Back to Home

Privacy Policy

Last updated: 21 April 2026

1. Data Controller

The data controller responsible for your personal data is:

Nova AI Ventures sp. z o.o.

ul. Jasna 26, 00-054 Warsaw, Poland

KRS 0001208266 · NIP 5253069869

Email: hello@novaai.ventures

This Privacy Policy covers the SnapSell mobile application (iOS and Android) as well as its web version at app.snap-sell.app. We process personal data in accordance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR).

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address – for account access and communications
  • First and last name – to personalise your experience
  • Profile photo (optional) – displayed on your seller profile
  • Firebase UID – a unique user identifier generated automatically for authentication
  • If you sign in with Google, Facebook or Apple: the email tied to that account and Firebase/Google/Apple ID + refresh/OAuth tokens necessary to verify your identity. We do not receive your password from these providers.

2.2 Content You Provide

When you use our services we process:

  • Product photos you upload for AI enhancement and listing generation
  • Listing content – titles, descriptions, prices, categories
  • Messages you send us through in-app support or email
  • Connected marketplace account names (OLX, Allegro, eBay) – only if you explicitly link your account

2.3 Payment Information

We process transaction metadata through our payment processors:

  • Token purchase transactions (Stripe, Apple, Google)
  • Seller payout metadata (stored at Stripe)
  • Transaction history and receipts

We never store your full credit card number. Card details are handled directly by Stripe, Apple, or Google Play.

2.4 Device and Diagnostic Data

When you use the app and website we collect:

  • Device information – device model, operating system and version, installation ID, app version, locale, region
  • Log data – IP address (truncated where possible), access times, crash stack traces (via Sentry)
  • Approximate location – country and city derived from IP address, for regional features only

2.5 Analytics, Marketing and Advertising Dataconsent required

With your consent expressed in our in-app consent sheet (shown on first launch for users in the European Economic Area and the UK) we collect:

  • Advertising identifier – IDFA (iOS) or Android Advertising ID (Android); on iOS this requires an additional approval in the system-level App Tracking Transparency prompt
  • Analytics session identifier generated by our analytics providers
  • Session Replay recordings – visual recordings of your in-app interactions with sensitive fields (prices, emails, phone numbers, payment sheets, personal photos) automatically masked. Used only for usability analysis; retained for 30 days.
  • Event data – screen views, taps on specific features, funnel step durations, purchase events, sign-up and listing submission events

2.6 Connected Platform Data

When you connect external marketplaces (OLX, Allegro, eBay) we receive the limited data you authorise: listing status, sales information, chat messages related to listings. We never receive your password for those platforms.

3. Legal Basis for Processing

Contract performance — Art. 6(1)(b) GDPR

Account management, photo enhancement, listing generation, token purchases, marketplace integrations, customer support.

Consent — Art. 6(1)(a) GDPR

Product analytics and session replay (Firebase Analytics, Amplitude), ad-effectiveness measurement (Meta App Events, Google Ads), push notifications, marketing emails. You can withdraw each consent independently in the app at any time.

Legitimate interest — Art. 6(1)(f) GDPR

Fraud prevention, security monitoring, bug reporting (Sentry), service reliability telemetry, establishment and defence of legal claims.

Legal obligation — Art. 6(1)(c) GDPR

Tax records, invoicing, compliance with court orders or regulatory requirements.

4. Consent Categories and Controls

Our in-app consent flow asks for two separate, independent consents:

Product analytics

Enables Firebase Analytics and Amplitude (including Session Replay). Used to improve the app. Never used for personalised advertising.

Ad measurement

Enables Meta App Events SDK and Google Ads conversion measurement (via Firebase ↔ Google Ads link). When denied, these tools are switched to restricted modes — Meta Limited Data Use; Google Consent Mode v2 signals set to "denied" — and no advertising identifiers (IDFA / Android Advertising ID) are collected.

