Privacy Policy
Last updated: 14 May 2026
1. Who we are
ResellerHub is operated as a sole trader business based in the United Kingdom by Toby Harris (the “data controller” for the purposes of UK GDPR).
This Privacy Policy applies to:
- The marketing website at https://resellerhub.app
- The application at https://go.resellerhub.app
- The optional ResellerHub Connector browser extension
For any questions about this policy or how we handle your data, contact support@resellerhub.app.
2. What information we collect
Account information
- Your name and email address when you sign up directly or sign in with Google
- A password (stored as a bcrypt hash; we never see your plain-text password)
- Email-verification status
Marketplace credentials
- OAuth access and refresh tokens for connected eBay accounts
- Session tokens for connected Vinted accounts (captured via the optional browser extension — see section 9)
Product and inventory data
- Item details, descriptions, photos, pricing, SKUs, item specifics, and listing information you create or import
Payment information
- Processed by Stripe. We do not store your card details — they are entered on Stripe-hosted forms and never touch our servers
- We do store an anonymous card fingerprint provided by Stripe (a one-way hash, useless outside Stripe’s systems) to prevent duplicate free-trial abuse
Usage data
- Page visits and basic interaction counts via privacy-friendly analytics (self-hosted Plausible — no cookies, no PII, no cross-site tracking; see section 8)
- Application logs containing IP address, user-agent, request timestamps and paths, retained for security and debugging
Technical data
- IP address — collected for security, abuse-prevention, rate-limiting, and to comply with marketplace data-deletion notification requirements
3. Why we use your data — lawful basis under UK GDPR Article 6
| Purpose | Lawful basis |
|---|---|
| Providing the ResellerHub service to you | Contract — Art. 6(1)(b) |
| Processing your subscription payment | Contract — Art. 6(1)(b) |
| Sending service-related communications (billing, security, account events) | Contract — Art. 6(1)(b) |
| Privacy-friendly aggregate analytics | Legitimate Interest — Art. 6(1)(f) |
| Fraud prevention (trial-abuse fingerprinting, rate-limiting, breach-check on signup) | Legitimate Interest — Art. 6(1)(f) |
| Legal obligations (e.g. HMRC tax records, GDPR data subject requests, fraud reporting) | Legal Obligation — Art. 6(1)(c) |
We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on you.
4. Who we share your data with
We share data with these third-party processors only as necessary to provide the service. We do not sell your personal data to any third party, ever.
| Processor | Purpose | Location |
|---|---|---|
| Stripe | Payment processing. Card details entered directly on Stripe-hosted forms. | US (under UK/EU SCCs) |
| Google | Optional sign-in via Google OAuth. Only if you choose this option. | US (under UK/EU SCCs) |
| eBay | Listing data you ask us to sync to eBay on your behalf. | Varies per eBay |
| Vinted | Listing data you ask us to sync to Vinted on your behalf. | EU |
| Cloudflare | Edge network, DDoS protection, WAF. TLS-terminates traffic to *.resellerhub.app. | Global |
| Backblaze B2 | GPG-encrypted off-site database backups. Backblaze receives only encrypted blobs and cannot read them. | EU (Amsterdam) |
| Namecheap | Domain registration and email forwarding for @resellerhub.app. | US |
| IONOS | Primary VPS hosting. Application database stored here (encrypted at rest in our database). | UK (London) |
5. International data transfers
Some of our processors (Stripe, Google, Cloudflare, Namecheap) are based in or process data in the United States. These transfers rely on the EU/UK Standard Contractual Clauses (SCCs) and the EU–US Data Privacy Framework where applicable.
6. How long we keep your data
- Account and inventory data — retained while your account is active
- Marketplace tokens — retained while you keep the integration connected; you can disconnect at any time
- Payment records — retained for 7 years as required by HMRC for tax records
- Application logs — typically retained for 30 days
- Backups — encrypted backups retained for 30 days, then automatically deleted
If you delete your account, we will delete your personal data within 30 days, except where retention is required by law.
