Privacy Policy
Last updated: May 2026
This Privacy Policy explains how Flipr ("we", "us", "our") collects, uses, and protects information when you use the Flipr Chrome extension and associated services at getflipr.co.uk.
Flipr is an independent tool and is not affiliated with, endorsed by, or connected to Vinted UAB.
1. Who We Are
Flipr is a Chrome extension and cloud service that helps Vinted resellers track their profits, sales, and purchases. Our backend service is operated at flipr-backend-production.up.railway.app and hosted by Railway.
For data protection enquiries, contact us at hello@getflipr.co.uk.
2. What Data We Collect
| Data | Why we collect it | Where it's stored |
|---|---|---|
| Email address | Account creation, login, and transactional emails | Our server (Railway) |
| Password (bcrypt hash) | Authentication. We never store your plaintext password. | Our server (Railway) |
| Stripe customer ID & subscription status | Billing and access control | Our server (Railway) & Stripe |
| Cost basis and notes per item | Synced to our server so your data survives reinstall | Our server (Railway) |
| Vinted sale, purchase & listing data | Fetched from Vinted's API on your behalf to power the dashboard | Your browser only (chrome.storage.local) |
| Password reset tokens | Time-limited (1 hour), single-use, then marked used | Our server (Railway) |
We do not collect your Vinted password. The Vinted auth token captured by the extension is stored only in your browser's local storage and is used solely to make API calls to Vinted on your behalf. It is never sent to our servers.
3. How We Use Your Data
- To authenticate you and maintain your Flipr account
- To manage your subscription and process payments via Stripe
- To sync your cost basis data between devices so it's never lost
- To send transactional emails (welcome, password reset, subscription confirmation) via Brevo. We do not send marketing emails.
4. Data Sharing
We do not sell, rent, or share your personal data with third parties, except:
- Stripe — for payment processing. Stripe's own privacy policy applies to payment data.
- Brevo — for transactional email delivery only.
- Railway — our hosting provider. Your data is stored on Railway's infrastructure in the EU/US.
We will never sell your data to advertisers or data brokers.
5. Chrome Extension Permissions
| Permission | Why it's needed |
|---|---|
| storage | Stores your sales, purchases, listings and settings locally in your browser |
| alarms | Schedules periodic background sync so your data stays up to date |
| cookies | Reads your Vinted session cookie to authenticate API calls to Vinted on your behalf |
| tabs | Opens the dashboard and Stripe checkout in a new tab |
| activeTab | Detects when you're on a Vinted page to enable sync |
| Host access to vinted.co.uk, .com, .fr, .de | To sync your Vinted sales and purchases from Vinted's API |
| Host access to flipr-backend-production.up.railway.app | To communicate with the Flipr backend for account and cost data |
6. Data Retention
Your account data is retained for as long as your account exists. Cost data, email address, and account details are deleted when you request account deletion. You can request deletion at any time by emailing hello@getflipr.co.uk.
Vinted data (sales, purchases, listings) is stored only in your browser's local storage and is cleared when you clear your browser data or uninstall the extension.
7. Your Rights
If you are in the UK or EU, you have the following rights under UK GDPR / GDPR:
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — request correction of inaccurate data
- Right to erasure — request deletion of your personal data
- Right to data portability — request your data in a machine-readable format
- Right to object — object to our processing of your personal data
To exercise any of these rights, contact us at hello@getflipr.co.uk.
8. Security
- Passwords are hashed using bcrypt (cost factor 10) — never stored in plaintext
- All API traffic is encrypted via HTTPS
- JWT authentication tokens expire after 30 days
- Rate limiting is applied to all authentication endpoints to prevent brute force attacks
- Password reset tokens expire after 1 hour and are single-use only
9. Cookies
Our website (getflipr.co.uk) does not use tracking cookies or analytics. We do not use Google Analytics or any third-party tracking tools. The only cookies used are essential session cookies if you are logged into your Flipr account.
10. Children
Flipr is not intended for use by anyone under the age of 13. We do not knowingly collect personal data from children. If you believe a child has provided us with their data, please contact us and we will delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by email or by posting a notice on this page. The "last updated" date at the top of this page reflects when changes were last made.
12. Contact
If you have any questions about this Privacy Policy or how we handle your data, contact us at hello@getflipr.co.uk.