Back to Uselist · UA/en
Operator (Imprint): Roman Usov · Enskild firma (sole proprietorship) registered in Sweden · Postal address: [to be filled before public launch — see TASK-0177] · Personnummer / Org. nr: [to be filled] · VAT (where applicable): [OSS registration via Skatteverket] · Email: [email protected]
Privacy Policy · Ukraine
Effective date: 2026-05-10 · Jurisdiction: Ukraine (UA)
1. Controller
The data controller is Roman Usov, a sole proprietorship (enskild firma) registered in Sweden, operating Uselist. Contact: [email protected].
We are a foreign (non-Ukrainian) controller. Both Ukrainian Law No. 2297-VI ("On Protection of Personal Data") and the EU General Data Protection Regulation apply to our processing of data relating to users in Ukraine. Where the two regimes diverge, we apply the higher floor of protection.
2. What we process and why
| Data | Purpose | Lawful basis |
|---|---|---|
| Telegram ID, name, optional photo URL | Account identification, login via Telegram Login Widget | Contract (GDPR Art. 6(1)(b) / UA Law 2297-VI Art. 11) |
| Email (optional) | Billing, support communications | Contract |
| Item descriptions, photos, prices | Inventory storage; the core function of the Service | Contract |
| Card details | Payment processing — handled directly by Stripe; we never see the card number | Contract |
| Country, language, plan | Localization, marketplace selection, plan-based feature gating | Contract |
| IP address (hashed for signup), browser fingerprint | Anti-abuse, fraud prevention, rate limiting | Legitimate interest (GDPR Art. 6(1)(f)) |
| Product analytics events | Understand feature usage to improve the Service | Consent — opt-in via cookie banner; opt-out via Settings → Privacy |
3. Sub-processors
| Processor | Role | Region |
|---|---|---|
| Cloudflare, Inc. | CDN, WAF, DNS | EU edge (Ukraine recognises EU as adequate) |
| Stripe Payments Europe, Ltd. | Payment processing | Ireland (EU) |
| Telegram Messenger LLP | Bot platform, Login Widget | Multi-region — see section 4 |
| Google Ireland Ltd. (Gemini) | AI inference for listings | EU + US — see section 4 |
| PostHog Inc. (Cloud EU) | Product analytics — opt-in only | EU (Frankfurt + Helsinki) |
| Hetzner Online GmbH | Server hosting | Finland / Germany (EU) |
| Cloudflare R2 | Photo storage | EU |
4. Cross-border transfers
Most processing happens in the EU/EEA. Ukraine's Law 2297-VI recognises the EU as a jurisdiction providing adequate data protection. Two sub-processors may transfer data outside the EEA:
- Telegram — operates from multiple jurisdictions and does not commit to EU data residency. The data we receive from Telegram is limited to public profile fields (name, ID, optional photo URL) shared via the Login Widget.
- Google (Gemini) — AI inference may route through US regions. Transfers rely on Standard Contractual Clauses and the EU-U.S. Data Privacy Framework.
5. Retention
- Account data, items, photos: kept while your account is active. Deleted within 30 days of an account-deletion request via
/deleteaccount. Backup copies purged within a further 60 days. - Analytics events: 90 days in PostHog.
- Billing records: retained for 7 years per the Swedish Bookkeeping Act (operator residency).
- Server logs: 30 days at the edge.
6. Your rights
You have the following rights under both Ukrainian Law 2297-VI and the GDPR:
- Access: request a copy of your data —
/exportin the bot for items, support contact for the rest. (UA Law 2297-VI Art. 8; GDPR Art. 15) - Rectification: correct inaccurate data via the dashboard. (UA Art. 8; GDPR Art. 16)
- Erasure: delete your account via
/deleteaccount. (UA Art. 8; GDPR Art. 17) - Restriction: contact support to pause processing pending dispute. (GDPR Art. 18)
- Portability:
/exportreturns your inventory in CSV. (GDPR Art. 20) - Objection: object to processing based on legitimate interest. (UA Art. 12; GDPR Art. 21)
We respond to verified requests within one calendar month per GDPR Art. 12 (Ukrainian law sets a 30-day response standard for personal data requests as well — equivalent floor).
7. Cookies and similar technologies
Strictly necessary cookies (consent, country, language preference, anti-bot) are set without consent because they are required to deliver features you actively requested. Analytics cookies (PostHog) are set only after you accept via the cookie banner; you can withdraw consent at any time via Settings → Privacy.
8. Security
We use TLS for all traffic, encrypt secrets at rest, store no plaintext passwords (Telegram authentication only), and rotate API tokens. We notify affected users and the supervisory authority of personal-data breaches likely to result in risk to data subjects, in line with GDPR Articles 33–34 and equivalent obligations under Ukrainian law.
9. Right to lodge a complaint
You may lodge a complaint with the Ukrainian supervisory authority for personal data:
Verkhovna Rada Commissioner for Human Rights (Ombudsman)
Department of Personal Data Protection
21/8 Instytutska St., Kyiv 01008, Ukraine
ombudsman.gov.ua · hotline: 0 800 501 720
You may also lodge a complaint with any EU data protection authority (e.g. Sweden's IMY at imy.se) given GDPR's extraterritorial application.
10. Changes
We may update this Privacy Policy. The "Effective date" line tracks the latest version. Material changes affecting your data will be communicated by email or in-app at least 30 days before they take effect.
11. Contact
Privacy questions, data subject requests, security disclosures: [email protected].