Privacy Policy

Who we are (data controller)

Wrenlist is operated by Dominic Cushnan, a sole trader based in the United Kingdom, trading as Wrenlist. Dominic Cushnan is the data controller for personal data processed through the Wrenlist service.

Contact: admin@wrenlist.com

ICO registration: Registered with the UK Information Commissioner's Office (registration number ZC121275).

We process your personal data in accordance with the UK General Data Protection Regulation and the Data Protection Act 2018. For users in the European Economic Area, we apply the same standards under the EU General Data Protection Regulation. For California residents, see the "California privacy rights (CCPA/CPRA)" section below.

What personal data we collect

Account Registration: Name, email address, password (hashed), authentication method (Google Sign-In or email).

Usage Data: Your inventory items, listing details, photos, pricing, platform connections, and sales history.

Marketplace Credentials: When you connect marketplace accounts (eBay, Vinted, Etsy, Shopify, Depop, Facebook Marketplace), we store OAuth tokens securely where an OAuth flow exists (eBay, Shopify). For marketplaces without a public OAuth flow (Vinted, Depop, Facebook Marketplace), the Wrenlist browser extension reads only your existing logged-in session cookie for that site, on your own device. We do not store marketplace passwords.

Technical Data: IP address, browser type, device information, access logs (for security purposes only).

Referral Payout Details: If you earn a reward under our referral programme, we collect the payout details you give us at that point — your PayPal email address, or UK bank sort code and account number — solely to pay you. They are used for that payment (lawful basis: contract), kept only as long as needed for payment and accounting records, and never used for marketing or shared beyond our payment provider.

Lawful basis for processing

Under UK GDPR Article 6, we process your personal data for the following lawful bases:

• Contract: Processing necessary to provide Wrenlist services (inventory storage, listing management, marketplace integrations).
• Legitimate Interests: Security monitoring, fraud prevention, platform maintenance, service improvements, and creating the anonymised dataset used to improve our AI features (see "AI features and anonymised training data" below).
• Consent: Marketing communications (you can opt out at any time).

How we use your data

To Provide Services: Store your inventory, manage listings, connect to marketplaces, provide customer support.

For Security: Prevent fraud, detect unauthorised access, maintain account security.

For Improvement: Analyse usage patterns to improve Wrenlist (anonymised data only).

For Communication: Send service updates, account notifications, and (with consent) marketing emails.

Marketplace connections

When you connect marketplace accounts (eBay, Vinted, Etsy, Shopify, Depop, Facebook Marketplace), we store your OAuth access tokens encrypted at rest (AES-256-CBC). Refresh tokens are stored securely. We only access the permissions you explicitly grant during OAuth authorisation. We do not store your marketplace username or password.

Wrenlist browser extension

Wrenlist publishes an optional Chrome browser extension — Wrenlist — Marketplace Sync — which acts as the automation layer for marketplaces that do not offer a public OAuth flow. Installing the extension is optional; you can use Wrenlist without it, but publish, update, and delist on Vinted, Depop, Etsy, Shopify and Facebook Marketplace require it.

What the extension reads. Only on marketplace domains you have connected in Wrenlist (*.vinted.*, *.ebay.*, www.etsy.com, admin.shopify.com, *.myshopify.com, *.depop.com, *.facebook.com, upload.facebook.com) and on your own Wrenlist dashboard (*.wrenlist.com). The extension reads the session cookie of marketplaces that require it (Vinted, Depop, Facebook Marketplace) so it can make authenticated requests on your behalf. It never reads, stores, or transmits cookies, messages, profile data, news feed, or any other data outside the marketplace API calls required to publish, update, or delist your own listings.

What the extension sends where. Your listing data goes to the marketplace APIs you are already signed into. Publish/delist job status is reported back to your own Wrenlist dashboard at app.wrenlist.com. No listing or session data is sent to any third party.

What the extension stores locally. Your Wrenlist bearer token (so it can talk to your Wrenlist dashboard), your extension preferences, and a short-lived diagnostic log for troubleshooting. No marketplace credentials are stored.

Remote code. The extension does not fetch or execute any remote JavaScript. All logic ships inside the published bundle on the Chrome Web Store.

Data we do not do. We do not sell, rent, or share any data the extension reads with third parties. We do not use the extension for advertising, profiling, or creditworthiness decisions. We do not use it to collect data unrelated to publishing and delisting your own listings.

Data storage and security

Storage: Your data is stored in Supabase (PostgreSQL database hosted on AWS) with row-level security (RLS) enabled. All data is stored in EU data centres, ensuring compliance with UK GDPR.

