Privacy Policy
Popup is a Chrome extension that lets Depop sellers bulk-relist listings, generate AI-optimized descriptions, and automatically select listings to relist via filter criteria — all from a panel injected into depop.com. This policy explains exactly what personal data we collect, how it is used, how it is stored, who it is shared with, and your rights regarding that data.
We do not sell your data. We do not serve ads. If you have any questions, email us at [email protected].
1. Data We Collect and Store
1.1 Account information
When you create a Popup account you provide an email address and choose a password, or sign in with Google. We store:
- Your email address — used to identify your account and send transactional messages (email confirmation links, password resets).
- A hashed password (if email/password sign-up) — hashed by Supabase before storage; we never see or store your plaintext password.
- Your account creation timestamp and last-active timestamp — updated each time the extension contacts our server.
1.2 Depop profile data
When the extension is open on depop.com and you are signed into Depop, the extension reads your Depop session to retrieve and store in our database:
- Your Depop user ID (numeric identifier)
- Your Depop username
- Your Depop avatar URL (a link to your profile photo hosted on Depop's servers)
This data is used to associate your Popup account with your Depop shop and to display your profile inside the extension.
1.3 Subscription and usage data
We store the following subscription and usage records in our database:
- Plan status — "free" or "pro"
- Trial expiry date — if you started a free trial, the date it ends
- AI description credits used — a counter of how many AI-generated descriptions you have used in the current billing period
- Auto-Select run counter — a counter of how many Auto-Select runs you have used in the current billing period
- Billing period reset dates — timestamps recording when monthly usage counters were last reset
1.4 Payment and billing data
If you subscribe to Popup Pro, payment is processed by Stripe. We do not collect, see, or store your credit card number, CVV, or full card details at any point — these are entered directly on Stripe's hosted checkout page and are held exclusively by Stripe. We do store in our database:
- Your Stripe customer ID (an opaque identifier issued by Stripe, e.g. cus_xxxxx)
- Your Stripe subscription ID (e.g. sub_xxxxx)
These identifiers are used solely to manage your subscription (upgrades, cancellations, billing portal access). See stripe.com/privacy for how Stripe handles payment data.
1.5 Depop authentication token (session only)
The extension reads your access_token cookie from depop.com to authenticate API calls made on your behalf — fetching your listings, re-uploading photos, creating new listings, and deleting old ones. This token is held in memory only for the duration of the operation and is never stored on our servers, written to disk, or logged.
1.6 Listing content and photos (AI feature)
If you use the AI description feature, your listing's description text and optionally a listing photo URL are forwarded through our Cloudflare Worker to Google's Gemini API. We do not store this content on our servers after the response is returned to your browser. Your listing photos are fetched from Depop's CDN and re-uploaded to Amazon S3 as part of the relist flow; we do not retain copies on our servers.
2. Data We Do Not Collect
- We do not collect browsing history or any activity outside of depop.com.
- We do not track which listings you view beyond what is required to perform a relist.
- We do not use analytics SDKs, tracking pixels, or device fingerprinting of any kind.
- We do not store your Depop password — the extension uses your existing Depop session cookie.
- We do not store credit card numbers, CVV codes, or any raw payment instrument data.
- We do not collect any data from pages other than depop.com.
3. How We Use Your Data
- Authentication — to sign you in and maintain your account session.
- Core functionality — to provide relisting, AI description generation, and Auto-Select criteria-based relisting.
- Account association — to link your Popup account to your Depop shop.
- Usage enforcement — to enforce plan limits (e.g. 10 AI descriptions per month on the free plan) using the usage counters described in section 1.3.
- Billing — to manage your subscription via Stripe.
- Transactional communication — to send confirmation emails, password resets, and subscription receipts. We do not send marketing emails.
We do not use your data for advertising, profiling, or sale to third parties.
4. Data Sharing and Third-Party Services
We share data with the following third-party services only to the extent necessary to operate the product. We do not share your data with any other third parties.
Supabase (database and authentication)
We use Supabase to host our database and manage authentication. Your email address, hashed password, Depop profile identifiers, subscription status, usage counters, and Stripe IDs are stored on Supabase's servers (hosted on AWS in the United States). Supabase acts as a data processor on our behalf under a Data Processing Agreement. See supabase.com/privacy.
