Privacy Policy
Canonical privacy policy for the Aureus service. Last updated: 23 May 2026.
1. Controller
The data controller is DIP SHORT SASU, a French simplified joint-stock company, SIREN 100154418, VAT FR43100154418, registered in France. Aureus ("the Service") is operated by DIP SHORT SASU. Contact: [email protected].
2. Data We Collect
- Account data: email address, authentication identifiers (Google / Discord OAuth tokens, Supabase auth session).
- Billing data: subscription tier, Stripe customer identifier, invoice metadata. Card details are handled exclusively by Stripe; Aureus never sees or stores them.
- Merchant content: product photos, listing titles, descriptions, prices, inventory state, and sales history that you upload or that Aureus retrieves from connected marketplaces on your behalf.
- Marketplace credentials: OAuth tokens and session credentials for the marketplaces you connect (Vinted, eBay, and others). Stored encrypted at rest, used only to operate on your behalf.
- Usage telemetry: page views, feature interactions, error reports, performance traces — collected via PostHog (EU), Sentry, and BetterStack for product analytics and reliability.
- Technical data: IP address, user-agent, timestamps, written to access logs for security and abuse prevention.
3. Purposes & Legal Bases
- Service delivery (contract, GDPR art. 6(1)(b)): authenticate you, run AI generation, publish listings, sync inventory, surface sales.
- Billing (contract): collect subscription fees via Stripe.
- Security & abuse prevention (legitimate interest, GDPR art. 6(1)(f)): rate limits, intrusion detection, audit trail.
- Product analytics & reliability (legitimate interest): understand which features are used, fix errors, monitor uptime.
- Legal obligations (GDPR art. 6(1)(c)): tax records, accounting, response to lawful requests.
4. Sub-processors
Aureus relies on the following sub-processors. Each is bound by a data processing agreement.
- Supabase (EU region) — primary database, authentication, file storage.
- DigitalOcean (EU region) — application hosting.
- Stripe — payment processing and subscription billing.
- OpenAI — AI generation for listing content (titles, descriptions, attribute extraction).
- Google (Gemini) — AI generation alternative; vision and language models.
- BetterStack — log ingestion and uptime monitoring.
- Sentry — error reporting.
- PostHog (EU region) — product analytics.
- Vinted, eBay and other marketplaces you connect — your listings and inventory are transmitted to these platforms at your direction.
5. International Transfers
Where a sub-processor operates outside the EEA (e.g. OpenAI, Stripe US entity), transfers are governed by the Standard Contractual Clauses approved by the European Commission and, where applicable, supplementary safeguards.
6. Retention
- Account & merchant content: retained for the duration of your subscription, deleted within 30 days of account closure.
- Billing records: 10 years, as required by French commercial and tax law.
- Access logs & telemetry: 90 days rolling.
- Backups: up to 30 days after deletion, then purged.
7. Your Rights
Under the GDPR you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate data.
- Erase your data ("right to be forgotten"), subject to legal retention obligations.
- Restrict or object to processing based on legitimate interest.
- Portability — receive your data in a structured, machine-readable format.
- Lodge a complaint with the French supervisory authority, CNIL (www.cnil.fr).
To exercise any of these rights, write to [email protected]. We respond within 30 days.
8. Security
Marketplace credentials are encrypted at rest. Access to production systems is restricted to authorised personnel. Authentication uses OAuth with industry-standard providers. Sensitive operations are gated by capability-based authorisation.
9. Changes
We may update this policy. Material changes will be announced in the dashboard and by email. The current version is always available at this URL.
Last updated: 23 May 2026.