Privacy Policy

Legal · last updated June 15, 2026

Short version: we store the bare minimum, encrypt your eBay credentials with a per-user key wrapped by AWS KMS, and never sell your data. The long version is below.

Who we are

TruffleHunt is operated by IE Mikalai Tsiareshchanka (ID No. 322781272), an individual entrepreneur registered in Georgia, at Village Varkhani, 7th Street N7, Adigeni Municipality. Email: [email protected].

Data we collect

Account email, password hash (bcrypt cost 12), display name, optional avatar, timezone, currency preference. Your encrypted eBay developer credentials (App ID, Cert ID, Dev ID). Per-hunt configuration: keywords, negative keywords, polling cadence, target prices. Tracked item history: every listing your hunts have returned, retained per your plan (7 / 90 / 365 days). Billing identifiers from Paddle (customer ID, subscription ID) — never card numbers.

How we use it

We use your data for two things: running the hunts you configured, and billing you. We don't profile, we don't ad-target, we don't enrich, and we don't sell. We send transactional email (alerts, invoices, password resets). We do not send marketing email.

BYOK credential security

Your eBay developer credentials are protected with envelope encryption: a per-user Data Encryption Key (DEK) encrypts your secrets with AES-256-GCM, and that DEK is itself wrapped by a master key held in AWS KMS. The plaintext DEK is held in worker memory only for the duration of one API call and is zeroed immediately after. Database backups never contain decryptable credentials in isolation: restoring requires both the database snapshot and live KMS access.
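An added illustration of the envelope scheme described above, not TruffleHunt's own code: Node.js's built-in crypto module performs the AES-256-GCM steps, and makeLocalKms is a hypothetical in-process stand-in for AWS KMS so the example runs offline. The function names, row layout and credential values are constructed for the example.

```javascript
const crypto = require('crypto');

// AES-256-GCM with a fresh 96-bit nonce; output layout is nonce || tag || ciphertext.
function seal(key, plaintext) {
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), body]);
}

// Throws if the key is wrong or the blob was modified (GCM tag mismatch).
function open(key, blob) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Hypothetical stand-in for AWS KMS: the master key never leaves this closure.
function makeLocalKms() {
  const master = crypto.randomBytes(32);
  return { wrap: (dek) => seal(master, dek), unwrap: (blob) => open(master, blob) };
}

// Returns the row to store: only the wrapped DEK and the ciphertext.
function encryptCredentials(kms, creds) {
  const dek = crypto.randomBytes(32); // per-user Data Encryption Key
  try {
    const ciphertext = seal(dek, Buffer.from(JSON.stringify(creds)));
    return { wrappedDek: kms.wrap(dek), ciphertext };
  } finally {
    dek.fill(0); // zero the plaintext DEK once the call is done
  }
}

function decryptCredentials(kms, row) {
  const dek = kms.unwrap(row.wrappedDek); // fails without access to the master key
  try {
    return JSON.parse(open(dek, row.ciphertext).toString('utf8'));
  } finally {
    dek.fill(0);
  }
}

// Constructed sample values, not real credentials.
const sample = { appId: 'app-EXAMPLE', certId: 'cert-EXAMPLE', devId: 'dev-EXAMPLE' };
```

dek.fill(0) clears the Buffer this code holds; copies of the key made inside the runtime or the crypto library are outside its reach.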

Sub-processors

Paddle (Merchant of Record · billing) · Telegram Bot API and Discord webhooks (notification delivery) · Cloudflare Email Service (transactional email delivery) · Sentry / GlitchTip (error reporting · we scrub credentials from stack traces) · Google Analytics, Google Tag Manager, and Google Ads conversion measurement (analytics and ad performance, controlled by Consent Mode and the cookie banner).

Cookies

We use a session cookie (HttpOnly, SameSite=Lax, Secure) to keep you signed in and a local consent preference so your cookie choice persists. We also use Google Analytics, Google Tag Manager, and Google Ads conversion measurement to understand product usage and ad performance. In the EEA and UK, analytics and advertising storage are denied by default until you accept cookies. If you decline, Google tags run with restricted Consent Mode signals only. We do not use Facebook Pixel and we do not sell personal data.

Your rights

Under GDPR you can export your data (Settings → Profile → Export), correct it, restrict its processing, or delete your account. Account deletion purges everything within 30 days. Encrypted backups are rotated out within 90 days.

Data location

Primary data is stored on a Netcup VPS in Manassas, Virginia, United States.

Breach disclosure

We commit to disclosing any confirmed security incident affecting customer data within 72 hours, to the affected users, by email, with a written incident report.

Contact

Email [email protected].