Cloudflare Workers (API proxy and backend)
All requests from the extension to our backend pass through a Cloudflare Worker. Cloudflare processes request metadata (IP address, timestamps) transiently for routing and security purposes. Cloudflare does not retain request bodies beyond its standard edge-logging window. See cloudflare.com/privacypolicy.
Google Gemini API (AI descriptions)
When you use the AI description feature, your listing's description text and an optional photo URL are forwarded to Google's Gemini API to generate a rewritten description. This data is processed by Google subject to their API terms. We recommend reviewing Google's Generative AI Terms and Google's Privacy Policy.
Stripe (payment processing)
If you subscribe to Popup Pro, Stripe processes your payment. You enter card details directly on Stripe's hosted checkout — we never see them. Stripe receives your email address and the subscription amount. We receive back only the Stripe customer ID and subscription ID (see section 1.4). See stripe.com/privacy.
Depop API and Amazon S3
The extension communicates directly with Depop's API (webapi.depop.com) using your Depop session cookie to fetch and manage your listings. Your listing photos are hosted by Depop on Amazon S3; the extension fetches them from S3 and re-uploads new copies as part of the relist flow. This is subject to Depop's Terms of Service and Amazon's Privacy Policy.
5. Chrome Extension Permissions
Popup requests the following Chrome permissions, used only as described:
- cookies — to read your Depop access_token cookie from depop.com for API authentication. Only the access token cookie is read; no other cookies are accessed.
- storage — to persist your Popup session tokens (access token and refresh token) in chrome.storage.local so you remain signed in between browser sessions. This data stays on your device.
- declarativeNetRequest / declarativeNetRequestWithHostAccess — to modify CORS and Origin headers on requests to Depop's API, which is required for the extension to make API calls from within the browser context.
- Host permissions for depop.com, *.depop.com, *.amazonaws.com, *.supabase.co, depop-ai-proxy.depoptools.workers.dev — required for cookie access, API calls to Depop, photo re-uploads to S3, authentication with Supabase, and communication with our backend proxy.
6. Local Data Storage
The extension stores the following data locally on your device using chrome.storage.local:
- Your Popup session access token and refresh token — used to authenticate requests to our backend and keep you signed in.
- A cached copy of your account status (plan, avatar URL, join date) — used to display your account information instantly without waiting for a network request. This cache is cleared when you sign out.
This data never leaves your device except as an authentication credential in HTTPS requests to Supabase and our Cloudflare Worker.
7. Data Retention
- Active accounts — we retain your account data (email, Depop profile, subscription status, usage counters) for as long as your account is active.
- Account deletion — when you delete your account via the Account page, we delete your records from our database immediately and remove your Supabase authentication identity within 30 days. Your Stripe subscription is cancelled at the same time.
- AI request content — listing text and photo URLs sent to Google Gemini are not retained by us after the API response is returned.
- Stripe records — Stripe retains transaction records for legal and financial compliance purposes according to their own retention policy.
8. International Data Transfers
Popup is operated from the United Kingdom. Data is processed and stored on servers located primarily in the United States (Supabase on AWS, Cloudflare, Stripe). By using Popup, you consent to the transfer of your data to the United States and other countries where our service providers operate, which may have different data protection laws than your country of residence.
9. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you.
- Correction — ask us to correct inaccurate or incomplete data.
- Deletion — delete your account and all associated data at any time via the Account page or by emailing us. Deletion is processed immediately for our database records.
- Portability — request your data in a machine-readable format.
- Objection / restriction — object to or request restriction of certain processing activities.
- Withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting prior processing.
To exercise any of these rights, email [email protected]. We will respond within 30 days.
10. Security
All communication between the extension, Supabase, our Cloudflare Worker, and Depop's API uses HTTPS/TLS. Your Depop access token is never written to disk or transmitted outside of the immediate API request for which it is needed. Our Cloudflare Worker validates your Supabase JSON Web Token on every authenticated request — unauthenticated or invalid requests are rejected with a 401 status. Database access for plan updates uses Supabase's service key (which bypasses row-level security); this key is never exposed client-side.
11. Children's Privacy
Popup is not directed at children under the age of 13 (or 16 in the EU). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.
12. Changes to This Policy
We may update this policy from time to time. The "Last updated" date at the top of this page will reflect any changes. Continued use of the extension after a material update constitutes acceptance of the revised policy. For significant changes affecting how we handle your data, we will notify you by email at least 14 days in advance.
13. Contact
For questions, data requests, or concerns about this privacy policy:
Email: [email protected]
Website: popupbot.net