Privacy Policy
Last updated: 28 May 2026
Applies to Kolva Seller, an AI-powered eBay listing assistant operated by Kolva Ltd.
1. Introduction
This Privacy Policy explains how Kolva Ltd (“Kolva”, “we”, “us”, “our”) collects, uses, stores, shares, and protects personal data when you use Kolva Seller (the “Service”) — our AI-powered assistant that turns a photo into a complete eBay listing for your review and, when you authorise it, publishes that listing to your own eBay account.
We act as the data controller for personal data processed through the Service. eBay Inc. and its regional affiliates remain data controllers for the data held within your eBay account; we access that data only with your authorisation and process it as described below.
Data Controller
Kolva Ltd
Company Number: 16921159
Registered in England and Wales
Email: [email protected]
2. Scope
This policy covers personal data we process when you create a Kolva Seller account, connect an eBay account to the Service, upload photos and draft and publish listings, and use any related billing, support, or marketing channels. It does not cover third-party services you reach via outbound links, including eBay’s own website and apps, which are governed by their respective privacy policies.
3. Legal Basis for Processing
Under the UK GDPR and the Data Protection Act 2018, we rely on the following lawful bases:
- Performance of a contract: processing required to provide the Service you signed up for — account management, drafting listings from your photos, publishing listings to your eBay account, and billing.
- Consent: for connecting your eBay account via OAuth, for any optional analytics cookies, and for marketing communications. You can withdraw consent at any time.
- Legitimate interests: for fraud prevention, abuse detection, security monitoring, debugging, and improving the Service — balanced against your rights and freedoms.
- Legal obligation: for retaining billing and tax records (HMRC), responding to lawful requests, and complying with eBay’s account-deletion notification programme.
4. Data We Collect
4.1 Account information
- Email address
- Password (stored only as a salted bcrypt/argon2 hash — never in plain text)
- Account creation date and last-login timestamp
- Display name (optional)
4.2 eBay connection data
When you connect an eBay account through OAuth 2.0:
- Your eBay username (after OAuth completes)
- Your eBay user ID
- OAuth access tokens (short-lived, in memory or short-term cache)
- OAuth refresh tokens, encrypted at rest using AES-256
- The OAuth scopes you have granted
- Limited public account metadata returned by eBay (e.g. registration site, feedback score, seller status) where required to operate the Service
4.3 Listing and activity data
- Photographs you upload of the items you want to list
- The listing drafts our AI generates (title, description, item specifics, category, condition, suggested price band, postage)
- Any edits you make to a draft before publishing
- The eBay listing identifiers and status of listings you publish through the Service
- Your draft history and the outcomes of publish attempts (published, failed, edited)
4.4 Billing data
- Stripe customer ID, credit balance, and purchase history
- Invoice history and VAT status
- Card details are never stored on our servers — they are tokenised by Stripe
4.5 Technical data
- IP address (used for rate limiting, abuse prevention, and approximate region)
- Browser type, version, and user-agent string
- Device type and operating system
- Session identifiers and CSRF tokens
- Application and error logs (which may incidentally include IP, route, and user ID)
5. How We Use Your Data
- Drafting listings: we send your uploaded photo and the listing context to large language model providers (Anthropic Claude and Google Gemini) to identify the item, write the title and description, fill item specifics, resolve the eBay category, and suggest a price band.
- Publishing listings: we use your encrypted eBay refresh token to obtain short-lived access tokens and call eBay’s Sell APIs to create and publish a listing on your account — only when you click Publish.
- Showing your history: we display your drafts, published listings, and their status in your dashboard.
- Billing and tax: we share necessary data with Stripe to charge you and keep invoices for HMRC.
- Security and abuse prevention: detecting credential stuffing, unusual usage patterns, scraping, or violations of eBay’s rules.
- Service communications: account, security, and transactional emails. Marketing emails only with your opt-in consent — you can unsubscribe at any time.
- Customer support: when you contact us, we may access your account, drafts, and recent logs to diagnose your issue.
We do not sell your personal data, share it with data brokers, or use the content of your listings for advertising profiling.
6. AI Processing
Your data is not used to train third-party AI models.
We use Anthropic’s Claude API and Google’s Gemini API under their commercial terms, which contractually prohibit training on inputs and outputs sent through the paid API. Your photos and listing data are processed for your request and not retained beyond the providers’ standard short-term abuse-prevention windows.
- What we send: the photo you upload and the listing context required to draft the listing (your notes, the resolved category, and similar listing metadata). We do not send your password, eBay tokens, payment details, or address.
- When we send it: only when you actively draft or re-analyse a listing.
- Automated decisions: AI drafts and price suggestions are advisory. You remain in control of reviewing, editing, and choosing whether to publish each listing. You can request human review of any decision that meaningfully affects you by emailing support.
7. Third-Party Service Providers
We share the minimum data necessary with the following processors and partners:
| Provider | Purpose | Data shared |
|---|---|---|
| Anthropic, PBC (USA) | Claude AI for item identification, drafting, and evaluation | Uploaded photo, listing context |
| Google LLC (USA) | Gemini AI for evaluation and identification | Uploaded photo, listing context |
| Stripe Payments Europe Ltd (Ireland) | Billing and invoicing for credit purchases | Email, name, billing address, card token |
| eBay Inc. and regional affiliates | Category data, price comparables, and listing creation/publication | OAuth tokens, listing content |
| Cloudflare, Inc. (USA) | DNS, CDN, DDoS protection, secure tunnel | IP, request metadata, headers |
| Amazon Web Services (AWS S3, optional) | Object storage for uploaded photos and exports | Uploaded photos, user export files |
All providers are bound by data processing agreements that require appropriate technical and organisational safeguards. We may also disclose data when required by law, regulation, valid court order, or to protect our or others’ rights, property, or safety.
