Email address for login, email verification, support, and contract-related communication.
Password hash with individual salt. Plain-text passwords are not stored.
Optional: Google account ID when Google login is used.
Account status, credits/listings, plan, settings, and templates.
b) eBay integration
eBay OAuth tokens so Insero can prepare and publish eBay listings on your behalf.
eBay account ID, eBay username, business policies, location, shipping, payment, and return policies, as required for the listing flow.
Listing metadata such as title, description, price, category, condition, SKU, offer ID, eBay item ID, status, and error details.
c) Product photos and AI processing
Uploaded product photos are processed for analysis and eBay image upload.
For AI analysis, product photos, detected image details, and user notes may be transmitted to the configured AI provider.
For go-live, images are transferred to eBay Picture Services.
Image data is not used for ad tracking.
d) Learning, quality, and training data
Insero stores structured AI drafts, final user versions, diffs, quality scores, and approval status to improve the listing workflow.
Exportable training data is sanitized before export. OAuth tokens, API keys, private contact data, addresses, and payment data are not exported.
Training candidates are not used blindly; they must pass quality review and approval.
e) Payment and billing
Payments are processed through Stripe. Insero stores Stripe event IDs, plan, amount, currency, payment status, and associated user ID.
Full payment data such as credit card numbers is not stored by Insero.
f) Technical data
IP address, timestamps, requested URL, referrer, user agent, and rate-limit data for security and abuse prevention.
Session cookie te_session for login.
3. Purposes and legal bases
Contract performance and provision of the SaaS service: Art. 6(1)(b) GDPR.
Security, abuse prevention, error analysis, and stability: Art. 6(1)(f) GDPR.
Legal retention obligations, where applicable: Art. 6(1)(c) GDPR.
Consent, where individual features explicitly require it: Art. 6(1)(a) GDPR.
4. Recipients and service providers
Fly.io for hosting and infrastructure.
Stripe for payment processing and subscription management.
Resend for email delivery, especially OTP and system emails.
eBay for OAuth, listing management, image hosting, and publication.
OpenAI, Google Gemini, or other configured AI providers for image and text analysis, where enabled in the system.
Data processing agreements are concluded with processors where required.
For transfers to third countries, appropriate safeguards such as standard contractual clauses are used.
5. Cookies
Insero uses a strictly necessary session cookie (te_session), set with HttpOnly and SameSite=Lax, with a lifetime of up to 30 days. No advertising cookies, Meta Pixel, or Google Analytics are used.
6. Retention period
Account and contract data: as long as the account exists and thereafter as required by legal retention periods.
Listing and learning data: as long as required for the service, traceability, quality assurance, or user history.
Rate-limit and security data: generally time-limited, unless needed to investigate abuse.
After account deletion, personal data is deleted or anonymized unless legal obligations prevent it.
7. Your rights
Under the GDPR you have in particular the following rights:
Access under Art. 15 GDPR.
Rectification under Art. 16 GDPR.
Erasure under Art. 17 GDPR.
Restriction of processing under Art. 18 GDPR.
Data portability under Art. 20 GDPR.
Objection under Art. 21 GDPR.
Complaint to a supervisory authority under Art. 77 GDPR.