Encryption: All connections use HTTPS/TLS encryption in transit. Sensitive fields (OAuth tokens, payment information) are encrypted at rest.

Access Control: Only you can access your data. Database queries are filtered by your user ID (auth.uid()).

Data retention

While Your Account is Active: Your data is retained as long as your Wrenlist account is active.

After Deletion: If you delete your account, all personal data (name, email, photos, descriptions, marketplace tokens) is permanently deleted immediately. Backup copies are securely destroyed within 90 days.

Anonymised Data Retention: When you delete your account, we retain a fully anonymised record of your product and sales data (category, brand, condition, pricing, sell-through timing) for service improvement and aggregate analytics. This data contains no user identifiers, photos, descriptions, or any information that could identify you. Under UK GDPR Recital 26, anonymised data is not personal data and is exempt from data subject rights. If you object to this retention, contact admin@wrenlist.com before deleting your account.

Legal Obligations: If required by law (e.g., tax or fraud investigations), we may retain data longer to comply with UK legal requirements.

AI features and anonymised training data

Wrenlist's AI features (photo identification, pricing suggestions, category matching) are improved using data from how the service is actually used. Two distinct kinds of data are involved, and they are handled differently.

1. Anonymised sales records. When an item sells, a nightly process copies a stripped-down record into a separate, anonymised dataset. That record contains: category, brand, condition, size, colour, cost, asking price, sold price, sourcing and sale dates, days-to-sell, and which marketplace it sold on. It contains no user ID, no item ID, no photos, no descriptions, no SKUs, and no notes. Duplicate prevention uses a one-way salted hash, which cannot be reversed to identify you or your item. These records cannot be linked back to your account.

2. AI interaction logs. When you use an AI feature, we keep a per-account record of the inputs (such as the item photo and title you submitted) and the outcome (whether you accepted, rejected, or corrected the suggestion). We use these logs to audit accuracy and improve the AI's prompts and examples. Unlike the anonymised sales records, these logs are personal data: they are keyed to your account, only visible to you and Wrenlist, and are permanently deleted when you delete your account.

Lawful basis. The act of creating anonymised records from your data is processing of personal data; we rely on legitimate interests (UK GDPR / EU GDPR Article 6(1)(f)) — improving the AI features all users rely on, using the minimum data needed, with identifiers removed at the earliest step. We have completed a legitimate interest assessment for this processing, available on request from admin@wrenlist.com. Once data is anonymised, it is no longer personal data under UK GDPR Recital 26. If we ever wanted to use identifiable content for AI training — we do not today — we would ask for your consent first.

Retention. Anonymised sales records are retained indefinitely — they are the dataset the AI features are built on. AI interaction logs are retained while your account is active and deleted with it.

What deletion does and does not undo. Deleting your account permanently removes all personal data: your photos, descriptions, listings, marketplace tokens, and AI interaction logs. Two things are not undone, and we want to be transparent about both: (1) sales records that were already anonymised before deletion remain in the anonymised dataset — they contain nothing that identifies you and cannot be traced back to you; (2) AI models already trained or tuned using anonymised data cannot selectively "unlearn" an individual contribution. Neither contains your personal data.

No sale of personal data. We never sell personal data. We may publish or commercialise aggregate, anonymised market statistics (for example, average sold prices by category). These contain no personal data.

Your choice. If you object to your data being included in future anonymisation snapshots or training runs, email admin@wrenlist.com and we will exclude your account going forward.

California privacy rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) gives you rights to know, delete, correct, and port the personal information we hold about you, and to opt out of the sale or sharing of personal information.

We do not sell or share personal information as those terms are defined by the CCPA, and we have not done so in the preceding 12 months. We do not use or disclose sensitive personal information for purposes requiring a right to limit.

Deidentified data commitment: where we maintain deidentified data (the anonymised sales records described above), we maintain and use it only in deidentified form and commit not to attempt to re-identify it, as the CCPA requires.

To exercise any CCPA right, email admin@wrenlist.com with "California Privacy Request" in the subject line. We will verify your request and respond within 45 days. We will not discriminate against you for exercising these rights.

Cookies and tracking

Essential Cookies Only: We use cookies solely for authentication and session management (e.g., storing your session token).

No Third-Party Analytics: We do not use Google Analytics, Facebook Pixel, or any third-party tracking services.

No Marketing Cookies: We do not use cookies to track your behaviour for marketing purposes.

