Privacy Policy

Dcrayons eBay Manager (the "Service", "we", "our") is a seller-side tool that connects to eBay's Sell APIs on behalf of authorised eBay sellers to help them manage listings, inventory, orders, and Promoted Listings advertising campaigns. This page explains what information we collect, how we use it, and how we protect it.

1. Who we are

The Service is operated by Dcrayons. We can be reached at admin@dcrayons.app or via our main site at dcrayons.app.

2. What data we collect

We collect only the minimum data needed to operate the Service:

• Local account data — your name, email address, and a hashed (irreversibly encrypted) password for signing into the Service.
• eBay OAuth tokens — after you authorise the Service to act on your eBay seller account, we receive and store an access token and a refresh token issued by eBay. Both tokens are encrypted at rest inside our PostgreSQL database using AES-256 via Laravel's application-level encryption, and they never leave our server.
• eBay seller metadata — your eBay username, user ID, the marketplaces you have selected to operate on (e.g. EBAY_US, EBAY_GB), and the scopes you granted during OAuth consent.
• Business data synced from eBay — SKUs, inventory items, offers, listings, Promoted Listings campaigns, and aggregated performance metrics. This data belongs to you (the seller) and is synced solely so that the Service can display it and let you act on it.
• API logs — each HTTPS request the Service makes to eBay is logged (endpoint, method, response status, duration, truncated body). Authorization headers are always redacted before storage.
• Session data — standard HTTP session cookies issued by Laravel so that you remain logged in. No third-party tracking cookies are used.

3. What we do NOT collect

• We do not collect or store payment information, credit card details, or bank details — eBay handles all buyer and seller financial transactions directly on its own platform.
• We do not run analytics trackers (Google Analytics, Facebook Pixel, etc.) on this domain.
• We do not sell, rent, or share any personal data with advertisers or data brokers.

4. How we use your data

Your data is used exclusively to:

• Authenticate you as a user of the Service.
• Make eBay API calls on your behalf, using the OAuth tokens you granted, strictly within the scopes you consented to during OAuth.
• Display your listings, offers, orders, and campaign performance to you inside the Service's dashboard.
• Send you in-app alerts about sync failures, token refresh failures, or performance anomalies.

We never use your data for advertising, marketing, or any purpose other than operating the Service for you.

5. Data sharing

We share data only with:

• eBay — our API calls to eBay necessarily include your OAuth token and whatever payload you asked us to submit (e.g. a new listing). This is the entire point of the Service.
• Our hosting provider (Amazon Web Services) — the Service runs on an AWS Lightsail instance in the ap-south-1 (Mumbai) region. AWS acts as a data processor; we do not grant AWS any right to inspect or use your data.

We do not share your data with any other third party. We do not sell data under any circumstances.

6. Data storage and security

• All traffic to and from the Service is encrypted in transit via TLS (HTTPS) using a certificate issued by Let's Encrypt.
• Your eBay OAuth access token and refresh token are encrypted at rest using Laravel's encrypt() / decrypt() helpers (AES-256-CBC with HMAC-SHA256) before being written to PostgreSQL.
• The database and application run on the same server, so no credentials travel across the network in cleartext.
• Your local account password is hashed with bcrypt and is never stored in reversible form.
• Access to the server is limited to authorised Dcrayons operators via SSH key authentication.

7. eBay Marketplace Account Deletion

We comply with eBay's Marketplace Account Deletion / Closure Notification Workflow. We expose a public webhook at https://ebay.dcrayons.app/ebay/notifications. When eBay sends us a notification that an eBay user has deleted or closed their account, we:

1. Verify the notification is legitimate (signature check).
2. Locate any records in our database matching that eBay user ID or username.
3. Immediately revoke stored OAuth tokens and anonymise or delete the user's personal identifiers (username, user ID, eiasToken).
4. Record the processed event in an audit log for eBay's verification.

Our endpoint is validated by eBay against the exact URL above and responds to the challenge handshake with a SHA-256 hash of challenge_code + verification_token + endpoint_url, per the eBay developer specification.

8. Your rights

You have the right to:

• Access — request a copy of the data we hold about you.
• Correct — update inaccurate data via the in-app profile page, or by contacting us.
• Delete — request that we delete your local account and all associated data. Upon deletion, your eBay OAuth tokens are revoked and your personal identifiers are purged.
• Disconnect — at any time, you can disconnect an eBay account from the Service via the dashboard. Disconnection immediately marks the OAuth tokens as revoked and stops all further API calls on your behalf.

To exercise any of these rights, contact admin@dcrayons.app.

9. Data retention

We retain your data for as long as your local account is active. When you delete your account (or your eBay user account is deleted via the Marketplace Account Deletion flow), we purge your personal identifiers and encrypted tokens within 30 days. We may retain aggregated, non-identifying usage counters for system-health purposes.

10. Children

The Service is intended for eBay sellers who must be at least 18 years old. We do not knowingly collect data from anyone under 18.

11. International transfers

Our server is located in India (AWS ap-south-1, Mumbai). By using the Service, you acknowledge that your data will be processed in India.

12. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top of this page will reflect the most recent revision. Material changes will be announced in-app.

13. Contact

Questions or concerns? Email admin@dcrayons.app or visit our contact page.