← CrossWire

// Privacy

Privacy policy

Last updated: February 19, 2026 · GDPR + CCPA compliant

What we collect

Just what we need to run the service:

  • Account info — email, name, hashed password (bcrypt — never stored in plaintext).
  • Listing content — titles, descriptions, prices, photos you upload or scrape via our Chrome extension.
  • Marketplace tokens — OAuth tokens for the marketplaces you connect (encrypted at rest). We never see your marketplace passwords.
  • Usage metadata — login times, listing counts, sync events, IP+user-agent for security.
  • Payment info — handled by Stripe. We store only Stripe customer/subscription IDs, never card numbers.

What we don't collect

  • We don't sell, rent or share your data with advertisers.
  • We don't read your marketplace messages.
  • We don't track you across other websites.
  • No third-party analytics on Pro tier (Free tier uses basic, anonymous, self-hosted metrics).

How we use it

  • To provide the service — push your listings to the marketplaces you've chosen.
  • To send you operational emails (verification, reset, receipts, ticket replies).
  • To detect and block fraud or abuse.
  • To improve the product — in aggregate, never identifying individuals.

AI processing

When you use the AI listing writer, your photos and prompts are sent to Anthropic (Claude) via our backend, processed transiently, and not retained by us beyond the API response. Anthropic's terms apply to that processing.

Your rights (GDPR + CCPA)

  • Access — download every record we hold from Settings → Privacy as JSON.
  • Correction — update your profile any time from Settings.
  • Deletion — delete your account from Settings. Soft delete for 30 days (recovery window), then permanent.
  • Portability — the JSON export is a structured, machine-readable copy.
  • Opt out of sale — N/A, we don't sell data. But you can opt out anyway, just contact us.
  • Lodge a complaint — with your local data protection authority.

Retention

  • Active account data — kept as long as your account is open.
  • Deleted account data — purged 30 days after deletion request.
  • Billing records — retained 7 years for tax/audit purposes.
  • Audit logs (admin actions) — retained 2 years.

Cookies

We use a small number of essential cookies for authentication (httpOnly access + refresh tokens) and a single preference cookie for theme/region. No tracking, advertising or analytics cookies.

Sub-processors

  • Stripe — payment processing.
  • Anthropic — Claude AI for listing generation.
  • Resend — transactional email.
  • MongoDB Atlas — data storage.
  • Cloudflare / Emergent — hosting + CDN.

Security

Data in transit uses TLS 1.3. Data at rest uses AES-256 encryption (managed by our cloud provider). Marketplace tokens are encrypted with a separate per-environment key. Passwords use bcrypt with cost 12.

Children

CrossWire is not directed at children under 13 (or 16 in the EU/UK). We do not knowingly collect data from them.

Contact

Questions, data requests or complaints: /contact or email privacy@crosswire.app.

Made with Emergent