8. International Data Transfers
Some of the providers above are based in the United States or process data globally. Where data leaves the UK or EEA, we rely on:
- UK Information Commissioner’s Office adequacy decisions where they exist
- The UK International Data Transfer Addendum to the EU Standard Contractual Clauses
- EU–US Data Privacy Framework certification, where applicable
- Provider-specific data processing agreements with appropriate safeguards
9. eBay Account Connection & Deletion
Kolva Seller integrates with eBay using OAuth 2.0. Your eBay password is never seen, transmitted, or stored by us — you authenticate directly with eBay, which then issues us tokens with the scopes you approve.
You can disconnect your eBay account at any time from Settings → Connections. When you disconnect:
- We immediately revoke and delete your stored OAuth refresh and access tokens
- We stop publishing any further listings on your behalf
- Your historical drafts remain in your Kolva Seller account so you can review past activity, until you delete them or your account. Listings already live on eBay are unaffected and remain managed from eBay.
eBay Marketplace Account Deletion notifications. Kolva Seller participates in eBay’s Marketplace Account Deletion/Closure Notification programme. Our endpoint is:
When eBay notifies us that a user’s eBay account has been deleted or closed, we will, within 30 days of receiving the notification, delete or irreversibly anonymise that user’s eBay identifiers and OAuth credentials from our systems and from any backups that come due for rotation in that window. We retain only what we are legally required to keep (for example, anonymised billing records).
10. Data Retention
- Account & profile: retained for the life of your account.
- eBay OAuth tokens: retained until you disconnect your eBay account, delete your Kolva Seller account, or eBay notifies us of account deletion.
- Listing drafts and AI evaluations: retained until you delete the individual draft or your account.
- Uploaded photos: retained with their associated draft until you delete the draft or your account; orphaned uploads are cleared during routine maintenance.
- Publish logs: retained for 24 months for dispute resolution and abuse investigation, then deleted or anonymised.
- Billing records: retained for 6 years to comply with HMRC requirements, even after account deletion.
- Application logs: rotated within 30 days unless flagged for security investigation.
- Backups: encrypted backups may persist for up to 35 days after deletion, after which they are overwritten.
When you delete your Kolva Seller account, we erase or irreversibly anonymise your personal data within 30 days, subject to the legal retention exceptions above.
11. Your Rights Under UK GDPR
You have the following rights, free of charge, in respect of your personal data:
- Right of access: request a copy of the personal data we hold about you.
- Right to rectification: ask us to correct inaccurate or incomplete data.
- Right to erasure: ask us to delete your personal data (the “right to be forgotten”).
- Right to restrict processing: ask us to pause processing while a query is resolved.
- Right to data portability: request your data in a structured, commonly used, machine-readable format (JSON export).
- Right to object: object to processing based on legitimate interests or for direct marketing.
- Right to withdraw consent: where processing is based on consent, withdraw it at any time.
- Rights regarding automated decisions: request human review of any decision based solely on automated processing that produces a significant effect on you.
To exercise any of these rights, email [email protected]. We will respond within one calendar month. We may need to verify your identity before releasing or deleting data.
12. Cookies and Similar Technologies
Kolva Seller uses a small number of cookies and local-storage entries:
- Strictly necessary: session cookies, CSRF tokens, and authentication state. These are required for the Service to function and do not require consent.
- Preferences: remembering theme, layout, and last-used filters.
- Analytics: we do not currently run third-party analytics or behavioural tracking. If we add a privacy-respecting analytics tool in future, we will update this policy and the cookie disclosure before deployment, and where required by law it will only run after you opt in via our cookie banner.
We do not use cross-site advertising cookies or third-party trackers for behavioural marketing.
13. Security
We implement appropriate technical and organisational measures, including:
- TLS 1.2+ encryption in transit for all connections
- AES-256 encryption at rest for sensitive secrets, including eBay OAuth refresh tokens
- Salted password hashing (bcrypt/argon2) — passwords are never recoverable in plain text
- Principle of least privilege, audit logging, and access reviews for production systems
- Hardened, automatically patched infrastructure with isolated environments
- Rate limiting, anomaly detection, and DDoS protection via Cloudflare
No system is perfectly secure. If we ever become aware of a personal data breach affecting your rights, we will notify the UK ICO within 72 hours where required and notify affected users without undue delay.
14. Children’s Privacy
Kolva Seller is not available to anyone under 18 years of age. The Service lets you publish listings and enter into legally binding sale contracts on eBay, and minors cannot enter into such contracts in the UK. We do not knowingly collect personal data from anyone under 18. If you believe a minor has registered, please contact [email protected] and we will close the account and delete the data.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in the Service, in our third-party processors, or in the law. Where changes are material, we will notify you by email and/or by an in-app notice and update the “Last updated” date at the top of this page. Continued use of the Service after changes take effect indicates acceptance of the updated policy.
16. Contact & Complaints
For any questions or to exercise your rights:
If you are not satisfied with our response, you have the right to lodge a complaint with the supervisory authority for data protection in the UK:
This Privacy Policy is governed by the laws of England and Wales. Any disputes arising out of or in connection with it are subject to the exclusive jurisdiction of the courts of England and Wales.
See also our Terms of Service and Cookie Policy.