ResellIQ Ltd ("ResellIQ", "we", "us", "our") operates the ResellIQ web application at reselliq.app, the ResellIQ browser extension for Google Chrome, and related services (together, the "Service"). This policy explains what data we collect, why we collect it, the legal basis on which we process it, how we store and protect it, and your rights in relation to it.
ResellIQ Ltd is the data controller responsible for your personal data. We are registered in the United Kingdom. By using the Service you acknowledge the data practices described below.
This page also serves as the privacy policy for the ResellIQ Chrome extension listed in the Chrome Web Store.
1. Data we collect
1.1 Account information
When you create an account we collect your email address, password (stored as a hash — we never see or store your plaintext password), username, selected plan, and locale-derived currency preference. If you sign up via Google or Apple, we receive your name, email, and profile photo from those providers. During signup and password reset, we send a partial hash (the first five characters of a SHA-1 hash) of your password to the Have I Been Pwned API to check whether it has appeared in known data breaches — your full password is never transmitted.
1.2 Inventory, listings, and financial data
Data you enter into ResellIQ — item records, descriptions, prices, costs, expenses, receipts, storage maps, order records, and financial summaries — is stored in our database and associated with your account. This data is not accessible to other users unless you make it visible through your public shop profile.
1.3 Product images, avatars, and receipts
You may upload product photos, a profile avatar, a banner image, and expense receipts. Product images and avatars are stored in publicly accessible storage buckets so they can be displayed on your public shop page and used by the browser extension during cross-listing. Receipt uploads are stored in a private bucket accessible only to you. By uploading product images, you acknowledge that they will be accessible via public URLs.
1.4 Public shop profile
If you use the public shop feature, your username, avatar, banner, bio, accent colour, social links, listed items, item descriptions, sale prices, and product images are publicly visible at reselliq.app/shop/[your-username]. Purchase cost data is never displayed publicly.
1.5 Gmail integration and Google OAuth
If you connect your Gmail account (available on paid plans), ResellIQ initiates a Google OAuth 2.0 authorisation flow. The consent screen lists the exact scopes we are requesting and the Google Account that will be connected. You can review and revoke this access at any time from your Google Account at myaccount.google.com/permissions or by clicking “Disconnect Gmail” in your ResellIQ settings, which revokes the token with Google and deletes the stored credentials.
We request the following scopes: https://www.googleapis.com/auth/gmail.readonly (read-only access to your Gmail messages and settings, used to search for and read marketplace order emails), https://www.googleapis.com/auth/userinfo.email (your email address, used to identify the connected Google Account inside ResellIQ), and openid (standard OpenID Connect identifier). We never request gmail.send, gmail.modify, gmail.compose, gmail.labels, or full-mailbox access. We do not send, compose, modify, label, archive, or delete any emails on your behalf.
We use this access only to search for and parse order, sale, payout, and shipping confirmation emails from supported marketplaces (currently eBay, Depop, Vinted, Poshmark, Mercari, Grailed, Etsy and Whatnot) and to extract order details such as item names, prices, fees, shipping information, and buyer identifiers so they can be turned into structured sales records inside your ResellIQ dashboard. For low-confidence parses we may temporarily store a sanitised version of the email HTML for review, which is automatically deleted after 30 days. We do not read, store, index, or process emails from senders that are not on our marketplace allow-list. Your Gmail OAuth tokens (access and refresh tokens) are encrypted at rest using AES-256 encryption and are accessible only to authorised server-side processes.
Google API Services User Data Policy — Limited Use disclosure. ResellIQ’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, data obtained from Gmail through Google APIs is used only to provide and improve user-facing features of ResellIQ that are visible in our interface (parsed orders, sales, payouts and associated reporting). We do not use Gmail data to serve advertisements; we do not transfer Gmail data to third parties except as necessary to provide or improve user-facing features, comply with applicable law, or as part of a merger or acquisition with appropriate notice; we do not allow humans to read Gmail data unless we have obtained your explicit consent for specific messages, it is necessary for security purposes (such as investigating abuse), required by law, or the data has been aggregated and anonymised; and we do not use Gmail data to develop, improve, or train generalised AI or machine-learning models.
1.6 eBay integration and OAuth
If you connect your eBay account, ResellIQ initiates an eBay OAuth 2.0 authorisation flow. We request only the scopes required to sync your listings, orders, sold-history and selling-account data (including sell.inventory, sell.account, sell.fulfillment, commerce.identity.readonly and the read-only buy/browse scopes). We store the resulting access and refresh tokens encrypted at rest using AES-256 and use them to sync your eBay listings, orders, and sold comparable data. We do not use these tokens to make purchases on your behalf. If you disconnect your eBay account from your ResellIQ settings, we revoke the tokens with eBay and delete your eBay connection data. You can also revoke ResellIQ’s access at any time from your eBay account settings.
