Privacy Policy

Effective: March 19, 2026

1. What We Collect

  • Account data: Your email address and encrypted password hash (managed by Supabase Auth).
  • OAuth tokens: Access and refresh tokens for connected platforms (Shopify, eBay, Etsy). All tokens are stored AES-256-GCM encrypted at rest and are never logged or exposed client-side.
  • Sync activity: Logs of sync events including listing title, source/target platform, status, and latency. Used to power your activity dashboard.
  • Billing data: Managed entirely by Stripe. We store only a Stripe customer ID and subscription status. We never see or store full card numbers.
  • Notification preferences: Your email alert settings.

2. How We Use Your Data

  • To deliver the sync service (detect sales, delist listings).
  • To send transactional emails: welcome, sync failure alerts, no-match alerts, and optional weekly digests.
  • To process billing through Stripe.
  • To display your activity history in the dashboard.

We do not use your data for advertising. We do not sell your data to third parties.

3. Third-Party Services

  • Supabase — database and authentication hosting.
  • Stripe — payment processing.
  • Upstash QStash — async job queuing for sync processing.
  • Resend — transactional email delivery.
  • Vercel — application hosting.

Each of these services has its own privacy policy. We only share data with them as required to operate the Service.

4. Data Retention

Sync logs are retained for 90 days. OAuth tokens are deleted when you disconnect a platform or close your account. Account data is deleted within 30 days of account closure.

5. eBay Account Deletion

We comply with eBay's GDPR-aligned account deletion requirement. If you delete your eBay account, eBay will notify us and we will remove all associated connection data within 30 days.

6. Your Rights

You may request a copy of your data, correction, or deletion by emailing privacy@soldsync.app. You may also delete your account at any time by contacting support.

7. Cookies

We use session cookies required for authentication. We do not use tracking or advertising cookies.

8. Security

OAuth tokens are encrypted with AES-256-GCM before storage. Database access is protected by Row Level Security (RLS) — each user can only access their own data. All connections use TLS.

9. Changes

We will notify you of material changes to this policy by email or in-app notice.