Last updated · 6 May 2026
Privacy Policy
The protection of your personal data is important to us. This policy explains what personal data we collect when you use our service, for which purposes and on what legal basis we process it, with whom we share it, and what rights you have under the EU General Data Protection Regulation (GDPR).
Controller
The controller responsible for processing within the meaning of the GDPR is:
Daniel Kholodov
Bahnhofstraße 4a
82152 Planegg, Germany
Email: support@kholodov.com
Data Protection Officer
We have not appointed a Data Protection Officer because we are not legally required to do so. For data-protection enquiries please use the contact details in section 01.
Data we collect
Account data. Email address and Firebase authentication identifier when you sign in with Google. We process this data to provide your user account.
Sign-in via Google (Firebase Authentication). When you sign in via “Sign in with Google”, data is exchanged between your browser and Google. Google transmits your verified email address and a unique user identifier to us. We do not receive access to your Google password. Use of this sign-in method is voluntary; an alternative sign-in method is not currently offered.
eBay connection data. An encrypted OAuth access and refresh token for your eBay seller account, your eBay seller username, and the eBay marketplace identifiers you enable. Tokens are stored AES-256-GCM-encrypted at rest.
Listing & offer data. A mirror of the listings on the marketplaces you enable (title, price, image URL, identifiers) and a record of every offer we send on your behalf (buyer eBay username, listing identifier, discount, status, timestamps). This data originates from eBay’s public APIs.
Billing data. A Stripe customer identifier, a Stripe payment-method reference (token), account status and a ledger of monthly settlement amounts (offers closed, net revenue, fee charged). We do not store full payment-card details. Those live with Stripe.
Server & log data. When you access our service, technically required data is transmitted to our hosting provider: IP address, date and time of access, requested resource, transferred data volume, HTTP status code, referer URL, browser and operating system information. This data is held in the hoster’s server logs for at most 30 days and then deleted or anonymised.
Operational logs. Worker job logs (with PII redaction applied), error reports including stack traces and the URL/route at which an error occurred, and basic request metadata. We do not run web analytics or marketing trackers.
Purposes & legal bases
We process the data above for the following purposes:
- Providing the service. Running your account, sending offers, processing payments. Legal basis: performance of a contract (Art. 6 (1) (b) GDPR).
- Operating & securing the service. Error monitoring, fraud and abuse prevention, ensuring API integrations behave correctly. Legal basis: legitimate interest (Art. 6 (1) (f) GDPR) in keeping the service available, secure, and reliable.
- Compliance with legal obligations. Tax records and invoicing where required by law. Legal basis: legal obligation (Art. 6 (1) (c) GDPR).
- Compliance with third-party platform requirements. Handling the eBay-mandated marketplace-account-deletion webhook to maintain the platform integration. Legal basis: legitimate interest (Art. 6 (1) (f) GDPR).
Recipients (processors and other recipients)
Processors. The following providers process personal data on our behalf and only on our instructions:
- Google Ireland Ltd. / Google LLC. Firebase Authentication, Firebase Data Connect (managed PostgreSQL on Cloud SQL), Cloud Run, Cloud Logging, App Hosting. Data is stored in the EU region europe-west4 (Netherlands). Contractual basis: GDPR-compliant Data Processing Addendum and EU Standard Contractual Clauses for transfers to Google LLC (USA).
- Functional Software, Inc. (Sentry). Error monitoring. Receives stack traces and request context when something goes wrong. Transfers to the United States are made on the basis of the EU-US Data Privacy Framework adequacy decision; Standard Contractual Clauses apply as a back-stop.
We have entered into Data Processing Agreements with the above processors pursuant to Art. 28 GDPR.
Independent recipients. The following third parties receive data as separate controllers within the meaning of Art. 4 (7) GDPR:
- Stripe Payments Europe, Ltd. (Ireland), for payment processing. Stripe processes full payment- and card-detail data as its own controller; we receive only a customer ID, payment-method reference and billing status. Transfer on the basis of Art. 6 (1) (b) GDPR (contract performance).
- eBay Inc. / eBay GmbH as the upstream source of listing and watcher data. Based on the OAuth token you authorise via eBay’s consent flow we call their APIs on your behalf until you disconnect. eBay processes marketplace data as its own controller. Transfer on the basis of Art. 6 (1) (b) GDPR.
International transfers
Application data sits in EU data centres (Netherlands, europe-west4). Some recipients may transfer data to the United States. Where the recipient is certified under the EU-US Data Privacy Framework (currently Google LLC and Functional Software, Inc.) the transfer is made on the basis of the European Commission’s adequacy decision. Otherwise we conclude EU Standard Contractual Clauses with the relevant recipients.
Retention
Account & eBay connection data. Kept for as long as your account is active. Connection data is deleted when you disconnect eBay; all data is deleted when you delete your account.
Offer history. Retained for as long as your account is active, across all plans. Buyer-identifying fields are auto-anonymised 30 days after an offer is matched to an order.
Billing records. Stripe retains payment data per its own retention policy. Invoice records that we are required to keep for German tax purposes (typically up to 10 years per §147 AO) are kept for the legally mandated period even after account deletion.
Server & log data. Hoster server logs are retained for at most 30 days. Sentry error reports and traces are retained for 30 to 90 days depending on event type and our current Sentry plan.
Your rights as a data subject
You have the following rights with respect to your personal data:
- Right of access (Art. 15 GDPR),
- Right to rectification of inaccurate data (Art. 16 GDPR),
- Right to erasure (Art. 17 GDPR); you can also exercise this right directly in the application under Settings → Delete account,
- Right to restriction of processing (Art. 18 GDPR),
- Right to data portability (Art. 20 GDPR),
- Right to object to processing based on legitimate interest (Art. 21 GDPR),
- Right to withdraw consent with effect for the future (Art. 7 (3) GDPR).
To exercise these rights an informal email to support@kholodov.com is sufficient. You also have the right to lodge a complaint with a data-protection supervisory authority (Art. 77 GDPR). You may contact the supervisory authority of your habitual residence, your place of work, or the place of the alleged infringement. The authority competent for us is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach, Germany
Phone: +49 (0) 981 180093-0
Email: poststelle@lda.bayern.de
Cookies and similar technologies
We use only strictly necessary cookies and similar storage mechanisms (e.g. localStorage and IndexedDB used by Firebase Authentication) that are required to operate the service and keep you signed in. Storage is on the basis of §25 (2) no. 2 TDDDG; consent is not required. We do not run Google Analytics, Meta Pixel, or any third-party advertising or tracking scripts.
Data security
eBay OAuth tokens are encrypted with AES-256-GCM before being written to the database. Transport is HTTPS-only. Database access is restricted to the application service account. Tenant isolation is enforced both in queries (every read and write is keyed on the authenticated user’s identifier) and at the application layer.
Marketplace account deletion
We comply with eBay’s Marketplace Account Deletion / Closure Notification Workflow. Once eBay notifies us that an account has been deleted, we cascade-delete all data associated with that account from our systems, including tokens, listings, offer history and billing records. This processing serves both our obligations under the eBay Developer Program and the right to erasure under Art. 17 GDPR.
Automated decision-making
No automated decision-making within the meaning of Art. 22 GDPR, including profiling, takes place. The automated sending of offers is performed solely on the basis of rules you configure and produces no legal effect concerning you and does not similarly significantly affect you.
Changes to this policy
We may update this policy as the product evolves or as legal requirements change. The effective date at the top of the page tracks the latest revision. Material changes will be posted in the dashboard at least 30 days in advance.