Privacy Policy

Last updated: 23/05/2026

This privacy policy describes how VintedWatch collects, uses, and protects users' personal data, in compliance with Regulation (EU) 2016/679 (GDPR).

1. Data Controller

The data controller for personal data processing is VintedWatch. For any privacy-related requests, you can contact the data protection officer at: privacy@vintedwatch.com

2. Data Collected

Data	Purpose	Required
Email address	Registration, login, email notifications	Yes
Password (bcrypt hash)	Authentication	Yes
Telegram Chat ID	Sending notifications via Telegram	No
Alert preferences	Configuration of search criteria and notifications	No
Push notification token (FCM)	Delivery of push notifications on the Android app via Firebase Cloud Messaging	Only if you install the Android app
Anonymous app crash logs	Stability diagnostics via Firebase Crashlytics (no personal data, no listings content)	Only if you install the Android app
Payment data	Managed entirely by Paddle (Merchant of Record)	Only for paid plans

We do not collect browsing data, do not use profiling cookies, and do not collect users' Vinted credentials.

3. Purpose of Processing

Service delivery: listing monitoring and sending notifications according to user-configured criteria
Account management: registration, authentication, subscription plan management
Service communications: account-related notifications, terms updates, technical communications

4. Legal Basis

Performance of contract (art. 6.1.b GDPR): for service delivery and account management
Consent (art. 6.1.a GDPR): for sending notifications via Telegram (provided by linking your Telegram account)
Legitimate interest (art. 6.1.f GDPR): for service security and abuse prevention

5. Data Sharing

Personal data may be shared with the following third parties, exclusively for the purposes indicated:

Recipient	Purpose	Data Shared
Paddle.com Market Limited	Payment processing and billing (Merchant of Record)	Email, payment data
Telegram Bot API	Sending notifications via Telegram	Telegram Chat ID, notification content
SMTP Provider (Brevo/other)	Sending notifications via email	Email address, notification content
Google (Firebase Cloud Messaging)	Delivery of push notifications on the Android app (app users only)	FCM token, notification payload
Google (Firebase Crashlytics)	Stability diagnostics for the Android app (app users only)	Anonymous stack traces, device model, OS version, app version

We do not sell or share personal data with third parties for marketing purposes. Firebase services (Google LLC) are used exclusively for the technical operation of the Android app (push notification delivery and crash diagnostics). Google acts as a data processor under art. 28 GDPR.

6. Data Subject Rights

Under the GDPR, you have the right to:

Access: obtain confirmation of the existence of your data and receive a copy
Rectification: request correction of inaccurate or incomplete data
Erasure: request deletion of your data ("right to be forgotten")
Restriction: request restriction of processing in certain cases
Portability: receive your data in a structured, commonly used, and machine-readable format
Objection: object to processing based on legitimate interest
Withdrawal of consent: withdraw consent at any time, without affecting the lawfulness of prior processing

To exercise these rights, write to privacy@vintedwatch.com. We will respond within 30 days of receiving your request.

You also have the right to lodge a complaint with the competent supervisory authority (Italian Data Protection Authority — Garante per la protezione dei dati personali).

7. Cookies and Tracking Technologies

VintedWatch uses only strictly necessary technical cookies for the operation of the service. Specifically:

JWT Token: stored in localStorage to maintain the authentication session

We do not use profiling cookies, third-party cookies for advertising purposes, or analytics tracking tools.

8. Data Retention

Personal data is retained for the duration of the contractual relationship with the user. Upon account deletion:

Account data is deleted within 30 days
Billing data is retained for the period required by applicable tax regulations
Anonymized technical logs may be retained for up to 12 months

9. Security

We implement appropriate technical and organizational measures to protect personal data, including:

Password encryption via bcrypt hashing
Secure communications via HTTPS
Data access restricted to authorized personnel

10. International Transfers

Personal data may be transferred to countries outside the European Economic Area only where adequate protection guarantees are ensured (e.g., Standard Contractual Clauses approved by the European Commission).

11. Contact

For any questions regarding this privacy policy or the processing of personal data:

Data protection officer: privacy@vintedwatch.com
General support: support@vintedwatch.com

12. Account and data deletion

You can request the complete deletion of your VintedWatch account and all associated personal data at any time.

How to request deletion:

Send an email to support@vintedwatch.com with subject "Account deletion"
Specify the email address associated with your VintedWatch account
You will receive an acknowledgement within 48 business hours

Data deleted within 30 days of the request:

User account (email, password, preferences)
All configured alerts and their execution history
All registered devices and related FCM tokens (Android app push notifications)
Linked Telegram Chat ID (if any)
Notification delivery history

Data retained for legal obligations:

Invoicing documents and payment data — managed by Paddle, retained under applicable tax regulations (typically 10 years)
Anonymous Firebase Crashlytics crash logs — retained automatically by Google for up to 90 days and not attributable to the deleted user

Account deletion is free of charge, final and not reversible.