AutoLister AI ("we", "our", or "us") values your privacy. This Privacy Policy explains how we collect, use,
disclose, and safeguard your information when you use our Chrome extension ("Product"). By using the Product, you
consent to the practices described in this policy. If you do not agree with any term, please do not use the
Product.
1. Information We Collect
1.1 Personal Information
When you sign in to the Product via Magic Link, we collect the following:
Email address: Used to identify your account and create a Supabase session.
Stripe customer ID: Used during subscription checkout and billing portal creation. Stored in
Supabase for reference.
1.2 Usage Data
We collect certain information about how you use the Product:
API call count: Number of times you request AI-generated titles/descriptions each month and
time-based usage (to enforce subscription limits and prevent abuse).
Subscription status and tier: Whether you are on a free trial, Starter, Professional, or
Business plan. This determines your usage limits and available features.
Extension interactions: Actions such as clicking "Generate", opening the popup, and
navigating the billing portal. This data helps us monitor feature usage and detect abuse.
2. How We Collect Information
Authentication: When you enter your email, we send a magic link via Supabase. Supabase
collects and stores your email and session tokens.
Stripe Checkout & Billing Portal: When you choose to upgrade or manage your subscription, we
call Stripe API endpoints. Stripe collects your payment method details directly (we never store card numbers).
Extension Storage: We store your Supabase session token, subscription tier, and usage data
locally in chrome.storage.local on your browser to provide a seamless experience and display your
current status without repeated network calls.
Content Scripts: When you click “Generate” on a Vinted item page, our content script reads
the item’s title/description fields and inserts AI-generated text. This requires permission to view and modify
the page’s DOM temporarily.
3. How We Use Your Information
Email Address: To authenticate you via Supabase magic link and tie your extension usage to
your account.
Supabase Session Token: To keep you logged in, fetch your profile (subscription status, API
calls used), and securely call our backend APIs from the extension popup and content scripts.
Stripe Customer ID: To create and manage subscription Checkout Sessions and redirect you to
the Stripe Customer Portal.
Usage Data: To enforce subscription limits (monthly totals) and calculate billing if you
upgrade to a paid plan. We also use it to improve Product features and detect abusive behavior.
Extension Interaction Data: To enhance user experience, debug errors, and optimize
performance. We do not share this with third parties except as described below.
4. How We Share Your Information
We do not sell or rent your personal data. We only share your information with the following parties as necessary
to operate the Product:
Supabase:
Purpose: Authentication, storing user profiles, subscription status, API call counters,
and Stripe customer IDs.
Data Shared: Email addresses, Stripe customer IDs, subscription metadata. Payment method
details (card numbers) are collected directly by Stripe; we never see or store raw card numbers.
Location: Stripe’s global servers. See Stripe’s Privacy Policy for details.
Vinted (Content Script Usage):
Purpose: The extension injects AI-generated text into Vinted item pages. We need
temporary access to the page’s DOM but do not store any Vinted account credentials or PII beyond public
listing data.
Data Shared: No personal data is sent to Vinted; only DOM manipulation occurs locally in
your browser.
Cloudflare (Hosting):
Purpose: Serving our static HTML (index.html, popup.html, success.html, cancel.html,
privacy.html) and routing API calls to Vercel functions through their edge network.
Data Shared: Standard HTTP request metadata (IP addresses, user-agent) for CDN caching.
We do not share user emails or subscription details with Cloudflare beyond what is included in HTTP requests
you generate when interacting with our API.
Chrome Web Store:
Purpose: Hosting the extension manifest. The Chrome Web Store does not access user-specific
data, only metadata about the extension package itself.
Data Shared: None (other than what you explicitly grant in the Chrome Web Store Developer
Dashboard, such as extension name, description, etc.).
5. Third-Party Services & Links
The Product integrates with the following third-party services:
Supabase: For authentication, user profile management, and storing subscription metadata. By
using the Product, you agree that Supabase may process your data under their Privacy Policy.