7. How we secure your data
We take data security seriously and implement multiple layers of protection:
- In transit: TLS 1.2+ encryption everywhere, with HSTS preloaded into major browsers (Chrome, Firefox, Safari, Edge) so HTTP connections are refused
- At rest in the database: OAuth tokens (eBay access/refresh, Google access/refresh/ID, Vinted session) are encrypted with AES-256-GCM
- Passwords: bcrypt hashed (cost factor 12); we check new passwords against the Have I Been Pwned breached-password corpus on signup
- Browser extension secret & verification tokens (password resets, email verification): SHA-256 hashed — we never store the plain values
- Backups: Encrypted with GPG (AES-256) before being uploaded off-site; the decryption passphrase is held only in our password manager, never on the server
- Infrastructure: Origin IP not publicly reachable (all traffic routed via Cloudflare); firewall locked down to Cloudflare ranges only; SSH key-only access; automated security patching; gitleaks secrets scanning on every code commit
- Email security: SPF, DKIM, DMARC, MTA-STS, TLS-RPT — preventing email being spoofed in our name
- DNS security: DNSSEC enabled; CAA records pinning the certificate authorities allowed to issue for our domain
- Content Security Policy: Strict nonce-based CSP with `default-src 'none'` — defence in depth against cross-site scripting
For security vulnerability disclosure, see our security.txt.
8. Cookies and tracking
We use the minimum cookies needed to run the service:
- Authentication cookies (NextAuth) — essential for keeping you logged in. HttpOnly, Secure, SameSite=Lax, with `__Host-` and `__Secure-` prefixes
- Theme preference — a small `localStorage` entry remembering whether you prefer dark or light mode
No analytics cookies. No advertising trackers. Our analytics provider (self-hosted Plausible) is cookieless by design and does not collect personally identifiable information. There is no Google Analytics, no Facebook Pixel, and no third-party tracking on our pages.
9. Browser Extension (ResellerHub Connector)
Our optional browser extension, ResellerHub Connector, is required to keep your Vinted account connected to ResellerHub. It is available for Chrome, Edge, Brave and other Chromium-based browsers.
What the extension reads
- Vinted session cookies — two specific named cookies on the Vinted domain (`access_token_web` and `refresh_token_web`). These tokens are how Vinted’s own website tracks your authenticated session. We do not see, store, or transmit your Vinted password.
- Vinted display profile — your username, numeric user ID, and avatar URL, used to show which Vinted account is paired in the extension popup and on your ResellerHub Settings page.
The extension does not read any cookies on non-Vinted domains. It does not collect your browsing history, your location, your keystrokes, or any data outside what is described above. It makes no automated requests to Vinted on your behalf.
Where the data goes
The captured tokens and display profile are sent over HTTPS to our servers (go.resellerhub.app) where they are encrypted at rest (AES-256-GCM). They are used solely to make API calls to Vinted on your behalf — posting listings, syncing prices and stock, and marking items sold — exactly as you would do manually on Vinted’s website.
Cookie sync-back
When our server refreshes your Vinted session token (a normal part of token rotation), the extension writes the new token back into your browser’s Vinted cookie jar. This keeps your existing vinted.co.uk browser session alive across server-side refreshes. The extension only writes cookies to Vinted domains the user has previously visited.
Periodic checks
The extension runs a 15-minute background check to ensure your Vinted session cookies stay in sync with the latest server-side token. This is the only background activity. No browsing data, page content, or other tab information is read or transmitted.
User control
You can disconnect at any time from your ResellerHub Settings page. Disconnecting:
- Immediately invalidates the stored tokens server-side
- Clears the extension’s local cache of pending tokens
- Stops all Vinted API calls made on your behalf
You can also uninstall the extension via your browser’s extension management page (e.g. chrome://extensions). Uninstalling removes all locally stored extension data.
10. Your rights under UK GDPR
Under UK GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — ask us to correct inaccurate data
- Erasure — ask us to delete your data (“right to be forgotten”)
- Portability — request your data in a machine-readable format
- Objection — object to certain processing of your data (in particular processing based on legitimate interest)
- Restriction — ask us to limit how we use your data
- Withdraw consent — where we rely on consent as a lawful basis, you can withdraw it at any time
To exercise any of these rights, email support@resellerhub.app. We will respond within 30 days.
You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk if you believe we are not handling your data correctly.
11. Children’s data
ResellerHub is not intended for use by anyone under 18. We do not knowingly collect personal data from children. If you believe we hold data about a child, contact us and we will delete it.
12. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by email and/or through the app. The “Last updated” date at the top of this page tells you when the policy was most recently revised. Your continued use of ResellerHub after changes are posted constitutes acceptance of the updated policy.
13. Contact
For questions about this Privacy Policy or to exercise your rights, contact us at support@resellerhub.app.