1. Introduction
This Privacy Policy describes how VaultLister ("we", "us", "our") collects, uses, and protects information when you use the VaultLister platform and related services (collectively, the "Service"). By using the Service, you agree to the practices described in this policy.
If you have questions about this policy or your data, please contact us at privacy@vaultlister.com.
2. What Data We Collect
We collect only the information necessary to operate the Service.
| Category | What is collected | Why |
|---|---|---|
| Account information | Email address, username, hashed password, optional profile details | Authentication and account management |
| Marketplace credentials | OAuth tokens for connected marketplaces (Poshmark, eBay, Mercari, Etsy, Shopify, etc.) | Listing, syncing, and automation operations |
| Inventory and listing data | Item details, descriptions, prices, photos, tags, sale records | Core platform functionality |
| Usage data | Feature interactions, session events, automation logs | Analytics, debugging, and automation audit trail |
| Images | Photos you upload to the Image Bank | Listing management and AI image analysis |
| Session and security data | IP address, session identifiers, CSRF tokens, login timestamps | Security, fraud prevention, and session management |
We do not collect advertising data, sell user profiles, or use third-party tracking pixels or analytics services.
3. How We Use Your Data
Your data is used exclusively to operate and improve the Service:
- Authenticating your identity and maintaining your session
- Storing and displaying your inventory, listings, and sales records
- Connecting to third-party marketplaces on your behalf using OAuth tokens
- Running automations you configure (sharing, offer rules, follow-back)
- Generating AI-powered listing suggestions when you request them
- Calculating analytics, profit margins, and performance reports
- Detecting and preventing unauthorized access or abuse
- Sending transactional notifications (e.g. sale alerts, sync errors)
We do not use your data to train AI models. Content submitted to AI features is processed in real time and is not stored for model training purposes beyond what Anthropic's own data policies govern (see Section 6).
4. Data Storage and Security
VaultLister is a self-hosted application. Your data is stored in a SQLite database on your own server or device. We take the following security measures to protect your data:
- Passwords are hashed using bcrypt with a minimum cost factor of 12 — plaintext passwords are never stored
- Marketplace OAuth tokens are encrypted at rest using AES-256-CBC before being written to the database
- All authenticated API requests require a short-lived JWT access token (15-minute expiry) and a secure refresh token (7-day expiry)
- Multi-factor authentication (TOTP) is available and encouraged for all accounts
- All mutating requests (POST, PUT, PATCH, DELETE) require a CSRF token to prevent cross-site request forgery
- Automation actions are logged to a local audit log file for accountability
Because VaultLister is self-hosted, the security of the underlying server or device is your responsibility. We recommend keeping your server software up to date and restricting network access appropriately.
5. Marketplace API Integrations
To enable cross-listing and automation features, VaultLister connects to third-party marketplace platforms using OAuth 2.0. When you authorize a marketplace connection:
- We receive and store an OAuth access token and refresh token for that marketplace
- These tokens are encrypted before storage and are used only to perform the operations you explicitly request
- We do not share your marketplace credentials or tokens with any other party
- You can revoke access to any connected marketplace at any time from your account settings or directly through the marketplace's own OAuth management page
Each marketplace platform has its own privacy policy governing how it handles data you submit through its API. We encourage you to review those policies for the platforms you connect.
6. Third-Party Services
VaultLister integrates with the following third-party services under specific conditions:
| Service | When used | Data shared |
|---|---|---|
| Anthropic Claude API | Only when you use AI listing generation or the Vault Buddy chat assistant | Item descriptions, images, and chat messages you submit to AI features. Governed by Anthropic's Privacy Policy. |
| Marketplace platforms | When you authorize a marketplace connection and perform listing or automation operations | Listing data, credentials via OAuth. Each platform's own privacy policy applies. |
No advertising networks, analytics services (e.g. Google Analytics), or data brokers are used by VaultLister.
7. Cookies and Local Storage
VaultLister uses browser localStorage to:
- Maintain your authentication session (JWT access and refresh tokens)
- Remember your UI settings and dark mode preference
- Store your cookie consent choice
We do not use advertising cookies, third-party tracking cookies, or persistent analytics cookies. The only cookies set are those strictly necessary to operate the Service.
8. Data Retention and Deletion
Because VaultLister is self-hosted, you have direct control over your data at all times. Within the application:
- You can delete individual InventoryItems, Listings, Sales, or Images at any time
- You can delete your account from your account settings; this will remove all associated records from the database
- Automation audit logs are stored locally on your server and can be cleared manually
If you are using a managed or cloud-hosted instance of VaultLister, account deletion requests will be processed within 30 days. To request deletion, contact us at privacy@vaultlister.com.
9. Your Rights
Depending on your jurisdiction, you may have the following rights with respect to your personal data:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate or incomplete data
- Deletion: Request deletion of your account and associated data
- Portability: Request an export of your data in a machine-readable format
- Restriction: Request that we limit processing of your data in certain circumstances
- Objection: Object to processing where our legal basis is legitimate interest
To exercise any of these rights, contact us at privacy@vaultlister.com. We will respond within 30 days.
If you are located in the European Economic Area, you also have the right to lodge a complaint with your local supervisory authority.
10. Children's Privacy
The Service is not directed to or intended for use by persons under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us immediately and we will delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you via the Service or by email. The "Last updated" date at the top of this page reflects when the policy was most recently revised. Continued use of the Service after changes take effect constitutes your acceptance of the updated policy.
12. Contact Information
For privacy questions, data requests, or concerns, please contact us at:
VaultLister
Email: privacy@vaultlister.com