Privacy Policy

Last updated · May 21, 2026

Uselist ("we", "us", "our") is committed to protecting your privacy. This policy explains what data we collect, why, and your rights under the EU General Data Protection Regulation (GDPR).

1. Data controller

Uselist is operated as an Enskild Firma registered in Sweden. Contact: [email protected].

2. What data we collect

Data	Purpose	Retention
Telegram user ID & first name (if you sign in with Telegram)	Account identification	Until account deletion
Email address (if you sign up or sign in via email)	Authentication, magic-link delivery, service notifications	Until account deletion
TOTP secret & backup codes (hashed) — only if you enable 2FA	Two-factor authentication	Until you disable 2FA or delete account
Device fingerprint hash (User-Agent + Accept-Language + IP /24) — only when 2FA via Telegram confirmation is active	Detecting unfamiliar devices to trigger Telegram-confirm 2FA prompts	Until you sign out / device unused for 90 days
Short-lived auth tokens (magic links 15 min, Telegram-link codes 10 min, TOTP/TG-confirm challenges 5 min)	Sign-in flow security	Single-use, auto-expire
JWT session token	Keeping you signed in on the dashboard	30 days, browser local-storage only
Audit log of authentication events (sign-in, 2FA changes, account link/unlink)	Security incident response, fraud investigation	12 months
Photos you upload	AI item recognition, inventory storage	Until you delete the item
Item data (name, description, price)	Inventory management, listing generation	Until you delete the item
Usage counts (recognitions, listings)	Plan limit enforcement	Reset monthly · 12-month history
Subscription plan & payment status	Service delivery, billing	Until account deletion + legal retention
Style examples (if provided)	AI listing personalization	Until you clear it (/setstyle → /skip)

3. What we do NOT collect

We do not collect your phone number or real name (beyond Telegram first name, if you sign in with Telegram)
We do not track your location (we use the country code of your IP only for marketplace defaults — not your precise location)
We do not use third-party ad trackers or cross-site profiling cookies
We do not fingerprint your device for advertising, analytics, or cross-site tracking. We do compute a device fingerprint hash (User-Agent + Accept-Language + IP /24) solely for Telegram-confirm 2FA when you have both Telegram and email linked, so we can ask you for a second-factor approval from an unfamiliar device. This is described in §2.

4. How we use your data

AI processing: Photos are sent to Google Gemini API for item recognition. Google processes the image and returns text results. Google's usage policy applies to this processing. We do not send your Telegram ID or personal data to Google — only the image.
Storage: Your inventory data (items, descriptions) is stored on our EU-based servers. Photos and media files are stored on Cloudflare R2 (EU jurisdiction) and served via media.uselist.app.
Listing generation: Item data is sent to Google Gemini API to generate marketplace listings. No personal data is included.
Payment: Payments are processed by Stripe. When you pay through the dashboard (dashboard.uselist.app), you are redirected to Stripe Checkout where Stripe collects and processes your card details directly. We do not see or store your card details. If you pay through the Telegram mini-app, the same Stripe processing applies (via Telegram's payment integration). Stripe holds the card data; we receive only an opaque customer ID and the transaction outcome.
Website analytics: We use Cloudflare Web Analytics for anonymous, cookieless traffic measurement on our website. If you accept cookies in the banner, we also use PostHog for product event analytics in the dashboard.
Product events (PostHog, EU self-hosted): We capture five product events: user_registered, smart_add_completed, listing_generated, plan_upgrade_completed, and account_deleted. Event properties include Telegram numeric uid, plan, country, language, and when relevant platform. You can opt out in Dashboard → Settings → Privacy, or ask support to opt out via the bot.

5. Legal basis (GDPR Art. 6)

Contract (Art. 6(1)(b)): Processing necessary to provide the Service you requested
Legitimate interest (Art. 6(1)(f)): Usage analytics, content moderation, fraud prevention
Consent (Art. 6(1)(a)): Style learning (you explicitly provide example texts)

6. Third-party processors

Processor	Purpose	Location
Google (Gemini API)	AI image recognition & listing generation	EU/US
Telegram	Bot platform; mini-app payment redirect	EU
Stripe	Payment processing (dashboard Checkout + mini-app)	EU/US
Cloudflare	Media storage (R2), website hosting (Pages)	EU

7. Data transfers outside EU

Google Gemini API may process image data on servers outside the EU. This transfer is covered by Google's Standard Contractual Clauses (SCCs) and their EU data processing terms. Only image data is sent — no personal identifiers.

8. Your rights (GDPR)

You have the right to:

Access: Request a copy of all your data — use /export in the Telegram bot, or Settings → Export in the dashboard
Rectification: Edit any item data in the bot or dashboard at any time
Erasure: Delete individual items at any time. To remove your account and all associated data, use /deleteaccount in the Telegram bot, or open dashboard Settings → Account → Delete account.
Data portability: Export your inventory as CSV with photos via the same channels
Restriction: Request we stop processing your data while a dispute is resolved
Object: Object to processing based on legitimate interest
Withdraw consent: Clear your style data anytime (/setstyle → /skip)

To exercise these rights, contact [email protected]. We will respond within 30 days.

9. Data retention

Active accounts: data retained as long as account is active
Deleted items: removed immediately from our systems
Account deletion: all data deleted within 30 days, except payment records retained for legal/tax obligations (7 years per Swedish law)
Inactive accounts (no activity for 12 months): we will notify you before any data cleanup

10. Browser extension

The optional Uselist browser extension auto-fills listing forms on supported marketplaces (Blocket, Vinted, Etsy, Depop). The extension:

Only reads data from your Uselist inventory via our API, authenticated by a per-user API token issued when you pair the extension (the token is bound to your Uselist account regardless of whether you signed up with Telegram or email)
Does not track your browsing activity or collect data from other websites
Only activates on supported marketplace listing pages
Stores your API connection settings locally in the browser (chrome.storage)

11. Content moderation

We use AI-powered content moderation to detect prohibited items (weapons, drugs, counterfeit goods, adult content). This is an automated process. If you believe content was incorrectly rejected, contact us.

12. Children's privacy

Uselist is not intended for users under 18 years old. We do not knowingly collect data from minors. If you believe a minor is using the Service, contact us.

13. Security

We use industry-standard security measures including encrypted connections (HTTPS/TLS), secure server infrastructure, and access controls. However, no system is 100% secure — use the Service at your own discretion.

14. Changes to this policy

We may update this Privacy Policy. Material changes will be communicated via the Telegram bot and/or by email to the address on your account, depending on which sign-in methods you have linked. The "Last updated" date at the top reflects the most recent revision.

15. Supervisory authority

If you believe we are not handling your data properly, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY): www.imy.se.

16. Contact

Data protection questions: [email protected]