C
Crateed

Privacy Policy

Last updated: May 31, 2026.

This Privacy Policy explains how Crateed collects and processes personal data when you use our apps, websites, and connected services (“Services”).

1. Controller & Contacts

Crateed is operated by Christer Ek, an individual based in Sweden. Christer Ek is the data controller for personal data processed through the Services.

Privacy: privacy@crateed.com

Support: support@crateed.com

The supervisory authority for Sweden is Integritetsskyddsmyndigheten (IMY) — imy.se.

2. Scope

This policy applies when you use our Services as an individual or on behalf of a business, and to personal data as defined by applicable laws (e.g., GDPR, UK GDPR, CCPA/CPRA).

3. Data We Collect

  • Account data: name, email, password hashes, country, language, preferences.
  • Vault & listing data: item photos, attributes, categories, prices, SKU, condition, ownership, dimensions, valuations, listing history and status.
  • Location data: if you grant permission, we collect your device's GPS coordinates to power location-based features (nearby listings, discovery, and your home location). Your approximate location is displayed on our public Live Network page (crateed.com/live) as an anonymised dot — coordinates are jittered by ~500 m before any public display and are never shown with your identity. You can revoke location permission at any time in your device settings.
  • Integrations data: for the eBay direct API connection we store an eBay account token on your device to publish listings on your behalf. For all other platforms (161+ supported), Crateed uses a copy-paste toolbar — no account credentials, tokens, or order data are collected or stored by Crateed for those platforms. Session cookies for third-party platforms remain on your device only.
  • Usage & device data: app interactions, logs, crash reports, device type, OS, browser, IP address, cookie identifiers, advertising IDs.
  • Support & communications: messages you send us, surveys, feedback, and call/chat transcripts.
  • Marketing data: preferences, engagement with emails and in‑app messages.
  • Compliance data: identity verification (KYC) status, AML screening results where required by law or platform policy.

4. Sources of Data

  • Directly from you (account setup, uploads, forms, messages).
  • Automatically via cookies/SDKs when you use the Services.
  • From connected third parties (marketplaces, payment and shipping providers, analytics, fraud-prevention vendors).

5. Purposes & Legal Bases

  • Contract Provide, maintain, and personalize the Services; create and distribute listings; process orders and payments; provide support.
  • Legitimate interests Improve features; analytics; prevent abuse and fraud; protect security; market similar services to existing users (where permitted).
  • Consent Non-essential cookies/SDKs; certain marketing; optional data processing where required.
  • Legal obligation Tax, accounting, AML/KYC and compliance with lawful requests.

Where we rely on legitimate interests, we balance our interests with your privacy rights and implement safeguards.

6. Sharing & Recipients

  • Service providers (processors): cloud hosting, storage, analytics, monitoring, communications, customer support, fraud prevention.
  • eBay (direct API): listing data you choose to publish is sent to eBay via their API using your account token. No other marketplace receives data from Crateed — all other platforms use copy-paste initiated by you directly.
  • Payment & shipping providers: processors and carriers involved in transactions you initiate.
  • Corporate transactions: your data may be transferred in a merger, acquisition, or asset sale.
  • Legal: to comply with law or protect rights, security, and safety.

We do not sell personal data. We may publish a list of core subprocessors on our website; material changes will be notified where required.

7. International Transfers

Where personal data is transferred outside your country (e.g., from the EEA/UK to third countries), we use lawful transfer mechanisms such as the European Commission’s Standard Contractual Clauses (SCCs) and implement additional safeguards where appropriate.

8. Data Retention

  • Account data: retained while your account is active and for up to 24 months after closure, unless a longer period is required by law.
  • Vault/listing data: retained while needed for Services and audit/compliance (typically 24–36 months after last activity).
  • Transaction data: retained per tax/accounting rules (usually 7–10 years depending on jurisdiction).
  • Support communications: typically 24 months.
  • Location data (GPS coordinates): retained while your account is active. When you revoke location permission or delete your account, location data is deleted within 30 days.
  • Cookie identifiers: per cookie lifecycle; see Cookies.

