Privacy Policy
Last updated: May 1, 2026
This Privacy Policy explains how Vetsy (“we”, “us”, or “our”) collects, uses, and protects your personal data when you use our website and services (collectively, the “Service”). We are committed to protecting your privacy and handling your data transparently.
If you have questions, contact us at support@vetsy.io.
1. Data We Collect
1.1 Account Data
When you register for an account, we collect:
- Name — to personalise your experience.
- Email address — for authentication, transactional emails, and account recovery.
- Password hash — we store a bcrypt hash of your password, never the plaintext password.
- OAuth profile data — if you sign in with Google, we receive your name, email address, and profile picture from Google.
1.2 Listing Data
When you use the listing scanner, we collect the Etsy listing URL you submit and the listing data we retrieve from it (title, description, tags, price, category). This data is used to run the compliance scan and is stored in your account for future reference. We do not store listing data beyond what is needed to display your scan history.
1.3 Appeal Questionnaire Data
When you use the appeal letter generator, we collect your answers to the multi-step questionnaire (suspension type, Etsy's stated reason, shop details, steps taken, supporting documentation references, and any additional context you provide). This data is used to generate your appeal letter and is stored in your account so you can review it later.
1.4 Payment Data
We do not collect or store payment card information. All payment processing is handled by LemonSqueezy, our payment processor. We receive confirmation of payment events (e.g. subscription created, subscription cancelled) and store subscription status only. Please review LemonSqueezy's Privacy Policy for details of how they handle payment data.
1.5 Usage Data
We collect usage data to operate and improve the Service, including:
- Pages visited, features used, and time spent on the Service.
- Scan and appeal credit usage counts.
- Server logs, including IP address, browser type, and request timestamps (retained for up to 30 days for security purposes).
2. How We Use Your Data
We use the data we collect to:
- Create and manage your account.
- Provide the listing scanner and appeal generator features.
- Process payments and manage subscriptions (via LemonSqueezy).
- Send transactional emails — such as email verification, password reset, and appeal-ready notifications (via Resend). You can disable non-essential notifications in your account settings.
- Improve the Service — analyse usage patterns to identify bugs and prioritise new features (using anonymised or aggregated data where possible).
- Comply with legal obligations and enforce our Terms of Service.
3. Third-Party Service Providers
We share data with the following trusted third-party service providers, solely to the extent necessary to deliver the Service:
- LemonSqueezy — payment processing and subscription management. Receives: email address, name, payment details (card data is processed directly by LemonSqueezy and not passed to us).
- Anthropic — AI generation of appeal letters. Receives: your appeal questionnaire answers and listing context. Anthropic processes this data to generate your letter. Please review Anthropic's Privacy Policy.
- Resend — transactional email delivery. Receives: your email address and name for the purpose of sending emails you've requested (verification, password reset, notifications).
- Vercel — website hosting and serverless infrastructure. Processes request data (IP addresses, request logs) as part of serving the application.
- Supabase / PostgreSQL — encrypted database hosting for all account, scan, and appeal data.
We do not sell your personal data to any third party. We do not use your data for advertising purposes and we do not share data with advertising networks.
4. Data Retention
- Account data (name, email, password hash) — retained until you delete your account.
- Scan history — retained for 12 months from the date of the scan, after which it is automatically deleted. You can delete individual scans at any time.
- Appeal letters — retained indefinitely so you can access them in the future. You can delete individual appeals at any time.
- Payment records — subscription event logs are retained for 7 years to meet financial record-keeping obligations.
- Server logs — retained for up to 30 days.
- When you delete your account, all personal data associated with your account (scans, appeals, profile information) is permanently deleted within 30 days, except where retention is required by law.
5. Cookies
We use a minimal set of cookies necessary to operate the Service:
- Session cookie — set by NextAuth.js to maintain your login session. This is an essential cookie required for authentication. It expires when you sign out or after 30 days of inactivity.
- CSRF token cookie — set by NextAuth.js to protect against cross-site request forgery attacks.
We do not use advertising cookies, tracking pixels, or third-party analytics cookies. We do not use Google Analytics or any equivalent service that tracks individual users across websites.
Your browser's cookie settings can be used to delete or block cookies, but this may prevent you from using the authenticated features of the Service.
6. Your Rights (including GDPR)
Depending on your location, you may have the following rights regarding your personal data:
- Right of access — you can request a copy of the personal data we hold about you.
- Right to correction — you can update your name and email in your account settings at any time.
- Right to erasure (“right to be forgotten”) — you can delete your account from your settings page. This permanently deletes all personal data associated with your account within 30 days.
- Right to data portability — you can request an export of your data (scan history, appeal letters) by emailing support@vetsy.io.
- Right to object / restrict processing — you can ask us to stop processing your data for specific purposes. Note that this may prevent us from providing the Service.
- Right to lodge a complaint — if you are in the EU or UK, you have the right to lodge a complaint with your local data protection authority (e.g. the ICO in the UK).
6.1 Lawful Basis for Processing (GDPR)
For users in the EU/EEA, we process your data on the following lawful bases:
- Contract — processing necessary to provide the Service you have signed up for (account management, scan and appeal features, billing).
- Legitimate interest — service improvement, security monitoring, and fraud prevention.
- Legal obligation — retention of payment records.
- Consent — sending non-essential marketing communications (you may withdraw consent at any time in your notification settings).
7. Security
We take reasonable technical and organisational measures to protect your data, including:
- HTTPS encryption for all data in transit.
- bcrypt hashing for all stored passwords.
- Encrypted database storage via Supabase.
- Role-based access controls — only your own data is accessible to you.
- Rate limiting on authentication endpoints to prevent brute-force attacks.
No system is completely secure. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authorities as required by applicable law.
8. Children's Privacy
The Service is not directed at children under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, please contact us and we will delete it.
9. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a prominent notice on the Service at least 14 days before the changes take effect.
10. Contact Us
For any privacy-related questions, requests to exercise your rights, or data export requests, please contact us at:
Email: support@vetsy.io
We will respond to all requests within 30 days.