LEGAL · PRIVACY

Privacy Policy

LAST UPDATED · 30 APRIL 2026

Who we are

ListTriage is built and operated by an independent developer based in the United Kingdom. We are not affiliated with, endorsed by, or sponsored by Etsy, Inc.

For any privacy questions or requests, contact privacy@listtriage.com.

What we collect

Account information

• Email address — used for sign-in (we send a magic link, no password) and transactional notifications.
• Optional profile fields — shop name, shop URL, and niche category, if you choose to provide them.

Scan content and results

• Listing content you scan — the title, tags, description, and (optionally) image URLs you submit for scanning.
• Scan results — the AI-generated risk assessments and flagged phrases tied to each scan.
• Timestamps — when scans were run, used for rate-limiting free-tier usage and for your own scan history.
• CSV uploads — when you run a whole-shop audit, the CSV listing export you upload (this is processed in-memory and the parsed rows are stored against your account).

Billing information

• Stripe customer ID and subscription ID — so we can match Stripe events to your account and gate paid features.
• We never see, store, or process your card details. All payment data is handled exclusively by Stripe.

What we do not collect

• No cross-site tracking, fingerprinting, or third-party analytics ad cookies.
• No browsing history outside of the specific Etsy listing edit pages where you click the shield button.
• No location data.
• No contact lists, no calendar, no microphone, no camera.
• The Chrome extension only activates when you click the shield button on a supported Etsy edit page. It does not read tabs you haven't activated and does not run in the background on other pages.

How we use your data

We use the data described above only to:

• Provide the scanning service you've signed up for.
• Maintain your scan history so you can review past results.
• Send transactional emails (magic-link sign-in, billing receipts, audit-complete notifications).
• Enforce free-tier rate limits and unlock paid-tier features.
• Detect and prevent abuse of the service.

We never use your data for advertising, never sell it to third parties, and never use your scanned listings or scan results to train AI models.

Where your data lives

We use the following infrastructure providers, all under data-processing agreements:

• Postgres (database, EU/London region) — your account, scans, and audit data.
• AI processing provider — listing content is sent to a third-party large-language-model API for analysis. Our provider does not retain content for training and is bound by a data-processing agreement requiring deletion after processing. We may change AI providers from time to time as the technology evolves; the protections above are required of any provider we use.
• Resend — transactional email delivery only.
• Stripe — payment processing.
• Railway — application hosting.
• Cloudflare — DNS and edge security.

Chrome extension specifics

• Site access — the extension only runs on Etsy listing edit pages matching etsy.com/your/shops/*/listing-editor/* and similar listing-management URLs.
• Authentication — the extension reads the lt_session cookie from listtriage.com to identify you, the same way the website does.
• Local storage — the extension stores one setting locally: the API host (defaults to https://listtriage.com). No personal data is stored locally.
• Activation — the extension is dormant until you click the floating shield button or open its popup. It does not run in the background.
• No remote code — all extension JavaScript is bundled in the package downloaded from the Chrome Web Store.

Data retention

• Scan history — retained for the lifetime of your account. You can request deletion at any time.
• Magic-link tokens — expire 15 minutes after issue.
• Sessions — expire 30 days after last use.
• Cancelled subscriptions — your account and data remain accessible until the end of your paid-up billing period; after that the account becomes read-only.
• Account deletion — when you request deletion, your account and associated data are removed within 30 days, except where we are required to retain billing records for tax purposes.

Your rights

Under UK GDPR and EU GDPR, you have the right to:

• Access the personal data we hold about you.
• Rectify inaccurate data.
• Erase your account and data.
• Restrict processing.
• Port your data to another service in a machine-readable format.
• Object to processing.

To exercise any of these rights, email privacy@listtriage.com from the address associated with your account. We respond within 30 days.

If you are unhappy with how we've handled a privacy request, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

Security

• All connections are HTTPS-only.
• Session cookies are HTTP-only, secure, and SameSite-Lax.
• We use passwordless magic-link authentication — there are no passwords to leak.
• Database storage is encrypted at rest by our infrastructure provider.
• We follow least-privilege principles for internal access.

Children

ListTriage is not intended for use by anyone under 13 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete the data.

Changes to this policy

If we make material changes to how we handle your data, we will notify active account holders by email at least 14 days before the changes take effect. Non-material updates (clarifications, fixing typos, adding new infrastructure providers under the same protections) may be made without notice.

Contact

For privacy questions, data requests, or any other concern about how your data is handled:

privacy@listtriage.com