Privacy Policy
Last updated: 2026-05-14
Bumplyy is a personal seller toolkit for Vinted users — a Chrome extension and a companion website at this domain. This policy explains what we collect, where it lives, and how to delete it. We aim to collect the absolute minimum to run the features you turn on, and nothing else.
What we store
- Your email address and a salted password hash on our backend (Supabase). The plaintext password never leaves your device and we never see it.
- Per-month usage counters for your plan's monthly caps — numbers only, no buyer, item, or message context attached.
- A device-local activity log of the last ~200 actions, in chrome.storage.local. Never sent off your device.
- Your Vinted CSRF token (valid for 30 minutes), the relist queue, and a 7-day liker country-code cache — all device-local.
What we do not collect
- No analytics, advertising SDKs, or fingerprinting on the marketing site or in the extension.
- No buyer messages, prices, photos, or item content on our servers.
- No browsing history outside of your open Vinted tabs.
- No payment information — when billing goes live, Stripe will handle it directly.
Account on this website
When you sign in on this website, Supabase Auth sets essential cookies in your browser (httpOnly, SameSite=Lax) to keep you signed in. The login is the same as the one in the extension — same email, same password, same Supabase project. The website serves no analytics, no advertising trackers, and no third-party scripts other than what is required to run the page.
Account deletion
You can delete your account at any time from the /account page. Deletion immediately and permanently removes your email, password hash, and monthly usage counters from our backend. Your device-local data (queue, log, settings in chrome.storage.local) is not affected by this — uninstall the extension or clear chrome.storage.local separately to wipe it.
Your rights (GDPR)
If you are in the EU or another GDPR jurisdiction, you have the right to:
- Access — request a copy of the data we hold on you (email us; we respond within 30 days).
- Rectification — correct inaccurate data.
- Erasure — delete your account self-serve, or by email.
- Portability — receive your data in a portable format.
- Restriction — ask us to pause processing while a dispute is resolved.
- Objection — object to processing for any reason.
Data categories (Chrome Web Store framing)
For the Chrome Web Store's data-handling disclosure, the categories that apply to this product are:
- Personally identifiable info: email address.
- Authentication info: salted password hash (managed by Supabase), session tokens (httpOnly cookie on the website; chrome.storage.local in the extension).
- User activity: aggregate monthly counters of actions taken (relists, messages, offers, edits, follows, likes, auto-accepts). No item, buyer, price, or message content is attached.
- Web history: none.
- Website content: none beyond your own listings, which you direct the extension to act on.
- Location: none on the website. The extension caches each liker's country code (ISO codes like 'HU') for up to 7 days, on your device, to pick the right language template.
- Financial info: none today. When subscription billing goes live, Stripe will store a customer ID; we will update this policy before that happens.
Limited Use disclosure
Our use of any user data, and of information received from Google APIs (none currently used), adheres to the Chrome Web Store User Data Policy, including the Limited Use requirements. We do not transfer user data to third parties except as necessary to operate the service (Supabase for auth and usage metering).
No sale or sharing
We do not sell or share user data with any third party for advertising, analytics, or any purpose other than operating the service. We do not use your data to train AI models. We do not allow humans to read user data except where required by law or, for support, with your explicit consent.
Third parties
Supabase processes your account email, password hash, and usage counters under their privacy policy at https://supabase.com/privacy. The extension talks to Vinted's public API directly from your browser using your existing session — we don't proxy this traffic. The optional sniper push uses ntfy.sh (only the search-match data you opt into) at https://ntfy.sh/privacy.
Cookies
The website sets only essential authentication cookies (httpOnly, SameSite=Lax) when you sign in. There are no analytics or advertising cookies. Because essential cookies are exempt from consent under ePrivacy, no cookie banner is shown.
Where your data lives and how long
- Email + password hash: Supabase, until you delete your account.
- Monthly usage counters: Supabase, kept for a rolling 13 months and then deleted.
- Activity log, queue, settings: your device (chrome.storage.local), until you clear it or uninstall.
- CSRF token: your device, 30 minutes.
- Liker country-code cache: your device, 7 days.
Children
The extension and website are not intended for and not marketed to users under 18. Vinted itself requires users to be 18+.
Changes to this policy
If we materially change what we collect or how we use it, we will bump the date at the top of this page and post a notice in the extension popup before the change takes effect.
Contact
Questions, deletion requests, or data export requests: morzsi812@gmail.com.