Privacy Policy
What we collect, what we don't, and how to get it deleted.
Last updated 2026-05-03
1. Data we collect
1.1 Account data
- Your email address (you give it to us to sign in via magic link).
- A Supabase auth user record holding that email, a hashed magic-link nonce, and the timestamp you last signed in.
- No password — we use passwordless email auth.
1.2 Run data
- The eBay storefront URL you submit.
- The tone, audience, listing cap, exclude keywords, markup percentage, and rounding strategy you choose for each run.
- The scraped listing data from the public eBay storefront — titles, descriptions, prices, images, variants. We don't scrape data eBay doesn't make publicly visible.
- The AI-generated rewrites of titles and descriptions.
- The output CSV and processed images, stored on Cloudflare R2 at run completion.
1.3 Payment data
We never see your card number. Stripe handles payment details directly via Stripe Checkout. We store:
- A Stripe customer ID (linking your account to your Stripe-side history).
- The charged amount, currency, and timestamp per run.
- The Stripe payment-intent ID per run, used for refunds + receipts.
1.4 Operational logs
- Per-run event log: phase transitions, durations, error messages, retry counts. Used to surface progress on the run page and diagnose failures.
- Sentry error reports (scrubbed of PII) when something throws.
- Standard server access logs (IP, request path, status code) at Vercel + Modal — retained per those providers' own policies.
We do not use third-party analytics scripts (Google Analytics, Segment, Mixpanel, etc.). No web fingerprinting; no cross-site tracking.
2. Where it lives
- Supabase (US region) — auth records, run rows, event logs, billing metadata.
- Cloudflare R2 (global edge) — output CSVs, processed images, scraper checkpoints.
- Modal (US workers) — transient run execution. No durable storage; intermediate state flushes to R2 / Supabase as the run progresses.
- Anthropic — title and description text is sent to Claude for rewriting. Anthropic's API policy is no-training-on-API-traffic; we rely on that guarantee. Image bytes are not sent to Anthropic.
- Stripe — payment records (their retention).
- Resend — outgoing transactional email; messages and metadata held per their terms.
3. What we share
We don't sell your data, ever. We share it with the sub-processors above only as needed to deliver the service. Specifically:
- eBay listing text goes to Anthropic for AI rewriting.
- Image URLs go to background-removal services (rembg on Modal, run in our own infrastructure — not third-party).
- Email address goes to Resend so we can send you run-complete notifications and receipts.
- Email + amount goes to Stripe for charge processing.
We don't share your data with marketers, advertisers, or aggregators. There's no "anonymized data" feed we sell to anyone.
4. How long we keep it
- Account record: until you delete it.
- Run rows + event logs: 90 days after the run completes, then automatically purged. Earlier on request.
- Output CSV + images on R2: 30 days, then deleted by lifecycle policy. The download link in your run-complete email expires when the file is deleted; re-run if you need it again (re-runs of unchanged stores are quick — we cache scraped data for 7 days).
- Stripe payment records: held by Stripe per their retention (typically 7 years for tax + dispute purposes). We can't delete these on our side — they're not in our database.
- Sentry error events: 90 days, default Sentry retention.
5. Deleting your data
From your dashboard you can:
- Delete an individual run + its outputs immediately.
- Delete your entire account, which cascades to all your runs, CSVs, images, and event logs. Stripe payment history persists per section 4.
If you'd rather email us than click a button, send a deletion request to hello@storeshift.app from your account email — we'll process within 7 business days.
6. Your rights
Depending on where you live (EU, UK, California, etc.), you may have a legal right to:
- Access the data we hold about you.
- Correct it if it's wrong.
- Request deletion (see section 5).
- Object to processing that's based on legitimate interest (anything we do beyond the contract of delivering your conversion).
- Receive a portable copy of your data.
Email us with the request and we'll respond within 30 days. We don't charge for these requests, and we don't require you to log in to make one — your account email is enough proof.
7. Cookies + browser storage
We use the minimum needed to keep you signed in:
- A Supabase session cookie (httpOnly, SameSite=Lax, first-party). Lasts 7 days; refreshed on visit.
- A small bit of localStorage with your preferred tone + audience for the next run, so you don't have to re-pick every time. Cleared when you sign out.
No tracking cookies, no third-party advertising cookies, no fingerprinting.
8. Security
- All traffic is HTTPS. We don't accept HTTP.
- Supabase row-level security restricts each user to their own runs at the database level.
- Service-role keys (which can bypass row-level security) are held only by server processes; never exposed to the browser.
- Modal worker endpoints require a token-pair header; they're not callable directly without it.
- We rotate signing secrets when a contractor's access is revoked, even if the secret hasn't been compromised.
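As an added illustration of the row-level security point above (this is example SQL, not Storeshift's own schema or policies; it assumes a hypothetical `runs` table with a `user_id` column and uses Supabase's `auth.uid()` helper), here is how a per-user restriction is expressed at the database level and how an operator can verify it is in place:

```sql
-- Hypothetical schema: a runs table keyed to the owning auth user.
create table if not exists runs (
  id uuid primary key,
  user_id uuid not null references auth.users(id),
  storefront_url text not null,
  created_at timestamptz not null default now()
);

-- Turn on RLS. With no policies defined, ordinary roles can read nothing.
alter table runs enable row level security;

-- Each authenticated user may read and delete only the rows they own.
create policy "runs_owner_select" on runs
  for select to authenticated
  using (user_id = auth.uid());

create policy "runs_owner_delete" on runs
  for delete to authenticated
  using (user_id = auth.uid());

-- Inserts must stamp the caller as owner; "with check" rejects rows that
-- claim another user_id.
create policy "runs_owner_insert" on runs
  for insert to authenticated
  with check (user_id = auth.uid());

-- Verification queries: confirm RLS is enabled and list the active policies.
select relname, relrowsecurity
  from pg_class
 where relname = 'runs';

select policyname, cmd, qual, with_check
  from pg_policies
 where tablename = 'runs';
```

The service role bypasses these policies entirely, which is why the preceding bullet matters: a policy like this only holds as long as the service-role key never reaches the browser.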
9. Children
Storeshift is a B2B-ish service for resellers running their own businesses. We don't knowingly accept signups from anyone under 18. If we discover an account belongs to a minor, we delete it.
10. Changes to this policy
Material changes — new data collected, new sub-processor, retention extension — get an email to your account address with at least 14 days' notice. Non-material changes (typo fixes) take effect on publication. The "Last updated" date at the top of this page is the canonical version date.
Contact
Privacy questions, data requests, or just curious how the sausage is made: hello@storeshift.app. A real person reads it.