Privacy Policy

Who we are (data controller)

Wrenlist is operated by Dominic Cushnan, a sole trader based in the United Kingdom, trading as Wrenlist. Dominic Cushnan is the data controller for personal data processed through the Wrenlist service.

Contact: admin@wrenlist.com

ICO registration: Registered with the UK Information Commissioner's Office (registration number ZC121275).

We process your personal data in accordance with the UK General Data Protection Regulation and the Data Protection Act 2018.

What personal data we collect

Account Registration: Name, email address, password (hashed), authentication method (Google Sign-In or email).

Usage Data: Your inventory items, listing details, photos, pricing, platform connections, and sales history.

Marketplace Credentials: When you connect marketplace accounts (eBay, Vinted, Etsy, Shopify, Depop, Facebook Marketplace), we store OAuth tokens securely where an OAuth flow exists (eBay, Shopify). For marketplaces without a public OAuth flow (Vinted, Depop, Facebook Marketplace), the Wrenlist browser extension reads only your existing logged-in session cookie for that site, on your own device. We do not store marketplace passwords.

Technical Data: IP address, browser type, device information, access logs (for security purposes only).

Lawful basis for processing

Under UK GDPR Article 6, we process your personal data for the following lawful bases:

• Contract: Processing necessary to provide Wrenlist services (inventory storage, listing management, marketplace integrations).
• Legitimate Interests: Security monitoring, fraud prevention, platform maintenance, service improvements.
• Consent: Marketing communications (you can opt out at any time).

How we use your data

To Provide Services: Store your inventory, manage listings, connect to marketplaces, provide customer support.

For Security: Prevent fraud, detect unauthorised access, maintain account security.

For Improvement: Analyse usage patterns to improve Wrenlist (anonymised data only).

For Communication: Send service updates, account notifications, and (with consent) marketing emails.

Marketplace connections

When you connect marketplace accounts (eBay, Vinted, Etsy, Shopify, Depop, Facebook Marketplace), we store your OAuth access tokens encrypted at rest (AES-256-CBC). Refresh tokens are stored securely. We only access the permissions you explicitly grant during OAuth authorisation. We do not store your marketplace username or password.

Wrenlist browser extension

Wrenlist publishes an optional Chrome browser extension — Wrenlist — Marketplace Sync — which acts as the automation layer for marketplaces that do not offer a public OAuth flow. Installing the extension is optional; you can use Wrenlist without it, but publish, update, and delist on Vinted, Depop, Etsy, Shopify and Facebook Marketplace require it.

What the extension reads. Only on marketplace domains you have connected in Wrenlist (*.vinted.*, *.ebay.*, www.etsy.com, admin.shopify.com, *.myshopify.com, *.depop.com, *.facebook.com, upload.facebook.com) and on your own Wrenlist dashboard (*.wrenlist.com). The extension reads the session cookie of marketplaces that require it (Vinted, Depop, Facebook Marketplace) so it can make authenticated requests on your behalf. It never reads, stores, or transmits cookies, messages, profile data, news feed, or any other data outside the marketplace API calls required to publish, update, or delist your own listings.

What the extension sends where. Your listing data goes to the marketplace APIs you are already signed into. Publish/delist job status is reported back to your own Wrenlist dashboard at app.wrenlist.com. No listing or session data is sent to any third party.

What the extension stores locally. Your Wrenlist bearer token (so it can talk to your Wrenlist dashboard), your extension preferences, and a short-lived diagnostic log for troubleshooting. No marketplace credentials are stored.

Remote code. The extension does not fetch or execute any remote JavaScript. All logic ships inside the published bundle on the Chrome Web Store.

Data we do not do. We do not sell, rent, or share any data the extension reads with third parties. We do not use the extension for advertising, profiling, or creditworthiness decisions. We do not use it to collect data unrelated to publishing and delisting your own listings.

Data storage and security

Storage: Your data is stored in Supabase (PostgreSQL database hosted on AWS) with row-level security (RLS) enabled. All data is stored in EU data centres, ensuring compliance with UK GDPR.

Encryption: All connections use HTTPS/TLS encryption in transit. Sensitive fields (OAuth tokens, payment information) are encrypted at rest.

Access Control: Only you can access your data. Database queries are filtered by your user ID (auth.uid()).

Data retention

While Your Account is Active: Your data is retained as long as your Wrenlist account is active.

After Deletion: If you delete your account, all personal data (name, email, photos, descriptions, marketplace tokens) is permanently deleted immediately. Backup copies are securely destroyed within 90 days.

Anonymised Data Retention: When you delete your account, we retain a fully anonymised record of your product and sales data (category, brand, condition, pricing, sell-through timing) for service improvement and aggregate analytics. This data contains no user identifiers, photos, descriptions, or any information that could identify you. Under UK GDPR Recital 26, anonymised data is not personal data and is exempt from data subject rights. If you object to this retention, contact admin@wrenlist.com before deleting your account.

Legal Obligations: If required by law (e.g., tax or fraud investigations), we may retain data longer to comply with UK legal requirements.

Cookies and tracking

Essential Cookies Only: We use cookies solely for authentication and session management (e.g., storing your session token).

No Third-Party Analytics: We do not use Google Analytics, Facebook Pixel, or any third-party tracking services.

No Marketing Cookies: We do not use cookies to track your behaviour for marketing purposes.

Consent: By using Wrenlist, you consent to essential cookies. You can disable cookies in your browser settings, but this may affect functionality.

Your data rights under UK GDPR

You have the following rights under UK GDPR Articles 15–20:

• Right of Access (Article 15): Request a copy of your personal data. We will provide this within 30 days.
• Right to Rectification (Article 16): Correct inaccurate data. You can update account details directly in settings.
• Right to Erasure (Article 17): Request deletion of your data ("right to be forgotten"). We will delete all data within 30 days.
• Right to Data Portability (Article 20): Request your data in a portable, standard format (CSV/JSON). We will provide this within 30 days.
• Right to Restrict Processing (Article 18): Request we limit how we process your data.
• Right to Object (Article 21): Object to processing for marketing purposes.

Sharing your data

We do not sell your data to third parties. Your data is only shared with:

• Marketplace Platforms: When you connect marketplace accounts (eBay, Vinted, Etsy, etc.), they receive the inventory and listing data you choose to publish. This is necessary to provide the service.
• Antique-centre owners (if you are a booth-renting dealer): When you accept an invitation to join an antique centre on Wrenlist, you are agreeing to share a defined slice of your data with that centre's owner. See "Wrenlist Emporium — centre and dealer data sharing" below for the exact list.
• Service Providers: AWS (hosting), Supabase (database), Google (authentication), Resend (transactional email). All have UK GDPR data processing agreements in place.
• Legal Requirement: If required by law, law enforcement, or court order.

Wrenlist Emporium — centre and dealer data sharing

Wrenlist Emporium lets a UK antique-centre owner operate a multi-dealer till on Wrenlist. The relationship between centre owner and booth-renting dealer involves a defined slice of personal and trading data flowing both ways. This section explains who sees what, and why.

When you accept an invitation to join a centre as a dealer:

• The centre owner becomes a joint data controller with Wrenlist for the till and settlement data generated by sales at their centre. Wrenlist processes the data on shared infrastructure; the centre owner uses it to run their business.
• The lawful basis is contract (the booth-rental agreement between you and the centre) combined with legitimate interests (the centre needs to settle commission, the dealer needs to be paid, both need an auditable record).
• You can leave at any time by suspending or declining the membership; no new data is shared after that point.

What the centre owner can see:

• Your email address and display name (so they can invite, contact, and pay you).
• Your booth-tagged sales rung up at their till: item title, optional cashier-typed description, sale price, payment method, optional photo, time of sale.
• Your booth stock currently listed at the centre (item title and price only, drawn from finds you have linked to your booth stash).
• Aggregated settlement totals (gross, commission, rent if any, amount owed) per period.

What the centre owner cannot see:

• Your wider Wrenlist account: sales on other marketplaces, finds not linked to this centre's booth, your sourcing log, your cost or profit figures, or your bank details.
• Other centres' data if you rent at more than one venue.
• The contents of messages or notes you write that aren't explicitly stamped on a sale row.

What you (the dealer) can see about the centre: centre name, address, payout cadence, commission %, and your own per-period settlement breakdown.

Public micro-site: if the centre publishes a public page on /e/[slug], your booth-linked items may appear in the live stock grid with your booth code and first name. You can opt down to booth-code-only or fully anonymous attribution at any time by emailing the centre owner or contacting admin@wrenlist.com.

Retention: sales rows and settlement statements are retained for at least 7 years after the financial year they relate to, to meet HMRC record-keeping requirements for both parties. Deleting your account anonymises personal identifiers on your sales but does not delete the sale row itself, so the centre's books remain auditable.

Disputes between you and the centre (e.g. a sale you don't recognise) are between the two of you in the first instance. Wrenlist surfaces a dispute flag on the relevant settlement and preserves the audit trail; we are not a party to the commercial relationship and do not arbitrate.

International data transfers

Your data is stored in the EU (Ireland) on AWS servers. If we ever transfer data outside the UK/EU, we will only do so with appropriate safeguards (Standard Contractual Clauses or Binding Corporate Rules) compliant with UK GDPR Chapter 5.

Data protection impact assessment

We conduct regular security reviews and data protection assessments to ensure compliance with UK GDPR.

Contact and your rights

To exercise any of your data rights, contact us at admin@wrenlist.com with "Data Request" in the subject line. We will respond within 30 days.

If you are unsatisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): www.ico.org.uk.

Changes to this policy

We may update this privacy policy at any time. Material changes will be notified via email. Continued use of Wrenlist after changes constitute acceptance.

Contact

For privacy questions or data requests, email admin@wrenlist.com.