Changing your choices

Go to Profile → Privacy in the app to flip either consent at any time. On the web, re-open the consent banner from the "Privacy settings" link in the footer. Withdrawing consent does not affect the lawfulness of processing based on that consent prior to withdrawal.

5. Apple App Tracking Transparency (iOS)

On iOS 14.5 and later, before any advertising-identifier-based measurement, the app shows a standard Apple tracking-permission prompt. Choosing "Ask App Not to Track" does not reduce any app functionality — the only consequence is that Meta and Google will not receive your iOS advertising identifier (IDFA) for cross-app attribution. You may change this choice at any time in iOS Settings → Privacy & Security → Tracking.

6. AI Processing of Your Photos

How we process

  • Photos are uploaded over TLS to our servers and stored in Cloudflare R2 (EU region)
  • Photos are then forwarded, as needed, to our AI inference proxy (Nova Labs LiteLLM) which routes them to the current AI model provider (currently Google — Gemini family)
  • Enhanced versions are stored for your use; original photos are retained until you delete them or your account

Not used for AI training

Your photos and listing content are not used to train or improve third-party AI models. AI providers act as our processors under Art. 28 GDPR and process your data only as instructed, for the duration of each inference call.

7. Session Replay

If you grant "Product analytics" consent, we record anonymised playbacks of your in-app sessions. Recordings capture cursor movement, clicks, screen transitions, and on-screen content — except the following fields which are automatically masked:

  • Email addresses, phone numbers, passwords
  • Payment sheets and card entry forms
  • Personal photos in the enhance preview
  • Token balance and purchase prices

Recordings are used solely for usability analysis and are automatically deleted after 30 days. Our session-replay provider (Amplitude) does not share these recordings with third parties and does not use them for advertising purposes.

8. Data Retention

We retain personal data only for as long as necessary:

Data TypeRetention Period
Account informationUntil account deletion + 30 days
Listing content and photosUntil deleted by you or account deletion
Photos forwarded to AI providerUp to 24 hours after the inference call
Transaction records5 years (tax), up to 6 years (civil claims)
Messages24 months from last message
Firebase Analytics / Amplitude event data14 months (Firebase, max permitted by GA4 Consent Mode); 12 months of inactivity (Amplitude)
Session Replay recordings30 days
Meta App Events / Google Ads conversion data90 days in Meta / Google systems, per their policies
Crash reports (Sentry)90 days
Consent records3 years after withdrawal or expiry (evidentiary purposes)
Server logs90 days

9. Third-Party Data Processors

We share data with the following processors under Art. 28 GDPR data-processing agreements. The list reflects our current production stack:

Google Ireland Limited — Firebase (Authentication, Cloud Messaging, Analytics)

Purpose: user authentication, push notifications, product analytics (GA4). Primary region: EEA. Some data may route to Google LLC (US) under the EU–US Data Privacy Framework.

Privacy: Firebase Privacy

Amplitude, Inc. — product analytics and Session Replay

Purpose: behavioural analytics of in-app interactions; session-replay recordings with PII masked. Active only with "Product analytics" consent. US-based; transfers under EU–US Data Privacy Framework + SCCs.

Privacy: Amplitude Privacy

Meta Platforms Ireland Limited — Meta App Events

Purpose: measuring effectiveness of Meta advertising campaigns on mobile. Active only with "Ad measurement" consent (and, on iOS, ATT authorisation). When denied, Meta SDK operates in Limited Data Use mode.

Privacy: Meta Privacy Policy

Google Ireland Limited — Google Ads conversion measurement

Purpose: measuring effectiveness of Google Ads campaigns. Conversions flow from GA4 to Google Ads via a linked account. Active only with "Ad measurement" consent; Consent Mode v2 signals are set to "denied" otherwise.

Privacy: Google Privacy Policy

AI model providers — via Nova Labs LiteLLM proxy

Proxy operated by Nova AI Ventures (EU-hosted). Downstream model provider: Google LLC / Google Ireland Limited (Gemini models via Google Vertex AI). Photos and listing content are not used to train or improve AI models. Providers process data only as instructed, for each inference call.

