§1 Controller
Villemarette Software LLC, an Oklahoma limited-liability company (“PicCull,” “we,” “our”), is the data controller for personal information processed through piccull.com and app.piccull.com. Contact us at privacy@piccull.com.
§2 What we collect
We collect only what we need to run PicCull. The categories below map to the database schema on our backend.
- Account. Email address, argon2id password hash (or absence thereof for OAuth-only accounts), display name, cached Google profile picture URL, account tier, role, enabled feature flags, the timestamp at which you accepted these Terms, and the Terms version string.
- eBay tokens. When you connect an eBay account, we receive an OAuth access token and refresh token. Both are encrypted at rest with AES-256-GCM using a versioned master key bound to your account UUID.
- Listings & batches. Photos you upload, SKU and batch metadata you enter, AI-generated and human-edited listing copy, item-specifics, pricing, condition notes.
- Issue reports. If you submit a bug report from inside the app, we collect the viewport size, console errors, the route you were on, and (only when you explicitly enable it) a snapshot of the page DOM.
- AI usage. For each AI call we record token counts, cost, prompt id, and (capped at 8 KB) the prompt text and response so we can audit costs and fix prompt regressions.
- Refresh tokens & OAuth state. Short-lived authentication artifacts (15-minute access tokens, 7-day rotating refresh tokens, 5-minute OAuth state values).
- Operational logs. Web-server access logs (IP address, user agent, request URL, response code) and application logs. We scrub credentials and authentication headers from logs.
We do not store payment card numbers, CVV codes, or full bank details. All payments are processed by Stripe, Inc. under PCI DSS Level 1.
§3 Why we collect it (lawful basis)
- Contract — to provide the service you signed up for (creating listings, publishing to eBay, processing payments).
- Legitimate interest — to keep the service secure, prevent fraud and abuse, generate aggregate (de-identified) pricing analytics, and improve our AI prompts. We balance these against your privacy rights and you can object at privacy@piccull.com.
- Consent — for non-essential cookies, marketing emails, and any analytics that go beyond strictly-necessary product telemetry.
- Legal obligation — to keep tax records (7 years), respond to lawful subpoenas, and meet anti-fraud requirements imposed by Stripe and our banking partners.
§4 Who we share data with (subprocessors)
We use a small set of third-party services to run PicCull. Each is contractually bound by a data-processing agreement and operates under standard contractual clauses where required. The full current list with regions and purposes is on our Subprocessors page. As of the effective date above it includes: OpenAI (AI inference), eBay (marketplace integration), Neon (Postgres hosting), Cloudflare (R2 storage, DNS, bot challenge), Railway (backend hosting), Vercel (frontend hosting), SoldComps.com (sold comparable data), Resend (transactional email), Stripe (payments, when activated), Google & Apple (sign-in), PostHog (product analytics, when activated), Sentry (error tracking, when activated), Namecheap / Google Workspace (domain and email), Discord (operational alerts — no customer data).
We will notify subscribed users by email at least 14 days before adding a subprocessor that processes personal data of registered users. You may object to the addition by closing your account or emailing privacy@piccull.com.
§5 Retention
We keep your data only as long as we need it for the purposes in §3, or as required by law. Specifically:
- Account row: for the life of your account. After deletion we keep an anonymized SHA-256 hash of your email indefinitely so we can detect repeat signups and defend against future disputes.
- Password hash: deleted with the account row.
- eBay OAuth tokens: encrypted and stored until you disconnect or 18 months idle. Revoked and purged at account deletion.
- Uploaded photos (R2): kept for the life of the listing plus 90 days after listing deletion, then purged. All photos are purged at account deletion.
- Listings, batches, knowledge-base entries: life of account; purged at deletion.
- Aggregate pricing data (sold-price, days-to-sell): we keep the row after deletion but null out the user reference, so the data feeds the comp engine for other users with no link back to you.
- Issue reports with optional page snapshots: 2 years, then anonymized.
- Server logs: 7–30 days (rolling) on Railway, then automatic expiry.
- Stripe customer records and invoices: 7 years (US tax retention) per IRS requirements, even after account deletion. This is the GDPR Art. 17(3)(b) legal-obligation carve-out.
- Database backups (Neon PITR): up to 7 days (Launch plan) or 30 days (Scale plan). Backups are used only for disaster recovery; if restored, deleted records are re-purged per our deletion procedure.
§6 Security
We protect your data with these technical and organizational measures (current as of the effective date):
- HTTPS / TLS 1.2+ for all traffic.
- Passwords hashed with argon2id (OWASP 2025 parameters). Legacy bcrypt hashes are transparently rehashed to argon2id on next login.
- JWT access tokens (15-minute lifetime), opaque rotating refresh tokens (7-day lifetime).
- eBay OAuth tokens encrypted at rest with AES-256-GCM, AAD-bound to the user UUID, and key-versioned for rotation.
- Per-route rate limits on authentication endpoints with a per-email credential-stuffing lockout.
- OAuth CSRF state stored in Postgres with a 5-minute TTL and atomic read-and-delete.
- Email verification required for first-time listing publish.
- Per-request log redaction strips passwords, JWTs, refresh tokens, and Stripe webhook signatures from operational logs.
- Two-factor authentication on all founder operator accounts.
We use OpenAI’s API with the default no-training-on-API-inputs setting; your photos and prompts are not used to train OpenAI models. We are pursuing zero-data-retention enrollment for our OpenAI account.
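As an added illustration of the token-at-rest scheme listed above (AES-256-GCM, AAD bound to the account UUID, key-versioned for rotation), here is a small Go implementation written for this page; it is not PicCull's own code, and the `keyring` type, the `encryptToken`/`decryptToken` functions and the blob layout are assumptions about how such a scheme can be laid out. The point it shows is that a blob sealed for one account cannot be opened under another account's UUID, and that a version prefix lets an old key keep decrypting while a new one is rolled in.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Constructed illustration of the §6 scheme, not PicCull's code: AES-256-GCM with the account
// UUID as AAD and a 2-byte key-version prefix for rotation. keyring maps version -> 32-byte key.
type keyring map[uint16][]byte
const nonceSize = 12 // standard GCM nonce length

// gcmFor returns an AES-GCM AEAD for one key version (sample keys are supplied by the caller).
func gcmFor(kr keyring, version uint16) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kr[version]) // unknown version -> nil key -> KeySizeError
	if err != nil {
		return nil, fmt.Errorf("key version %d: %w", version, err)
	}
	return cipher.NewGCM(block)
}

// encryptToken seals an OAuth token under key `version` with userUUID as AAD.
// Blob layout: [2-byte version][12-byte random nonce][ciphertext || 16-byte GCM tag].
func encryptToken(kr keyring, version uint16, userUUID string, token []byte) ([]byte, error) {
	gcm, err := gcmFor(kr, version)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil { // fresh nonce per seal; never reuse under one key
		return nil, err
	}
	blob := append([]byte{byte(version >> 8), byte(version)}, nonce...) // big-endian version prefix
	return gcm.Seal(blob, nonce, token, []byte(userUUID)), nil
}

// decryptToken selects the key from the version prefix and fails closed on AAD mismatch
// (blob sealed for another account UUID), tampering, truncation, or an unknown key version.
func decryptToken(kr keyring, userUUID string, blob []byte) ([]byte, error) {
	if len(blob) < 2+nonceSize+16 {
		return nil, fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	gcm, err := gcmFor(kr, binary.BigEndian.Uint16(blob[:2]))
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[2:2+nonceSize], blob[2+nonceSize:], []byte(userUUID))
}
```

Rotation then means adding a new version to the keyring and sealing new tokens under it; blobs carrying an older version prefix keep decrypting until they are re-encrypted or purged.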
§7 International transfers
PicCull is operated from the United States. Most of our subprocessors are US-based. Where required, transfers from the European Economic Area, the United Kingdom, or Switzerland to the United States are governed by the European Commission’s Standard Contractual Clauses (Module Two: controller-to-processor) and the UK International Data Transfer Addendum.
§8 Your rights (GDPR)
If GDPR applies to you, you have the right to: (a) access your data, (b) correct it, (c) erase it, (d) restrict our processing, (e) object to processing based on legitimate interest, (f) portability, and (g) withdraw consent at any time. Submit a request to privacy@piccull.com; we will respond within 30 days. Before completing destructive requests we verify control of the registered email via a click-confirmation link.
You also have the right to lodge a complaint with your supervisory authority (in Ireland: the Data Protection Commission; in the UK: the Information Commissioner’s Office).
§9 Your rights (California)
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) give you the right to know what categories of personal information we collect, to delete that information, to correct it, to opt out of any sale or sharing of personal information, and to non-discrimination for exercising these rights.
PicCull does not sell your personal information and does not share it for cross-context behavioral advertising. See our Do Not Sell or Share My Personal Information page for the formal disclosure.
To exercise a CCPA right, email privacy@piccull.com from your account’s registered address.
§10 Children
PicCull is not directed at children under 18 and we do not knowingly collect personal information from anyone under 18. If you believe a minor has created an account, please email privacy@piccull.com and we will delete the account, refund any payments, and notify the registered email.
§11 Cookies
See our Cookie Policy for the full list of cookies and local-storage items we set, their purposes, and how to manage consent.
§12 Changes to this Policy
We may update this Policy. For material changes we will post the updated version with a new effective date and (where we have your email) email you at least 14 days before the change takes effect.