Privacy Policy
This policy informs you about the nature, scope and purpose of processing personal data by E.A.S.Y. — including the website easylisting.io, the web application app.easylisting.io, and the app easylisting.
1. Data controller
Robby Stude, Pfortenteich 6, 99974 Mühlhausen, Germany
Email: easy@easylisting.io
2. General notes
We take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with statutory data protection regulations (GDPR, BDSG) and this privacy policy.
3. Server log files
When you visit our website, the browser on your device automatically sends information to the server. This information is temporarily stored in a log file:
- IP address of the requesting computer
- Date and time of the request
- Name and URL of the requested file
- Referrer URL
- Browser and operating system
Legal basis: Art. 6 (1) lit. f GDPR (legitimate interest in stable delivery and security).
4. Contact form & demo booking
When you contact us via the demo form, your information (name, email, company, message) is stored for processing the request. Legal basis: Art. 6 (1) lit. b GDPR (pre-contractual measures) or Art. 6 (1) lit. a GDPR (consent).
5. Cookies & Consent Mode
This website uses two categories of cookies:
- Strictly necessary cookies (always on) - language pick, theme mode, cart state, and the consent decision itself. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operability).
- Statistics / analytics cookies (only with consent) - Google Analytics 4 for anonymized reach measurement. Legal basis: Art. 6(1)(a) GDPR (consent via cookie banner).
We implement Google Consent Mode v2: as long as no consent is given, no analytics data is sent. Only after you explicitly click "Accept all" will data be transmitted to Google Analytics. Your decision is stored in your browser (localStorage).
You can change or revoke your consent any time via Cookie settings.
6. Third-party services
- Google Analytics 4 (consent-gated) - Provider: Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland. We use property G-FMPLT1X28L with IP anonymization enabled. Transfer to Google servers in the US relies on EU Standard Contractual Clauses. Privacy: policies.google.com/privacy.
- Google Ads & Google Ads API (in customer app, voluntary connection) - Provider: Google Ireland Ltd. When you connect your Google Ads account in the customer application, we transmit your OAuth refresh token to Google for authentication and access your campaign, keyword and performance data in read (and, depending on the tier you choose, write) mode. Data is processed exclusively for the optimization of your own ad account, never shared with third parties and never mixed between E.A.S.Y. customers. Refresh tokens are stored end-to-end encrypted in our database. You can disconnect at any time via the Connection Hub; your token is then immediately revoked at Google. Legal basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(a) GDPR (consent at OAuth connect). Google Ads API Terms of Service: developers.google.com/google-ads/api/docs/usage. easy.ads' use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
- Google Merchant Center & Content API for Shopping (in customer app, voluntary connection) - Provider: Google Ireland Ltd. We read your product feed only (title, price, availability, image, brand, GTIN, target country, language) and product status (approvals, warnings, disapprovals). We do not write any changes to Merchant Center. The data is used solely to detect and reduce ad spend on out-of-stock or disapproved items in our audit reports. Retention: once-daily sync, locally in your tenant in Frankfurt. On disconnect, data is deleted automatically within 30 days. Legal basis: Art. 6(1)(b) GDPR and Art. 6(1)(a) GDPR. Google API Services User Data Policy (Limited Use) applies analogously to the Ads API block above.
- Google Fonts - fonts loaded via Google servers. Provider: Google Ireland Ltd.
- Stripe - payment processing. Provider: Stripe Payments Europe Ltd.
- Resend - transactional email delivery. Provider: Resend Inc., USA. Standard Contractual Clauses + DPA.
- Hetzner - hosting in Falkenstein/Nuremberg, Germany. Provider: Hetzner Online GmbH. Privacy: hetzner.com/legal/privacy-policy.
- TikTok / TikTok for Business / TikTok Shop (in customer app easylisting and app.easylisting.io, voluntary connection) — Provider: TikTok Technology Ltd. (EU/EEA) and TikTok Inc. (USA). When you connect your TikTok Shop channel in the app easylisting or at app.easylisting.io, we transmit authentication credentials (OAuth token) to TikTok in order to read your listing data (product titles, descriptions, images, prices, inventory) and write back optimized versions. Data is processed solely to optimize your own TikTok Shop, and is never shared between E.A.S.Y. customers. OAuth tokens are stored end-to-end encrypted and can be disconnected at any time via the Connection Hub (token is immediately revoked at TikTok). For transfers to the USA, EU Standard Contractual Clauses apply. Legal basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(a) GDPR (consent at OAuth connect). TikTok Privacy Policy: tiktok.com/legal/privacy-policy.
7. Data in the customer application (app.easylisting.io)
Once you create an account on app.easylisting.io, we additionally process the following data:
7.1 Account data
- Email address, display name, encrypted password hash (bcrypt)
- Company master data for invoicing (company, address, VAT ID)
- Login history (timestamp, IP, user agent — stored for 90 days)
- Active plan, add-ons, wallet balances
Legal basis: Art. 6(1)(b) GDPR.