9. Security

  • Encryption in transit, network isolation, access controls, and logging.
  • Vendor security reviews and data processing agreements.
  • Incident response program; we will notify authorities and users where legally required.

10. AI, Profiling & Automated Decisions

  • We use AI for product recognition, attribute detection, suggested titles/descriptions, and estimated valuations.
  • These outputs are assistive, not determinative. You can edit or ignore them. We do not make legally significant decisions solely by automated means without human involvement.
  • You may object to profiling used for direct marketing at any time.

11. Cookies & Similar Technologies

We use cookies/SDKs to operate the site, remember preferences, measure performance, and personalize content. You can manage preferences below.

Cookie Preferences

Toggle non‑essential categories and save.

  • Strictly necessary (always on): login, security, load balancing.
  • Analytics (consent where required): usage measurement, crash diagnostics.
  • Marketing (consent): campaign attribution, personalization.

12. Marketing Communications

You can opt out of marketing emails via the unsubscribe link or in settings. We may still send service or transactional messages.

13. Your Rights

Your rights vary by region and may include: access, rectification, erasure, restriction, portability, and objection; and the right to withdraw consent at any time.

  • To exercise rights, contact privacy@crateed.com. We may request verification and will respond within one month (or as required by law).
  • EEA/UK: You may lodge a complaint with your local supervisory authority (e.g., Sweden’s IMY).
  • California: You may exercise rights under the CPRA as described in Regional Disclosures.

14. Children’s Privacy

Our Services are not directed to children under 16. If you believe a child provided personal data, contact us to request deletion.

15. Changes to this Policy

We may update this policy to reflect changes to our practices or legal requirements. If changes are material, we will provide notice (e.g., email or in‑app) and indicate the effective date.

16. Regional Disclosures (EEA/UK & California)

A. EEA/UK

  • Controller & DPA: Where we process data on your behalf (e.g., buyer/order data), a Data Processing Addendum (DPA) may apply upon request.
  • Transfers: We rely on SCCs and supplementary measures for transfers to third countries.
  • Legal bases: See Section 5 for mapping of purposes to legal bases.

B. California (CCPA/CPRA)

  • Categories collected: Identifiers; commercial information; internet/electronic activity; precise geolocation (device GPS, jittered before any public display — this is sensitive personal information under CCPA); inferences (valuation suggestions); and professional information (for business accounts).
  • Business purposes: Provide and improve Services; security; debugging; short‑term transient use; advertising/marketing (subject to opt‑out/consent where required).
  • Sale/Sharing: We do not sell personal information for money. Some analytics/advertising uses may be considered “sharing” under the CPRA. You may opt out using cookie preferences or by contacting us.
  • Consumer rights: Right to know, delete, correct, and opt‑out of sale/sharing; limit use of sensitive personal information; and non‑discrimination for exercising rights.
  • Authorized agents: You may use an authorized agent; we may require verification.
  • GPC: We honor Global Privacy Control signals for applicable processing.

17. Account Deletion and Data Removal

To delete your account and all associated data, follow these steps in the app:

  1. Go to Menu.
  2. Navigate to Settings.
  3. Click Delete Account.

If you're unable to delete your account via the app, please contact us at support@crateed.com.

18. Live Network Public Display

Crateed operates a public Live Network page at crateed.com/live that displays real-time activity on the platform. This page may show:

  • Anonymised location dots: your approximate location shown as a dot on a world map. GPS coordinates are jittered by ~500 m server-side before display. No name, username, or identifying information is attached to the dot.
  • Activity events: recent listings, sales, trades, and new user registrations shown with item title, city name, and country. User IDs and emails are never shown.

If you do not want your activity or approximate location to appear on the Live Network page, you can:

  • Revoke location permission in your device settings — your dot will be removed from the map.
  • Contact privacy@crateed.com to request exclusion from the activity feed.

The legal basis for this processing is our legitimate interest in demonstrating platform activity publicly. We apply the minimum data necessary (jittered coordinates, no personal identifiers) to minimise privacy impact.