Privacy Policy

This Privacy Policy explains how Listybox LLC ("we", "us", "our") collects, uses, protects, and shares your personal information when you use our Service. By using Listybox, you agree to the collection and use of information in accordance with this policy. We are committed to protecting your privacy and complying with applicable data protection laws including GDPR (EU) and CCPA (California). We use industry-standard encryption (AES-256) for sensitive data and will never sell your personal information to third parties. We follow the principle of data minimization - collecting only what's necessary to provide our services.

1. Information We Collect

Personal Information

  • Account Data: Name, email address, phone number, country, language preference

  • Organization Data: Company name, website, tax ID, business address

  • Payment Information: Processed securely through Stripe (we don't store card details)

  • Marketplace Credentials: OAuth tokens for Etsy, Amazon, Shopify, Canva (encrypted with AES-256)

Automatically Collected Data

  • Usage Data: Features used, AI consumption metrics, platform interactions

  • Technical Data: IP address (stored for 30 days then anonymized), browser type, device information

  • Cookies: Only essential cookies for authentication and analytics (Google Analytics)

Content You Create

  • Product Data: Listings, descriptions, artwork, mockups

  • Business Data: Store settings, pricing, profit margins

2. Data Minimization Principle

We are committed to collecting only the minimum data necessary:

  • We only collect data REQUIRED for service functionality

  • You have the RIGHT TO DELETE any unnecessary data

  • Default settings collect MINIMUM data

  • You can opt-out of optional data collection at any time

3. How We Use Your Information

Service Provision

  • Create and manage your account

  • Process listings across marketplaces (Etsy, Amazon, Shopify)

  • Generate AI-powered content and mockups

  • Manage team collaboration within organizations

Platform Operations

  • Process payments via Stripe

  • Track AI usage for credit management and billing

  • Analyze aggregate usage statistics for pricing optimization (not individual habits)

  • Provide customer support

Legal & Security

  • Comply with legal obligations

  • Detect and prevent fraud

  • Enforce our Terms of Service

  • Protect against unauthorized access

4. Full Control Is Yours

Disconnect marketplace integrations instantly - revoke access anytime ✓ Export all your data in JSON format on demand ✓ Delete your account - all data removed within 30 days ✓ Disable AI features completely if preferred ✓ Manage permissions for each integration separately

5. Marketplace Token Security

Your marketplace tokens are used ONLY with your explicit instructions for:

  • Creating listings (with your approval)

  • Updating prices/inventory (based on your settings)

  • Retrieving order information for fulfillment

Important Security Guarantees:

  • You can REVOKE tokens at any time through your marketplace account

  • Tokens NEVER access your financial/banking information

  • Tokens CANNOT make purchases or payments

  • All actions are logged and visible in your activity history

  • Tokens are encrypted with AES-256 and never exposed

6. Data Sharing & Third Parties

Service Providers We Use

  • Payment Processing: Stripe (payment transactions only)

  • Analytics: Google Analytics (anonymized usage data)

  • Email Service: Amazon SES (transactional emails only)

  • AI Services: OpenAI, Google Gemini (content generation)

  • Infrastructure: Hetzner, Google Cloud Platform, Amazon Web Services

Marketplace Integrations

We share only necessary listing data with marketplaces through their APIs:

  • Etsy/Amazon/Shopify: Product listings, inventory, pricing

  • Canva Integration - We share ONLY:

    • URL of the image you choose to edit

    • Image dimensions

    • NO personal or financial information is ever shared

What We DON'T Do

  • We NEVER sell your personal data

  • We DON'T share data with marketers

  • We DON'T use your marketplace data for external AI training

7. Data Security

  • Encryption: All sensitive data encrypted with AES-256

  • Passwords: Secured using bcrypt hashing

  • Access Tokens: Encrypted storage, never exposed via API

  • Infrastructure: Distributed across multiple secure data centers

  • Access Control: Role-based permissions, two-factor authentication available

  • IP Address: Stored for 30 days for security purposes, then anonymized

8. Data Retention & Deletion

  • Active Data: Retained while account is active

  • Account Deletion: Data marked for deletion kept for 30 days for recovery and legal compliance

  • Permanent Deletion: Complete removal after 30 days

  • Marketplace Tokens: Removed immediately upon disconnection

  • AI Logs: Anonymized after 12 months

  • IP Addresses: Anonymized after 30 days

9. Your Rights

Under GDPR (EU Users)

  • Access: Request a copy of your personal data

  • Rectification: Correct inaccurate information

  • Erasure: Request deletion ("right to be forgotten")

  • Portability: Export your data in machine-readable format

  • Objection: Opt-out of certain processing

  • Restriction: Limit how we use your data

Under CCPA (California Users)

  • Know: What personal information we collect and how it's used

  • Delete: Request deletion of personal information

  • Opt-Out: Decline the sale of personal information (we don't sell data)

  • Non-Discrimination: Equal service regardless of privacy choices

10. Cookies Policy

We use only essential cookies:

  • Authentication Cookies: Keep you logged in (required)

  • Analytics Cookies: Google Analytics (performance monitoring)

  • No Marketing Cookies: We don't use tracking or advertising cookies

You can manage cookies through your browser settings, but disabling essential cookies may affect functionality.

11. International Data Transfers

Your data may be processed in:

  • Germany (Hetzner servers)

  • United States (Google Cloud, AWS)

  • European Union (GDPR compliance maintained)

We ensure appropriate safeguards through standard contractual clauses and encryption.

12. Children's Privacy

Listybox is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us immediately.

13. Marketing Communications

  • In-App Users: No marketing emails sent from the platform

  • Mailchimp Subscribers: Separate opt-in list for newsletters

  • Transactional Emails: Order confirmations, password resets (via Amazon SES)

  • Unsubscribe: Available in all marketing communications

14. Transparency Commitment

We publish an annual transparency report detailing:

  • Number of data requests received

  • How we responded to each request

  • Security incidents (if any)

  • Data protection improvements made

15. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be notified via:

  • Email notification to your registered address

  • In-app notification banner

  • Updated "Last Modified" date

Continued use after notification constitutes acceptance of the revised policy.

16. Data Protection Officer

While not legally required to have a DPO, we take data protection seriously. For privacy concerns, contact our privacy team directly.

17. Contact Information

For questions about this Privacy Policy or to exercise your rights:

Arbitbox LLC 8 The Green, Suite A Dover, DE 19901 United States

Email: legal@listybox.com

Response Time: We aim to respond to all privacy requests within 30 days.