7.2 Shop and listing data
When you connect a connector (Shopify, eBay, Etsy, WooCommerce, JTL, Plenty, XML/CSV feed) we read your product data into our database:
- Title, description, images, price, stock, attributes, categories, GTIN/EAN
- Sales data (orders per item, time range — if the connector provides it)
- Connector credentials (stored encrypted, used only for sync)
This data is used exclusively to optimize your own shop. Aggregated, anonymized branch statistics (e.g. "top performers in outdoor use on average 6 images per listing") flow into our engine — individual product text, images, or prices are never shared between E.A.S.Y. customers.
Legal basis: Art. 6(1)(b) GDPR.
7.3 Branch check (free market analysis on the homepage)
When you use the branch check on easylisting.io, we process the URL of your shop/listing you entered and the result of the analysis. If you additionally enter your email address, we store it to send you personal feedback. Email processing is based on your explicit consent (Art. 6(1)(a) GDPR). Revocable any time at easy@easylisting.io.
8. AI processing (LLM, image and video generation)
For listing and easy.ads asset optimization we use external AI providers:
- Anthropic (Claude — text models): Anthropic PBC, San Francisco, USA. We send your listing text, performance data and branch context to the Anthropic API to generate optimization suggestions. Contractually secured data processing agreement (DPA) incl. Standard Contractual Clauses. Anthropic does not retain API requests for training purposes (Zero-Retention mode for business customers). Privacy: anthropic.com/legal/privacy.
- Black Forest Labs (FLUX — image generation): Black Forest Labs GmbH, Freiburg (DE). EU hosting available, contractually secured. Prompts and generated images are not used for training.
- Runway (Gen-4 — video generation) or Google Veo: Runway AI Inc. (USA) or Google LLC (USA). Contractual data processing, US transfer on the basis of EU Standard Contractual Clauses.
- ElevenLabs (voice-over for videos): ElevenLabs Inc., USA. DPA + SCC in place.
The choice of AI provider depends on the asset type and plan. You can see in your account settings which provider was used per asset (column "Model" in the asset library).
Legal basis: Art. 6(1)(b) GDPR; for transfers to third countries Art. 46(2)(c) GDPR (Standard Contractual Clauses).
9. Data processing & sub-processors
If you use easy.ads or easy.listing commercially, a data processing agreement (DPA) applies between you and us. We use the following sub-processors:
- Hetzner Online GmbH (hosting, DE) — Falkenstein / Nuremberg
- Anthropic PBC (AI text models) — USA, SCC + Zero-Retention
- Black Forest Labs GmbH (AI image generation) — DE
- Runway AI Inc. / Google LLC (AI video generation) — USA, SCC
- ElevenLabs Inc. (voice-over) — USA, SCC
- Stripe Payments Europe Ltd. (payment processing) — IE
- Resend Inc. (transactional email) — USA, SCC
- Google Ireland Ltd. (Ads API + Merchant Center API + Analytics — only when connection activated / consent given) — IE
- TikTok Technology Ltd. / TikTok Inc. (TikTok Shop API — only when connection activated) — IE/USA, SCC
The full DPA incl. current sub-processor list is available on request: easy@easylisting.io.
10. Retention
- Server log files: 14 days
- Demo/contact requests: deleted after completion, unless statutory retention applies
- Account data: for the duration of the contract + 10 years (HGB §257) for invoice-relevant data
- Listing and performance data: during active connection; on connector disconnect, deleted within 30 days (hard delete incl. backups within 90 days)
- AI-generated assets: permanent in your library; unused > 60 days, automatic cleanup (see account settings)
- Branch check URLs: 12 months for statistical analysis, then anonymized
- Branch check emails (with consent): until revocation, max 24 months
11. Security measures
- TLS encryption (HTTPS) for all web traffic
- OAuth refresh tokens and connector credentials encrypted with AES-256-GCM in the database; master key kept outside the database
- Passwords stored only as bcrypt hash, never in clear text
- Daily encrypted backups, retained 30 days
- Multi-tenant isolation: each tenant has its own tenant ID, all DB queries are tenant-filtered
- Audit log of all AI write operations (table ads_apply_jobs) — per action timestamp, trigger, result
12. Your rights
You have the right at any time to access (Art. 15 GDPR), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20) and to object (Art. 21) to the processing of your data. Consents you have given can be revoked at any time with effect for the future (Art. 7(3) GDPR). Contact easy@easylisting.io — we respond within 14 days.
13. Data deletion & account closure
You can close your E.A.S.Y. account at any time yourself:
- Disconnect connectors: app.easylisting.io/connections/ — immediately ends read access to your shop
- Disconnect Google: same page, revokes the OAuth token at Google
- Full account deletion: email easy@easylisting.io with subject "Account deletion"
After account deletion, all personal data is removed from active systems within 7 days. Invoice-relevant data is kept in a separate, access-restricted archive for the statutory retention period (10 years, HGB).
14. Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with a data protection supervisory authority — competent for us is the Thüringer Landesbeauftragte für den Datenschutz und die Informationsfreiheit, Häßlerstraße 8, 99096 Erfurt, Germany, www.tlfdi.de.
15. Changes to this privacy policy
We reserve the right to adjust this privacy policy so that it always meets current legal requirements or to reflect changes in our services. A material change will be announced to you by email to the address stored in your account at least 30 days before taking effect. The current version is always available here.