Privacy Policy

We collect the following types of information:

• Account information — your name and email address when you register.
• Listing data — titles, descriptions, prices, photos, and other details you enter into the Service.
• Marketplace connection data — OAuth access tokens used to connect to third-party marketplaces (such as eBay) on your behalf. We never store your marketplace passwords or login credentials. For extension-based marketplaces, the extension uses your existing browser session.
• Billing information — your subscription status and billing history, processed by Stripe. We do not store your full card details.
• Usage data — pages visited, features used, and actions taken within the Service, used to improve the product.

We use the information we collect to:

• Provide, operate, and improve the Service.
• Import, publish, and manage your listings across marketplaces on your behalf.
• Process subscription payments through Stripe.
• Send important account-related communications (e.g., receipts, security alerts).
• Respond to your support requests.
• Comply with applicable laws and regulations.

We do not sell your personal data to third parties.

To interact with third-party marketplaces (Poshmark, Mercari, eBay, Depop, Facebook Marketplace, and others) on your behalf, we use credentials and tokens you authorize. These credentials are stored securely and used solely to perform actions you request within the Service.

Each marketplace has its own privacy policy governing how your data is handled on their platform. We encourage you to review those policies.

This section specifically and exclusively describes the data practices of the "Sell The Flip — List Everywhere" browser extension (the "Extension"), in accordance with the Chrome Web Store Developer Program Policies and User Data Policy. It comprehensively discloses what user data the Extension collects, how that data is used, how it is stored and handled, and all parties with whom it is shared.

Single purpose

The Extension has a single purpose: to read listing content you have already created in your Sell The Flip account and auto-fill the listing forms on supported resale marketplaces (Poshmark, Mercari, eBay, Depop, Facebook Marketplace, and Whatnot) so that you can cross-post that listing without re-typing it. The Extension does nothing outside of this purpose.

1. What user data the Extension collects or accesses

The Extension accesses only the data described below. Each item lists the type of data, the Chrome Web Store data category it corresponds to, and the source from which it is obtained.

• Sell The Flip authentication token (category: Authentication information) — read from the selltheflip.com web app to identify you as a logged-in Sell The Flip user. This is an opaque session token, not a password.
• Marketplace session cookies (category: Authentication information) — read only on the supported marketplace domains listed above to confirm you are logged in before attempting a post. The Extension never reads cookies from any other website.
• Your listing content from selltheflip.com(category: Website content) — title, description, price, category, condition, tags, shipping info, and photos of listings you have already created in your Sell The Flip account. Fetched from the Sell The Flip backend only when you trigger a cross-list action.
• Active marketplace listing form contents(category: Website content) — on supported marketplace pages only, a content script reads and writes the listing form fields (e.g. the title input, description textarea, photo upload) so the Extension can auto-populate them. No other content on those pages is read.
• Sale-status of your listings (category: Website content) — for marketplaces that do not offer server-side sale webhooks (Poshmark, Mercari, Depop), the Extension periodically calls the marketplace's own read-only product endpoint for items you have listed through Sell The Flip to check whether they are still available, and reports "sold" status back to Sell The Flip so your inventory stays accurate.

2. How the Extension uses that data

• The Sell The Flip authentication token is used solely to authenticate requests to the Sell The Flip backend on your behalf (fetching your listings, reporting sold status).
• Marketplace session cookies are used solely to verify you are logged in on the target marketplace and to make the requests the marketplace requires for posting on your behalf. They are never sent to Sell The Flip's servers or to any third party.
• Listing content from selltheflip.com is used solely to fill the corresponding fields of the marketplace listing form in your active browser tab.
• Active form contents are used solely to write listing values into the form and, where the marketplace requires it, to submit the form. Existing form contents are read only to detect whether a field has already been filled so the Extension does not overwrite manual edits.
• Sale-status data is used solely to mark a listing as sold inside Sell The Flip so the user can manage their inventory across marketplaces.

The Extension does not use any data for advertising, user profiling, behavioral tracking, training of machine-learning models, or any purpose unrelated to the single purpose stated above. The Extension does not sell, rent, or transfer any user data to any third party.

3. How the Extension stores and handles that data

• Authentication token — stored locally on your device in chrome.storage.local. It is never transmitted to any party other than the Sell The Flip backend (over HTTPS) and is cleared when you log out of Sell The Flip or uninstall the Extension.
• Marketplace session cookies — not stored by the Extension. They remain in the browser's own cookie store managed by the marketplace website, exactly as they would be without the Extension. The Extension only reads them in memory at the moment of a posting action and discards them immediately afterward.
• Listing content fetched from Sell The Flip — held only in the Extension's service-worker memory for the duration of a single posting action, then discarded. It is not written to chrome.storage or any other persistent location on your device.
• Form contents read from marketplace pages — not stored. Used only in-memory during the posting action and discarded when the action completes.
• Sale-status results — not stored locally. A "sold" flag is sent to the Sell The Flip backend over HTTPS and is then discarded from the Extension.
• Encryption in transit — all communication between the Extension and Sell The Flip's backend, and between the Extension and the marketplaces, is performed over HTTPS (TLS).
• Retention — data the Extension holds on your device is retained only for as long as needed to complete the action you triggered (other than the authentication token, which persists until logout/uninstall). Data sent to the Sell The Flip backend follows the "Data Retention" section of this Privacy Policy below.