1.7 Chrome extension permissions and data
The ResellIQ Chrome extension runs only on supported ResellIQ, Vinted, Depop, and eBay UK pages relevant to the workflow you start. Depending on the action you choose, it may receive listing data from your ResellIQ inventory page, read publicly visible listing data from a Depop product page for import, or populate the Vinted, Depop, or eBay sell form for you. Data involved may include the item title, description, brand, size, condition, colour, price, category selections, hashtags, and product photos.
The extension uses Chrome permissions as follows: storage and unlimitedStorage to hold pending listing payloads and temporary image data in chrome.storage.local; activeTab and tabs to detect, reuse, or open the supported Vinted, Depop, or eBay tab you asked us to use; and scripting plus narrowly scoped host permissions to run the autofill and import scripts only on supported ResellIQ, Vinted, Depop, eBay, and related asset/API endpoints needed to complete that workflow. We do not use these permissions to monitor unrelated browsing activity, read browsing history, or capture passwords or keystrokes from unrelated sites.
For cross-listing, listing data is passed between the ResellIQ web page and the installed extension on your device so the destination form can be completed on Vinted, Depop, or eBay. Product photo URLs may be fetched by the ResellIQ page and converted into browser-local data URLs before autofill so marketplace upload fields can be populated correctly. For import workflows, publicly visible Depop listing data is only added to your ResellIQ account if you choose to import it.
The extension does not sell your data, inject third-party advertising trackers, or read content from websites outside the supported ResellIQ, Vinted, Depop, and eBay flows.
1.8 Vinted profile import
If you use the Vinted import feature, we retrieve publicly visible data from the Vinted seller profile URL you provide — including item titles, prices, brands, sizes, conditions, images, and listing URLs — and import them into your ResellIQ inventory. This retrieval is performed at your direction and on your behalf.
1.9 AI-processed data
When you use AI features (item scanning, description generation, pricing analysis, the business assistant, screenshot analysis, or Pokemon vision), we send relevant data — which may include your item photos, item metadata, inventory context, and screenshots you provide — to OpenAI for processing. As of the date of this policy, OpenAI's API data usage policy states that API inputs and outputs are not used to train their models; however, OpenAI's policies may change and you should review their current terms if this is a concern. AI outputs including descriptions, price estimates, grading suggestions, and authenticity assessments are stored in our database alongside your item records.
1.10 Analytics and telemetry
We collect usage data including session identifiers, event names, page paths, user agent strings, screen dimensions, and timestamps. This data may be collected from both authenticated and anonymous users. We strip sensitive keys before storage. We do not use third-party advertising trackers. We use this data solely to understand how the Service is used and to improve it. Session identifiers are pseudonymous and do not directly identify you without cross-referencing other data.
1.11 Billing data
Payment processing is handled entirely by Stripe. We do not see, store, or process your credit card number or bank details. We receive from Stripe your subscription status, plan, trial dates, and payment event notifications (successful payments, failures, refunds, and cancellations) which we store to manage your account.
1.12 Feedback
If you submit feedback through the in-app widget, we collect your message, the page you were on, and optionally your email address if you choose to provide it. Providing your email is entirely voluntary and is used only if we need to follow up on your feedback.
1.13 Market and price reference data
We periodically collect publicly available sold listing data from eBay and, where configured, other marketplace sources via third-party services. This data is used to power pricing analysis and AI grounding features. It is aggregated market data and does not contain personal information.
2. Lawful basis for processing
Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, we rely on the following lawful bases for processing your personal data:
Contractual necessity (Article 6(1)(b)): processing your account information, inventory data, financial data, and billing data is necessary to provide the Service you have signed up for. Processing AI features, cross-listing, and marketplace integrations falls within the contract to provide the Service.
Legitimate interests (Article 6(1)(f)): we process analytics and telemetry data and aggregated market reference data to improve the Service, monitor performance, detect fraud, and ensure security. Our legitimate interests do not override your fundamental rights; we minimise data collection and pseudonymise analytics data where practicable.
Consent (Article 6(1)(a)): we rely on your explicit consent for: connecting your Gmail account and accessing your emails; opting in to optional weekly summary and sourcing emails; and providing your email address in feedback submissions. You may withdraw consent at any time by disconnecting the relevant integration, updating your notification preferences, or contacting us. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.
