Svora is a small, independent tool built for Square merchants. We take privacy seriously
because we're the kind of people who read privacy policies too.
Here's exactly what we collect, what we don't, and why.
If you sign up for updates on the site or any of the tool pages, we store your email address. We use it only to notify you about new features. You can unsubscribe anytime with one click and your email is deleted on request.
When you connect your Square account, Square issues an access token. This token is used to read and update your catalog on your behalf.
For the Chrome extension: your token is stored in your browser only (chrome.storage.local). It never touches our servers.
For the web app (Importer, Catalog): your token is stored in your session on our server (hosted on Railway in the US) for the duration of your session. It is cleared when you disconnect or your session expires.
We never store your Square token permanently in a database.
If you choose to import item photos from Google Drive, you connect your Google account. We request read-only access to Drive files you explicitly select. Your Google token is stored in your session only and cleared when your session ends. We never store it permanently.
When you upload a CSV, that data is held in your session on our server while you work. You can edit, add rows, delete rows, and export at any time during your session. When your session ends the data is cleared. We do not store your menu data permanently.
Photos you upload for items are processed on our server and pushed to Square, then cleared from our server. We do not store copies of your photos permanently.
Photos you attach to modifier lists in Svora are stored in our database linked to your Square merchant ID. These photos are displayed in Svora only and are never pushed to Square. You can delete them at any time.
We use Square's official OAuth 2.0 API. When you connect, you approve specific permissions directly with Square. You can revoke Svora's access anytime from your Square Dashboard under Connected Apps.
We use Google OAuth for Drive photo imports only. You can revoke access anytime from your Google Account settings under Third-party apps.
Our server runs on Railway, hosted in the United States.
When the Description Writer launches, item names and descriptions will be sent to Google's Gemini API to generate rewrites. No personal data is sent. We will update this policy before that feature goes live.
We do not use any advertising networks, analytics platforms, or data brokers.
Session data (tokens, CSV uploads, photos): cleared when your session ends.
Email addresses: kept until you unsubscribe or request deletion.
Modifier photos: kept until you delete them or request account deletion.
You can:
To request data deletion, use our contact form and select "Data deletion request" from the dropdown.
If we make material changes to this policy we will update the date at the top and notify email subscribers. We will never make changes that reduce your privacy protections without clear notice.
Questions about privacy? Use our contact form.