Privacy Policy
Last updated: October 1, 2025
AutoLister AI ("we", "our", or "us") values your privacy. This Privacy
Policy explains how we collect, use, disclose, and safeguard your
information when you use our Chrome extension ("Product"). By using the
Product, you consent to the practices described in this policy. If you do
not agree with any term, please do not use the Product.
1. Information We Collect
1.1 Personal Information
When you sign in to the Product via Magic Link, we collect the following:
- Email address: Used to identify your account and create a
Supabase session.
- Stripe customer ID: Used during subscription checkout and
billing portal creation. Stored in Supabase for reference.
1.2 Usage Data
We collect certain information about how you use the Product:
- API calls count: Number of times you request AI-generated
titles/descriptions each month and time-based usage (to enforce subscription
limits and prevent abuse).
- Subscription status and tier: Whether you are on a free trial,
Starter, Professional, or Business plan. This determines your usage limits
and available features.
- Extension interactions: Actions such as clicking "Generate",
opening the popup, and navigating the billing portal. This data helps us monitor
feature usage and detect abuse.
2. How We Collect Information
- Authentication: When you enter your email, we send a magic
link via Supabase. Supabase collects and stores your email and session tokens.
- Stripe Checkout & Billing Portal: When you choose to upgrade
or manage your subscription, we call Stripe API endpoints. Stripe collects
your payment method details directly (we never store card numbers).
- Extension Storage: We store your Supabase session token,
subscription tier, and usage data locally in chrome.storage.local on your
browser to provide a seamless experience and display your current
status without repeated network calls.
- Content Scripts: When you click “Generate” on a Vinted item
page, our content script reads the item’s title/description fields and inserts
AI-generated text. This requires permission to view and modify the page’s
DOM temporarily.
3. How We Use Your Information
- Email Address: To authenticate you via Supabase magic link
and tie your extension usage to your account.
- Supabase Session Token: To keep you logged in, fetch your
profile (subscription status, API calls used), and securely call our backend
APIs from the extension popup and content scripts.
- Stripe Customer ID: To create and manage subscription Checkout
Sessions and redirect you to the Stripe Customer Portal.
- Usage Data: To enforce subscription limits (monthly totals)
and calculate billing if you upgrade to a paid plan. We also use it to improve
Product features and detect abusive behavior.
- Extension Interaction Data: To enhance user experience, debug
errors, and optimize performance. We do not share this with third parties
except as described below.
4. How We Share Your Information
We do not sell or rent your personal data. We only share your information
with the following parties as necessary to operate the Product:
- Supabase:
  - Purpose: Authentication, storing user profiles, subscription
    status, API call counters, and Stripe customer IDs.
  - Data Shared: Email addresses, session tokens, subscription
    fields, usage counts, Stripe IDs.
  - Location: Supabase servers (hosted in EU region). See
    Supabase’s own Privacy Policy for details.
- Stripe:
  - Purpose: Processing subscription payments, creating Checkout
    Sessions, and managing Customer Portal sessions.
  - Data Shared: Email addresses, Stripe customer IDs, subscription
    metadata. Payment method details (card numbers) are collected directly
    by Stripe; we never see or store raw card numbers.
  - Location: Stripe’s global servers. See Stripe’s Privacy Policy for details.
- Vinted (Content Script Usage):
  - Purpose: The extension injects AI-generated text into
    Vinted item pages. We need temporary access to the page’s DOM but do not
    store any Vinted account credentials or PII beyond public listing data.
  - Data Shared: No personal data is sent to Vinted; only
    DOM manipulation occurs locally in your browser.
- Cloudflare (Hosting):
  - Purpose: Serving our static HTML (index.html, popup.html,
    success.html, cancel.html, privacy.html) and routing API calls to Vercel
    functions through their edge network.
  - Data Shared: Standard HTTP request metadata (IP addresses,
    user-agent) for CDN caching. We do not share user emails or subscription
    details with Cloudflare beyond what is included in HTTP requests you generate
    when interacting with our API.
- Chrome Web Store:
  - Purpose: Hosting the extension manifest. Does not access
    user-specific data; only metadata about the extension package itself.
  - Data Shared: None (other than what you explicitly grant
    in the Chrome Web Store Developer Dashboard, such as extension name, description,
    etc.).
