
Privacy Policy

Effective Date: May 15, 2026 · Last Updated: May 27, 2026

SellerAide ("we," "us," or "our") operates the website at selleraide.com and the SellerAide browser extension distributed through the Chrome Web Store (together, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Service.

SellerAide is not affiliated with, endorsed by, or sponsored by Amazon.com, Inc., eBay Inc., Etsy, Inc., Walmart Inc., or Shopify Inc. References to those companies in this policy describe the integrations and data flows that may exist when you choose to connect your account with them.

1. Information We Collect

1.1 Account Information

When you create an account, we collect your email address and a password (which we never store in plaintext — only a salted, hashed representation is stored by Supabase Auth). You may optionally provide a display name or business name. We also generate and store a unique user identifier for each account.

1.2 Subscription & Billing Information

Subscription billing is processed by Stripe. We never see or store your full payment card number or CVC. Stripe provides us with a payment-method token, the card type, the last four digits, the expiration date, and the billing address you provided to Stripe, which we use for receipts, fraud prevention, and tax compliance. Stripe additionally stores billing history, invoices, and tax documents on our behalf for record-keeping and accounting.

1.3 Listing & Conversation Data

When you use our AI listing generator, we store your conversation history, product descriptions, generated listings, A+ Content modules, Brand Story carousels, keyword sets, item specifics, validation results, and the quality scores we compute. If you submit a public listing audit without signing in, we may process the listing content you submit to generate audit results without associating that audit with an account, unless you later sign in and choose to save or continue from that audit.

1.4 Brand Assets & Images

If you use the Brand Dashboard, we store the brand metadata you provide (brand name, tagline, mission, voice profile, signature phrases, banned words, brand story) and the visual assets you upload or generate (logos and logo variants, lifestyle photos, packaging photos, infographic source files, mood-board images, and AI-generated mockups). Brand assets are stored in a dedicated Supabase Storage bucket with public, hard-to-guess URLs. Listing images you upload or paste are stored in a separate Supabase Storage bucket. We do not publicly display, redistribute, or use your brand assets for marketing without your explicit written permission.

1.5 Marketplace Integration Data

If you connect an external marketplace account (eBay, Etsy, or — once we have launched the integration — Amazon), we store the data described in the dedicated marketplace sections below (Sections 6, 7, and 8). This typically includes a stable seller/user identifier, a shop or store name, the OAuth scopes you granted, and encrypted OAuth access and refresh tokens. Tokens are encrypted at rest using AES-256-GCM with a key managed in our hosting environment, not in the database itself.

1.6 Browser Extension Data

The SellerAide Chrome extension can read content from Amazon, eBay, and Etsy pages while you are on them, only in response to explicit action you take. For Amazon and eBay product pages, this content is sent to the audit flow and processed transiently. For Etsy seller dashboards (Shop Manager, Orders, and Listings pages), the extension can collect order summaries, listing data, shop statistics, and the underlying HTML snippets for the views you have open. See Section 9 for full extension details, including the third-party data considerations that apply when a seller dashboard contains information about that seller's own customers.

1.7 Pallet Manifest & Inventory Data

If you use the Pallet Manifest tools, we store the manifests you upload (CSV / spreadsheet files containing retailer SKUs, prices, manifest IDs, condition codes, and line items from liquidation lots such as B-Stock, Costco lot manifests, and similar sources) and the derived line items. This data is treated as commercially sensitive and is scoped to your account by row-level security.

1.8 Usage & Analytics Data

We automatically collect usage data including pages visited, features used, listing counts, browser type, device information, IP address, and referring URLs through Google Analytics 4 (GA4) and the Meta Pixel. We also record usage events in our own database for the purposes of enforcing plan limits and rate limits and generating product analytics (e.g., counting listings generated, audits run, AI invocations consumed).

1.9 Feedback Submissions

If you submit feedback via the in-product feedback form, we store the message you wrote, the page URL you were on, and (if you are signed in) your user identifier. Submissions are emailed to our support address through our transactional email provider (Resend).

