Privacy Policy

Last updated: 14 April 2026

Applies to KolvaSniper, an AI-powered eBay buying assistant operated by Kolva Ltd.

1. Introduction

This Privacy Policy explains how Kolva Ltd (“Kolva”, “we”, “us”, “our”) collects, uses, stores, shares, and protects personal data when you use KolvaSniper (the “Service”) — our AI-powered assistant that searches eBay listings, evaluates them on your behalf, and (where you authorise it) places proxy bids and Best Offer responses on your eBay account.

We act as the data controller for personal data processed through the Service. eBay Inc. and its regional affiliates remain data controllers for the data held within your eBay account; we access that data only with your authorisation and process it as described below.

Data Controller

Kolva Ltd

Company Number: 16921159

Registered in England and Wales

Email: [email protected]

2. Scope

This policy covers personal data we process when you create a KolvaSniper account, connect an eBay account to the Service, run AI-assisted hunts and evaluations, and use any related billing, support, or marketing channels. It does not cover third-party services you reach via outbound links, including eBay’s own website and apps, which are governed by their respective privacy policies.

3. Legal Basis for Processing

Under the UK GDPR and the Data Protection Act 2018, we rely on the following lawful bases:

  • Performance of a contract: processing required to provide the Service you signed up for — account management, running hunts, executing snipes and offers, surfacing AI evaluations, and billing.
  • Consent: for connecting your eBay account via OAuth, for any optional analytics cookies, and for marketing communications. You can withdraw consent at any time.
  • Legitimate interests: for fraud prevention, abuse detection, security monitoring, debugging, and improving the Service — balanced against your rights and freedoms.
  • Legal obligation: for retaining billing and tax records (HMRC), responding to lawful requests, and complying with eBay’s account-deletion notification programme.

4. Data We Collect

4.1 Account information

  • Email address
  • Password (stored only as a salted bcrypt/argon2 hash — never in plain text)
  • Account creation date and last-login timestamp
  • Display name (optional)

4.2 eBay connection data

When you connect an eBay account through OAuth 2.0:

  • Your eBay username (after OAuth completes)
  • Your eBay user ID
  • OAuth access tokens (short-lived, in memory or short-term cache)
  • OAuth refresh tokens, encrypted at rest using AES-256
  • The OAuth scopes you have granted
  • Limited public account metadata returned by eBay (e.g. registration site, feedback score, seller status) where required to operate the Service

4.3 Hunt and activity data

  • Natural-language hunt queries you enter (“find me a mint Game Boy under £60” etc.)
  • Structured search parameters our AI derives from those queries
  • eBay listing snapshots returned for your hunts (titles, prices, images, seller info)
  • Your saved hunts, snipe schedules, and offer history
  • Outcomes of placed snipes/offers (won, outbid, accepted, declined)
  • Purchase activity inferred from your eBay account where the OAuth scope permits

4.4 Billing data

  • Stripe customer ID and subscription/plan status
  • Invoice history and VAT status
  • Card details are never stored on our servers — they are tokenised by Stripe

4.5 Technical data

  • IP address (used for rate limiting, abuse prevention, and approximate region)
  • Browser type, version, and user-agent string
  • Device type and operating system
  • Session identifiers and CSRF tokens
  • Application and error logs (which may incidentally include IP, route, and user ID)

5. How We Use Your Data

  • Running AI hunts: we send your natural-language query and relevant listing metadata to large language model providers (Anthropic Claude and Google Gemini) to parse intent, evaluate listings, score relevance, detect knockoffs, and recommend offer prices.
  • Placing bids and offers: we use your encrypted eBay refresh token to obtain short-lived access tokens and call the eBay APIs to place proxy bids, submit Best Offers, and read auction status — only for hunts you have explicitly armed.
  • Showing your history: we display your past hunts, snipes, offers, and outcomes in your dashboard.
  • Billing and tax: we share necessary data with Stripe to charge you and keep invoices for HMRC.
  • Security and abuse prevention: detecting credential stuffing, unusual bidding patterns, scraping, or violations of eBay’s rules.
  • Service communications: account, security, and transactional emails. Marketing emails only with your opt-in consent — you can unsubscribe at any time.
  • Customer support: when you contact us, we may access your account, hunts, and recent logs to diagnose your issue.

We do not sell your personal data, share it with data brokers, or use the content of your hunts for advertising profiling.

6. AI Processing

Your data is not used to train third-party AI models.

We use Anthropic’s Claude API and Google’s Gemini API under their commercial terms, which contractually prohibit training on inputs and outputs sent through the paid API. Your hunt queries and listing data are processed for your request and not retained beyond the providers’ standard short-term abuse-prevention windows.

  • What we send: your natural-language query, structured search parameters, and the listing metadata required to evaluate items (title, price, condition, photo URLs, seller rating, etc.). We do not send your password, eBay tokens, payment details, or address.
  • When we send it: only when you actively run a hunt, refresh evaluations, or request an offer recommendation.
  • Automated decisions: AI scores and recommendations are advisory. You remain in control of arming snipes, accepting offer prices, and confirming purchases. You can request human review of any decision that meaningfully affects you by emailing support.

7. Third-Party Service Providers

We share the minimum data necessary with the following processors and partners:

Provider | Purpose | Data shared
Anthropic, PBC (USA) | Claude AI for query parsing, evaluation, offer advice | Hunt query, listing metadata
Google LLC (USA) | Gemini AI for evaluation and product resolution | Hunt query, listing metadata
Stripe Payments Europe Ltd (Ireland) | Subscription billing and invoicing | Email, name, billing address, card token
eBay Inc. and regional affiliates | Listing search, item details, bid/offer placement | OAuth tokens, hunt parameters, bid amounts
Cloudflare, Inc. (USA) | DNS, CDN, DDoS protection, secure tunnel | IP, request metadata, headers
Amazon Web Services (AWS S3, optional) | Object storage for cached images and exports | Listing image cache, user export files

All providers are bound by data processing agreements that require appropriate technical and organisational safeguards. We may also disclose data when required by law, regulation, valid court order, or to protect our or others’ rights, property, or safety.

