Rsellz Privacy Policy

• You own your data. We don't sell it. We don't run ads.
• We do not train any third-party AI model on your purchase or sale data.
• We use a session cookie to keep you signed in. Sensitive fields are encrypted at rest. 2FA is supported.
• You can export your full data as JSON or wipe everything from /account.

Rsellz ("we", "us", "our") is the data controller for personal information collected via rsellz.com and the related Telegram bot. Contact: privacy@rsellz.com.

We collect only the personal data we need to operate the Service.

• Account data: email, password hash (we never store your raw password), display name, role, 2FA secret (encrypted at rest), 2FA backup codes (encrypted), creation and last-login timestamps. Legal basis: performance of contract.
• User Content: the purchases, sales, inventory, buyers, commitments, gift cards, invoices, notes, attachments, and any other operational records you log. We process this only to provide the Service to you. Legal basis: performance of contract.
• Telegram link data: if you connect a Telegram account, we store your Telegram user ID and the time of linking so the bot can route messages to your Rsellz account. Legal basis: performance of contract.
• Push subscription data: if you opt in to push notifications, we store the subscription endpoint and public keys provided by your browser. Legal basis: consent.
• Activity log: a record of sensitive actions on your account (logins, account-data resets, account deletions, exports). Includes IP address and user-agent. Used for security, abuse detection, and incident response. Legal basis: legitimate interest in security.
• Server logs: our hosting provider (Vercel) records request metadata (IP, path, status, timestamp) for limited periods for operational and security purposes. We do not run our own analytics, advertising trackers, fingerprinting, or behavioral profiling.
• Receipt OCR uploads: if you use the receipt-photo feature, the image is sent to Anthropic's Claude vision API to extract structured fields. Anthropic processes the image and returns the result; we do not persist the image after extraction unless you save it as an attachment to a purchase.
• Inbound email (Gmail OAuth and IMAP): if you connect a Gmail account (read-only scope) or an IMAP mailbox, we read messages from that mailbox solely to identify retailer order confirmations, sales notifications, shipping updates, and similar reseller-relevant messages, and to extract structured fields (order number, item, price, tracking number). We do not read personal correspondence, marketing content unrelated to reselling, or attachments other than receipt images you explicitly tag. Parsed extracts are stored in your account as EmailEvent records for 24 months and then deleted; you can revoke the connection or delete individual events at any time from /inbox. IMAP passwords you provide are encrypted at rest with AES-256-GCM. Legal basis: consent (you explicitly connect the account).
• Google API Services User Data Policy — Limited Use disclosure. Rsellz’s use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, with respect to data accessed via the gmail.readonly scope: (i) we only use Gmail data to provide and improve user-facing reselling features inside Rsellz; (ii) we do not transfer Gmail data to others except as necessary to provide those features, comply with applicable law, or as part of a merger, acquisition, or sale of assets where the acquiring entity is bound by these same restrictions; (iii) we do not use Gmail data for serving advertisements; (iv) we do not allow humans to read Gmail data unless we have obtained your affirmative agreement to view specific messages, it is necessary for security purposes (such as investigating abuse), it is necessary to comply with applicable law, or the data (including derivations) is aggregated and used for internal operations; and (v) we do not transfer or use Gmail data to develop, improve, or train generalized or non-personalized artificial-intelligence or machine-learning models.
• Gift-card credentials: if you use the gift-card auto-scan feature, we store the card number, PIN, and (for store-account-based balance lookups) your retailer account email and password. All of these are encrypted at rest with AES-256-GCM and decrypted only inside a server-side Playwright job that runs against the retailer on your behalf. We never send these credentials to any third party. You can delete a gift card and its credentials at any time, and we purge the encrypted blob immediately on delete. Legal basis: consent (you explicitly add the card and enable the scan).

We do not collect: payment card numbers (Stripe handles billing and we only receive a tokenized payment-method reference), Social Security or national-identification numbers, biometric or genetic data, precise geolocation, contents of personal correspondence unrelated to reselling, government-issued ID images, health or medical information, or any other "special category" data under GDPR.

