Operator (Imprint): Roman Usov · Enskild firma (sole proprietorship) registered in Sweden · Postal address: [to be filled before public launch — see TASK-0177] · Personnummer / Org. nr: [to be filled] · VAT (where applicable): [OSS registration via Skatteverket] · Email: [email protected]
Privacy Policy · Sweden
Effective date: 2026-05-10 · Jurisdiction: Sweden (SE)
1. Controller
The data controller is Roman Usov, a sole proprietorship (enskild firma) registered in Sweden, operating Uselist (the "Service"). Contact: [email protected].
Under GDPR Article 37, we are not required to designate a Data Protection Officer (we do not carry out large-scale systematic monitoring, are not a public authority, and do not process special-category data at scale). Privacy questions are handled directly by the controller via the contact above.
2. What we process and why
| Data | Purpose | Lawful basis |
|---|---|---|
| Telegram ID, name, optional photo URL | Account identification, login via Telegram Login Widget | Contract (Art. 6(1)(b)) |
| Email (optional, for receipts) | Billing, support communications | Contract (Art. 6(1)(b)) |
| Item descriptions, photos, prices | Inventory storage; the core function of the Service | Contract (Art. 6(1)(b)) |
| Card details | Payment processing — handled directly by Stripe; we never see the card number | Contract (Art. 6(1)(b)) |
| Country, language, plan | Localization, marketplace selection, plan-based feature gating | Contract (Art. 6(1)(b)) |
| IP address (hashed for signup), browser fingerprint | Anti-abuse, fraud prevention, rate limiting | Legitimate interest (Art. 6(1)(f)) |
| Product analytics events | Understand feature usage to improve the Service | Consent (Art. 6(1)(a)) — opt-in via cookie banner; opt-out via Settings → Privacy |
| Support correspondence | Resolve your support requests | Legitimate interest + Contract |
3. Sub-processors
We use the following sub-processors. Each is bound by a Data Processing Agreement consistent with GDPR Article 28.
| Processor | Role | Data category | Region |
|---|---|---|---|
| Cloudflare, Inc. | CDN, WAF, DNS | HTTP traffic, IP, request metadata | EU edge |
| Stripe Payments Europe, Ltd. | Payment processing | Card details, email, billing country | Ireland (EU) |
| Telegram Messenger LLP | Bot platform, Login Widget | Telegram ID, name, photo URL, optional username | Multi-region |
| Google Ireland Ltd. (Gemini) | AI inference for listings | Item name + photo | EU + US (regions vary) |
| PostHog Inc. (Cloud EU) | Product analytics — opt-in only | Pseudonymous Telegram ID, plan, country, language | EU (Frankfurt + Helsinki) |
| Hetzner Online GmbH | Server hosting | All data at rest | Finland / Germany |
| Cloudflare R2 | Photo storage | Item photos uploaded by users | EU |
4. Cross-border transfers
Most processing happens in the EU/EEA. Two sub-processors may transfer data outside the EEA:
- Telegram — operates from multiple jurisdictions and does not commit to EU data residency for chat infrastructure. The data we receive from Telegram is limited to public profile fields (name, ID, optional photo URL) shared via the Login Widget; no chat content reaches our systems.
- Google (Gemini) — AI inference may route through US regions. Transfers rely on Standard Contractual Clauses (Commission Decision (EU) 2021/914) and the EU-U.S. Data Privacy Framework where applicable.
5. Retention
- Account data, items, photos: kept while your account is active. Deleted within 30 days of an account-deletion request (via the bot's `/deleteaccount` command). Backup copies are purged within a further 60 days (90 days total).
- Analytics events: 90 days in PostHog, then automatically deleted.
- Billing records: retained for 7 years to comply with the Swedish Bookkeeping Act (Bokföringslagen 1999:1078). These records are kept separately from account data and are not affected by account deletion.
- Server logs: 30 days at the edge (Cloudflare); we do not centralize origin logs beyond what's needed for incident investigation.
6. Your rights (GDPR Articles 15–22)
- Access (Art. 15): request a copy of your data — use the bot's `/export` command for items, or contact support for the rest.
- Rectification (Art. 16): correct inaccurate data via the dashboard or by editing items in the bot.
- Erasure (Art. 17): delete your account via `/deleteaccount`. This wipes all account data subject to the retention exceptions in section 5.
- Restriction (Art. 18): ask us to pause processing pending resolution of a dispute — contact support.
- Portability (Art. 20): `/export` returns your inventory in CSV.
- Objection (Art. 21): object to processing based on legitimate interest — contact support; we will stop unless we can demonstrate compelling legitimate grounds.
- Automated decision-making (Art. 22): we do not make decisions based solely on automated processing that produce legal or similarly significant effects on you.
We respond to verified requests within one calendar month per Art. 12, extendable by two months for complex requests with notice.
7. Cookies and similar technologies
Strictly necessary cookies (consent, country, language preference, anti-bot) are set without consent because they are required to deliver features you actively requested. Analytics cookies (PostHog) are set only after you accept via the cookie banner; you can withdraw consent at any time via Settings → Privacy.
8. Security
We use TLS for all traffic, encrypt secrets at rest, store no plaintext passwords (Telegram authentication only), and rotate API tokens. Access to production data is limited to the controller. We notify affected users and the supervisory authority of personal-data breaches likely to result in risk to data subjects, in line with GDPR Articles 33–34.
9. Right to lodge a complaint
You have the right to lodge a complaint with the Swedish Authority for Privacy Protection:
Integritetsskyddsmyndigheten (IMY)
Box 8114, 104 20 Stockholm
[email protected] · imy.se
You may also contact the supervisory authority of your habitual residence or place of work.
10. Changes
We may update this Privacy Policy to reflect product, legal, or regulatory changes. The "Effective date" line at the top tracks the latest version. Material changes affecting your data will be communicated by email or in-app at least 30 days before they take effect.
11. Contact
Privacy questions, data subject requests, security disclosures: [email protected].