2. How We Use Your Information

  • Service Delivery: To operate your account, run listing audits, generate listings, store listings and brand information, manage subscriptions, and provide customer support.
  • AI Processing: To send content you provide for AI features (chat-based listing generation, single-shot generation, audit rewrites, AI optimization, brand discovery interviews, AI logo variants, and AI mockups) to the AI providers listed in Section 4. See Section 4 for the full picture of how we use AI providers.
  • Analytics: To understand usage patterns, measure feature performance, and improve the Service.
  • Marketing: To deliver relevant advertising via Meta Pixel, measure ad performance via Google Analytics, and (with your consent) send product updates by email.
  • Affiliate Attribution: If you arrive through an affiliate link, we use Rewardful to attribute your signup or subscription to the referring affiliate for commission payouts.
  • Security & Abuse Prevention: To detect and prevent fraud, abuse, scraping, unauthorized access, and Service degradation. We use Upstash Redis to enforce IP-based and account-based rate limits.
  • Compliance: To comply with applicable laws and respond to lawful requests from authorities.

3. Sub-processors & Third-Party Services

We use the following sub-processors to operate the Service. Each is contractually bound to protect data they process on our behalf. A consolidated list with regions and security attestations is maintained at selleraide.com/subprocessors.

  • Vercel, Inc. (United States) — Application hosting, edge network, and content delivery for the website.
  • Supabase, Inc. (United States, AWS US East) — Authentication, Postgres database, file storage for brand assets and listing images, and database backups.
  • Stripe, Inc. (United States) — Payment processing, subscription management, invoicing, and tax compliance.
  • Google LLC — Gemini API (United States) — AI-powered listing generation, rewriting, optimization, and AI image generation (logo variants, mockups). Processed under the Google Cloud / Vertex AI commercial API terms with no training on customer data.
  • Anthropic PBC — Claude API (United States) — Alternative AI provider for listing generation and rewriting. Processed under Anthropic's Commercial Terms of Service with no training on customer data.
  • Upstash, Inc. (United States) — Redis-based rate limiting; stores IP addresses and user identifiers in short-lived windows.
  • Resend, Inc. (United States) — Transactional email delivery (account emails, feedback handoffs).
  • Google LLC — Google Analytics 4 (United States) — Website analytics and usage tracking.
  • Meta Platforms, Inc. — Meta Pixel (United States) — Advertising conversion tracking and audience building for Facebook and Instagram ads.
  • Rewardful, Inc. (Canada / United States) — Affiliate-program click tracking and attribution.
  • eBay Inc. — Developer API (United States, optional) — When you connect your eBay seller account. See Section 6.
  • Etsy, Inc. — Open API v3 (United States, optional) — When you connect your Etsy seller account. See Section 7.
  • Amazon Services LLC — Selling Partner API (SP-API) (United States, optional, when available) — When you connect your Amazon seller account. See Section 8.

We will notify you and update the list at selleraide.com/subprocessors before adding a new sub-processor that materially changes how your data is processed.

4. Generative AI & How We Use AI Providers

Many of the most useful parts of the Service are powered by large language models and image-generation models operated by third parties. We are explicit about this so you can make informed decisions about what you submit.

