Smart Lister ("we", "our", or "the Service") is an AI-powered tool that helps online resellers identify items, research market prices, and publish listings to marketplaces such as eBay, Etsy, and Shopify. This Privacy Policy explains what information we collect, how we use it, and the choices you have. By using the Service you agree to the practices described here.
Information we collect
We collect only the information needed to provide the Service:
- Account information. Email address and a hashed password (or OAuth identifier from Google) used to authenticate you, plus a session identifier stored in a secure cookie.
- Marketplace credentials. When you connect eBay, Etsy, or Shopify, we receive OAuth access and refresh tokens from those providers. Tokens are encrypted at rest using AES-256-GCM with a key controlled by the deployment operator and are used only to act on your behalf within the marketplace you authorized.
- Listing content. Photos you upload, AI-generated titles, descriptions, prices, item specifics, and platform publishing status. Photos are stored in Vercel Blob storage; text data is stored in our database.
- Marketplace data. Active listings, sold listings, and order data fetched on demand from your connected marketplaces to power the Seller Hub and inventory sync. We do not retain a persistent copy beyond what is needed to keep listings in sync.
- Usage and operational logs. Standard server logs (timestamp, request path, response status, IP address) retained for up to 30 days for debugging and abuse prevention.
- Billing information. If you subscribe, our payment processor (LemonSqueezy) collects payment method information directly. We never see or store your full card number; we only receive a subscription identifier and status.
How we use information
- To authenticate you and keep your session secure.
- To run AI identification, market research, and listing generation on the items you upload.
- To create, update, and end listings on the marketplaces you connect, on your explicit instruction.
- To synchronize inventory across connected marketplaces (e.g. end an eBay listing when the same item sells on Etsy).
- To operate, secure, and improve the Service, and to comply with legal obligations.
We do not sell your personal information, and we do not use your listing photos or text to train third-party AI models.
Third-party services
The Service relies on the following third-party processors. Each receives only the data necessary for its function:
- Anthropic - receives the photos, item details, and market-research prompts needed to generate identifications, titles, and descriptions. Anthropic does not train on data submitted via API/Claude relay.
- eBay, Etsy, Shopify - receive listing and order data when you authorize a connection. Their use of your data is governed by their own privacy policies.
- Vercel - hosts the application and stores uploaded images in Vercel Blob.
- Turso - hosts the application database (libSQL).
- LemonSqueezy - processes payments and subscription billing. Card data is handled entirely by LemonSqueezy and never reaches our servers.
- Google - if you sign in with Google, we receive your email and basic profile from Google's OAuth service.
eBay-specific notice
When you connect your eBay account, the Service uses the eBay Browse, Trading, and Taxonomy APIs to read your active and sold listings, fetch category metadata, and create or revise listings on your behalf. We use eBay data solely to power features you have explicitly requested in the Service. We do not republish, resell, or share your eBay data with any third party other than the processors listed above.
Data retention
- Account data is kept for as long as your account is active and for up to 30 days after account deletion to allow recovery.
- Listing content (photos, text, drafts) is kept until you delete it or close your account.
- OAuth tokens are deleted when you disconnect a marketplace or when the provider revokes them.
- Server logs are retained for up to 30 days.
Your rights
You have the right to access, correct, export, or delete your personal data. You can:
- Disconnect any marketplace at any time from Settings; this revokes our stored OAuth tokens.
- Delete individual listings or photos from within the app.
- Request full account deletion or a copy of your data by emailing us (see below).
- If you are in the EEA, UK, or California, you may have additional rights under GDPR/UK GDPR/CCPA, including the right to object to processing and to lodge a complaint with your supervisory authority.
Security
We use TLS for all connections, hash passwords with industry-standard algorithms, and encrypt OAuth tokens at rest with AES-256-GCM. Despite reasonable safeguards, no system is perfectly secure; please use a strong, unique password and notify us promptly if you suspect your account has been compromised.
Children
The Service is not directed to children under 13 (or under 16 in the EEA), and we do not knowingly collect personal information from them. If you believe a child has provided us with personal data, contact us and we will delete it.
Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be announced in-app and the "Last updated" date above will reflect the change. Continued use of the Service after the change constitutes acceptance of the updated policy.