Privacy Policy

The controller responsible for processing is:

Account data. Email address and Firebase authentication identifier when you sign in with Google.

eBay connection data.An encrypted OAuth access & refresh token for your eBay seller account, your eBay seller username, and the eBay marketplace identifiers you enable. Tokens are stored AES-256-GCM-encrypted at rest.

Listing & offer data.A mirror of the listings on the marketplaces you enable (title, price, image URL, identifiers) and a record of every offer we send on your behalf (buyer eBay username, listing identifier, discount, status, timestamps). This data originates from eBay’s public APIs.

Subscription data. A Stripe customer identifier, subscription status, plan tier and billing cycle dates. We do not store payment-card details. Those live with Stripe.

Operational logs. Worker job logs (with PII redaction applied), error reports including stack traces and the URL/route at which an error occurred, and basic request metadata. We do not run web analytics or marketing trackers.

We process the data above for the following purposes:

• Providing the service. Running your account, sending offers, processing payments. Legal basis: performance of a contract (Art. 6 (1) (b) GDPR).
• Operating & securing the service. Error monitoring, fraud and abuse prevention, ensuring API integrations behave correctly. Legal basis: legitimate interest (Art. 6 (1) (f) GDPR) in keeping the service available, secure, and reliable.
• Legal & contractual compliance. Tax records and invoicing, where we have a legal obligation (Art. 6 (1) (c) GDPR), and eBay-mandated marketplace- account-deletion webhook handling, which is covered by our legitimate interest in maintaining the platform integration (Art. 6 (1) (f) GDPR).

We use the following sub-processors:

• Google Ireland Ltd. / Google LLC. Firebase Authentication, Firebase Data Connect (managed PostgreSQL on Cloud SQL), Cloud Run, Cloud Logging, App Hosting. Data is stored in the EU region europe-west4 (Netherlands). Contractual basis: GDPR-compliant Data Processing Addendum and EU SCCs where applicable.
• Stripe Payments Europe, Ltd. (Ireland). Subscription billing and payment processing. Stripe is the controller for full card data; we receive only a customer ID and subscription state.
• eBay Inc. / eBay GmbH.The upstream source of listing and watcher data. We hold an OAuth token you authorised via eBay’s consent flow and may call their APIs on your behalf until you disconnect.
• Functional Software, Inc. (Sentry). Error monitoring. Receives stack traces and request context when something goes wrong. Transfers outside the EU are covered by EU Standard Contractual Clauses.

Application data sits in EU data centres (Netherlands, europe-west4). Some processors (Stripe, Sentry, parts of Google) may transfer data to the United States or other third countries. Such transfers are protected by the EU Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework adequacy decision.

Account & eBay connection data. Kept for as long as your account is active. Deleted when you disconnect eBay (connection data) or delete your account (everything).

Offer history. Retained according to your plan tier: 30 days on Starter, 90 days on Growth, unlimited on Scale and above. Older records are pruned by a scheduled worker.

Billing records. Stripe retains payment data per its own retention policy. Invoice records that we are required to keep for German tax purposes (typically up to 10 years per §147 AO) are kept for the legally mandated period even after account deletion.

Operational logs. Cloud Logging retains worker stdout for 30 days. Sentry error reports and traces are retained for 30 to 90 days depending on event type and our current Sentry plan.

Under the GDPR you have the right to:

• Access your personal data (Art. 15)
• Rectify inaccurate data (Art. 16)
• Erase your data (Art. 17), available in-app at Settings → Delete account
• Restrict processing (Art. 18)
• Receive your data in a portable format (Art. 20)
• Object to processing based on legitimate interest (Art. 21)
• Withdraw any consent given (Art. 7 (3))

To exercise these rights, email support@kholodov.com. You also have the right to lodge a complaint with a supervisory authority. The competent authority for our location is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany.

We use a single first-party session cookie strictly necessary for keeping you signed in. We do not run Google Analytics, Meta Pixel, or any third-party advertising or tracking scripts. No cookie banner is required for strictly necessary cookies under §25 (2) TDDDG.

eBay OAuth tokens are encrypted with AES-256-GCM before being written to the database. Transport is HTTPS-only. Database access is restricted to the application service account. Tenant isolation is enforced both in queries (every read and write is keyed on the authenticated user’s identifier) and at the application layer.

We comply with eBay’s Marketplace Account Deletion / Closure Notification Workflow. When eBay notifies us that an account has been deleted, we cascade-delete all data associated with that account from our systems, including tokens, listings, offer history and subscription records.

We may update this policy as the product evolves or as legal requirements change. The effective date at the top of the page tracks the latest revision. Material changes will be posted in the dashboard at least 30 days in advance.