Privacy Policy
This Privacy Policy explains what personal data QuickListing collects, why we collect it, who processes it on our behalf, and the rights you have over your data. It applies to the QuickListing web application at quicklisting.app and any connected services.
The data controller for this service is Abdullah Yasin Gündüz, acting as an individual sole proprietor based in Türkiye. Correspondence address: UŞAK OSB TEKNOPARK, Tekstil OSB 204. Cd. No:566, Merkez/Uşak, Türkiye. Privacy enquiries: support@quicklisting.app.
1. What We Collect
We collect only what we need to run the Service:
- Account data. Your email address, the time you signed up, your current subscription tier, and your credit balance.
- Authentication data. Session cookies and magic-link tokens issued by our auth provider (Supabase). IP address and user-agent of the device that signed in, retained for session-security purposes for up to 90 days.
- Etsy integration data. If you connect an Etsy shop, we store your Etsy shop id, display name, and OAuth access / refresh tokens. Tokens are encrypted at rest and are used only to create draft listings you have explicitly asked for.
- Generation inputs and outputs. The prompts, template choices, and reference images you submit, plus the images and SEO copy the AI returns. Outputs are stored so that you can return to them from your gallery.
- Billing data. Your Paddle customer id, a pointer to each transaction, subscription status, and billing period end. We never see or store your full credit-card number; Paddle handles payment details directly under its own privacy policy.
- Usage and error logs. Standard server access logs (timestamp, endpoint, response code, anonymised or truncated IP), retained for up to 30 days for debugging and abuse prevention.
2. How We Use Your Data
- To provide the Service: authenticate you, store your generations, run your credit ledger, and push drafts to your Etsy shop when you request it.
- To process payments and issue receipts through Paddle (legal basis: contract performance and tax-compliance obligation).
- To send service-related email: magic-link sign-in, Etsy connection notices, critical account or billing events.
- To detect and prevent abuse (legal basis: legitimate interest in protecting the Service and other users).
- To comply with legal and tax-record-keeping obligations under Turkish and EU law.
We do not sell your personal data, and we do not use your prompts or generations to train any AI model that is shared across accounts.
3. Sub-Processors
We rely on the following third-party providers to run the Service. Each is bound by its own data-protection terms; we select providers that offer GDPR-compliant processing agreements.
| Provider | Purpose | Region |
|---|---|---|
| Supabase | Authentication, primary database (account, credits, generations, Etsy tokens) | EU (Frankfurt) |
| Supabase Storage | Object storage for generated images and uploaded reference photos | EU (Frankfurt) |
| Cloudflare (DNS, Email Routing) | DNS for the site, forwarding of support-address email to the operator | Global edge |
| Vercel | Hosting the web application | US / EU |
| Railway | Hosting the backend API and background workers | US |
| Upstash Redis | Transient job queue and rate-limit counters | US / EU |
| Recraft | AI image generation; receives only the prompt and reference image submitted for that generation | US |
| Anthropic | Language-model calls (slogan generation, listing copy, trend filtering, mashup blending). Receives only the prompt context for each individual call. | US |
| Resend | Transactional email delivery (magic-link sign-in, billing receipts, renewal reminders, account-deletion confirmation) | EU / US |
| PostHog | Product analytics — counts page views, funnel steps, and feature usage. No third-party advertising signals. | EU |
| Sentry | Error and performance tracking. Captures stack traces, request paths, and trace ids when something breaks. | EU |
| Paddle | Merchant of record (payment processing, tax, invoicing) | UK / EU / US |
| Etsy | When you connect a shop, we exchange OAuth tokens with Etsy and call the Etsy API on your behalf | US |
Transfers outside the European Economic Area rely on the relevant provider’s Standard Contractual Clauses and supplementary measures. We may add new sub-processors as the Service grows; material additions will be announced by email.
4. Retention
- Account and generation data: kept while your account is open. Deleted within 30 days of account closure, except where a longer retention is required by law.
- Etsy OAuth tokens: deleted immediately when you disconnect your shop, and when your account is closed.
- Billing and tax records: retained for the period required by Turkish and EU tax law (currently up to 10 years) even after account closure.
- Server access logs: up to 30 days.
- Authentication session metadata (IP, user-agent): up to 90 days.
5. Your Rights
If you are in the EU/EEA, the UK, or a jurisdiction with similar rules (including Türkiye under KVKK), you have the right to:
- access a copy of the personal data we hold about you;
- correct inaccurate data;
- delete your data (subject to tax-record-keeping obligations);
- restrict or object to certain kinds of processing;
- receive your data in a portable format and transfer it to another provider;
- lodge a complaint with your local data-protection authority. In Türkiye that is the Kişisel Verileri Koruma Kurumu (KVKK); in the EU, your national DPA.
To exercise any of these rights, email support@quicklisting.app. We will respond within 30 days.
6. Cookies and Similar Technologies
We use a small number of strictly necessary cookies to keep you signed in and route requests correctly, plus minimal product-telemetry cookies (PostHog, Sentry) to understand how the site is used and what breaks. We do not use third-party advertising cookies and do not engage in cross-site profiling.
For the full inventory — every cookie name, who sets it, what it does, and how long it lives — see our Cookie Policy. If we add advertising cookies in the future we will update both pages and, where required, ask for consent first.
7. Children
The Service is not directed to children under 18 and we do not knowingly collect personal data from anyone under 18. If you believe a minor has created an account, contact us and we will close it.
8. Security
We store OAuth tokens and sensitive secrets encrypted at rest. Traffic to and from the Service is served over HTTPS. Passwords are not used. Authentication is by magic link only. No online service can guarantee absolute security, but we aim to apply industry-standard protections proportionate to a small-scale SaaS.
9. Changes to This Policy
We may revise this Policy from time to time. Where a change meaningfully affects how we handle your data, we will notify you by email before the change takes effect. The current version always lives at this URL.