Sensitive Personal Information (CCPA/CPRA). Beyond the categories above, we do not collect, use, or share any “Sensitive Personal Information” as defined by Cal. Civ. Code § 1798.140(ae) — including precise geolocation; racial or ethnic origin; religious or philosophical beliefs; union membership; genetic data; biometric data processed for unique identification; health, sex life, or sexual orientation information; or the contents of mail, email, and text messages not addressed to Rsellz — for the purpose of inferring characteristics about you. Where Gmail or IMAP scanning is enabled, we read messages only to extract the reseller-relevant structured fields described above and do not analyze sensitive content.

• Encryption in transit: HSTS-enforced HTTPS for every connection.
• Encryption at rest: the Postgres database is encrypted at rest by our provider. Sensitive fields (2FA secrets, backup codes) are additionally encrypted with AES-256-GCM keys before being written to the database.
• Per-user isolation: every database table that holds user data is scoped by user ID and queries enforce that scope at the application layer.
• Authentication: bcrypt password hashing, encrypted iron-session cookies (httpOnly, secure, sameSite=lax), per-IP and per-account rate limiting, failed-login lockout, optional time-based one-time-password two-factor.
• Audit trail: sensitive actions are logged so we can investigate suspicious activity.
• Defense-in-depth headers: strict CSP, X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin, Cross-Origin isolation policies, and a restrictive Permissions-Policy.
• Vulnerability reporting: see /.well-known/security.txt. We coordinate responsible disclosure with researchers.

No system is completely secure. If we ever experience a data breach affecting your personal information, we will notify you without undue delay and within the timeframes required by applicable law. As a Florida-based operator, our default breach-notification commitment is consistent with the Florida Information Protection Act of 2014 (F.S. § 501.171): notice to affected individuals as expeditiously as practicable and not later than 30 days after determination of the breach, plus notice to the Florida Department of Legal Affairs where the law requires. For users in the European Economic Area or the United Kingdom, we will notify our lead supervisory authority within 72 hours of becoming aware of a personal-data breach where required by Article 33 of the GDPR.

The Service runs on the following infrastructure providers, each a "sub-processor" under data-protection law:

• Stripe — payment processing and invoice hosting (United States).
• Vercel — application hosting and edge network (United States).
• Neon — managed Postgres database hosting (United States).
• Anthropic — receipt-photo OCR, Deal Brain, and Pricing Oracle inference (United States).
• Google — Gmail OAuth and Gmail API access, only if you connect Gmail (United States).
• Resend — transactional email delivery, including password-reset and notification emails (United States).
• AfterShip — package tracking lookup, only if you click "Check status" on a shipment (United States / Hong Kong).
• Telegram — bot messaging (operates internationally), only if you link a Telegram account.
• Discord — server integrations and community-checkout, only if you connect Discord (United States).
• Sentry — application error reporting (United States). We do not send raw user data to Sentry; only stack traces, request metadata, and tags.
• Web Push services — your browser's push provider (e.g. Apple, Google, Mozilla), only if you opt in to push notifications.

We may add or change sub-processors over time. A current versioned list is maintained at /legal/sub-processors, and every change is recorded in the legal changelog. By using the Service you consent to your data being processed in the United States and other countries where these providers operate.

We set one essential cookie: musiisells_session — an encrypted, HTTP-only, SameSite=Lax cookie used solely to keep you signed in. It expires 30 days after your last visit.

We do not use third-party advertising cookies, tracking pixels, fingerprinting, behavioral analytics, or cross-site tracking.

• User Content: for as long as your account exists, plus up to 30 days in encrypted backups after deletion.
• Activity log: 18 months, then automatically purged.
• Inbound email records (EmailEvent): 24 months from receipt, then automatically purged. You may delete individual events at any time from /inbox.
• Gift-card credentials and retailer account passwords: for as long as the gift card row exists. Deleted immediately when you delete the card.
• Server logs: per Vercel's retention policy, typically 30 days.
• Account record: until you delete it. Once deleted, the account row and all associated User Content are removed from the active database within 24 hours and from backups within 30 days.

Depending on where you live, you have some or all of the following rights regarding your personal data:

• Access: request a copy of the personal data we hold about you.
• Portability: download your full data as JSON anytime from /account.
• Correction: update or correct inaccurate data via the app.
• Deletion: wipe all your data (Reset Zone) or delete your entire account (Danger Zone) from /account.
• Restriction / objection: request that we stop processing certain data, where applicable law gives you that right.
• Withdraw consent: for any processing based on consent (e.g. push notifications), you can withdraw at any time.
• Complaint: if you're in the EU/UK you may lodge a complaint with your local data protection authority.

