This Privacy Policy describes how Unstalo collects, uses, discloses, and safeguards your information when you use our web application and related services (collectively, the “Service”). By accessing or using the Service, you agree to the terms of this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.
1. Information We Collect
We collect the following categories of information in connection with your use of the Service:
1.1 Account Information
When you create an account, we collect your name and email address as provided through Google OAuth authentication. We do not collect or store your Google password.
1.2 eBay Marketplace Data
With your explicit authorization, we access your eBay seller account data through the eBay API, including but not limited to: listing titles, descriptions, item specifics, pricing information, photographs, sales history, order details, and financial transaction records. This data is collected solely to provide listing management and optimization services to you.
1.3 Financial Institution Data
If you voluntarily choose to connect a bank account through our integration with Plaid Inc., we access your bank transaction history, including transaction dates, amounts, merchant names, and transaction categories. We do not access, collect, or store your bank account credentials, account numbers, routing numbers, or account balances. All bank authentication is handled exclusively by Plaid's secure infrastructure. The collection and use of your financial data through Plaid is also subject to Plaid's End User Privacy Policy.
1.4 Usage and Analytics Data
We automatically collect certain information about your use of the Service, including pages visited, features accessed, AI review requests, and general interaction patterns. This information is used exclusively to improve the Service and diagnose technical issues.
2. How We Use Your Information
We use the information we collect for the following purposes:
- To provide, operate, and maintain the Service, including displaying and managing your eBay listings.
- To provide AI-powered listing optimization, including analysis of titles, descriptions, pricing, and item specifics.
- To generate pricing insights, market comparisons, and sales analytics based on eBay marketplace data.
- To facilitate cost-of-goods-sold (COGS) tracking from bank transactions that you voluntarily tag for tax reporting purposes.
- To generate tax summaries and financial reports based on your eBay transaction history.
- To communicate with you regarding Service-related matters, including technical notices and support responses.
- To detect, prevent, and address technical issues, security vulnerabilities, and fraudulent activity.
- To improve and optimize the Service based on aggregated, de-identified usage patterns.
3. Third-Party Service Providers
We engage the following third-party service providers to deliver the Service. These providers receive only the minimum data necessary to perform their designated functions and are contractually obligated to protect your information:
- Supabase, Inc. — Provides database hosting, user authentication, and data storage infrastructure. All data is stored with row-level security policies and encrypted at rest.
- Anthropic, PBC (Claude) — Provides AI-powered listing analysis and optimization. Listing data transmitted to Anthropic for processing is not used to train their models, in accordance with Anthropic's API data usage policy.
- OpenAI, Inc. — Provides AI-powered listing analysis when selected by the user as their preferred AI provider. Data transmitted to OpenAI is subject to OpenAI's API data usage policy and is not used for model training.
- eBay, Inc. — Provides marketplace API access to read, manage, and update your listings with your explicit authorization. Your eBay authorization can be revoked at any time through your eBay account settings.
- Plaid, Inc. — Provides secure bank account connectivity for transaction import. Plaid acts as an intermediary between your financial institution and the Service. Your bank credentials are entered directly into Plaid's secure, certified interface and are never transmitted to, processed by, or stored on Unstalo's systems. See Plaid's Privacy Policy for additional details.
- Google LLC — Provides OAuth 2.0 authentication for user sign-in. We receive only your name and email address through this integration.
- Railway Corp. — Provides application hosting and deployment infrastructure with TLS encryption and secure environment variable management.
4. Data Security
We implement commercially reasonable technical and organizational measures designed to protect your information, including but not limited to:
- Encryption in Transit — All data transmitted between your browser and our servers is encrypted using HTTPS with TLS 1.2 or higher. HTTP Strict Transport Security (HSTS) headers are enforced with preload.
- Encryption at Rest — Sensitive credentials, including eBay API tokens and Plaid access tokens, are encrypted with AES-256-GCM, an authenticated encryption mode, before being stored in our database.
- Access Controls — All database tables enforce row-level security (RLS) policies, ensuring that each user can only access their own data. API endpoints require authenticated sessions.
- Security Headers — The Service implements Content Security Policy (CSP), X-Frame-Options, Cross-Origin Resource Policy (CORP), Cross-Origin Opener Policy (COOP), and Permissions-Policy headers to mitigate common web vulnerabilities.
- Input Validation — All user inputs are validated and sanitized to prevent injection attacks, cross-site scripting (XSS), and other OWASP Top 10 vulnerabilities.
