Rsellz Privacy Policy

• You own your data. We don't sell it. We don't run ads.
• We do not train any third-party AI model on your purchase or sale data.
• We use a session cookie to keep you signed in. Sensitive fields are encrypted at rest. 2FA is supported.
• You can export your full data as JSON or wipe everything from /account.

Rsellz ("we", "us", "our") is the data controller for personal information collected via rsellz.com and the related Telegram bot. Contact: privacy@rsellz.com.

We collect only the personal data we need to operate the Service.

• Account data: email, password hash (we never store your raw password), display name, role, 2FA secret (encrypted at rest), 2FA backup codes (encrypted), creation and last-login timestamps. Legal basis: performance of contract.
• User Content: the purchases, sales, inventory, buyers, commitments, gift cards, invoices, notes, attachments, and any other operational records you log. We process this only to provide the Service to you. Legal basis: performance of contract.
• Telegram link data: if you connect a Telegram account, we store your Telegram user ID and the time of linking so the bot can route messages to your Rsellz account. Legal basis: performance of contract.
• Push subscription data: if you opt in to push notifications, we store the subscription endpoint and public keys provided by your browser. Legal basis: consent.
• Activity log: a record of sensitive actions on your account (logins, account-data resets, account deletions, exports). Includes IP address and user-agent. Used for security, abuse detection, and incident response. Legal basis: legitimate interest in security.
• Server logs: our hosting provider (Vercel) records request metadata (IP, path, status, timestamp) for limited periods for operational and security purposes. We do not run our own analytics, advertising trackers, fingerprinting, or behavioral profiling.
• Receipt OCR uploads: if you use the receipt-photo feature, the image is sent to Anthropic's Claude vision API to extract structured fields. Anthropic processes the image and returns the result; we do not persist the image after extraction unless you save it as an attachment to a purchase.

We do not collect: payment card numbers (we don't process payments), Social Security or national ID numbers, biometric data, location data beyond IP-based coarse geolocation in security logs, or any "special category" data under GDPR.

• Encryption in transit: HSTS-enforced HTTPS for every connection.
• Encryption at rest: the Postgres database is encrypted at rest by our provider. Sensitive fields (2FA secrets, backup codes) are additionally encrypted with AES-256-GCM keys before being written to the database.
• Per-user isolation: every database table that holds user data is scoped by user ID and queries enforce that scope at the application layer.
• Authentication: bcrypt password hashing, encrypted iron-session cookies (httpOnly, secure, sameSite=lax), per-IP and per-account rate limiting, failed-login lockout, optional time-based one-time-password two-factor.
• Audit trail: sensitive actions are logged so we can investigate suspicious activity.
• Defense-in-depth headers: strict CSP, X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin, Cross-Origin isolation policies, and a restrictive Permissions-Policy.
• Vulnerability reporting: see /.well-known/security.txt. We coordinate responsible disclosure with researchers.

No system is completely secure. If we ever experience a data breach affecting your personal information, we will notify you without undue delay and within the timeframe required by applicable law.

The Service runs on the following infrastructure providers, each a "sub-processor" under data-protection law:

• Vercel — application hosting and edge network (United States).
• Neon — managed Postgres database hosting (United States).
• Anthropic — receipt-photo OCR (United States), only if you use that feature.
• Telegram — bot messaging (operates internationally), only if you link a Telegram account.
• Web Push services — your browser's push provider (e.g. Apple, Google, Mozilla), only if you opt in to push notifications.

We may add or change sub-processors over time and will update this list. By using the Service you consent to your data being processed in the United States and other countries where these providers operate.

We set one essential cookie: musiisells_session — an encrypted, HTTP-only, SameSite=Lax cookie used solely to keep you signed in. It expires 30 days after your last visit.

We do not use third-party advertising cookies, tracking pixels, fingerprinting, behavioral analytics, or cross-site tracking.

• User Content: for as long as your account exists, plus up to 30 days in encrypted backups after deletion.
• Activity log: 18 months, then automatically purged.
• Server logs: per Vercel's retention policy, typically 30 days.
• Account record: until you delete it. Once deleted, the account row and all associated User Content are removed from the active database within 24 hours and from backups within 30 days.

Depending on where you live, you have some or all of the following rights regarding your personal data:

• Access: request a copy of the personal data we hold about you.
• Portability: download your full data as JSON anytime from /account.
• Correction: update or correct inaccurate data via the app.
• Deletion: wipe all your data (Reset Zone) or delete your entire account (Danger Zone) from /account.
• Restriction / objection: request that we stop processing certain data, where applicable law gives you that right.
• Withdraw consent: for any processing based on consent (e.g. push notifications), you can withdraw at any time.
• Complaint: if you're in the EU/UK you may lodge a complaint with your local data protection authority.

To exercise any right that isn't built into the app, email privacy@rsellz.com. We will respond within 30 days (or sooner where law requires).

California residents have the right to know what personal information we collect, request deletion, opt out of "sale" or "sharing" of personal information, and not be discriminated against for exercising these rights. We do not sell or share personal information as those terms are defined under the CCPA.

To make a request, email privacy@rsellz.com. We will verify your identity (typically by sending a confirmation to the email on file) before fulfilling.

For users in the European Economic Area, the United Kingdom, or Switzerland, the legal bases listed in Section 3 govern our processing. If we transfer your personal data outside the EEA/UK, we rely on Standard Contractual Clauses or another lawful mechanism. You have the rights listed in Section 8 plus the right to lodge a complaint with your supervisory authority.

The Service is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal data, email privacy@rsellz.com and we will delete it.

The Service runs anomaly detection (e.g. flagging when a sale price is far below your usual margin) and produces calculated fields (ROI, COGS, projected cashback). These are decision aides — we do not make any automated decision about you that produces legal effects.

If we materially change this policy we'll post the new version here and update the date above. For significant changes that expand how we use personal data we will give you advance notice (typically 14 days) and the chance to delete your account before the change takes effect.

Privacy questions or requests: privacy@rsellz.com. Security reports: security@rsellz.com. General legal: legal@rsellz.com.