Privacy Policy

Last updated: March 10, 2026 · Effective: March 10, 2026

1. Who We Are

Legitsy is operated by Sahara Tides SARL AU, a company registered in Morocco.

• Address: HAY EL MASSIRA 02 RUE OUED BAHT APPT 05, Dakhla 73000, Morocco
• ICE: 003683979000053
• Tax ID (IF): 66245765
• Contact: contact@legitsy.io

Legitsy is not affiliated with, endorsed by, or connected to Etsy, Inc. All Etsy-related trademarks are the property of Etsy, Inc.

2. What Data We Collect

2.1 Account Data (when you sign up)

• Email address — required for account creation and communication
• Name — display name (from OAuth provider or manually entered)
• Avatar — from your Google or Microsoft account (if you use OAuth)
• Authentication provider — which method you used to sign in

2.2 Usage Data (when you use Legitsy)

• Listing IDs checked — the Etsy listing IDs you choose to verify (only when you click "Check this item")
• Check results — the verdict (clean, alert, verified) and confidence score
• Check timestamps — when each check was performed
• Daily check count — for rate limiting purposes

2.3 Seller Data (when sellers apply for Trust Badge)

• Etsy shop URL — submitted during application
• Shop name and contact details — for review communication
• Shop metadata — listing count, ratings, member-since date (fetched from public Etsy data during verification)
• Listing data — titles, URLs, prices, images of products in verified shops (fetched from public Etsy data)

2.4 What We Do NOT Collect

3. How We Use Your Data

• To provide the service: processing listing checks, displaying results, managing your account
• To enforce rate limits: counting daily checks per user and per IP address
• To improve the service: aggregate, anonymized statistics (total checks, clean rate) — never individual data
• To communicate: account confirmations, seller application updates, service notifications
• To process payments: subscription management via Lemon Squeezy (we do not store credit card data)
• To verify sellers: analyzing publicly available Etsy shop data for Trust Badge applications

4. Data Storage & Security

• Database: Supabase (hosted in the US/EU, SOC 2 Type II compliant, encrypted at rest)
• Cache: Upstash Redis (encrypted, serverless)
• API: Cloudflare Workers (global edge network, encrypted in transit)
• Payments: Lemon Squeezy acts as Merchant of Record — we never see or store your credit card information
• Emails: Resend (DKIM/SPF/DMARC verified, encrypted)

All data transmission uses TLS 1.3 encryption. We implement Row Level Security (RLS) on all database tables to ensure users can only access their own data.

5. Data Retention

• Check logs: retained for 90 days, then automatically purged
• Seller impressions: retained for 2 years
• Account data: retained until you delete your account
• Webhook events: retained for 30 days (for payment processing integrity)
• Admin audit logs: retained permanently (for security compliance)

6. Your Rights (GDPR / CCPA)

Regardless of where you live, you have the following rights:

• Access: Export all your data at any time via your dashboard (Settings → Export my data)
• Correction: Update your name, email, and preferences in your dashboard
• Deletion: Delete your account and all associated data at any time (Settings → Delete account). This is permanent and cannot be undone. All check logs, testimonials, and personal data will be removed within 30 days.
• Portability: Export your data in standard JSON/CSV format
• Objection: Contact us at contact@legitsy.io to object to any data processing
• Restriction: Request that we limit processing of your data while we investigate any concern

To exercise any right, email contact@legitsy.io or use the self-service options in your dashboard. We respond within 30 days.

7. Chrome Extension Permissions

The Legitsy Chrome extension requests the minimum permissions necessary:

• Host permission (etsy.com/listing/*): Required to inject the "Check this item" trigger button on Etsy product pages only. No other websites are accessed.
• Storage: To store your authentication token locally so you don't need to log in every time.
• ActiveTab: To read the current tab's URL (only to extract the listing ID when you click "Check").

The extension does not request access to your browsing history, bookmarks, downloads, or any other browser data. It has no content scripts on any site other than Etsy product pages.

8. Third-Party Services

• Supabase (authentication, database) — supabase.com/privacy
• Cloudflare (CDN, Workers, Turnstile) — cloudflare.com/privacypolicy
• Oxylabs (product data analysis) — processes only public Etsy listing data
• Lemon Squeezy (payments) — lemonsqueezy.com/privacy — Merchant of Record, handles all payment data
• Resend (email delivery) — resend.com/privacy
• Google/Microsoft (OAuth sign-in) — we only receive your email and name, never your password

9. Children's Privacy

Legitsy is not intended for users under 13 years of age (or 16 in the EU). We do not knowingly collect data from children. If you believe a child has created an account, contact us and we will delete it immediately.

10. International Data Transfers

Your data may be processed in the United States and European Union (where our infrastructure providers are located) and Morocco (where Sahara Tides is incorporated). All transfers are protected by encryption and the service providers' compliance programs (Supabase: SOC 2, Cloudflare: ISO 27001).

11. Changes to This Policy

We may update this privacy policy from time to time. Material changes will be communicated via email to registered users at least 30 days before they take effect. The "Last updated" date at the top reflects the most recent revision.

12. Contact Us

For any privacy-related questions, concerns, or requests:

• Email: contact@legitsy.io
• Mail: Sahara Tides SARL AU, HAY EL MASSIRA 02 RUE OUED BAHT APPT 05, Dakhla 73000, Morocco