  • Which providers we use: By default, we use the Google Gemini API. Anthropic's Claude API is used as an alternative AI provider for certain features. We use Gemini 2.5 Flash Image for AI logo variants and AI mockups. We do not use consumer-grade chat products; we only use the providers' paid commercial API tiers.
  • What is sent: When you use an AI feature, the content required for that feature is sent to the relevant provider — typically your product descriptions, the conversation history of your current chat, the listing fields you are auditing or rewriting, brand voice samples and brand assets (including logo images for AI image generation), and (where applicable) website text the AI is asked to analyze.
  • What is not sent: Your password (we never have it), payment card information, OAuth tokens, the contents of other users' accounts, or buyer data collected via marketplace integrations.
  • No training on your data: Both Google (under the paid Gemini/Vertex AI commercial terms) and Anthropic (under their Commercial Terms of Service) commit that inputs and outputs from their paid APIs are not used to train their models. We do not ourselves use your content to train AI models.
  • No cross-customer aggregation: Each AI request is processed for the authenticated user that initiated it. We do not combine one customer's data with another customer's data to produce a result, and we do not build derivative datasets (training corpora, prompt libraries indexed on customer data, etc.) from your content.
  • Output is "as is": AI output can be wrong, incomplete, or unsuitable for your specific use. You are solely responsible for reviewing it before you publish anything to a marketplace. See the Terms of Service for the full disclaimer.

5. eBay Marketplace Account Connection

SellerAide offers an optional integration that allows you to connect your eBay seller account and send AI-generated listings directly to your eBay drafts. This integration uses eBay's official OAuth 2.0 authorization flow and developer APIs.

  • What we access: When you authorize the connection, we receive permission to create and manage inventory items and offers (draft listings) on your eBay account. We do not access your eBay order history, buyer information, payment details, or any data beyond what is necessary to create listings.
  • What we store: Your eBay User ID and encrypted OAuth tokens (access token and refresh token). Tokens are encrypted at rest using AES-256-GCM.
  • How we use it: OAuth tokens are used solely to create draft listings on your behalf via the eBay API. We do not use your eBay credentials for any other purpose.
  • Token expiry: Access tokens expire after approximately 2 hours and are refreshed automatically. Refresh tokens expire after approximately 18 months and will require you to reconnect.
  • How to disconnect: You can revoke eBay access at any time from your SellerAide account settings. Upon disconnection, we permanently delete your stored eBay tokens within 30 days. You may also revoke access directly from your eBay account under Account Settings → Third-Party Authorizations.
  • eBay account deletion: If you close your eBay account or eBay notifies us that you have revoked access, we will delete all associated tokens and connection data from our systems within 30 days.

6. Etsy Marketplace Account Connection

SellerAide offers an optional integration that allows you to connect your Etsy seller account and send AI-generated listings directly to your Etsy shop as drafts. This integration uses Etsy's official OAuth 2.0 authorization flow with PKCE and Etsy's Open API v3.

  • What we access via the API: When you authorize the connection, we receive permission to read your shop information, look up your shipping and return policies, search Etsy's public listing taxonomy, and create draft listings (with images) on your shop. We do not access your Etsy order history, buyer information, payment details, or messages via the API.
  • What we store: Your Etsy User ID, Shop ID, Shop Name, granted OAuth scopes, and encrypted OAuth tokens (access token and refresh token). Tokens are encrypted at rest using AES-256-GCM.
  • How we use it: OAuth tokens are used solely to create draft listings on your behalf via the Etsy API. Drafts are created in the "draft" state — you must manually activate them on Etsy to make them live.
  • Token expiry: Access tokens expire after approximately 1 hour and are refreshed automatically. Refresh tokens expire after approximately 90 days and will require you to reconnect.
  • How to disconnect: You can revoke Etsy access at any time from your SellerAide account settings. Upon disconnection, we permanently delete your stored Etsy tokens within 30 days. You may also revoke access directly from your Etsy account under Account Settings → Allowed Apps.
  • Etsy account deletion: If you close your Etsy account or Etsy notifies us that you have revoked access, we will delete all associated tokens and connection data within 30 days.
  • No data resale: We do not sell, rent, or share data retrieved via the Etsy API with any third party other than the sub-processors listed in Section 3.
  • Etsy seller-dashboard scraping via the extension: The browser extension can additionally read information from your own Etsy seller dashboard pages. See Section 9 for full disclosure, including how we handle third-party buyer information that may appear on those pages.

7. Amazon Marketplace Account Connection

SellerAide is preparing an optional integration that will allow you to connect your Amazon seller account and import your existing catalog and listings for audit, optimization, and republishing. The integration will use Amazon's official Selling Partner API (SP-API) and Amazon's Login With Amazon (LWA) OAuth flow.