4. All parties with whom Extension data is shared

The Extension shares data only with the following parties, and only as strictly necessary to perform the action you have triggered:

• Sell The Flip (selltheflip.com) — receives the authentication token (to identify you), and receives sale-status flags for your listings (so your inventory in Sell The Flip stays accurate). No marketplace cookies, no marketplace page contents other than the sale-status flag, and no third-party website data are ever sent to Sell The Flip.
• The target marketplace (Poshmark, Mercari, eBay, Depop, Facebook Marketplace, or Whatnot) — receives the listing content (title, description, price, category, condition, tags, shipping info, photos) submitted to that marketplace as part of creating your listing. This is functionally identical to you typing the listing into the marketplace yourself.
• Amazon S3 (where the marketplace requires it) — some marketplaces (notably Depop) require listing images to be uploaded directly to their own Amazon S3 bucket via a presigned upload URL that the marketplace itself provides. In those cases the Extension uploads image data to S3 on behalf of the marketplace; Sell The Flip has no access to or control over that S3 bucket.

No other party receives data from the Extension. The Extension does not share, sell, rent, or transfer user data to advertisers, analytics providers, data brokers, marketing partners, or any other third party. The Extension does not use user data for any purpose unrelated to its single purpose stated above, and does not use user data to determine creditworthiness or for lending purposes.

5. Data the Extension does NOT collect

• Your browsing history outside the supported marketplace domains and selltheflip.com — the Extension has no permissions on, and never reads anything from, any other website.
• Marketplace passwords or login credentials — the Extension uses the existing browser session you already have on each marketplace and never sees your password.
• Payment information, credit card numbers, bank details, or financial information of any kind.
• Personal communications (email, chat, messaging contents) on the marketplace or anywhere else.
• Health information, location data, contacts, calendars, or any other personally identifiable information beyond what you have voluntarily entered into your Sell The Flip listings.
• Any data for advertising or analytics purposes. The Extension contains no ads and does no third-party analytics or fingerprinting.

This section specifically describes the data practices of the Sell The Flip mobile app for iOS and Android (the "Mobile App"), mirroring the disclosures we make to Apple App Privacy and Google Play Data Safety. The Mobile App offers the same functionality as the web version and, where applicable, the same functionality as the browser extension (cross-posting to cookie-based marketplaces via an in-app web view).

1. Data the Mobile App collects

• Account information — name, email address, and (if you sign in with Apple or Google) the Sign in with Apple / Google identifier. Used for authentication only.
• Listing content — titles, descriptions, prices, photos, categories, and other listing fields you enter or generate inside the Mobile App. Used to create and post your listings on your behalf.
• Photos — the photos you select from your camera or photo library when creating a listing. Photos are uploaded to Sell The Flip's image storage so they can be included in your listings; we do not access any other photos on your device.
• Marketplace session cookies (in-app web view)— for marketplaces that do not provide OAuth (e.g. Poshmark, Mercari, Depop, Whatnot, Facebook Marketplace), the Mobile App opens an in-app web view where you log in directly with that marketplace. The resulting session cookies remain in that web view's cookie store on your device so the Mobile App can post listings on your behalf. They are never transmitted to Sell The Flip's servers.
• Push notification token — an opaque Expo / APNs / FCM token used solely to send you notifications about your own listings (e.g. "your item sold"). It contains no personal information.
• Diagnostics & crash data — anonymized crash reports and performance metrics via Sentry, used solely to identify and fix bugs. No listing content or marketplace credentials are included in crash reports.
• Purchase data — if you subscribe to Sell The Flip Pro through the Apple App Store or Google Play, RevenueCat receives the receipt from Apple/Google and reports your entitlement back to us. We do not see your card number, your Apple ID password, or your Google account credentials.

2. How the Mobile App uses that data

Data collected by the Mobile App is used exclusively to operate the features you have triggered: creating and cross-posting your listings, detecting sales of those listings, sending notifications about your own activity, processing your Pro subscription, and improving reliability via anonymized crash diagnostics. The Mobile App does not use data for advertising, behavioral profiling, third-party marketing, or training of machine-learning models.

