FlipCore Privacy Policy

Information we collect

• Account information — email address, display name, and optional profile image provided at registration.
• Business and financial data — listing details (item names, descriptions, photos, purchase prices, listed prices, sold prices), expenses, profit calculations, and sales records you enter into the Service.
• Location and journey data — if you use the Sourcing Trips feature, we collect GPS coordinates, route geometry, journey distance, duration, and associated vehicle information to calculate trip costs. Location data is only collected during an active trip session when you explicitly start one.
• Marketplace credentials — when you connect external marketplaces (eBay, Vinted), we store OAuth access and refresh tokens, encrypted at rest, to act on your behalf within those platforms.
• Marketplace transaction data — sale notifications received from connected marketplaces (including buyer country, sale price, and order identifiers) are stored to update your listing records.
• Usage and technical data — page views, feature interactions, device type, browser, and approximate location derived from IP address, collected via Vercel Analytics to help us improve the Service. No advertising profiles are built from this data.
• Cookies and local storage — we use browser cookies and local storage to maintain your authenticated session (via Supabase Auth) and to remember user interface preferences such as sort order and active filters. No third-party advertising cookies are used.

Lawful basis for processing

Where UK GDPR applies, we process your personal data on the following bases:

• Contract performance — to create and manage your account, provide core features, and fulfil subscription obligations.
• Legitimate interests — to operate, secure, and improve the Service, prevent fraud, and send service-related communications.
• Legal obligation — to comply with applicable laws and regulations, including financial record-keeping requirements.

How we use information

• Provide, maintain, and improve the Service.
• Authenticate users and secure accounts.
• Synchronise your listings with connected marketplaces on your behalf.
• Calculate and display sourcing trip costs and profitability.
• Process payments and manage your subscription.
• Respond to support requests and communicate about updates.
• Detect and prevent security incidents and abuse.

Third-party service providers

We share data with the following service providers only to the extent necessary to deliver the Service. We do not sell your personal information. Where a provider acts as a data processor on our behalf, we have data processing agreements in place. Where a provider acts as an independent data controller (e.g. eBay, Vinted), their own privacy policies govern their use of your data.

• Supabase — database, authentication, and file storage. Data is stored in the EU (eu-west-2). Supabase is a data processor acting on our instructions. Privacy policy.
• Vercel — application hosting, edge network delivery, and anonymised page-view analytics. May process request data (including IP address) via servers in the US and EU. Vercel is a data processor. Privacy policy.
• Stripe — payment processing and subscription management. Your payment card details are entered directly into Stripe's hosted forms and are never transmitted to or stored by us. Stripe is an independent data controller for payment data. Data may be processed in the US under Standard Contractual Clauses. Privacy policy.
• eBay — marketplace API integration. When you connect your eBay account, we exchange OAuth tokens and listing data with eBay's servers. eBay is an independent data controller for data held on its platform. Privacy notice.
• Vinted — marketplace API integration. When you connect your Vinted account, listing URLs and sale data are exchanged with Vinted. Vinted is an independent data controller for data held on its platform. Privacy policy.
• LocationIQ — geocoding and reverse geocoding for the Sourcing Trips map feature. Location search queries (place names or coordinates) are sent to LocationIQ's servers. LocationIQ is a data processor. Data may be processed outside the UK under appropriate safeguards. Privacy policy.
• Forward Email — transactional email delivery (account notifications, trial reminders). Your email address is shared with Forward Email solely to deliver messages from us. Forward Email is a data processor. Privacy policy.

Data retention

We retain your personal data for as long as your account is active or as needed to provide the Service. When you delete your account, your personal data is removed from active systems within 30 days, except where we are required to retain it for legal or tax purposes. Encrypted OAuth tokens for disconnected marketplaces are deleted immediately on disconnection. Anonymised aggregate usage statistics may be retained indefinitely.

Your rights

Under UK GDPR, you have the following rights regarding your personal data:

• Access — request a copy of the data we hold about you.
• Rectification — ask us to correct inaccurate data.
• Erasure — request deletion of your data (subject to legal retention obligations).
• Portability — export your listing and business data via the export feature in Settings.
• Restriction — ask us to limit how we process your data in certain circumstances.
• Objection — object to processing based on legitimate interests.

To exercise any of these rights, contact us at support@flipcore.app. We will respond within 30 days. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO).

Security

We use reasonable administrative, technical, and organisational measures to protect your information, including encryption of sensitive credentials at rest and HTTPS for all data in transit. Access to production data is restricted to authorised personnel. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

International transfers

Some of our service providers process data outside the UK, including in the United States. Where this occurs, transfers are made on the basis of the UK International Data Transfer Agreement (UK IDTA), Standard Contractual Clauses, or an adequacy decision, in accordance with UK GDPR requirements. Specific transfer mechanisms for each provider are detailed in their respective privacy policies linked above.

Changes to this policy

We may update this policy from time to time. We will update the effective date above and, for material changes, notify you by email or via an in-app notice before the change takes effect.

Contact

If you have questions about this policy or wish to exercise your rights, contact us at support@flipcore.app.