  • Status: Until we publicly announce the launch of this integration in the Service, we do not have any direct connection to Amazon's servers. The Service's current Amazon functionality consists of (a) AI generation of listing content the seller will manually publish to Amazon, and (b) the browser extension's ability to read public Amazon product pages while you are on them.
  • What we will access: Once launched, after you authorize the connection we will use the Catalog Items API, the Listings Items API, the A+ Content Management API, the Product Pricing API, and the Brand Analytics surface of the Reports API to read your existing listings, listing issues, competitive pricing and Featured Offer eligibility data, and Search Query Performance metrics for brand-registered ASINs. With your action, we write updates back via the Listings Items API only — pricing and Brand Analytics data are read-only. We will not request access to buyer information, orders, payment data, financial reports, or fulfillment data.
  • What we will store: The Amazon Selling Partner ID for the seller account you connect, the marketplaces you authorized, the LWA refresh token (encrypted at rest using AES-256-GCM), and cached copies of the data we have retrieved for your account: listing content and catalog enrichment data (up to 18 months), listing issues feed (refreshed on demand), A+ Content modules (24-hour cache), Search Query Performance metrics (7-day cache), and competitive pricing snapshots (7-day cache, used for trend visualization).
  • Pricing data positioning: SellerAide uses Product Pricing API data to surface Amazon's Featured Offer eligibility status and reason codes as diagnostic context. SellerAide does not perform automated repricing — the seller reviews diagnostic information in the UI and decides whether to adjust their offer.
  • Use limitation: Information accessed via SP-API will be used solely to provide listing optimization and analytics to the authorized seller from whom the data was obtained. We will not use it to provide advertising, to benefit any other seller, or to train AI models on cross-seller data.
  • Data segregation: Each seller's Amazon data is logically segregated by user identifier; row-level security policies in our database prevent cross-seller access. Access by SellerAide personnel is limited to backend operations and is logged.
  • Encryption: All data is encrypted in transit (TLS 1.2 or higher) and at rest. LWA refresh tokens are encrypted in our database with AES-256-GCM, and the encryption keys are held in our hosting environment rather than in the database itself.
  • How to disconnect: You will be able to revoke Amazon access at any time from your SellerAide account settings. You may also revoke access directly from Seller Central under Apps and Services → Manage Your Apps.
  • Deletion on disconnect: Upon revocation by you, by Amazon, or upon Amazon's request, we will delete all Amazon Information (including refresh tokens and cached SP-API data) from our systems within 30 days, except where retention is required by applicable law.
  • Geographic location: SP-API data will be processed and stored in the United States (Vercel and Supabase US regions).
  • Security incident notification: If we confirm a security incident affecting Amazon Information, we will notify Amazon at security@amazon.com and the affected sellers within 24 hours of confirmation.
  • Audit logging: We maintain audit logs of access to Amazon Information for at least 12 months.

8. Browser Extension

The SellerAide Chrome extension (the "Extension") is an optional companion tool available on the Chrome Web Store. The Extension supports two distinct kinds of activity: read mode (Section 8.1) where the Extension passively pulls visible page content from supported seller surfaces, and write mode (Section 8.2) where the Extension actively fills a listing form on Facebook Marketplace from a listing you have generated in SellerAide. Both modes require explicit user action; neither runs in the background or monitors your browsing.

