Privacy policy
Last updated: May 20, 2026. Effective immediately.
The free pre-flight collects no personal data: no email, no signup, no login. We never train AI on your listing. Optional paid extras (a full audit upgrade, a downloadable cheat-sheet PDF) are handled by third-party Merchant-of-Record platforms (Polar and Lemon Squeezy), which see only the buyer details a payment processor needs. We do not see your card details and we do not store your buyer email on our side.
What we ask you to provide
A public marketplace listing URL (for example a public Etsy listing page). That is the only input. We do not ask for your name, email, account credentials, address, payment details, or anything else.
What we actually store
- A one-way SHA-256 hash of the listing ID, the heuristic letter grade, and the timestamp. This is anonymous and cannot be reversed back into the URL.
- Per-day counts of how many times each rule fired (no per-listing detail).
- An anonymous record if you click one of the "would this be useful" buttons after seeing your result, mapped only to the hashed audit ID.
- An anonymous record if you click "Yes" or "No" on the "was this useful" prompt, mapped only to the hashed audit ID.
- A 24-hour cache of the result so re-running the same URL is instant. After 24 hours the cache entry is auto-deleted.
We do not store your IP, your User-Agent, your referrer, the listing title, the listing description, the listing photos, the listing tags, your shop name, your account, or any cookie or identifier that could link separate visits together.
What happens when you paste a URL
Our Cloudflare Worker fetches the public listing page on your behalf in one of two ways:
- A direct HTTPS GET of the public listing page, identifying itself with a public User-Agent.
- Or, where we have access to richer structured data, a call to the third-party service Apify, which fetches the same public page and returns parsed fields (title, materials, tags, photo URLs, shop metadata) we then score against our rule pack.
Either path reads only the public listing page. We never log into any marketplace account on your behalf, we never see private data, and we never edit anything on your listing.
Sub-processors
| Service | What it does | What it sees |
|---|---|---|
| Cloudflare | Hosting, Workers, KV, D1 | Public listing URL, hashed audit metadata |
| Apify | Public-page structured fetcher (used by Stallscore as a server-side helper) | The public listing URL only |
| Polar (Merchant of Record) | Optional paid Full Report upgrade checkout, VAT handling, receipts | Buyer-provided name, email, billing country, card details (Polar only, never us) |
| Lemon Squeezy (Merchant of Record) | Optional Compliance Cheat Sheet PDF checkout, VAT handling, receipts and download delivery | Buyer-provided name, email, billing country, card details (Lemon Squeezy only, never us) |
Optional paid extras
If you buy the Full Report upgrade or the Compliance Cheat Sheet PDF, the Merchant of Record (Polar or Lemon Squeezy) collects the standard payment information they need to process the sale and remit VAT. They are the seller of record to you; their terms and privacy policy govern that transaction. We receive only an anonymous webhook event tying your purchase to the specific audit ID you were viewing (Full Report) or no Stallscore-side data at all (Cheat Sheet PDF, since Lemon Squeezy delivers the file directly). We never see your card number.
What we do not do
- We do not collect or store email addresses for marketing. There is no email list.
- We do not run analytics, advertising, or tracking pixels.
- We do not place tracking cookies. We do not set first-party cookies for identification.
- We do not sell any data to, or share any data with, any third party for marketing.
- We do not use listing content to train AI models.
- We never see your card details. Payment data lives with the Merchant of Record.
- We do not connect to your Etsy, Shopify, eBay, or any other marketplace account.
GDPR posture
Because the inputs we accept and the records we keep do not identify any natural person, almost none of GDPR applies. We document this analysis under the occasional, low-risk processing exception. If you believe a specific audit you ran is somehow linkable to you and want it removed, contact us with the hashed audit ID shown beside your "was this useful" prompt and we will clear the corresponding rows within 30 days.
Data controller
The data controller for Stallscore is Povilas Konopackas, a sole trader based in Lithuania, EU. Contact: povkonop@gmail.com.
Changes to this policy
If the data we touch ever changes (for example if we decide to take payments or accept an email, which is not on the roadmap today), we will update this page first and only then change the product. The "last updated" date above will reflect the change.
Contact
For questions or requests, email povkonop@gmail.com.