DashVue Privacy Policy

Last updated: 6 May 2026

1. Introduction

This Privacy Policy explains how DashVue Ltd ("DashVue", "we", "us", or "our") collects, uses, stores, and protects your personal data when you visit our website at dashvue.co.uk (the "Website") or use our web application at app.dashvue.co.uk (the "App").

DashVue is a seller analytics dashboard designed for UK-based eBay sellers. We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).

This policy has two parts. Part A covers processing when you visit the Website (waitlist signups, contact form, cookies, analytics) and applies to every visitor. Part B covers processing when you sign up and use the App as a customer. If you are only on the Website, only Part A applies to you.

Data Controller: DashVue Ltd, a company registered in England and Wales.

Company Number: 17160596

Registered Address: 51 Woodland Vale Road, St Leonards-on-Sea, East Sussex, TN37 6JJ, United Kingdom

ICO registration: Registered as a data controller.

Data Protection Contact: privacy@dashvue.co.uk

We have not appointed a Data Protection Officer because we are not required to under UK GDPR Art. 37. The contact above handles all privacy enquiries.

Part A — Website visitors

A1. What we collect on the Website

A1.1 Waitlist email

When you join our pre-launch waitlist, we collect the email address you submit. That is the only field on the form. We lowercase and trim it before storage.

A1.2 Contact form (Support page)

When you submit the contact form at /support, we collect your name, email address, subject line, and message body. We use these only to reply to you.

A1.3 Cookies and analytics

We use two categories of cookie:

  • Strictly necessary — the consent cookie (dashvue_consent) that records your choice (12 months), plus your theme preference (dv-theme). Set without consent because they are essential under PECR reg. 6(4)(b).
  • Analytics — Google Analytics 4 cookies (_ga, _ga_*) set only after you click "Accept" on the cookie banner. These record a random client identifier, pages visited, referrer, and approximate location derived from a truncated IP. We do not run ad or marketing cookies.
  • Live chat (Crisp) — our chat widget loads on every non-legal page and may set first-party cookies (crisp-client/session/*) so your conversation is maintained across pages and return visits. Crisp is a French company; chat data is stored in the EU. The widget is hidden on legal/policy pages.

A1.4 Server logs

Cloudflare (CDN/proxy) and Supabase (database) keep default access logs containing IP address, user agent, and request path for a limited period (typically 7–30 days). Used for security, abuse prevention, and debugging.

A2. Lawful basis (UK GDPR Art. 6)

  • Waitlist email — consent (Art. 6(1)(a)). You give consent by submitting the form. Withdraw at any time by emailing privacy@dashvue.co.uk.
  • Contact form — legitimate interest (Art. 6(1)(f)) in responding to your enquiry, or steps taken at your request prior to a contract (Art. 6(1)(b)).
  • Analytics cookies — consent (Art. 6(1)(a) + PECR reg. 6). No analytics cookies are set unless you click "Accept".
  • Server logs — legitimate interest (Art. 6(1)(f)) in keeping the Website secure and reliable.

A3. How long we keep Website data

  • Waitlist emails — up to 18 months from collection, or 90 days after the App's general-availability launch converts the waitlist into customer accounts, whichever is sooner.
  • Contact-form messages — up to 24 months after our last reply.
  • Consent cookie — 12 months from your last choice, or re-prompted on material policy change.
  • Google Analytics data — 14 months from last user activity (GA4 default).
  • Cloudflare and Supabase access logs — default provider retention (typically 7–30 days).

A4. Website processors

Processor | Purpose | Region
Cloudflare, Inc. | DNS, edge proxy | Global edge — US control plane
Supabase Inc. | Waitlist + contact-form database | EU (Frankfurt) — US control plane
Google Ireland Ltd | Google Analytics 4 (only after opt-in) | EU — onward to Google LLC (US)
Crisp IM SAS | Live chat support widget | EU (France)
Resend, Inc. | Transactional email | US

We do not sell, rent, or trade your personal data. We do not run advertising on the Website.

A5. International data transfers

Where a processor transfers data outside the UK, we rely on either (a) the UK International Data Transfer Agreement (UK IDTA) or (b) the UK Addendum to the EU Standard Contractual Clauses, as offered by each provider's DPA. We monitor post-Schrems II ICO and EDPB guidance and will update safeguards if required.