8.1 Read Mode — Amazon, eBay, Etsy

  • When it reads: Page content is only read in response to explicit user action — clicking the Extension icon on a product page, or opening a page that is in scope for an enabled feature. The Extension does not monitor your browsing or read pages passively.
  • Amazon and eBay product pages: When you click the SellerAide icon on an Amazon or eBay product page, the Extension reads the visible listing content from that page (title, bullet points, description, item specifics, image URLs, and any visible A+ Content). This content is passed to selleraide.com/audit, processed transiently to generate audit results, and not stored by the Extension itself.
  • Etsy seller dashboard: If you choose to use the Etsy seller-analytics features, the Extension can read information from your own Etsy seller dashboard pages while you are signed into Etsy. This may include shop statistics, listings, orders (including buyer display names and order totals visible on those pages), and the underlying HTML for those views. This data is sent to SellerAide and stored against your account so that you can analyze your own shop. We do not sell, share, or use this data outside of your SellerAide account.
  • Third-party buyer information: Information about your buyers visible on the Etsy dashboard is the personal data of those buyers — not yours and not ours. You are responsible for ensuring that your collection and use of that data, including via SellerAide, complies with your own privacy policy, your contractual obligations to Etsy, and applicable law in your buyers' jurisdictions. We will not use buyer information for advertising, profiling, or any purpose other than displaying it back to you within the Service.

8.2 Write Mode — Facebook Marketplace

Facebook Marketplace has no public seller API for posting personal listings. To let you publish a listing you have generated in SellerAide without copy-pasting field-by-field, the Extension can fill the Facebook Marketplace create-listing form on your behalf. This is the only Facebook feature the Extension provides. It runs only when you explicitly initiate it from within SellerAide and only on the Marketplace create-listing URL.

  • How write mode is invoked: You generate a Facebook listing in SellerAide and click "Send to Marketplace." SellerAide's web app sends the listing payload (title, condition, description, your ZIP code, pickup-only flag, and any image URLs you uploaded to SellerAide) to the Extension via a one-way chrome.runtime.sendMessage call. The Extension stores that payload briefly in chrome.storage.session (a sandboxed per-tab in-memory store that Chrome clears when you close the browser).
  • What Facebook sees: When you open facebook.com/marketplace/create/item and grant the Extension permission to act on Facebook (one-time prompt), the Extension fills the form's text inputs from the stored payload — exactly the same fields you would have typed yourself. The data is written directly into Facebook's form via standard browser DOM events. It does not pass through SellerAide's servers on its way to Facebook.
  • What it does NOT collect from Facebook: The Extension does not read your Facebook profile, friends, messages, feed, marketplace inbox, browsing history on Facebook, payment information, or any other Facebook user data. It only writes into the create-listing form on the one URL listed above.
  • Photos and Publish are always you: The Extension never auto-uploads photos and never auto-clicks Publish. You drop photos onto the form yourself and click Publish yourself. This is by design — both to respect Facebook's anti-automation policies and to keep you in control of what goes live.
  • Manual publish confirmation: After you click Publish on Facebook, you return to SellerAide and click "I published it" so SellerAide can record that the listing went live. This confirmation is purely self-reported — SellerAide cannot verify the listing's status on Facebook's side because Facebook does not expose a seller API for that purpose.
  • Facebook host permission is opt-in: The Extension requests permission to act on Facebook only at the moment you first use the feature. If you do not grant the permission, the Extension cannot interact with Facebook at all. You can revoke the permission at any time from Chrome's extension settings.
  • SellerAide is not affiliated with Meta: SellerAide and the Extension are not affiliated with, endorsed by, or sponsored by Meta Platforms, Inc. or Facebook. "Facebook" and "Facebook Marketplace" are trademarks of Meta Platforms, Inc.

8.3 What the Extension Does Not Do (Across All Modes)

  • What it does not collect: Your general browsing history, search queries, personal information, purchase history, pricing data, or any information about pages other than those for which you have explicitly enabled an Extension feature.
  • Presence detection on selleraide.com: A content script also runs on selleraide.com solely to signal to the web app that the Extension is installed, and to receive listing payloads from the web app when you initiate a write-mode action. No data is read from selleraide.com pages or transmitted in this context.
  • Permissions: The Extension requests only the minimum permissions necessary to perform the features above. The full current list is visible in the Chrome Web Store listing. As of v1.3.0: activeTab, scripting, and storage permissions; required host access for selleraide.com; and optional host access for etsy.com (Etsy read mode) and facebook.com (Facebook write mode), each granted at the moment of first use.