Functional Software, Inc. (Sentry) — crash monitoring

Purpose: crash stack traces, performance traces, analytics- event breadcrumbs (name only, no values). EU data residency used where available.

Privacy: Sentry Privacy

Cloudflare, Inc. — object storage (Cloudflare R2)

Purpose: storing listing photos. Files stored in the EU region. Certified under the EU–US Data Privacy Framework.

Payments — Stripe, Apple, Google Play

Stripe Payments Europe, Ltd. (web), Apple Inc. (iOS in-app purchases), Google LLC (Google Play Billing). We receive transaction metadata only — never full card data.

Resend, Inc. — transactional email

Purpose: account verification, password resets, receipts, notifications. EU region where available.

Railway Corp. — application hosting

Purpose: hosting our API and worker services. Data limited to server logs and environment configuration.

External marketplaces (optional)

OLX Group (Poland), Allegro.pl sp. z o.o. (Poland), eBay Inc. (US). Only if you connect your account. Data shared only as necessary for listing creation, management, and messaging.

We do not sell your personal data. We do not share your data for third-party personalised advertising outside the scope of the "Ad measurement" consent (Meta App Events and Google Ads), which you can withdraw at any time.

10. International Data Transfers

Where data is transferred outside the European Economic Area we rely on the following safeguards under GDPR:

  • EU–US Data Privacy Framework for certified US providers (Amplitude, Stripe, Sentry, Cloudflare, Google LLC, Meta Platforms, Resend)
  • Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) as a backstop
  • Additional technical and organisational measures including encryption in transit and at rest, minimisation, pseudonymisation, access control

11. Your Rights Under GDPR

Right of access

Receive a copy of the personal data we hold about you.

Right to rectification

Request correction of inaccurate or incomplete data.

Right to erasure ("right to be forgotten")

Request deletion of your data. Some data must be retained to meet legal obligations (e.g. tax records).

Right to restrict processing

Request that we limit how your data is used.

Right to data portability

Receive your data in a machine-readable format (JSON).

Right to object

Object to processing based on legitimate interests or to direct marketing.

Right to withdraw consent

Withdraw any consent at any time for consent-based processing.

Right not to be subject to automated decision-making

We do not make automated decisions that produce legal effects concerning you solely by automated means.

How to exercise your rights

Email hello@novaai.ventures with the subject "Privacy request", or use the Privacy controls in Profile → Privacy. We respond within 30 days (up to 60 for complex requests, with notice).

12. Data Security

  • HTTPS (TLS 1.3) for all data in transit
  • Encryption at rest for databases and object storage
  • Least-privilege access controls on cloud infrastructure
  • Regular security reviews, dependency scanning (Trivy), and vulnerability patching
  • Two-factor authentication mandatory for Nova AI Ventures staff
  • Audit logging and alerting on anomalous sign-in activity
  • Secure data-deletion procedures
  • Confidentiality agreements with all employees and contractors

If a security incident occurs that is likely to result in a high risk to your rights and freedoms, we will notify you within 72 hours of becoming aware of it, as required by Art. 34 GDPR.

13. Supervisory Authority

You have the right to lodge a complaint with a data-protection supervisory authority:

President of the Personal Data Protection Office (UODO)

ul. Stawki 2, 00-193 Warsaw, Poland

Website: uodo.gov.pl

You may also contact the data-protection authority in your country of residence, place of work, or place of the alleged infringement.

14. Children's Privacy

SnapSell is not intended for users under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at hello@novaai.ventures and we will delete it immediately.

15. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes — for example the addition of a new processor or a new purpose of processing — will be communicated via an in-app banner or email at least 14 days before they take effect. The "Last updated" date at the top indicates when the policy was last revised. Please review this policy periodically.

16. Contact Us

Nova AI Ventures sp. z o.o.

ul. Jasna 26, 00-054 Warsaw, Poland

Privacy inquiries: hello@novaai.ventures

General support: help@snapsell.app