Part B — App customers

This part applies once you create an account on the App at app.dashvue.co.uk.

B1. What we collect in the App

B1.1 Account

Email, hashed password (or Google OAuth identity), display name, optional photo, MFA factor.

B1.2 Business profile

Business name, registered address, contact info, VAT number, VAT scheme, optional logo.

B1.3 eBay-derived data (via OAuth, after you authorise us)

  • Order and transaction data (titles, prices, fees, shipping, buyer usernames + shipping addresses for fulfilment, tracking numbers)
  • Inventory / listings (titles, SKUs, prices, images, quantities, categories)
  • Seller feedback and ratings
  • Fee and payout data from eBay's Finances API
  • eBay user ID, account profile, store subscription tier
  • Marketplace notifications (subscribed on your behalf)

You can revoke at any time from eBay's site (Account Settings → Application Access).

B1.4 Buyer personal data — UK GDPR Article 14 notice

Some eBay-derived data identifies your buyers (eBay username + shipping address). We didn't collect this directly from the buyer; eBay shared it so you can fulfil their order. When eBay notifies us under their Marketplace Account Deletion API that an end-user has closed their account, we automatically anonymise that buyer's identifiers across every order, feedback and offer row within minutes. Older buyer identifiers are also anonymised after 18 months as a long-tail backstop. The order amount and fulfilment history stay (you need them for accounting); the username is replaced with an irreversible hash.

B1.5 Financial inputs

Expenses, COGS, supplier invoice metadata, replenishment notes, repricer rules.

B1.6 Uploaded files

Invoice PDFs/JPG/PNG, receipts, logos, listing photos. Stored in Supabase Storage with user-scoped access policies.

B1.7 AI features

When you use:

  • AI invoice import — we send the uploaded invoice + relevant inventory titles to Anthropic's Claude API to extract structured data
  • Listing helper — we send your photos + rough description to Claude to draft a listing

In all cases, Anthropic processes the request statelessly and does not train its models on your data (per Anthropic's commercial API terms). No eBay buyer personal information is sent to external AI services.

B1.8 Usage telemetry

Feature usage, AI token counts, sync timestamps, IP for rate-limiting.

We do not process special category data (health, racial/ethnic origin, religion, biometrics, genetic, sex life, political opinions, trade-union membership). If you accidentally upload an invoice containing such data, please email us and we will delete it.

B2. Lawful basis in the App

  • Providing the App — contract (Art. 6(1)(b))
  • Billing and tax records — legal obligation (Art. 6(1)(c))
  • Service communications and security — legitimate interest (Art. 6(1)(f))
  • Anonymising buyer data on eBay deletion notification — legal obligation (Art. 6(1)(c))
  • AI features (listing helper, invoice parser) — contract (Art. 6(1)(b))
  • Repricer — contract (Art. 6(1)(b)) — see B5

B3. App retention

  • Account data — until you delete your account; deleted within 30 days.
  • eBay data — deleted within 30 days of disconnecting eBay or closing your account.
  • Uploaded files, expenses, COGS — deleted when you delete them or your account.
  • Notification log + sync API log — 90 days (auto-pruned daily).
  • AI usage log — 365 days for billing, abuse prevention, and capacity planning (auto-pruned daily).
  • Rate-limit counters — 7 days.
  • Internal staff audit trail — 730 days, for incident investigation and ICO reporting if required.
  • Buyer personal data — anonymised within minutes when eBay notifies us of a closed account, and as a long-tail backstop, anonymised across all rows older than 18 months.
  • Billing records — 6 years from end of accounting period (UK Companies Act 2006 s. 388).

B4. App processors (sub-processors)

Processor | Purpose | Region
Supabase Inc. | Database, authentication, file storage | EU (Frankfurt) — US control plane
Vercel Inc. | Application hosting | EU edge with US fallback
Cloudflare, Inc. | DNS, edge proxying | Global — US control plane
Stripe Payments UK Ltd | Subscription billing — we never store card numbers | UK — onward to Stripe Inc. (US)
Anthropic, PBC | Claude API for AI features (listing helper, invoice parser) — stateless, no training | US
eBay Inc. | eBay APIs, only as you authorise | US/UK
Resend, Inc. | Transactional email | US
Google Ireland Ltd | OAuth sign-in (only if you choose Google) | EU — onward to Google LLC (US)

International transfers to US-based processors use the UK IDTA or the UK Addendum to the EU SCCs, as offered by each provider's DPA.