8. International Data Transfers

Some of the providers above are based in the United States or process data globally. Where data leaves the UK or EEA, we rely on:

  • UK Information Commissioner’s Office adequacy decisions where they exist
  • The UK International Data Transfer Addendum to the EU Standard Contractual Clauses
  • EU–US Data Privacy Framework certification, where applicable
  • Provider-specific data processing agreements with appropriate safeguards

9. eBay Account Connection & Deletion

KolvaSniper integrates with eBay using OAuth 2.0. Your eBay password is never seen, transmitted, or stored by us — you authenticate directly with eBay, which then issues us tokens with the scopes you approve.

You can disconnect your eBay account at any time from Settings → Connections. When you disconnect:

  • We immediately revoke and delete your stored OAuth refresh and access tokens
  • We stop placing any further bids or offers on your behalf
  • Your historical hunts and outcomes remain in your KolvaSniper account so you can review past activity, until you delete them or your account

eBay Marketplace Account Deletion notifications. KolvaSniper participates in eBay’s Marketplace Account Deletion/Closure Notification programme. Our endpoint is:

https://kolvashop.tgl.ltd/api/v1/ebay/notifications/account-deletion

When eBay notifies us that a user’s eBay account has been deleted or closed, we will, within 30 days of receiving the notification, delete or irreversibly anonymise that user’s eBay identifiers and OAuth credentials from our systems and from any backups that come due for rotation in that window. We retain only what we are legally required to keep (for example, anonymised billing records).

10. Data Retention

  • Account & profile: retained for the life of your account.
  • eBay OAuth tokens: retained until you disconnect your eBay account, delete your KolvaSniper account, or eBay notifies us of account deletion.
  • Hunt history and AI evaluations: retained until you delete the individual hunt or your account.
  • Snipe and offer logs: retained for 24 months for dispute resolution and abuse investigation, then deleted or anonymised.
  • Billing records: retained for 6 years to comply with HMRC requirements, even after account deletion.
  • Application logs: rotated within 30 days unless flagged for security investigation.
  • Backups: encrypted backups may persist for up to 35 days after deletion, after which they are overwritten.

When you delete your KolvaSniper account, we erase or irreversibly anonymise your personal data within 30 days, subject to the legal retention exceptions above.

11. Your Rights Under UK GDPR

You have the following rights, free of charge, in respect of your personal data:

  • Right of access: request a copy of the personal data we hold about you.
  • Right to rectification: ask us to correct inaccurate or incomplete data.
  • Right to erasure: ask us to delete your personal data (the “right to be forgotten”).
  • Right to restrict processing: ask us to pause processing while a query is resolved.
  • Right to data portability: request your data in a structured, commonly-used, machine-readable format (JSON export).
  • Right to object: object to processing based on legitimate interests or for direct marketing.
  • Right to withdraw consent: where processing is based on consent, withdraw it at any time.
  • Rights regarding automated decisions: request human review of any decision based solely on automated processing that produces a significant effect on you.

To exercise any of these rights, email [email protected]. We will respond within one calendar month. We may need to verify your identity before releasing or deleting data.

12. Cookies and Similar Technologies

KolvaSniper uses a small number of cookies and local-storage entries:

  • Strictly necessary: session cookies, CSRF tokens, and authentication state. These are required for the Service to function and do not require consent.
  • Preferences: remembering theme, layout, and last-used filters.
  • Analytics (placeholder): we may add a privacy-respecting analytics tool to understand aggregate product usage. If we do, it will be disclosed here, and where required by law it will only run after you opt in via our cookie banner.

We do not use cross-site advertising cookies or third-party trackers for behavioural marketing.

13. Security

We implement appropriate technical and organisational measures, including:

  • TLS 1.2+ encryption in transit for all connections
  • AES-256 encryption at rest for sensitive secrets, including eBay OAuth refresh tokens
  • Salted password hashing (bcrypt/argon2) — passwords are never recoverable in plain text
  • Principle of least privilege, audit logging, and access reviews for production systems
  • Hardened, automatically patched infrastructure with isolated environments
  • Rate limiting, anomaly detection, and DDoS protection via Cloudflare

No system is perfectly secure. If we ever become aware of a personal data breach affecting your rights, we will notify the UK ICO within 72 hours where required and notify affected users without undue delay.

14. Children’s Privacy

KolvaSniper is not available to anyone under 18 years of age. The Service places legally binding bids and offers on eBay on your behalf, and minors cannot enter into such contracts in the UK. We do not knowingly collect personal data from anyone under 18. If you believe a minor has registered, please contact [email protected] and we will close the account and delete the data.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in the Service, in our third-party processors, or in the law. Where changes are material, we will notify you by email and/or by an in-app notice and update the “Last updated” date at the top of this page. Continued use of the Service after changes take effect indicates acceptance of the updated policy.

16. Contact & Complaints

For any questions or to exercise your rights:

Kolva Ltd

Company Number: 16921159

Registered in England and Wales

Email: [email protected]

If you are not satisfied with our response, you have the right to lodge a complaint with the supervisory authority for data protection in the UK:

UK Information Commissioner’s Office (ICO)

Website: ico.org.uk

Helpline: 0303 123 1113

This Privacy Policy is governed by the laws of England and Wales. Any disputes arising out of or in connection with it are subject to the exclusive jurisdiction of the courts of England and Wales.

See also our Terms of Service and Cookie Policy.