9. Cookies & Tracking Technologies

We use the following cookies and tracking technologies. For details about each cookie, see our Cookie Policy.

  • Essential cookies — Supabase authentication session tokens; CSRF/origin tokens. Required for the Service to function.
  • Payments — Stripe sets __stripe_mid and __stripe_sid on its hosted checkout pages for fraud prevention.
  • Analytics — Google Analytics 4 (_ga, _ga_*) measures site usage.
  • Marketing — Meta Pixel (_fbp, _fbc) measures ad conversions and builds retargeting audiences.
  • Affiliates — Rewardful sets an affiliate-attribution cookie (60-day window) when you arrive through an affiliate link.

For visitors located in the European Economic Area, the United Kingdom, or Switzerland, we are committed to obtaining your prior consent for non-essential cookies (analytics, marketing, affiliate) through a region-aware consent banner. See our Cookie Policy for the current rollout status and the controls available to you in the meantime.

10. Data Retention & Deletion

We retain personal data only as long as needed to provide the Service or as required by applicable law. The table below describes our standard retention periods.

  • Account information — Retained for the life of the account; deleted within 30 days of account deletion (see below).
  • Generated listings, brand information, listing images, brand assets — Retained for the life of the account; deleted within 30 days of account deletion.
  • Conversation history — Retained for up to 12 months after the last interaction in a given conversation, then archived or deleted.
  • Pallet manifests and line items — Retained while the account is active; deleted within 30 days of account deletion.
  • Marketplace OAuth tokens (eBay, Etsy, Amazon) — Retained until you disconnect, the token is revoked, or the marketplace notifies us of revocation; deleted within 30 days of any of those events.
  • Marketplace API data cache (e.g., SP-API catalog/listings) — Retained for no longer than 18 months unless still actively used by you; refreshed periodically; deleted upon disconnection within 30 days.
  • Buyer information visible on the Etsy seller dashboard (via Extension) — Retained while the account is active and the corresponding orders remain in your Etsy account; deleted within 30 days of account deletion. We do not retain such data beyond what is necessary to display it back to you.
  • Anonymous audit submissions — Retained only for short-term operational, security, abuse-prevention, and rate-limiting purposes unless you sign in and choose to save them.
  • Usage events and security logs — Retained for up to 24 months for security and product analytics.
  • Audit logs covering access to marketplace data — Retained for at least 12 months.
  • Payment records and invoices — Retained for 7 years for tax and accounting purposes (jurisdiction-dependent).
  • Backups — Database point-in-time backups are retained by Supabase for the period specified in our hosting plan (typically 7–28 days). Deleted data may persist in backups until backup rotation completes.

Subscription end vs. account deletion: Ending your paid subscription is not the same as deleting your account. If your subscription ends, your account reverts to a read-only state and remains accessible for 90 days; see our Refund & Cancellation Policy for the read-only period. Deleting your account (via account settings or by contacting support) removes personal data within 30 days, except where retention is required by law or for legitimate security and dispute-handling purposes.

11. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access — Receive a copy of the personal data we hold about you.
  • Correct — Update inaccurate or incomplete personal data.
  • Delete — Request deletion of your account and personal data.
  • Port — Export your data in a portable format (listings are exportable as PDF or CSV from within the Service).
  • Object / Restrict — Object to certain processing activities, including marketing.
  • Withdraw consent — Withdraw consent at any time for processing that is based on consent.
  • Lodge a complaint — Lodge a complaint with your local data protection authority.

To exercise any of these rights, email support@selleraide.com from the email address on your account. We respond to verified requests within 30 days (or the period required by applicable law).