Legal obligation (Article 6(1)(c)): we may retain certain billing, transaction, and account records where required to comply with tax, accounting, or regulatory obligations.
3. How we use your data
We use your data to: operate and improve the Service; manage your account and subscription; provide AI-powered features including item analysis, description generation, pricing estimates, and business advice; parse marketplace order emails and create order records; sync your eBay listings and orders; enable cross-listing via the browser extension; display your public shop profile; send transactional emails (welcome, trial reminders, payment confirmations, and account notifications); send optional weekly summary and sourcing emails where you have opted in; analyse pseudonymised usage patterns to improve the Service; and respond to your feedback and support requests.
4. Third-party services
We use the following third-party services to operate ResellIQ. Each processes data in accordance with their own privacy policies, which we encourage you to review:
Supabase — database, authentication, and file storage.
Vercel — application hosting and serverless functions.
OpenAI — AI-powered item analysis, description generation, pricing, and chat features.
Stripe — payment processing and subscription management.
Resend — transactional and notification emails.
Google — OAuth authentication and Gmail API for order email parsing.
Apple — OAuth authentication.
eBay — OAuth authentication, listing sync, order sync, and sold comparable data.
Have I Been Pwned — password breach checking during signup and password reset.
Upstash — caching layer for AI and pricing responses.
Apify — marketplace data collection for price reference features, where configured.
We do not sell your personal data. We share your data with third parties only as described in this policy, and only to the extent necessary to operate the Service.
5. Data security
All data transmitted between your browser and our servers is encrypted via TLS (HTTPS). Database access is governed by row-level security policies ensuring users can only access their own data. OAuth tokens for Gmail and eBay are encrypted at rest using AES-256. We regularly review our security practices and take reasonable technical and organisational measures to protect your data, but no internet service can guarantee absolute security. In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and the Information Commissioner's Office in accordance with our obligations under UK data protection law.
6. Data retention
Browser extension data is designed to be temporary. Pending Vinted, Depop, and eBay autofill payloads are removed from local extension storage as soon as the destination form reads them. A scraped Depop import payload may remain in local extension storage until your ResellIQ session consumes it or it is replaced by a later import action. Sanitised email HTML retained for low-confidence order parses is automatically deleted after 30 days. All other web application data is retained for as long as your account is active. If you delete your account, all associated data — including items, images, orders, expenses, storage maps, integrations, tokens, and analytics — is permanently removed within 30 days, except where we are required to retain certain records for legal, tax, fraud-prevention, or billing purposes. Where data is retained after account deletion, it is held for the minimum period required by applicable law and then deleted.
7. Your rights
Under UK data protection law (UK GDPR and the Data Protection Act 2018) you have the right to: access the personal data we hold about you; correct inaccurate data; request deletion of your data (subject to legal retention obligations); restrict or object to certain processing; request portability of your data in a structured, commonly used, machine-readable format where technically feasible; withdraw consent where processing is based on consent (without affecting the lawfulness of prior processing); and lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data protection rights have been infringed. The ICO can be contacted at ico.org.uk.
To exercise any of these rights, contact us at the address below. We will respond within 30 days. We may ask you to verify your identity before acting on your request.
8. Communications
We send transactional emails related to your account (welcome, trial reminders, payment confirmations, failure notifications, and account changes). These are necessary for the performance of our contract with you and cannot be opted out of while your account is active. We may also send optional weekly summary and sourcing emails if you have enabled notifications in your account settings. You can disable these at any time through your notification preferences or by contacting us.
10. Children
The Service is not directed at anyone under 18. We do not knowingly collect data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
11. International data transfers
Some of our third-party service providers (including Supabase, Vercel, OpenAI, Stripe, and Resend) may process data outside the United Kingdom. Where data is transferred internationally, we take reasonable steps to ensure it is protected by appropriate safeguards as required by UK data protection law. These may include transfers to countries with adequacy decisions, standard contractual clauses, or other approved transfer mechanisms. You may contact us for more information about the specific safeguards in place.
12. Changes to this policy
We may update this policy from time to time. For material changes that affect how we process your personal data, we will provide reasonable notice via the Service or by email before the changes take effect. The "last updated" date and version number at the top of this page will be revised accordingly. Continued use of the Service after changes constitutes acknowledgement of the revised policy. Where a change requires your consent under data protection law, we will seek that consent separately.
13. Contact and complaints
If you have questions about this policy, your data, or wish to exercise your rights, email us at privacy@reselliq.app.
If you are not satisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.