SmartList

Privacy Policy

Last Updated: February 21, 2026

1. Introduction

This Privacy Policy explains how Another Boring AI Company ("we," "us," or "our") collects, uses, shares, and protects your information when you use SmartList, our Chrome extension and related services (collectively, the "Service").

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address — used for account identification, login, and email verification.
  • Name (optional) — used for personalization.
  • Password — stored only as a bcrypt hash; we never store or have access to your plaintext password.

2.2 Google OAuth Data

If you sign in with Google, we receive:

  • Google account ID — to link your Google account to your SmartList account.
  • Email address — same use as above.
  • Name — for personalization.

We request the openid, email, and profile scopes from Google. Your Google profile picture is received during authentication but is not stored on our servers.

2.3 Etsy Listing Content

When you use SmartList on an Etsy listing editor page, our Chrome extension detects:

  • Product photo URLs — publicly accessible URLs from Etsy's CDN (e.g., i.etsystatic.com). These URLs are sent to our backend for AI analysis.

We do not access your Etsy account credentials, shop settings, sales data, financial information, or any other Etsy data beyond the product photo URLs visible on the listing editor page you are actively working on.

2.4 Usage Data

  • Optimization history — generated titles, descriptions, and keywords from your past optimizations, stored so you can review and reuse them.
  • Credit transactions — records of credit purchases, grants, and usage for billing accuracy.

2.5 Payment Information

All payment processing is handled by Stripe. We do not store your credit card number, CVV, or full billing details on our servers. We store only your Stripe customer ID and email to associate payments with your account.

2.6 Technical Data

  • Authentication tokens — JSON Web Tokens (JWT) stored in your browser's local extension storage for session management.
  • Draft state — temporary analysis and workflow data stored for up to 24 hours to support in-progress optimizations.

3. How We Use Your Information

We use the information we collect to:

  • Create, authenticate, and manage your account.
  • Verify your email address (via a one-time verification email).
  • Perform AI-powered analysis of your product photos to identify product characteristics.
  • Conduct keyword research based on AI-derived seed keywords.
  • Generate SEO-optimized titles and descriptions for your Etsy listings.
  • Process payments and manage your credit balance.
  • Maintain your optimization history so you can access past results.
  • Provide customer support.
  • Monitor for critical errors and service reliability (internal alerting only).

4. Third-Party Services and Data Sharing

We share specific data with the following third-party services solely to provide the Service. We do not sell, rent, or trade your personal information.

Google (OAuth)

Data shared: OAuth authorization code during sign-in. Data received: Your Google ID, email, and name.

Google Privacy Policy

OpenAI / Google Gemini (AI Processing)

Data shared: Product photo URLs or base64-encoded images, product attributes, keywords, and optional custom product information you provide. No personal information (email, name, user ID) is sent to these services.

OpenAI Privacy Policy · Google AI Terms

DataForSEO (Keyword Research)

Data shared: Up to 5 seed keyword phrases derived from the AI analysis. No personal information or images are sent to DataForSEO.

DataForSEO Privacy Policy

Stripe (Payments)

Data shared: Your email address and an internal user ID for billing purposes. Stripe handles all payment card data directly — we never see or store your card details.

Stripe Privacy Policy

Resend (Email Delivery)

Data shared: Your email address, solely for delivering email verification messages. We do not send marketing emails through this service.

Resend Privacy Policy

5. Chrome Extension Permissions

SmartList requests the following Chrome extension permissions, each for a specific purpose:

Permission                             Purpose
sidePanel                              Display the SmartList interface alongside Etsy pages
storage                                Persist your authentication token locally in the browser
tabs / activeTab                       Detect when you are on an Etsy listing editor page
Host: etsy.com                         Inject a content script to detect product photos and paste generated content into listing fields
Host: another-boring-ai-company.com    Communicate with our backend API and handle Google OAuth callbacks

6. Data Storage and Retention

  • Account data (email, name, hashed password) — retained for as long as your account exists.
  • Optimization history — retained until you delete individual entries or request full account deletion.
  • Draft/analysis state — temporary data with a 24-hour time-to-live; automatically deleted after expiry.
  • Authentication tokens — JWTs expire after 7 days.
  • Email verification tokens — expire after 24 hours.
  • Payment records — retained as required by applicable financial and tax regulations.

You may request deletion of your account and all associated data at any time by contacting us at support@another-boring-ai-company.com.

7. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • Passwords are hashed using bcrypt before storage.
  • All data in transit is encrypted via HTTPS/TLS.
  • Authentication uses stateless, signed JSON Web Tokens.
  • Payment card data is never stored on our servers — it is handled entirely by Stripe, a PCI DSS Level 1 certified provider.
  • Our backend runs on Cloudflare Workers, which provides built-in DDoS protection and edge security.

While we strive to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

8. Your Rights Under GDPR (EU/EEA Users)

If you are located in the European Union or European Economic Area, you have the following rights under the General Data Protection Regulation (GDPR):

  • Right to access — request a copy of the personal data we hold about you.
  • Right to rectification — request correction of inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten") — request deletion of your personal data.
  • Right to restrict processing — request that we limit how we use your data.
  • Right to data portability — receive your data in a structured, machine-readable format.
  • Right to object — object to processing based on legitimate interests.
  • Right to withdraw consent — where processing is based on consent, you may withdraw it at any time.

Legal Basis for Processing

  • Contract performance — processing necessary to provide the Service (account management, AI analysis, content generation, payment processing).
  • Legitimate interest — processing necessary for service security, error monitoring, and fraud prevention.
  • Consent — where applicable (e.g., optional data you choose to provide).

Data Controller: Another Boring AI Company

Contact for GDPR requests: support@another-boring-ai-company.com

You also have the right to lodge a complaint with your local data protection supervisory authority.

9. International Data Transfers

Your data may be processed in locations outside your country of residence, including:

  • Cloudflare Workers — our backend runs on Cloudflare's global edge network; requests are processed at the nearest data center.
  • United States — AI processing services (OpenAI, Google Gemini), payment processing (Stripe), and email delivery (Resend) are provided by US-based companies.

Where data is transferred outside the EU/EEA, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) or adequacy decisions by the European Commission to ensure your data remains protected.

10. Cookies and Local Storage

  • SmartList does not use tracking cookies.
  • The Chrome extension uses chrome.storage.local solely to store your authentication token and basic account information for session persistence.
  • We do not use any analytics, advertising, or third-party tracking scripts on our website or in the extension.

11. Children's Privacy

The Service is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected such information, we will take steps to delete it promptly. If you believe a child under 13 has provided us with personal data, please contact us at support@another-boring-ai-company.com.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last Updated" date at the top of this page. Your continued use of the Service after any changes constitutes your acceptance of the updated policy. We encourage you to review this page periodically.

13. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

Another Boring AI Company
Email: support@another-boring-ai-company.com