To exercise any right that isn't built into the app, email privacy@rsellz.com. We will respond within 30 days (or sooner where law requires).

California residents have the right to know what personal information we collect, request deletion, correct inaccurate personal information, limit the use of sensitive personal information, opt out of "sale" or "sharing," and not be discriminated against for exercising these rights. We do not sell or share your personal information as those terms are defined under the CCPA/CPRA, and we do not use sensitive personal information for purposes that would trigger the right to limit.

Categories collected. In the 12 months before the date above, we have collected the following CCPA categories of personal information from operators:

• Identifiers (e.g. account email, display name, IP address in security logs).
• Customer-records information (Cal. Civ. Code § 1798.80) (e.g. billing email and address forwarded to Stripe).
• Commercial information (your subscription tier, payment-method reference token, and the reseller-business records you log inside Rsellz).
• Internet or other electronic-network activity (page paths, request metadata, browser user-agent).
• Inferences drawn from the above strictly to operate the Service (e.g. anomaly flags on unusually low margins).

We do notcollect: biometric information; geolocation beyond IP-coarse; audio, electronic, visual, or similar information (other than receipt images you choose to upload, processed transiently); professional or employment information; education information; or any “Sensitive Personal Information” category as defined by Cal. Civ. Code § 1798.140(ae). We do not sell or share any category.

Global Privacy Control: we honor the Global Privacy Control (GPC) browser signal. If your browser sends GPC, we treat it as a valid opt-out request for any future "sale" or "sharing" we might engage in, and we will not change that posture without your explicit re-consent.

Shine the Light (Cal. Civ. Code § 1798.83). California residents may request, once per calendar year, a list of the personal information disclosed by Rsellz to third parties for their direct-marketing purposes in the preceding year, along with the names and addresses of those third parties. We have not disclosed any personal information to any third party for the third party’s direct-marketing purposes, but you may confirm this in writing by emailing privacy@rsellz.com with the subject line "California Shine the Light Request."

To make any other California-rights request, email privacy@rsellz.com. We will verify your identity (typically by sending a confirmation to the email on file) before fulfilling. You may also designate an authorized agent to make a request on your behalf, in which case we will require written authorization signed by you.

Florida Statutes §§ 501.701–.721 (the “FDBR”) apply by their terms to large "controllers" with significant Florida operations and to entities engaged in specified high-risk activities. Rsellz is below those thresholds as of the date above, but we extend the substantive FDBR consumer rights to all Florida residents as a matter of policy. Specifically, Florida residents may:

• confirm whether Rsellz is processing their personal data and access that data;
• correct inaccurate personal data, taking into account the nature of the data and the purposes of processing;
• delete personal data Rsellz holds about them;
• obtain a copy of their personal data in a portable, technically feasible format (available 24/7 from /account);
• opt out of the sale of personal data and of targeted advertising (Rsellz does neither);
• opt out of profiling in furtherance of decisions that produce legal or similarly significant effects (Rsellz does no such profiling — see Section 12).

To exercise any of these rights, email privacy@rsellz.com. We will respond within 45 days of receiving an authenticated request. If we deny a request, you may appeal the denial by replying to our denial email; we will respond to the appeal within 60 days.

For users in the European Economic Area, the United Kingdom, or Switzerland, the legal bases listed in Section 3 govern our processing. If we transfer your personal data outside the EEA/UK, we rely on Standard Contractual Clauses or another lawful mechanism. You have the rights listed in Section 8 plus the right to lodge a complaint with your supervisory authority.

The Service is restricted to users 18 years of age or older. We do not knowingly permit minors to create accounts and we do not knowingly collect personal information from anyone under 18. If you believe a minor has created an account or provided us with personal data, email privacy@rsellz.com and we will delete the account and the data.

The Service runs anomaly detection (e.g. flagging when a sale price is far below your usual margin) and produces calculated fields (ROI, COGS, projected cashback). These are decision aides — we do not make any automated decision about you that produces legal effects.

If we materially change this policy we'll post the new version here and update the date above. For significant changes that expand how we use personal data we will give you advance notice (typically 14 days) and the chance to delete your account before the change takes effect.

Privacy questions or requests: privacy@rsellz.com. Security reports: security@rsellz.com. General legal: legal@rsellz.com.