While we strive to use commercially acceptable means to protect your information, no method of transmission over the Internet or method of electronic storage is 100% secure, and we cannot guarantee absolute security.
5. Data Sharing and Disclosure
We do not sell, rent, trade, or otherwise transfer your personal information to third parties for marketing or advertising purposes. We may disclose your information only in the following circumstances:
- Service Providers — To the third-party service providers identified in Section 3, solely to the extent necessary to provide the Service.
- Legal Requirements — If required to do so by law, regulation, legal process, or governmental request.
- Protection of Rights — To protect the rights, property, or safety of Unstalo, our users, or the public as required or permitted by law.
- Business Transfers — In connection with a merger, acquisition, or sale of all or a portion of our assets, in which case you will be notified of any change in ownership or use of your information.
6. Your Rights and Choices
You have the following rights regarding your personal information:
- Access and Portability — You may request a copy of the personal information we hold about you by contacting us at the address below.
- Deletion — You may request deletion of your account and all associated data at any time by contacting us. Upon receiving a verified deletion request, we will delete your personal information from our active systems within 30 days, except as required by law.
- eBay Disconnection — You may revoke Unstalo's access to your eBay account at any time through your eBay account's third-party application settings.
- Bank Disconnection — You may disconnect your linked bank account at any time from within the Service. Upon disconnection, the Plaid access token is immediately revoked and all imported bank transaction data is permanently and irreversibly deleted from our database.
- Opt-Out of AI Processing — You may use the Service without utilizing AI-powered features. AI analysis is performed only when you explicitly initiate a review.
To exercise any of these rights, please contact us using the information provided in Section 12 below.
7. Financial Data — Plaid Integration
This section provides additional detail regarding the collection and processing of financial data through our integration with Plaid Inc.:
- Connecting a bank account is entirely voluntary and is not required to use the Service.
- All bank authentication is conducted exclusively within Plaid's secure, PCI-compliant interface. Your financial institution login credentials are never transmitted to, processed by, or stored on Unstalo's servers or infrastructure.
- We access only transaction history data, including transaction dates, amounts, merchant names, and merchant categories. We do not access account numbers, routing numbers, account balances, or identity information associated with your financial accounts.
- Bank transaction synchronization occurs only when you manually initiate a sync by clicking “Sync Transactions” within the Service. We do not perform automatic, scheduled, or background synchronization of your bank data.
- Synchronization is limited to no more than once per 24-hour period per connected institution to minimize unnecessary data access.
- Imported transaction data is stored in our database with row-level security and is used solely for the purpose of cost-of-goods-sold (COGS) tracking and tax reporting functionality within the Service.
- We do not sell, share, rent, or otherwise disclose your bank transaction data to any third party for any purpose.
- Upon disconnection of your bank account, the Plaid access token is immediately revoked via the Plaid API, and all associated transaction data is permanently deleted from our database.
For comprehensive information regarding Plaid's data practices, security certifications, and your rights as an end user, please review Plaid's End User Privacy Policy.
8. Data Retention
We retain your personal information for as long as your account is active or as reasonably necessary to provide the Service to you. eBay listing data is retained in our database to support ongoing listing management and historical analytics. Bank transaction data is retained only while the associated bank connection remains active; upon disconnection, all bank transaction data is immediately and permanently deleted. If you request account deletion, we will delete all personal information from our active systems within 30 days, except where retention is required by applicable law, regulation, or legitimate business obligation (e.g., record-keeping for tax compliance).
9. Cookies and Local Storage
We use essential cookies and browser local storage strictly for the following functional purposes:
- Authentication — To maintain your signed-in session securely.
- User Preferences — To store your display preferences, such as theme (light/dark mode) and pricing mode settings.
- Performance — To cache certain AI review results locally to reduce redundant API calls and improve responsiveness.
We do not use tracking cookies, advertising cookies, or any third-party analytics cookies. We do not participate in cross-site tracking or targeted advertising.
10. Children's Privacy
The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have inadvertently collected personal information from a child under 18, we will take reasonable steps to delete such information promptly.
11. Changes to This Privacy Policy
We reserve the right to update or modify this Privacy Policy at any time. When we make material changes, we will update the “Effective Date” at the top of this page. Your continued use of the Service after the posting of any revised Privacy Policy constitutes your acceptance of the revised terms. We encourage you to review this Privacy Policy periodically for any changes.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
Unstalo
Email: support@unstalo.com
We will respond to all legitimate inquiries within a reasonable timeframe and in accordance with applicable law.