5. Third-Party Services & Links
The Product integrates with the following third-party services:
- Supabase: For authentication, user profile management, and
storing subscription metadata. By using the Product, you agree that Supabase
may process your data under their Privacy Policy.
- Stripe: For subscription billing, payment processing, and
Customer Portal. All payment information is collected by Stripe; see Stripe’s Privacy Policy for details.
- OpenAI (Backend): Used to generate AI-based titles and descriptions.
The user-provided listing text (e.g., item details from Vinted) and metadata
(e.g., user email) are sent to our secure backend on Vercel, which in turn
calls the OpenAI API. OpenAI processes prompts according to their Privacy Policy. We do not store conversation logs long-term; only transient
request/response data is held to fulfill generation requests and enforce
usage limits.
The Product’s Privacy Policy does not apply to third-party websites or
services linked from within the extension (such as Vinted or GitHub). We
encourage you to read their privacy policies directly.
6. Data Retention and Account Termination
We retain your personal data (email, subscription metadata, usage counts)
in Supabase as long as your account exists or until you request deletion.
Your Stripe Customer ID and subscription information are retained by
Stripe according to their retention policies. We store your session token
and profile data in chrome.storage.local as long as you remain signed in or
until you sign out. If you choose to delete your account, we will remove all associated
data from our Supabase database within 30 days and revoke any active Stripe
subscriptions.
7. Your Rights & Choices
- Access & Correction: You can view or update your email address
and subscription details by signing into the extension and visiting the “Manage
Subscription” flow in Stripe, or by contacting us directly (see Section 12).
- Deletion: To delete your account and all associated data,
send an email to privacy@autolister.app. We will process deletion requests within 30 days.
- Opt-Out of Tracking: We only track usage counts and subscription
status necessary to enforce free‐tier limits and billing. If you do not wish
to have your usage tracked, you may choose not to use the AI generation feature.
You can still use the free features of Vinted manually without accepting the
extension’s terms.
- Email Communications: We may send transactional emails (e.g.,
magic link, subscription receipts). You cannot opt out of these because they
are necessary to use the Product. You will not receive marketing emails unless
you explicitly sign up for updates via our website.
8. Security
We implement reasonable technical and organizational measures to protect
your personal data:
- Data in transit is encrypted using HTTPS/TLS.
- Supabase and Stripe store data in secure, PCI-compliant environments.
- Session tokens are stored in chrome.storage.local, which is
sandboxed per extension and not accessible to other extensions.
- We do not store payment card numbers; Stripe handles all payment data
under their strict security policies.
However, no system is completely secure. If you believe your data has been
compromised, please contact us immediately (see Section 12).
9. Fair Use Policy and Abuse Prevention
We reserve the right to monitor, restrict, or terminate accounts that
violate our fair use policy.
- Usage Monitoring: We actively monitor API usage patterns,
request frequencies, and user behavior to detect abuse, fraud, or violations
of our terms.
- Rate Limiting: We enforce usage limits based on your subscription
tier (monthly totals vary by plan). Additionally, we apply server-side protections
to limit rapid automated requests (burst protection). Circumventing these
limits is prohibited.
- Account Suspension: We may immediately suspend or terminate
accounts that:
  - Attempt to bypass rate limits or abuse our API
  - Use automated tools, bots, or scripts to generate excessive requests
  - Share account credentials or violate our single-user license
  - Engage in fraudulent chargebacks or payment disputes
  - Use the service for illegal activities or spam generation
- No Refunds for Abuse: Accounts terminated for abuse forfeit
any remaining subscription time or credits without refund.
- Legal Action: We reserve the right to pursue legal action
against users who cause financial damage through abuse or violation of our
terms.
- Data Retention for Compliance: Usage data and logs may be
retained for up to 2 years for abuse detection, legal compliance, and account
security purposes.
10. Children's Privacy
The Product is not intended for children under the age of 13. We do not
knowingly collect personal data from children. If you are under 13, do not
use the extension. If we learn that we have inadvertently collected
personal information from a child under 13, we will promptly delete that
data.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in
our data practices or legal requirements. When we make changes, we will
revise the “Last updated” date at the top. We encourage you to review this
page periodically. Your continued use of the Product after any changes
indicates your acceptance of the updated policy.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy
Policy or your personal data, please contact us at:
Email: privacy@autolister.app
Address: AutoLister AI, 1234 Extension Lane, Amsterdam, Netherlands