Privacy Policy

Who we are (data controller)

Wrenlist is operated by Dominic Cushnan, a sole trader based in the United Kingdom, trading as Wrenlist. Dominic Cushnan is the data controller for personal data processed through the Wrenlist service.

Contact: admin@wrenlist.com

ICO registration: Registered with the UK Information Commissioner's Office (registration number ZC121275).

We process your personal data in accordance with the UK General Data Protection Regulation and the Data Protection Act 2018.

What personal data we collect

Account Registration: Name, email address, password (hashed), authentication method (Google Sign-In or email).

Usage Data: Your inventory items, listing details, photos, pricing, platform connections, and sales history.

Marketplace Credentials: When you connect marketplace accounts (eBay, Vinted, Etsy, Shopify, Depop, Facebook Marketplace), we store OAuth tokens securely where an OAuth flow exists (eBay, Shopify). For marketplaces without a public OAuth flow (Vinted, Depop, Facebook Marketplace), the Wrenlist browser extension reads only your existing logged-in session cookie for that site, on your own device. We do not store marketplace passwords.

Technical Data: IP address, browser type, device information, access logs (for security purposes only).

Lawful basis for processing

Under UK GDPR Article 6, we process your personal data for the following lawful bases:

• Contract: Processing necessary to provide Wrenlist services (inventory storage, listing management, marketplace integrations).
• Legitimate Interests: Security monitoring, fraud prevention, platform maintenance, service improvements.
• Consent: Marketing communications (you can opt out at any time).

How we use your data

To Provide Services: Store your inventory, manage listings, connect to marketplaces, provide customer support.

For Security: Prevent fraud, detect unauthorised access, maintain account security.

For Improvement: Analyse usage patterns to improve Wrenlist (anonymised data only).

For Communication: Send service updates, account notifications, and (with consent) marketing emails.

Marketplace connections

When you connect marketplace accounts (eBay, Vinted, Etsy, Shopify, Depop, Facebook Marketplace), we store your OAuth access tokens encrypted at rest (AES-256-CBC). Refresh tokens are stored securely. We only access the permissions you explicitly grant during OAuth authorisation. We do not store your marketplace username or password.

Wrenlist browser extension

Wrenlist publishes an optional Chrome browser extension — Wrenlist — Marketplace Sync — which acts as the automation layer for marketplaces that do not offer a public OAuth flow. Installing the extension is optional; you can use Wrenlist without it, but publish, update, and delist on Vinted, Depop, Etsy, Shopify and Facebook Marketplace require it.

What the extension reads. Only on marketplace domains you have connected in Wrenlist (*.vinted.*, *.ebay.*, www.etsy.com, admin.shopify.com, *.myshopify.com, *.depop.com, *.facebook.com, upload.facebook.com) and on your own Wrenlist dashboard (*.wrenlist.com). The extension reads the session cookie of marketplaces that require it (Vinted, Depop, Facebook Marketplace) so it can make authenticated requests on your behalf. It never reads, stores, or transmits cookies, messages, profile data, news feed, or any other data outside the marketplace API calls required to publish, update, or delist your own listings.

What the extension sends where. Your listing data goes to the marketplace APIs you are already signed into. Publish/delist job status is reported back to your own Wrenlist dashboard at app.wrenlist.com. No listing or session data is sent to any third party.

What the extension stores locally. Your Wrenlist bearer token (so it can talk to your Wrenlist dashboard), your extension preferences, and a short-lived diagnostic log for troubleshooting. No marketplace credentials are stored.

Remote code. The extension does not fetch or execute any remote JavaScript. All logic ships inside the published bundle on the Chrome Web Store.

Data we do not do. We do not sell, rent, or share any data the extension reads with third parties. We do not use the extension for advertising, profiling, or creditworthiness decisions. We do not use it to collect data unrelated to publishing and delisting your own listings.

Data storage and security

Storage: Your data is stored in Supabase (PostgreSQL database hosted on AWS) with row-level security (RLS) enabled. All data is stored in EU data centres, ensuring compliance with UK GDPR.

Encryption: All connections use HTTPS/TLS encryption in transit. Sensitive fields (OAuth tokens, payment information) are encrypted at rest.

Access Control: Only you can access your data. Database queries are filtered by your user ID (auth.uid()).

Data retention

While Your Account is Active: Your data is retained as long as your Wrenlist account is active.

After Deletion: If you delete your account, all personal data (name, email, photos, descriptions, marketplace tokens) is permanently deleted immediately. Backup copies are securely destroyed within 90 days.

Anonymised Data Retention: When you delete your account, we retain a fully anonymised record of your product and sales data (category, brand, condition, pricing, sell-through timing) for service improvement and aggregate analytics. This data contains no user identifiers, photos, descriptions, or any information that could identify you. Under UK GDPR Recital 26, anonymised data is not personal data and is exempt from data subject rights. If you object to this retention, contact admin@wrenlist.com before deleting your account.

Legal Obligations: If required by law (e.g., tax or fraud investigations), we may retain data longer to comply with UK legal requirements.

Cookies and tracking

Essential Cookies Only: We use cookies solely for authentication and session management (e.g., storing your session token).

No Third-Party Analytics: We do not use Google Analytics, Facebook Pixel, or any third-party tracking services.

No Marketing Cookies: We do not use cookies to track your behaviour for marketing purposes.

Consent: By using Wrenlist, you consent to essential cookies. You can disable cookies in your browser settings, but this may affect functionality.

Your data rights under UK GDPR

You have the following rights under UK GDPR Articles 15–20:

• Right of Access (Article 15): Request a copy of your personal data. We will provide this within 30 days.
• Right to Rectification (Article 16): Correct inaccurate data. You can update account details directly in settings.
• Right to Erasure (Article 17): Request deletion of your data ("right to be forgotten"). We will delete all data within 30 days.
• Right to Data Portability (Article 20): Request your data in a portable, standard format (CSV/JSON). We will provide this within 30 days.
• Right to Restrict Processing (Article 18): Request we limit how we process your data.
• Right to Object (Article 21): Object to processing for marketing purposes.

Sharing your data

We do not sell your data to third parties. Your data is only shared with:

• Marketplace Platforms: When you connect marketplace accounts (eBay, Vinted, Etsy, etc.), they receive the inventory and listing data you choose to publish. This is necessary to provide the service.
• Service Providers: AWS (hosting), Supabase (database), Google (authentication). All have UK GDPR data processing agreements in place.
• Legal Requirement: If required by law, law enforcement, or court order.

International data transfers

Your data is stored in the EU (Ireland) on AWS servers. If we ever transfer data outside the UK/EU, we will only do so with appropriate safeguards (Standard Contractual Clauses or Binding Corporate Rules) compliant with UK GDPR Chapter 5.

Data protection impact assessment

We conduct regular security reviews and data protection assessments to ensure compliance with UK GDPR.

Contact and your rights

To exercise any of your data rights, contact us at admin@wrenlist.com with "Data Request" in the subject line. We will respond within 30 days.

If you are unsatisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): www.ico.org.uk.

Changes to this policy

We may update this privacy policy at any time. Material changes will be notified via email. Continued use of Wrenlist after changes constitute acceptance.

Contact

For privacy questions or data requests, email admin@wrenlist.com.