Privacy Policy
Last updated: May 2026
This Privacy Policy explains what personal data Spylist collects, why we collect it, how we use it, and the rights you have. We respect your privacy and only collect what we genuinely need to run the Service.
This policy applies to the Spylist website (spyli.st), web app, and related services. It is written to comply with the Swiss Federal Act on Data Protection (revFADP) and, where applicable, the EU General Data Protection Regulation (GDPR).
1. Who We Are (Data Controller)
Pavlovic Media, Dimitrije Pavlovic
Im Bruggrain 1
4147 Aesch, Switzerland
support@spyli.st
We are not required to appoint a Data Protection Officer. For any privacy-related question, write to support@spyli.st.
2. What We Collect and Why
Account data
- Email address — to create your account, log you in, and send essential service emails.
- Name — to personalize the Service.
- Password (hashed) — we never store your plain-text password. We use scrypt key derivation with a random salt.
Usage data
- Spy history — the Etsy shop URLs you research, stored so you can revisit results and we can enforce your plan quota.
- Session cookie — one HTTP-only cookie containing a signed session token to keep you logged in.
- Server logs — standard web logs (IP address, user agent, timestamps) used for security, abuse prevention, and debugging. Retained up to 30 days.
Billing data
- Payment details — collected and stored by Polar, our payment processor. We never see or store your full card number. We receive only metadata: subscription status, plan, billing email, country, and invoice IDs.
What we do NOT collect
- We do not run third-party advertising trackers.
- We do not run analytics by default.
- We do not sell or rent your data to anyone, ever.
3. Legal Bases for Processing (GDPR)
For users in the EU/EEA we rely on:
- Contract (Art. 6(1)(b) GDPR) — for processing needed to provide the Service: account, spy history, billing.
- Legitimate interest (Art. 6(1)(f) GDPR) — for security logs, abuse prevention, and product improvement.
- Legal obligation (Art. 6(1)(c) GDPR) — for retaining tax/billing records as required by law.
- Consent (Art. 6(1)(a) GDPR) — only where explicitly requested (e.g. optional marketing emails, if introduced).
4. Sub-Processors
We use the following service providers to run Spylist. Each is contractually bound to protect your data and process it only for our documented purposes:
| Provider | Purpose | Location |
|---|---|---|
| Vercel | Hosting, web infrastructure | USA / EU |
| Neon | Postgres database (account, spy history) | EU |
| Apify | Public Etsy data scraping. No personal data of yours is sent; only the Etsy shop URL you submit. | EU / USA |
| Polar | Payment processing (Merchant of Record). Collects and remits applicable taxes including EU VAT. | USA |
| Google | OAuth sign-in, only if you choose to log in with Google. We receive your email and name from Google. | USA |
For transfers to providers outside Switzerland or the EU, we rely on EU Standard Contractual Clauses (or equivalent Swiss-recognized safeguards) and where available the EU-US Data Privacy Framework.
5. Data Retention
- Account data — kept for as long as you have an active account.
- Spy history — kept while your account is active and for the historical-data window your plan provides (30/90/365 days). Older snapshots may be deleted automatically.
- Billing records — retained for up to 10 years after the relevant billing year, as required by Swiss tax law.
- Server logs — up to 30 days unless tied to a security incident.
- After account deletion — we delete or anonymize personal data within 30 days, except billing records (see above) or data we are legally required to retain.
6. Cookies
We use one essential cookie:
- spylist_session — HTTP-only, signed session token. Required to keep you logged in. Lifetime: 30 days. No consent required as it is strictly necessary for the Service.
We do not use marketing or tracking cookies. If we ever introduce analytics, we will request your consent first.
7. Your Rights
Under the Swiss FADP and (where applicable) the GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Deletion — ask us to delete your data, subject to legal retention obligations.
- Portability — receive your data in a machine-readable format.
- Restriction or objection — limit or object to certain processing based on legitimate interest.
- Withdraw consent — where processing is based on your consent, you can withdraw it at any time.
To exercise any of these rights, email support@spyli.st. We respond within 30 days.
If you believe we are not handling your data properly, you can lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC), or with your local EU data-protection authority.
8. Security
We protect your data with industry-standard practices: HTTPS, hashed passwords (scrypt with random salt), HTTP-only signed session cookies, principle-of-least-privilege access to production systems, and regular dependency updates. No system is perfectly secure — if you suspect a breach affects you, contact us immediately.
9. Children
Spylist is not directed to children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us their data, contact us and we will delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top reflects the latest revision. Material changes will be communicated via email or in-app notice.
11. Contact
Privacy questions or requests: support@spyli.st
