Privacy Policy
Last updated: 27 April 2026 (rev. 2)
This Privacy Policy describes how Listybitsy (“we”, “us”) collects, uses, stores, and discloses personal data when you use listybitsy.com (the “Service”). The Service is operated from Ireland and is accessible globally. We are the data controller for the personal data described below. This policy is intended to be aligned with the EU General Data Protection Regulation (GDPR), the UK GDPR, and applicable US state privacy laws including the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA).
For any privacy question or to exercise your rights, contact [email protected].
1. What we collect
- Account data — email address (for magic-link sign-in via Supabase Auth) and a Listybitsy user ID.
- Billing data — when you start a paid subscription, Stripe collects your payment details directly. We store the resulting Stripe customer ID, subscription ID, plan tier, and billing status. We never see or store your card number.
- Product content — photos you upload, the rough description text you provide, and the listing titles, descriptions, tags, and SEO scores generated from them.
- Etsy connection — if you connect your Etsy shop, we store an encrypted OAuth access token and refresh token along with your Etsy shop ID. We do not request more scopes than needed to publish a listing on your behalf.
- Support correspondence — emails you send to [email protected] (handled via Forward Email).
- Technical data — IP address, user agent, and request timestamps in our server logs (retained up to 30 days for abuse and reliability monitoring).
We do not use third-party advertising trackers, fingerprinting, behavioural profiling, or marketing cookies. The only telemetry on this Service is described under “Cloudflare” below.
Cloudflare Insights / Web Analytics. Our CDN provider (Cloudflare) loads a small script from static.cloudflareinsights.com on every page to collect aggregate, privacy-respecting performance metrics (page load times, Core Web Vitals, country-level traffic counts). Cloudflare does not track individual visitors across sites and does not set cookies for this purpose. We use this only to monitor Service health. You can block this script with most ad blockers, or browse via a privacy-preserving browser; the rest of the Service will continue to work. We are working to make this configurable from the Service itself.
2. Why we use it (legal basis)
- To provide the Service (contractual necessity, GDPR Art. 6(1)(b)) — generating listings, scoring listings, posting to Etsy on your behalf, sending magic-link emails.
- To bill paid plans (contractual necessity) — passing the minimum data needed to Stripe to charge your subscription.
- To keep the Service secure (legitimate interests, GDPR Art. 6(1)(f)) — abuse prevention, fraud detection, server-log analysis.
- To comply with law (legal obligation, GDPR Art. 6(1)(c)) — for example, retaining invoices for tax purposes.
3. AI processing of your photos and text
When you upload a photo or paste a listing for the free grader, we send the image and any text you provide to Anthropic (Claude Vision and Claude language models) via Anthropic's API for the sole purpose of generating or scoring your listing. Anthropic acts as a processor on our behalf and is contractually prohibited from using your content to train models. Anthropic's data handling is described in their Privacy Policy and Commercial Terms.
We do not use your uploaded photos or generated listings to train any model.
4. Subprocessors
We share personal data with the following subprocessors only to the extent needed for the purposes above. Each operates under a Data Processing Agreement.
| Subprocessor | Purpose | Region |
|---|---|---|
| Supabase | Authentication, database, file storage | EU (eu-west-1) |
| Anthropic | Claude Vision + Claude language models for listing generation and scoring | USA |
| Stripe | Subscription billing and payment processing | USA / Ireland |
| Brevo (Sendinblue) | Outbound transactional email | EU (France) |
| Forward Email | Inbound support email forwarding | USA |
| Etsy | Posting listings to your Etsy shop on your authorisation | USA |
| Railway | Application hosting | EU (europe-west4) and US-West |
| Cloudflare | CDN, DNS, DDoS protection, and Cloudflare Insights aggregate performance telemetry (no individual tracking, no cookies set for this purpose) | Global edge |
Transfers outside the European Economic Area rely on Standard Contractual Clauses and, where applicable, supplementary measures.
5. How long we keep it
- Account data — for the lifetime of your account, plus up to 30 days after deletion to handle billing reconciliation.
- Generated listings and uploaded photos — until you delete them or your account is deleted.
- Billing records — 7 years (Irish tax law requirement) in Stripe, redacted to invoice metadata only on our side.
- Server logs — up to 30 days.
6. Your rights (GDPR)
You have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Have your data deleted (right to erasure)
- Restrict or object to certain processing
- Receive your data in a portable format
- Withdraw consent at any time where consent is the basis
- Lodge a complaint with the Irish Data Protection Commission (dataprotection.ie) or your local supervisory authority
Email [email protected] to exercise any of these rights. We respond within 30 days.
7. California / US state privacy rights
If you are a resident of California, Colorado, Connecticut, Virginia, Utah, or another US state with comprehensive privacy legislation, you have rights similar to those above: to know what personal information we hold about you, to delete it, to correct it, and to opt out of any “sale” or “sharing” of personal information.
We do not sell your personal information, and we do not share it for cross-context behavioural advertising. We do not knowingly collect personal information of consumers under 16 for sale or sharing. To exercise any state-law right, email [email protected]; we will verify your identity using your account email.
8. International transfers
Some of our subprocessors are based outside the European Economic Area (notably the United States). Where personal data is transferred outside the EEA or UK, we rely on the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, together with technical and organisational measures such as encryption in transit and at rest.
9. Security
We use HTTPS everywhere, encrypted database storage, encrypted Etsy OAuth tokens at rest, and least-privilege access controls. No system is perfectly secure; if we ever suffer a personal-data breach affecting your data, we will notify you and the supervisory authority as required by GDPR Art. 33–34.
10. Automated processing and AI-generated content (GDPR Art. 13(2)(f) / Art. 22)
The core function of the Service is automated: a Claude language/vision model generates listing titles, descriptions, tags, and SEO scores from the photos and text you provide. We want you to understand exactly what this means for your rights.
- What is automated. The generation and scoring of listing content is fully automated — no human at Listybitsy reviews each individual listing the model produces. Your free / Creator / Pro plan limits, your Stripe billing status, and basic abuse-prevention flags are also evaluated automatically against rules we have configured.
- What is not. We do not use automated decision-making (including profiling) to make decisions about you that produce legal effects or that significantly affect you within the meaning of GDPR Art. 22 — for example, we do not use automated systems to deny you access to credit, employment, insurance, or to assess your trustworthiness. Generating content from your inputs is not such a decision.
- Logic involved. The Claude model produces content by predicting tokens conditioned on your inputs and on prompts we have written that target Etsy SEO best practices (title length, exactly 13 tags, keyword placement, etc.). We do not have access to and do not control the model's internal weights.
- Significance and consequences. The output is a suggestion. You decide whether to publish it, edit it, or discard it. Listybitsy has no effect on your Etsy account, search ranking, or sales beyond what you choose to publish.
- Your rights. Even though we do not believe Art. 22 applies, you may at any time (a) ask a human at Listybitsy to review any generated output before relying on it, (b) contest a generation outcome and ask us to re-generate it, and (c) express your point of view, by emailing [email protected]. We respond within 30 days.
11. Children
The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, contact [email protected] and we will delete it.
12. Changes to this policy
Material changes will be notified by email to active users at least 14 days before they take effect. The “Last updated” date at the top reflects the latest revision.
13. Contact
Listybitsy — [email protected].