Skip to main content
DashVue

Privacy Policy — DashVue App

Last updated: 6 May 2026

This policy covers the DashVue App at app.dashvue.co.uk. The marketing site at dashvue.co.uk has its own privacy notice covering waitlist signups, contact forms, and analytics cookies. If you are only visiting the marketing site, that policy applies to you instead.

1. Who we are

DashVue Ltd(“DashVue”, “we”, “us”) is the data controller for personal data processed through the App.

  • Registered company number: 17160596 (England & Wales)
  • Registered office: 51 Woodland Vale Road, St Leonards-on-Sea, East Sussex, TN37 6JJ, United Kingdom
  • ICO registration: registered as a data controller. Reference number to be displayed on the marketing site.
  • Contact for privacy matters: privacy@dashvue.co.uk

We have not appointed a Data Protection Officer because we are not required to under UK GDPR Article 37. The contact above handles all privacy enquiries and you can address subject-access requests, complaints, or correspondence with the ICO to that address.

2. What personal data we process

2.1 Account data (collected from you)

  • Email address, hashed password, and any MFA factor you set up.
  • Display name and (optional) profile photo.
  • If you sign in with Google, your name and email from Google. We never receive your Google password.

2.2 Business profile (collected from you)

  • Trading name, registered address, contact details.
  • VAT registration status, VAT number, and VAT scheme (Standard / Flat Rate).
  • Business logo for your invoices (optional).

2.3 eBay-derived data (collected via eBay’s API after you authorise us)

  • Your eBay user ID, account profile, feedback score, and store subscription tier.
  • Your inventory listings: titles, SKUs, prices, images, quantities, categories.
  • Your order history: titles, prices, fees, shipping, tracking numbers, and the buyer’s eBay username and shipping address (so you can fulfil orders).
  • Your payouts and fee transactions from the eBay Finances API.
  • Buyer feedback you receive.
  • eBay marketplace notifications (shipping events, listing changes) we subscribe to on your behalf.

2.4 Buyer personal data (UK GDPR Article 14 notice)

Some of the data eBay sends us identifies your buyers — primarily their eBay username and shipping address. We did not collect this data directly from the buyer; eBay shared it with us so you (the seller) can fulfil their order. We act as a data processor for you in respect of this buyer data, and only retain it for as long as the order remains in your account or eBay’s API.

When eBay notifies us that an end-user has closed their eBay account (under eBay’s Marketplace Account Deletion API), we automatically anonymise that buyer’s identifiers on every matching order, feedback and offer row within minutes. Order amounts and fulfilment history are retained because you need them for your accounting; the personally-identifying username is replaced with an irreversible anonymised handle.

2.5 Financial inputs (collected from you)

  • Expenses, supplier invoices, COGS values, replenishment notes you record manually.
  • Files you upload: invoice PDFs / JPG / PNG, receipts, business logos, listing photos.

2.6 Billing data (collected via Stripe)

Subscription state, billing email, and Stripe customer / subscription IDs. We do not store your card number or CVC; Stripe handles all card data under PCI-DSS Level 1.

2.7 Anthropic (Claude) processing — no training

When you use AI invoice import or the listing helper, we send the relevant content to Anthropic’s Claude API to generate a response. Per Anthropic’s API terms, Anthropic does not use API inputs or outputs to train their models. We never send buyer personal information to Anthropic. Listing-helper prompts contain only your own listing data (rough description, photos you uploaded, your item title), never any buyer or order information.

2.8 Technical data

  • IP address (briefly, for rate-limiting; no permanent retention).
  • Browser session cookies (strictly necessary for authentication).
  • Standard server logs: request method, path, response code, user-agent, timestamp.

We do not process special category data (health, racial or ethnic origin, religious beliefs, biometric, genetic, sex life or sexual orientation, political opinions, trade-union membership). If you accidentally upload an invoice containing such data, please email us and we will delete it.

3. Why we use your data (purposes & lawful bases)

  • Provide the App — UK GDPR Art. 6(1)(b) (contract). Reading your eBay data, computing your figures, syncing your inventory.
  • Bill you — Art. 6(1)(b) (contract) and Art. 6(1)(c) (legal obligation) for VAT and accounting record-keeping.
  • Keep the service secure — Art. 6(1)(f) (legitimate interests in fraud / abuse prevention).
  • Anonymise buyer data when eBay tells us to — Art. 6(1)(c) (legal obligation under eBay’s Marketplace Account Deletion mandate, which mirrors UK GDPR Art. 17 erasure).
  • AI features (listing helper, invoice parser) — Art. 6(1)(b) (contract). We send your prompts to Anthropic’s Claude API and return suggestions for your review. Anthropic does not train its models on this data.
  • Repricer (rule-based price adjustments) — Art. 6(1)(b) (contract). Covered separately under “Automated decision-making” below.
  • Service communications — Art. 6(1)(b). Transactional emails about your subscription, sync failures, etc.
  • Marketing emails (none today) — would require Art. 6(1)(a) consent.

4. Automated decision-making

DashVue includes a rule-based repricerthat, when you enable it, can automatically change the listed price of your eBay items based on rules you define (e.g. “after 30 days, drop by 5%”). This is automated processing within the meaning of UK GDPR Art. 22, but:

  • It only acts on your own data and your own listings.
  • It does not produce legal effects or similarly significantly affect any person.
  • You configure every rule yourself, you can pause or override the system at any time, and you can revert any cycle from the Repricer page.
  • Hard safety nets (mandatory floor price, minimum margin, daily change cap, single-cycle drop cap) prevent runaway behaviour.

We do not use profiling for marketing, eligibility, or any decision affecting you as a person. The AI features (listing helper, invoice parser) generate suggestionsfor your review and never act on your behalf.

