Legal
Privacy Policy
Last updated: 29 June 2026 · Effective: 29 June 2026
Controller: Revaleur, Kleine Melanen 5, 4614RG Bergen op Zoom, the Netherlands · KVK 86792423 · VAT NL004117227B97 · info@revaleur.com
1. Who we are
CrossList EU is a product of Revaleur, a company registered in the Netherlands (KVK 86792423). We provide a Chrome extension and web application that allows users to cross-list second-hand items on European marketplaces including Marktplaats, 2dehands, Vinted and Shopify.
Questions about this policy? Contact us at info@revaleur.com.
2. What data we collect
We collect the following categories of personal data:
- Account data: email address and password (hashed) when you create an account via Supabase Auth.
- Billing data: payment method details are processed directly by Stripe. We store only your Stripe customer ID and subscription status — we never see or store your full card number.
- Listing data: item titles, descriptions, photos, prices and other product information you enter to crosslist.
- Platform session data: session cookies for connected marketplaces (Marktplaats, 2dehands, Vinted, Shopify) are stored locally in your Chrome extension and are never transmitted to our servers in readable form.
- Usage data: server access logs (IP address, browser type, pages visited, timestamps) for security and debugging.
3. Why we process your data (legal basis)
- Performance of a contract (Art. 6(1)(b) GDPR): to provide the CrossList EU service — creating your account, processing crosslisting jobs, managing your subscription.
- Legitimate interests (Art. 6(1)(f) GDPR): security monitoring, fraud prevention, and service improvement.
- Legal obligation (Art. 6(1)(c) GDPR): to comply with Dutch and EU legal requirements, including invoice retention for tax purposes.
4. How long we keep your data
- Account data: retained for as long as your account is active, and up to 30 days after deletion upon request.
- Billing / invoice records: 7 years (Dutch fiscal retention requirement).
- Server logs: maximum 90 days.
- Listing and item data: deleted within 30 days of account deletion.
5. Who we share your data with
We do not sell your personal data. We share data only with the following processors, all of whom have agreed to EU-compliant data processing agreements:
- Supabase Inc. (database and authentication) — servers in the EU (AWS eu-west-1).
- Stripe Inc. (payment processing) — Stripe is certified PCI-DSS Level 1 and compliant with EU data transfer rules.
- Railway Corp. (hosting) — our backend runs on Railway infrastructure.
When you list items on third-party platforms (Marktplaats, 2dehands, Vinted, Shopify), your listing content is transmitted to those platforms under their own terms and privacy policies.
6. International data transfers
Our primary processors (Supabase, Stripe) process data within the European Economic Area or under Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring an equivalent level of protection to that provided under GDPR.
7. Your rights under GDPR
As a data subject within the EU/EEA, you have the right to:
- Access the personal data we hold about you (Art. 15).
- Rectify inaccurate data (Art. 16).
- Erase your data ("right to be forgotten") (Art. 17).
- Restrict processing in certain circumstances (Art. 18).
- Data portability — receive your data in a machine-readable format (Art. 20).
- Object to processing based on legitimate interests (Art. 21).
- Lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.
To exercise any of these rights, email info@revaleur.com. We will respond within 30 days.
8. Cookies
The CrossList EU web app uses only functional cookies required to maintain your login session. We do not use tracking, advertising or analytics cookies. The Chrome extension stores marketplace session data in Chrome's local extension storage — this never leaves your device and is not accessible to us.
9. Security
We protect your data using industry-standard measures: HTTPS encryption for all data in transit, hashed passwords (bcrypt via Supabase Auth), and access controls limiting who within Revaleur can access production data. We perform regular security reviews.
10. Children
CrossList EU is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it promptly.
11. Changes to this policy
We may update this Privacy Policy from time to time. We will notify registered users by email for material changes. The "Last updated" date at the top of this page will always reflect the most recent version.
12. Contact
Revaleur
Kleine Melanen 5, 4614RG Bergen op Zoom, Netherlands
KVK: 86792423 · VAT: NL004117227B97
Email: info@revaleur.com