Stripe: For subscription billing, payment processing, and Customer Portal. All payment
information is collected by Stripe; see Stripe’s Privacy Policy for
details.
OpenAI (Backend): Used to generate AI-based titles and descriptions. The user-provided
listing text (e.g., item details from Vinted) and metadata (e.g., user email) are sent to our secure backend on
Vercel, which in turn calls the OpenAI API. OpenAI processes prompts according to their Privacy Policy. We do not store conversation logs
long-term; only transient request/response data is held to fulfill generation requests and enforce usage limits.
The Product’s Privacy Policy does not apply to third-party websites or services linked from within the extension
(such as Vinted or GitHub). We encourage you to read their privacy policies directly.
6. Data Retention and Account Termination
We retain your personal data (email, subscription metadata, usage counts) in Supabase as long as your account
exists or until you request deletion. Your Stripe Customer ID and subscription information are retained by Stripe
according to their retention policies. We store your session token and profile data in
chrome.storage.local as long as you remain signed in or until you sign out. If you choose to delete
your account, we will remove all associated data from our Supabase database within 30 days and revoke any active
Stripe subscriptions.
7. Your Rights & Choices
Access & Correction: You can view or update your email address and subscription details by
signing into the extension and visiting the “Manage Subscription” flow in Stripe, or by contacting us directly
(see Section 12).
Deletion: To delete your account and all associated data, send an email to privacy@autolister.ai. We will process deletion requests within 30
days.
Opt-Out of Tracking: We only track usage counts and subscription status necessary to enforce
free‐tier limits and billing. If you do not wish to have your usage tracked, you may choose not to use the AI
generation feature. You can still use the free features of Vinted manually without accepting the extension’s
terms.
Email Communications: We may send transactional emails (e.g., magic link, subscription
receipts). You cannot opt out of these because they are necessary to use the Product. You will not receive
marketing emails unless you explicitly sign up for updates via our website.
8. Security
We implement reasonable technical and organizational measures to protect your personal data:
Data in transit is encrypted using HTTPS/TLS.
Supabase and Stripe store data in secure, PCI-compliant environments.
Session tokens are stored in chrome.storage.local, which is sandboxed per extension and not
accessible to other extensions.
We do not store payment card numbers; Stripe handles all payment data under their strict security policies.
However, no system is completely secure. If you believe your data has been compromised, please contact us
immediately (see Section 12).
9. Fair Use Policy and Abuse Prevention
We reserve the right to monitor, restrict, or terminate accounts that violate our fair use
policy.
Usage Monitoring: We actively monitor API usage patterns, request frequencies, and user
behavior to detect abuse, fraud, or violations of our terms.
Rate Limiting: We enforce usage limits based on your subscription tier (monthly totals vary
by plan). Additionally, we apply server-side protections to limit rapid automated requests (burst protection).
Circumventing these limits is prohibited.
Account Suspension: We may immediately suspend or terminate accounts that:
Attempt to bypass rate limits or abuse our API
Use automated tools, bots, or scripts to generate excessive requests
Share account credentials or violate our single-user license
Engage in fraudulent chargebacks or payment disputes
Use the service for illegal activities or spam generation
No Refunds for Abuse: Accounts terminated for abuse forfeit any remaining subscription time
or credits without refund.
Legal Action: We reserve the right to pursue legal action against users who cause financial
damage through abuse or violation of our terms.
Data Retention for Compliance: Usage data and logs may be retained for up to 2 years for
abuse detection, legal compliance, and account security purposes.
10. Children's Privacy
The Product is not intended for children under the age of 13. We do not knowingly collect personal data from
children. If you are under 13, do not use the extension. If we learn that we have inadvertently collected personal
information from a child under 13, we will promptly delete that data.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices or legal
requirements. When we make changes, we will revise the “Last updated” date at the top. We encourage you to review
this page periodically. Your continued use of the Product after any changes indicates your acceptance of the
updated policy.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please
contact us at: