Privacy Policy

Critflip — last updated 2026-05-19

Who we are

Critflip is an internal arbitrage tooling platform that operates on behalf of registered third-party resellers (our "Tenants"). We are not a public-facing consumer service. This policy describes how we handle eBay marketplace data accessed through the eBay Buy APIs while servicing our Tenants.

What data we access

Through eBay's developer APIs, we observe public listing data — product titles, descriptions, photos, prices, condition codes, shipping options, and seller usernames + public feedback metrics. We do not access buyer accounts, payment instruments, addresses, or private messages.

What data we store

We retain a copy of public listing metadata to enable our Tenants to review opportunities offline and to track listing lifecycles (active → sold/expired). Seller usernames are stored as part of the listing record. We do not store eBay user passwords, tokens, payment information, or any data outside the public Buy API surface.

How long we retain data

Listing snapshots are retained for as long as they are relevant to an active arbitrage decision plus historical reporting. Resolved listings (sold/removed/expired) and their associated public seller identifiers may be retained indefinitely for accounting and compliance purposes unless an account-deletion request is received.

eBay user account deletion

Critflip complies with eBay's Marketplace Account Deletion / Closure notification program. When an eBay user requests deletion of their marketplace account, eBay notifies our endpoint at /ebay/account-deletion/<tenant>. Upon receipt of such notification, we acknowledge the request and remove or anonymize associated public usernames from our retained listing records within a reasonable period.

Who we share data with

Public listing data is shared only with the Tenant on whose behalf it was collected. We do not sell, rent, or otherwise share eBay user data with third parties. Internal infrastructure providers (database hosting, server hosting, SMS delivery) process data as necessary to operate the platform, under standard commercial data processing terms.

Security

We use industry-standard transport encryption (TLS 1.2+) for all traffic with eBay and between our internal services. Database access is restricted to authorized service accounts with row-level security enforced at the database layer. Per-tenant data isolation is enforced by application logic AND database-level policy.

Contact

For questions about this policy or to request information about data we may have associated with you, contact: privacy@critflip.app.

Changes to this policy

We may update this policy. When we do, we will update the date at the top of the page. Material changes affecting how user data is handled will additionally be communicated to our Tenants directly.

This document is a plain-language statement of policy and does not constitute legal advice.