Privacy Policy
This Privacy Policy explains how Gold Shield ("we", "us", "our") collects, uses, stores, and protects personal information of Etsy sellers who use our service (the "Service"), available at goldshield.app and its related domains.
Gold Shield is operated by SubLuna, an independent business based in Ukraine. We are not affiliated with, endorsed by, or sponsored by Etsy, Inc.
1. Scope
This Policy applies to personal information processed by Gold Shield when you visit our website, create an account, connect your Etsy shop, or interact with our service in any way. It does not apply to third-party sites or services we link to but do not operate.
2. What data we collect
We collect only what is necessary to provide the Service:
Account data
- Your email address
- An optional display name
- Account preferences and notification settings you configure
- Subscription, billing, and payment status (processed via our payment provider — we never see full card numbers)
Etsy shop data (via OAuth, read-only)
- Public information about your Etsy shop (name, region, listing count)
- Your active listings (titles, tags, descriptions, photos, prices)
- Your order history and transaction records, used to associate customer messages with specific orders
- Reviews and feedback received on your shop
Etsy notification data (forwarded by you)
- The contents of Etsy notification emails you choose to forward to a private address we provide (new conversation alerts, review notifications, order confirmations)
- This forwarding is fully optional and entirely controlled by you in your own Etsy email settings
Service usage data
- Server logs (IP address, browser type, pages visited, request timestamps)
- Aggregated, anonymized usage analytics
- Error reports if a feature crashes
We do not collect: your Etsy password, your Etsy account credentials, sensitive financial information, government-issued IDs, biometric data, or any data category beyond what is described above.
3. Why we collect it
- To provide the Service: countdown timers, AI reply suggestions, review surfacing, listing monitoring
- To send you the notifications you have asked us to send (deadline reminders, review alerts)
- To bill you for paid plans, if applicable
- To improve the Service via aggregated, anonymized analytics
- To respond to your support requests
- To meet our legal obligations (e.g. tax records under Ukrainian law)
- To detect and prevent fraud, abuse, and security incidents
We will never use your data to train AI models for other sellers, never sell or rent your data to third parties, and never aggregate or compare your data with other sellers' performance.
4. Legal bases (GDPR)
For users in the European Economic Area, United Kingdom, and Switzerland, we rely on:
- Performance of a contract — to provide you the Service you signed up for
- Legitimate interest — to keep the Service secure, prevent fraud, and improve our product (we balance this against your rights)
- Consent — for optional marketing emails, optional analytics, and any non-essential cookies (you can withdraw consent at any time)
- Legal obligation — to comply with tax, accounting, and other legal requirements
5. Who we share data with (sub-processors)
We use a small number of trusted service providers to operate the Service. Each is bound by a data processing agreement and processes data only on our instructions:
| Provider | Purpose | Location |
|---|---|---|
| Vercel Inc. | Website hosting, edge delivery | USA / global edge |
| Supabase Inc. | Database, authentication | EU (Frankfurt) / USA |
| Anthropic, PBC | AI reply drafting (with zero-retention) | USA |
| Postmark (ActiveCampaign) | Transactional email + inbound parsing | USA |
| Stripe / LemonSqueezy | Billing and payment processing | USA / EU |
| Sentry / BetterStack | Error monitoring, uptime checks | USA / EU |
We update this list when we add or remove a sub-processor. Material changes are announced by email at least 30 days before they take effect for paid customers. We do not share your data with anyone else unless required by law (e.g. court order, lawful government request).
6. How long we keep data
- Etsy shop data & messages: for as long as your account is active, plus 30 days after cancellation, after which it is permanently deleted
- Account data & billing records: retained for up to 7 years after account closure to comply with Ukrainian tax law and financial obligations
- Server logs: 30 days, then deleted or fully anonymized
- Aggregated, anonymized analytics: may be kept indefinitely (cannot identify you)
- Marketing email subscribers (if applicable): until you unsubscribe
You can request earlier deletion at any time (see Section 8).
7. International transfers
Some of our sub-processors are located outside the European Economic Area, including in the United States. When we transfer your data internationally, we rely on:
- The European Commission's Standard Contractual Clauses (SCCs)
- The EU-U.S. Data Privacy Framework where applicable
- Additional contractual and technical safeguards (encryption at rest and in transit)
8. Your rights
You have the following rights with respect to your personal data:
- Access: obtain a copy of the personal data we hold about you
- Correction: ask us to fix inaccurate or incomplete data
- Deletion: request that we erase your data (subject to legal retention obligations)
- Portability: receive your data in a structured, machine-readable format
- Restriction: ask us to limit how we use your data
- Objection: object to processing based on legitimate interest, or to direct marketing
- Withdraw consent: at any time, where we rely on consent
- Lodge a complaint with a supervisory authority (in Ukraine, the Ukrainian Parliament Commissioner for Human Rights; in the EU, your local Data Protection Authority)
To exercise any of these rights, email hello@goldshield.app. We respond within 30 days. We will not discriminate against you for exercising any of these rights.
You can also revoke our access to your Etsy shop at any time directly in your Etsy account settings; this immediately stops new data collection.
9. Security
- All data in transit is encrypted via TLS 1.2+
- All data at rest is encrypted with AES-256
- OAuth tokens are stored in an encrypted secrets vault
- Access to production systems is limited to authorized personnel and protected by 2FA
- We log access to personal data and review logs regularly
- We perform automated dependency scanning to catch known vulnerabilities
No system is perfectly secure. If we ever discover a personal data breach affecting you, we will notify you and the relevant supervisory authority within 72 hours, as required by GDPR Articles 33–34.
10. Cookies and analytics
We use a minimal set of cookies, all strictly necessary for the Service to work (authentication session, CSRF protection). We do not use advertising cookies, tracking pixels from ad networks, or third-party retargeting.
We may use privacy-respecting analytics (e.g. Plausible, Vercel Analytics) that do not collect personally identifiable information and do not require cookie banners under EU law. If we change this, we will update this Policy and ask for consent where required.
11. Children
Gold Shield is intended for use by adult Etsy sellers. We do not knowingly collect data from children under 16. If you believe we have collected such data, contact us immediately and we will delete it.
12. Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the latest revision. For material changes, we will notify active users by email at least 30 days before the changes take effect, and you may close your account if you disagree.
13. Contact
For any privacy questions, requests, or concerns, contact us at:
Email: hello@goldshield.app
Operator: SubLuna (independent product, based in Ukraine)
If you are in the EEA/UK and we cannot resolve your concern, you may also lodge a complaint with your local data protection authority.
This Privacy Policy is provided for transparency. It is not a substitute for legal advice; if you have specific questions about your rights, please consult an attorney qualified in your jurisdiction.