We will give you 30 days' notice by email before adding a new sub-processor that has access to customer data, so you can object if you wish (UK GDPR Art. 28).

B5. Automated decision-making (UK GDPR Art. 22)

DashVue includes a rule-based repricer that, when you enable it, can automatically change the listed price of your eBay items based on rules you define (e.g. "after 30 days, drop by 5%"). This is automated processing within the meaning of Art. 22, but:

  • It only acts on your own data and your own listings.
  • It does not produce legal effects or similarly significantly affect any person.
  • You configure every rule yourself, you can pause or override the system at any time, and you can revert any cycle from the Repricer page.
  • Hard safety nets (mandatory floor price, minimum margin, daily change cap, single-cycle drop cap) prevent runaway behaviour.

We do not use profiling for marketing, eligibility, or any decision affecting you as a person. The AI features (listing helper, invoice parser) generate suggestions for your review and never act on your behalf.

Shared — applies to both Website and App

S1. Security (UK GDPR Art. 32)

  • TLS 1.2+ across the Website and App.
  • Database encryption at rest (AES-256, provider default).
  • eBay OAuth tokens encrypted at rest with an additional application-layer AES-256-GCM envelope, keyed by an env-var secret separate from the database.
  • Row Level Security policies on every customer-data table, with explicit WITH CHECK clauses to prevent ownership-takeover via UPDATE.
  • OAuth state parameters HMAC-signed with a dedicated secret, bound to user identity, with a 10-minute TTL.
  • Rate limiting on every billable / abusable endpoint.
  • Multi-factor authentication enforced on all internal staff access to customer data.
  • Webhook integrity: Stripe + eBay webhook signatures verified on every request; unsigned events dropped.
  • Documented incident-response process with 72-hour ICO notification procedure (Art. 33).
  • Principle-of-least-privilege access controls for DashVue staff.

S2. Your rights (UK GDPR Art. 15–22)

You can exercise any of the following rights by emailing privacy@dashvue.co.uk or, for App users, via Settings → Danger Zone:

  • Access — copy of your personal data. The App has self-serve export at Settings → Danger Zone → Export my data (returns JSON).
  • Rectification — correction of inaccuracies. Most fields are editable in Settings.
  • Erasure — deletion of your data, including withdrawing your waitlist signup. App: Settings → Danger Zone → Delete account.
  • Restriction — limit how we process your data while a query is being resolved.
  • Portability — machine-readable export.
  • Objection — to processing based on legitimate interests.
  • Withdraw consent — for processing based on consent. Withdrawal does not affect prior lawful processing.
  • Not be subject to automated decisions — see Part B § B5. The repricer can be paused and any cycle reverted at any time.

We will respond within one calendar month (Art. 12(3)). For complex or voluminous requests, we may extend by two further months and will tell you within the first month.

If you are not satisfied, you can complain to the Information Commissioner's Office. We'd appreciate a chance to fix it first, but you don't have to come to us before approaching the ICO.

S3. Children

DashVue is a B2B service for UK eBay sellers. We do not target or knowingly collect data from anyone under 18. If you believe a child has given us personal data, email privacy@dashvue.co.uk and we will delete it.

S4. Data breach notification

If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours (Art. 33). Where the risk is high, we will notify you without undue delay (Art. 34).

S5. Changes to this policy

We may update this Privacy Policy. Material changes will be notified by email (for App users and waitlist members) or a prominent notice on the Website, and will re-prompt the cookie banner. The "Last updated" date at the top shows when it was last revised.

S6. Contact

Privacy queries: privacy@dashvue.co.uk

General support: support@dashvue.co.uk

Post: DashVue Ltd, 51 Woodland Vale Road, St Leonards-on-Sea, East Sussex, TN37 6JJ, United Kingdom

Company Number: 17160596

© 2026 DashVue Ltd. All rights reserved.