for purposes such as:
- keeping you signed in;
- maintaining session and security state, including CSRF protection;
- remembering preferences such as language or locale;
- supporting product comparison and other visitor features on the Public Site;
- measuring reliability and diagnosing errors.
You can control cookies through your browser settings. Disabling essential cookies may prevent parts of the Service from working correctly.
If we introduce non-essential analytics or marketing cookies in the future, we will update this policy and, where required, request consent before using them.
11. Your Rights
Depending on your location, you may have the right to:
- access the personal data we hold about you;
- request correction of inaccurate data;
- request deletion of personal data, subject to legal exceptions;
- request restriction of processing in certain circumstances;
- object to processing based on legitimate interests;
- receive a portable copy of data you provided, where applicable;
- withdraw consent at any time, where processing is based on consent;
- lodge a complaint with your local supervisory authority.
To exercise these rights, contact [email protected]. We may need to verify your identity before responding.
If you are in the EU, you can find your supervisory authority at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
12. Marketing Communications
We may send service-related messages about your account, security, billing, or material changes to the Service. These are part of operating the Service and are not promotional in nature.
If we send optional marketing communications, you will be able to opt out using the instructions in the message or by contacting us.
13. Children
The Service is not directed to children under 18, and we do not knowingly collect personal data from them. If you believe a child has provided personal data to us, contact us and we will take appropriate steps to delete it.
14. Automated Decision-Making
We do not use personal data to make solely automated decisions that produce legal or similarly significant effects on you, unless we clearly disclose otherwise and provide the rights required by law.
Some product or data-quality features may use automated processing to organize, validate, or suggest content, but these do not replace human review where verification or approval is required by the Service.
15. Changes to This Policy
We may update this Privacy Policy from time to time. If changes are material, we will provide notice by posting the updated policy on the Service and updating the "Last updated" date, or by other reasonable means such as email for registered users where appropriate.
Continued use of the Service after the effective date of an updated policy constitutes acknowledgment of the update, except where applicable law requires explicit consent.
16. Contact
Privacy and data protection inquiries: [email protected]
Sales: [email protected]
Related documents: Terms of Service and Data Principles.