Consent: By using Wrenlist, you consent to essential cookies. You can disable cookies in your browser settings, but this may affect functionality.

Your data rights under UK GDPR

You have the following rights under UK GDPR Articles 15–20:

• Right of Access (Article 15): Request a copy of your personal data. We will provide this within 30 days.
• Right to Rectification (Article 16): Correct inaccurate data. You can update account details directly in settings.
• Right to Erasure (Article 17): Request deletion of your data ("right to be forgotten"). We will delete all data within 30 days.
• Right to Data Portability (Article 20): Request your data in a portable, standard format (CSV/JSON). We will provide this within 30 days.
• Right to Restrict Processing (Article 18): Request we limit how we process your data.
• Right to Object (Article 21): Object to processing for marketing purposes.

Sharing your data

We do not sell your data to third parties. Your data is only shared with:

• Marketplace Platforms: When you connect marketplace accounts (eBay, Vinted, Etsy, etc.), they receive the inventory and listing data you choose to publish. This is necessary to provide the service.
• Antique-centre owners (if you are a booth-renting dealer): When you accept an invitation to join an antique centre on Wrenlist, you are agreeing to share a defined slice of your data with that centre's owner. See "Wrenlist Emporium — centre and dealer data sharing" below for the exact list.
• Service Providers: AWS (hosting), Supabase (database), Google (authentication), Resend (transactional email). All have UK GDPR data processing agreements in place.
• Legal Requirement: If required by law, law enforcement, or court order.

Wrenlist Emporium — centre and dealer data sharing

Wrenlist Emporium lets a UK antique-centre owner operate a multi-dealer till on Wrenlist. The relationship between centre owner and booth-renting dealer involves a defined slice of personal and trading data flowing both ways. This section explains who sees what, and why.

When you accept an invitation to join a centre as a dealer:

• The centre owner becomes a joint data controller with Wrenlist for the till and settlement data generated by sales at their centre. Wrenlist processes the data on shared infrastructure; the centre owner uses it to run their business.
• The lawful basis is contract (the booth-rental agreement between you and the centre) combined with legitimate interests (the centre needs to settle commission, the dealer needs to be paid, both need an auditable record).
• You can leave at any time by suspending or declining the membership; no new data is shared after that point.

What the centre owner can see:

• Your email address and display name (so they can invite, contact, and pay you).
• Your booth-tagged sales rung up at their till: item title, optional cashier-typed description, sale price, payment method, optional photo, time of sale.
• Your booth stock currently listed at the centre (item title and price only, drawn from finds you have linked to your booth stash).
• Aggregated settlement totals (gross, commission, rent if any, amount owed) per period.

What the centre owner cannot see:

• Your wider Wrenlist account: sales on other marketplaces, finds not linked to this centre's booth, your sourcing log, your cost or profit figures, or your bank details.
• Other centres' data if you rent at more than one venue.
• The contents of messages or notes you write that aren't explicitly stamped on a sale row.

What you (the dealer) can see about the centre: centre name, address, payout cadence, commission %, and your own per-period settlement breakdown.

Public micro-site: if the centre publishes a public page on /e/[slug], your booth-linked items may appear in the live stock grid with your booth code and first name. You can opt down to booth-code-only or fully anonymous attribution at any time by emailing the centre owner or contacting admin@wrenlist.com.

Retention: sales rows and settlement statements are retained for at least 7 years after the financial year they relate to, to meet HMRC record-keeping requirements for both parties. Deleting your account anonymises personal identifiers on your sales but does not delete the sale row itself, so the centre's books remain auditable.

Disputes between you and the centre (e.g. a sale you don't recognise) are between the two of you in the first instance. Wrenlist surfaces a dispute flag on the relevant settlement and preserves the audit trail; we are not a party to the commercial relationship and do not arbitrate.

International data transfers

Your data is stored in the EU (Ireland) on AWS servers. If we ever transfer data outside the UK/EU, we will only do so with appropriate safeguards (Standard Contractual Clauses or Binding Corporate Rules) compliant with UK GDPR Chapter 5.

Data protection impact assessment

We conduct regular security reviews and data protection assessments to ensure compliance with UK GDPR.

Contact and your rights

To exercise any of your data rights, contact us at admin@wrenlist.com with "Data Request" in the subject line. We will respond within 30 days.

If you are unsatisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): www.ico.org.uk.

Changes to this policy

We may update this privacy policy at any time. Material changes will be notified via email. Continued use of Wrenlist after changes constitute acceptance.

Contact

For privacy questions or data requests, email admin@wrenlist.com.