1. Information We Collect
We collect information in the following categories:
- Account information: email address, name, and password hash when you create an account
- Reverb data: shop orders, listings, feedback, and payouts accessed via OAuth with your explicit authorization
- Usage analytics: page views, feature usage, and session duration to improve the Service
- Billing information: processed and stored by Stripe; we do not store credit card numbers
2. How We Use Your Information
- Provide and operate the Service (analytics, reports, dashboards)
- Process billing and manage your subscription
- Send transactional emails (billing receipts, sync notifications)
- Generate anonymized panel benchmarks from aggregated seller data
- Improve the Service based on usage patterns
- Respond to support requests
3. Data Storage & Security
Your data is stored in Supabase (PostgreSQL) with row-level security enforced on all user-facing tables. OAuth tokens are encrypted using AES-256-GCM before storage. The application is hosted on Vercel with HTTPS enforced on all connections. We follow industry-standard practices for data protection.
4. Third-Party Processors
We share data with the following processors, solely to operate the Service:
- Stripe: payment processing and subscription management
- Supabase: database hosting and authentication
- Vercel: application hosting and edge delivery
- Resend: transactional email delivery
5. Data Sharing
We never sell your personal data. Anonymized, aggregated data from opted-in sellers may be used to generate panel benchmarks (e.g., average sell-through rates by category). These benchmarks never identify individual sellers. Segment-size thresholds (minimum 3 sellers per segment) are enforced to prevent deanonymization and protect your privacy.
6. Your Rights
Depending on your jurisdiction, you have the right to:
- Access: request a copy of all data we hold about you
- Export: download your data in a portable format (JSON)
- Rectify: correct inaccurate personal data
- Delete: request erasure of your account and all associated data
- Restrict: limit how we process your data
- Object: opt out of certain data processing activities
These rights apply under GDPR (EU), CCPA (California), and similar regulations. To exercise your rights, use the account settings page or contact us.
7. Data Retention
- Active account: data retained for the duration of your subscription
- Cancelled account: data retained for 30 days, then deleted
- Deleted account: all data erased immediately upon request
- Audit logs: retained for 90 days for security purposes
8. Cookies
We use the following types of cookies:
- Essential: authentication session cookies required for the Service to function
- Optional: analytics cookies to understand usage patterns (can be declined via our cookie banner)
9. Children
The Service is not intended for users under the age of 16. We do not knowingly collect data from children. If we learn that we have collected data from a child under 16, we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification at least 30 days before they take effect. Continued use of the Service constitutes acceptance of the updated policy.
11. Contact
For privacy-related questions or to exercise your data rights, contact us at privacy@verbstack.com.