3. How the Mobile App stores and handles data

• Auth tokens (mobile access & refresh JWTs)— stored in Apple Keychain / Android Keystore via expo-secure-store. Refresh tokens are hashed (SHA-256) before being stored on Sell The Flip's servers.
• Marketplace cookies — held only inside the in-app web view's cookie jar, on your device. Not synced to Sell The Flip.
• Photos — uploaded over HTTPS to Sell The Flip's image storage (Vercel Blob, encrypted in transit and at rest) and to the target marketplace when you choose to cross-post.
• Onboarding selections (seller type, preferred marketplaces) — stored on Sell The Flip's servers so we can personalize your dashboard. Editable at any time from Account settings.
• Encryption in transit — all Mobile App communication with Sell The Flip's backend, with marketplaces, and with payment processors uses HTTPS (TLS).

4. All parties with whom Mobile App data is shared

• Sell The Flip backend — receives your account info, listing content, push token, and onboarding selections.
• Target marketplaces (Poshmark, Mercari, eBay, Etsy, Depop, Facebook Marketplace, Whatnot) — receive the listing content you explicitly choose to cross-post to them, equivalent to typing it in yourself.
• Apple Push Notification service / Firebase Cloud Messaging via Expo — receive your push token for the sole purpose of delivering notifications about your own listings.
• RevenueCat, Apple App Store, Google Play— receive your subscription receipt and entitlement status. Card details are handled entirely by Apple or Google; Sell The Flip never sees them.
• Sentry — receives anonymized crash data and performance traces from the Mobile App. Listing content and authentication credentials are scrubbed from crash reports.
• OpenAI (for AI features only) — receives the listing fields you ask AI to generate or summarize. Per OpenAI's API terms, this content is not used to train models.

No other party receives data from the Mobile App. The Mobile App does not sell, rent, or transfer user data to advertisers, analytics brokers, marketing partners, or any other third party.

5. Data the Mobile App does NOT collect

• Health, fitness, location, contacts, calendars, or browsing history.
• Marketplace passwords or login credentials — you log in to each marketplace directly inside that marketplace's own web view, and we never see the password.
• Payment information (card numbers, bank details) — handled entirely by Apple, Google, or Stripe.

The Service includes AI-powered features such as pricing suggestions, listing optimization, and automated content generation. To provide these features, your listing data (titles, descriptions, categories, and prices) may be sent to third-party AI providers (such as OpenAI). This data is used solely to generate responses for you and is not used to train AI models on your behalf.

We do not send personally identifiable information to AI providers beyond what is contained in your listing content.

We use cookies and similar technologies to maintain your login session and remember your preferences. We do not use tracking cookies for advertising purposes. The following types of cookies may be set:

• Session cookies — required to keep you logged in. These expire when you close your browser.
• Preference cookies — remember your settings across visits.
• Analytics — we use Vercel Analytics to understand aggregate usage patterns. No personally identifiable data is shared with Vercel Analytics.

You can disable cookies in your browser settings, but this may affect your ability to use the Service.

We share your information only in the following circumstances:

• Service providers — trusted third parties that help us operate the Service, such as Stripe (payments), Vercel (hosting), and database providers. These parties are bound by confidentiality obligations.
• Legal compliance — if required by law, court order, or to protect our rights and the safety of our users.
• Business transfers — in connection with a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction.

We retain your account and listing data for as long as your account is active or as needed to provide the Service. If you delete your account, we will delete or anonymize your personal data within 30 days, unless we are required to retain it by law.

We implement industry-standard security measures to protect your data, including encrypted connections (HTTPS), secure credential storage, and access controls. However, no method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

Depending on your location, you may have the right to:

• Access the personal data we hold about you.
• Request correction of inaccurate data.
• Request deletion of your data (see below).
• Object to or restrict certain processing of your data.
• Data portability — receive a copy of your data in a structured format.
• Withdraw consent where processing is based on consent.

To exercise any of these rights, contact us at selltheflip@gmail.com. We will respond to verified requests within 30 days.

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with specific rights regarding your personal information:

• Right to Know — You may request that we disclose the categories and specific pieces of personal information we have collected about you, the purposes for which we use it, and the categories of third parties with whom we share it.
• Right to Delete — You may request that we delete your personal information, subject to certain exceptions required by law.
• Right to Non-Discrimination — We will not discriminate against you for exercising your CCPA rights.

We do not sell your personal information. We do not share personal information with third parties for their direct marketing purposes.

To submit a CCPA request, email us at selltheflip@gmail.com with the subject line "CCPA Request" and include your full name and the email address associated with your account. We will verify your identity before processing your request.

You can delete your account at any time from the Settings page, which will trigger deletion of your personal data within 30 days. Alternatively, you can submit a data deletion request by emailing selltheflip@gmail.com with the subject line "Data Deletion Request".

Note that certain information may be retained as required by law (e.g., billing records for tax compliance) or for legitimate business purposes such as fraud prevention.

The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us and we will delete it promptly.

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting the new policy on this page with an updated date. Your continued use of the Service after changes become effective constitutes your acceptance of the revised policy.

This Privacy Policy is governed by the laws of the State of California, United States. For questions about data practices specific to your jurisdiction, please contact us.

If you have any questions about this Privacy Policy, please contact us at selltheflip@gmail.com.