Legal
Privacy Policy
Last updated May 19, 2026
This Privacy Policy explains what data AutoFlip ("we", "us") collects, why we collect it, where it's stored, and how you can control it. We wrote this in plain English. If anything's unclear, email jon@autoflip.net.
AutoFlip is operated from the United States. The Service is available worldwide. If you access AutoFlip from outside the U.S., you understand and consent that your data will be transferred to and processed in the United States, which may have data protection laws that differ from those in your country.
1. What we collect
- Account data: email address, name (if provided), and the Clerk user id used to authenticate you. Clerk handles password and OAuth credentials; we never see or store them.
- Subscription & billing data: plan, billing period, subscription status, and Stripe customer id. Card numbers and other payment instruments are stored by Stripe directly — we never see them.
- Watchlist data: the queries, locations, exclusions, and filters you create; the structured listing data we scrape for those watchlists; and the alert emails we send you about them.
- Service logs: request logs (URL, timestamp, IP address, user agent), error reports (via Sentry), and email delivery events (via Amazon SES — bounces, complaints, opens where supported by your client). We use these to keep the Service running and to investigate abuse.
- Product analytics:we use PostHog to measure feature usage and the signup → activation → paid funnel. Events captured include page views, watchlist creation, and checkout completion, tied to your account id and email so we can debug specific user issues. We do not use ad networks or cross-site tracking. PostHog respects your browser's Do Not Track and Global Privacy Control signals.
- Feedback you send: when you submit feedback through the app or email us, we keep the message so we can reply and improve the product.
2. What we do not collect
We don't collect biometric data, government identifiers, or precise device location. We don't scrape your social media. We don't require connecting your marketplace accounts — AutoFlip reads only public listing pages. We don't use third-party advertising trackers on the Service today.
3. How we use it
- To deliver the Service: scan marketplaces and email you matching listings.
- To bill you and prevent fraud (via Stripe).
- To send transactional emails (alerts, billing, account notices). We do not currently send marketing email; if we ever do, it will be a clearly-distinct opt-in.
- To debug and improve the Service via aggregated, de-identified metrics.
- To comply with legal obligations and protect AutoFlip's rights.
4. Where data lives
Account data, watchlists, and listing/notification history are stored in a managed PostgreSQL database hosted by Supabase in the United States. Asynchronous infrastructure (Lambda functions, SQS queues, scheduling, email) runs in Amazon Web Services (us-east-2, Ohio). Authentication is provided by Clerk. Payments are processed by Stripe. Error monitoring is provided by Sentry. Product analytics events are processed by PostHog. Each of these providers operates under their own privacy and security commitments.
5. How long we keep it
We keep account and subscription data for as long as your account is open and for a short period after deletion so that we can respond to billing disputes and meet legal retention obligations. Listing and notification data are retained for the operational windows described in our spec (typically 30–90 days) and then purged automatically. You can ask us to delete the rest at any time.
6. Sharing
We don't sell or rent your personal data. We share data only with the service providers listed in section 4 (Supabase, AWS, Clerk, Stripe, Sentry), each under a contract that limits their use of it. We'll share data with law enforcement or in response to a valid legal request when required, and we'll narrow such requests to the minimum necessary.
7. Your rights
Wherever you live, you can email jon@autoflip.net to access, correct, export, or delete your AutoFlip data. We'll respond within the time required by applicable law (typically 30 days).
If you're in the EU, UK, or Switzerland, the GDPR / UK GDPR gives you specific rights to access, rectify, erase, restrict processing of, port, or object to the processing of your personal data, and to lodge a complaint with your supervisory authority. Our lawful bases are: (a) performance of our contract with you (to deliver the Service); (b) legitimate interest (to operate and secure the Service); and (c) consent (for any future marketing email). We are happy to act as a single point-of-contact for these requests.
If you're in California, the CCPA / CPRA gives you the right to know what personal information we collect, to delete it, to correct it, to limit the use of sensitive information (we don't use any), and to be free from discrimination for exercising these rights. AutoFlip does not sell or share personal information as those terms are defined in the CCPA.
Similar rights may apply under Canada's PIPEDA, Brazil's LGPD, Australia's Privacy Act, and other jurisdictions' laws. Email us to exercise any of them.
If you're in the EU, UK, or Switzerland, the GDPR / UK GDPR gives you specific rights to access, rectify, erase, restrict processing of, port, or object to the processing of your personal data, and to lodge a complaint with your supervisory authority. Our lawful bases are: (a) performance of our contract with you (to deliver the Service); (b) legitimate interest (to operate and secure the Service); and (c) consent (for any future marketing email). We are happy to act as a single point-of-contact for these requests.
If you're in California, the CCPA / CPRA gives you the right to know what personal information we collect, to delete it, to correct it, to limit the use of sensitive information (we don't use any), and to be free from discrimination for exercising these rights. AutoFlip does not sell or share personal information as those terms are defined in the CCPA.
Similar rights may apply under Canada's PIPEDA, Brazil's LGPD, Australia's Privacy Act, and other jurisdictions' laws. Email us to exercise any of them.
8. International transfers
When personal data moves from the EU, UK, or Switzerland to the United States, we rely on the European Commission's Standard Contractual Clauses (or equivalent mechanism) with our processors. If you have questions about a specific transfer, email us.
9. Children
AutoFlip is not directed to children under 16, and we don't knowingly collect data from them. If we learn we've collected data from a child, we'll delete it.
10. Security
We use TLS for all data in transit, encryption at rest for the database and managed infrastructure, and least-privilege access controls for our team. No system is perfectly secure; we'll notify affected users and, where required, regulators about any breach involving their personal data.
11. Cookies and similar tech
AutoFlip uses cookies and equivalent storage to keep you signed in (via Clerk), to remember UI preferences, and to support fraud prevention by Stripe. We don't use third-party advertising or cross-site tracking cookies. You can disable cookies in your browser settings, but the Service won't work without the authentication cookie.
12. Account deletion
Delete your account from the avatar menu in the top-right of the app (it's a Clerk-provided control). Deletion cancels any active subscription, removes your watchlists, and purges your data within a reasonable period, subject to legal and billing retention. Email us if anything goes wrong.
13. Changes to this Policy
We may update this Policy as the Service evolves. We'll change the "Last updated" date above and, for material changes, notify you by email. Your continued use of the Service after the new Policy takes effect means you accept it.
14. Contact
AutoFlip is operated by a single founder based in the United States. For privacy questions, requests, or to report a concern, email jon@autoflip.net.