5. Sub-processors

We use the following sub-processors. Each has a written data-processing agreement (UK GDPR Art. 28) and the UK International Data Transfer Agreement (UK IDTA) or UK Addendum to the EU Standard Contractual Clauses where data leaves the UK.

ProcessorPurposeRegion
Supabase Inc.Database, authentication, file storageEU (Frankfurt) — US control plane
Vercel Inc.Application hostingEU edge with US fallback
Cloudflare Inc.DNS, edge proxyingGlobal edge — US control plane
Stripe Payments UK LtdSubscription billingUK — onward transfer to Stripe Inc. (US)
Anthropic, PBCClaude API (listing helper, invoice parser)US
eBay Inc.eBay APIs (read your data on your authorisation)US/UK
Resend, Inc.Transactional email deliveryUS
Google Ireland LtdOAuth sign-in (only if you choose Google)EU — onward to Google LLC (US)

We do not sell, rent, or trade your personal data. We do not run advertising. We do not share your data with anyone outside this list except where required by law (e.g. ICO, HMRC, court order).

We will give you 30 days’ notice by email before adding a new sub-processor that has access to customer data, so you can object if you wish.

6. International transfers

Where a sub-processor is outside the UK (Anthropic, Stripe Inc., Google LLC, parts of Cloudflare and Vercel), we rely on either the UK IDTA or the UK Addendum to the EU SCCs as offered by each provider’s DPA. We monitor post-Schrems II ICO and EDPB guidance and will update safeguards if required. Supabase is EU-hosted, so the only US exposure for our database is the Supabase parent’s control-plane access — covered by the UK Addendum.

7. How long we keep it (retention)

  • Account & business data — for as long as your account is active. Deleted within 30 days of deletion request, subject to backup rotation.
  • eBay-derived data — deleted within 30 days of disconnecting eBay or closing your account.
  • Uploaded files (receipts, invoices, photos) — until you delete them or your account.
  • Notification log + sync API log — 90 days.
  • AI usage log — 365 days for billing, abuse prevention, and capacity planning.
  • Rate-limit counters — 7 days.
  • Internal staff audit trail — 730 days, for incident investigation and ICO reporting if required.
  • Buyer personal data flagged for deletion by eBay — anonymised within minutes of receiving the deletion notification.
  • Billing records — 6 years from end of accounting period (UK Companies Act 2006 s. 388).

Pruning runs automatically every day via a scheduled job. You don’t need to do anything for this to happen.

8. Security (UK GDPR Art. 32)

  • TLS 1.2+ on all connections.
  • Database encryption at rest (AES-256, provider default).
  • eBay OAuth tokens encrypted at rest with an additional application-layer AES-256-GCM envelope, keyed by an env-var secret separate from the database.
  • Row Level Security policies on every table prevent cross-account access at the database layer, with explicit WITH CHECK clauses to prevent ownership reassignment.
  • OAuth state parameters HMAC-signed with a dedicated secret, bound to user identity, with a 10-minute TTL — closes the OAuth account-linking attack class.
  • Rate limiting on every billable / abusable endpoint.
  • Multi-factor authentication enforced on all administrative access.
  • Webhook integrity: Stripe + eBay webhook signatures verified on every request; unsigned events dropped.
  • Documented incident-response process with 72-hour ICO notification (Art. 33).
  • Principle-of-least-privilege access controls for DashVue staff.

9. Your rights (UK GDPR Art. 15–22)

You have the right to:

  • Access — get a copy of your personal data. Use Settings → Danger Zone → Export my data, or email privacy@dashvue.co.uk. Delivered as JSON.
  • Rectification — correct anything inaccurate. Most fields are editable in Settings; email us for the rest.
  • Erasure — delete your data or your account. Use Settings → Danger Zone → Delete account. Acted on within 30 days.
  • Portability — receive your data in a machine-readable format. The export above returns JSON.
  • Restriction — limit how we process your data while a query is being resolved. Email us.
  • Objection — to processing based on legitimate interests. Email us.
  • Withdraw consent — for processing based on consent (e.g. marketing emails if we ever introduce them). Use the unsubscribe link or email us.
  • Not be subject to automated decisions — see “Automated decision-making” above. The repricer can be paused and any cycle reverted at any time.
  • Complain to the ICOico.org.uk/make-a-complaint. We’d appreciate a chance to fix it first, but you don’t have to come to us before approaching the ICO.

We will respond to any request within one calendar month (Art. 12(3)). For complex or voluminous requests we may extend by two further months and will tell you within the first month if we do.

10. Cookies

The App uses only strictly-necessary cookies, so PECR reg. 6(4)(b) applies and no consent banner is required:

  • sb-* — Supabase authentication session. Required to keep you signed in.
  • dv-theme — your light/dark theme preference.
  • ebay_oauth_state — OAuth state cookie set during eBay connect, 10-minute lifespan, deleted on callback.

We do not set any analytics, advertising, or marketing cookies inside the App. The marketing site has its own cookie notice for analytics.

11. Children

DashVue is a B2B service for UK eBay sellers. We do not target or knowingly collect data from anyone under 18. If you believe a child has provided personal data through DashVue, email privacy@dashvue.co.uk and we will delete it.

12. Data breach notification

If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours (UK GDPR Art. 33). Where the risk is high, we will notify you without undue delay (Art. 34).

13. Changes to this policy

We will update the “Last updated” date at the top when material changes are made. For significant changes (new sub-processor, new lawful basis, new data category) we will email registered users at least 14 days before the change takes effect.

14. Contact

Privacy queries: privacy@dashvue.co.uk
General support: support@dashvue.co.uk
Post: DashVue Ltd, 51 Woodland Vale Road, St Leonards-on-Sea, East Sussex, TN37 6JJ, United Kingdom