Privacy policy

1. Data controller

[First name Last name], [Address]
E-Mail: hello@listwithai.com

2. Collection of personal data

When you visit our website, your browser automatically transmits information (server log files): browser type, operating system, referrer URL, IP address (anonymized), time of request. Legal basis: Art. 6(1)(f) GDPR.

3. Registration and user account

During registration we collect: email address and password (hashed). Authentication is handled by Supabase Auth. Your data is stored on EU servers (Frankfurt). Legal basis: Art. 6(1)(b) GDPR (contract performance).

4. App usage

During usage we process: uploaded images (for AI analysis; EXIF metadata is stripped), listing data (title, description, price, etc.), and eBay connection data (OAuth tokens, encrypted with AES-256-GCM). Processing is for contract performance (Art. 6(1)(b) GDPR).

5. Third-party services and data processing

  • Supabase Inc. — Auth, database, storage (EU servers, Frankfurt). Data processing agreement per Art. 28 GDPR.
  • Google LLC (Gemini API) — Image analysis for clothing detection. Data processing agreement per Art. 28 GDPR, EU Standard Contractual Clauses (SCCs).
  • eBay Inc. — Listing creation and publishing. Processing only on explicit user action.
  • Vercel Inc. — Hosting and CDN. EU data processing, DPA in place.

6. Cookies and local storage

The app uses only technically necessary local storage (localStorage) for: authentication, language settings, theme preference, seller default settings, cookie consent. No tracking cookies or analytics tools are used. Legal basis: Art. 6(1)(f) GDPR.

7. Your rights (Art. 15–21 GDPR)

You have the following rights:

  • Access to your stored data (Art. 15)
  • Rectification of inaccurate data (Art. 16)
  • Erasure of your data (Art. 17) — in the app under Profile → Delete account
  • Restriction of processing (Art. 18)
  • Data portability (Art. 20) — in the app under Profile → Export data
  • Objection to processing (Art. 21)

Contact: hello@listwithai.com

You also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR).

8. Data security

All connections are TLS-encrypted. OAuth tokens are stored encrypted with AES-256-GCM. Row-level security (RLS) is applied to all user data. Passwords are stored exclusively as hashed values (bcrypt). EXIF metadata (incl. GPS) is automatically stripped on upload.

9. Data retention

Your data is stored as long as your account exists. Unpublished drafts are automatically deleted after 90 days of inactivity. Upon account deletion, all personal data, drafts, images and connection data are permanently deleted.

Last updated: March 2026