12. California Privacy Rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the "CCPA"), gives you the following rights:

  • Right to Know — Request the categories and specific pieces of personal information we have collected about you over the prior 12 months.
  • Right to Delete — Request deletion of personal information we have collected from you, subject to certain exceptions.
  • Right to Correct — Request correction of inaccurate personal information.
  • Right to Opt Out of Sale or Sharing — We do not sell personal information. We may "share" personal information for cross-context behavioral advertising via the Meta Pixel and Google Analytics; you can opt out via our cookie banner (when offered to your region) or by adjusting the third-party settings linked in our Cookie Policy.
  • Right to Limit Use of Sensitive Personal Information — We do not use or disclose sensitive personal information for purposes other than those expressly permitted under the CCPA without notice.
  • Right to Non-Discrimination — We will not discriminate against you for exercising any of these rights.

To submit a request, email support@selleraide.com with "California Privacy Request" in the subject line. We will verify your request using the email address on your account.

13. International Users (GDPR / UK GDPR / Swiss DPA)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we process your personal data based on:

  • Contractual necessity — To provide the Service you signed up for.
  • Legitimate interests — To operate, secure, and improve the Service.
  • Consent — For non-essential cookies, marketing communications, and certain optional features.
  • Legal obligation — Where required by applicable law.

International data transfers. The Service is operated from the United States. When we transfer personal data from the EEA, the UK, or Switzerland to the United States, we rely on the European Commission's Standard Contractual Clauses (SCCs), the UK's International Data Transfer Addendum, and equivalent Swiss provisions, executed with our sub-processors. Specific sub-processors and the safeguards we rely on are listed on our Sub-processors page.

You have the right to lodge a complaint with your local supervisory authority.

14. Children's Privacy

The Service is not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have collected data from a child under 13, please contact us immediately and we will delete it.

15. Security & Encryption

We take security seriously and implement controls designed to protect your data, including:

  • Encryption in transit: TLS 1.2 or higher across all public endpoints (Vercel terminates TLS 1.3 by default).
  • Encryption at rest: Our Postgres database and file storage are encrypted at rest by Supabase using AES-256. OAuth refresh tokens for marketplace integrations are additionally encrypted at the application layer using AES-256-GCM, with the encryption key held in our hosting environment rather than in the database.
  • Access control: Row-level security policies on every multi-tenant table; least-privilege access for service operations; multi-factor authentication required on administrator accounts.
  • Audit logging: Application logs are forwarded to a centralized log sink and retained for at least 12 months.
  • Sub-processor diligence: All sub-processors are reviewed annually; we prefer providers that hold SOC 2 Type II or equivalent independent attestation.
  • Vulnerability management: Automated dependency scanning, periodic vulnerability review, and a documented patching cadence.

No system is perfectly secure. We continually improve our controls, but we cannot guarantee absolute security.

16. Security Incident Notification

If we confirm a security incident affecting your personal data, we will notify you without undue delay, and in any event within 72 hours of confirmation where required by GDPR.

For incidents involving data accessed via marketplace partner APIs (Amazon SP-API, eBay Developer API, or Etsy Open API), we will additionally notify the relevant partner's security contact (for Amazon: security@amazon.com) within 24 hours of confirmation, in line with each partner's developer agreement.

17. Data Location

The Service is hosted in the United States. Specifically:

  • Application and edge compute: Vercel (US regions).
  • Database and file storage: Supabase (AWS US East).
  • Rate limiting: Upstash Redis (US).
  • Payment processing: Stripe (US, with global processing infrastructure).
  • AI processing: Google Cloud and Anthropic (US).
  • Email: Resend (US).

Where you access the Service from outside the United States, your data is transferred to and processed in the United States, subject to the safeguards described in Section 13.

18. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the effective date; for significant changes we may also notify you by email or in-product notice. Your continued use of the Service after changes take effect constitutes acceptance of the revised policy.

19. Contact Us

If you have questions about this Privacy Policy or want to exercise any of the rights described above, contact us at support@selleraide.com.

Our designated Incident Management Point of Contact for security matters can be reached at security@selleraide.com.

© 2026 SellerAide. All rights reserved.
