1. Who we are
Marketmate Solutions Ltd ("we", "us", "our") operates the OmniLister platform at omnilister.co.uk. We are the data controller for personal data processed in connection with your OmniLister account.
Registered office: 3 Lawrence Close, Basingstoke, RG24 9DP, United Kingdom.
Company contact: privacy@marketmatesolutionsltd.co.uk
2. Scope
This policy covers personal data collected through the OmniLister web application, our marketing site at omnilister.co.uk, and any email or support correspondence with us. It does not cover third-party marketplaces (Amazon, eBay, Temu, Shopify) or their handling of buyer data — those services have their own privacy policies that govern data they control.
3. Data we collect
We collect the minimum personal data needed to operate the service:
- Account data: name, email, password hash, company name.
- Billing data: billing address, last four digits of payment card (full card data is handled by our payment processor and never touches our servers).
- Product catalogue: SKUs, titles, descriptions, images, identifiers (EAN, UPC, ASIN, ISBN), attributes, and any other product data you import or enter.
- Technical data: IP address, browser type, session cookies, page views — used for security and service improvement.
- Support correspondence: any messages you send us and our replies.
4. Marketplace data
When you connect a marketplace account (Amazon, eBay, Temu, Shopify) to OmniLister, we store:
- The OAuth refresh token issued by that marketplace, encrypted at rest with AES-256.
- Your seller username on that marketplace (for display only).
- Product catalogue data fetched via the marketplace's API to assist with enrichment and listing creation.
We do not access buyer personal data (order shipping addresses, customer emails) in the current OmniLister MVP. That functionality is on the roadmap and will be added under a separate, explicit authorisation when released.
5. How we use data
We process personal data to:
- Provide the OmniLister service — product information management, data enhancement, listing creation.
- Authenticate you and protect your account from unauthorised access.
- Send service-related emails (security alerts, billing notices, important product changes).
- Respond to support requests and investigate issues you report.
- Comply with legal obligations (tax records, law enforcement orders, GDPR subject requests).
- Improve the service through aggregate usage analytics (no individual user profiling for advertising).
6. Legal basis
Under UK GDPR, we rely on the following legal bases:
- Contract: processing needed to deliver the service you've signed up for.
- Legitimate interests: fraud prevention, security logging, product improvement.
- Legal obligation: accounting records, tax reporting, responding to lawful requests.
- Consent: marketing emails (you can withdraw consent at any time).
7. Sharing & subprocessors
We never sell your data. We share data only with:
- Subprocessors that power the service — each bound by contract to protect your data:
| Subprocessor | Purpose | Location |
|---|---|---|
| Google Cloud (Firestore, Cloud Run, Firebase Hosting) | Application hosting & data storage | EU (europe-west2) |
| Anthropic (Claude) | AI product content generation & enrichment | USA |
| Google (Gemini) | AI product content generation & enrichment | USA |
| Typesense | Product search indexing | EU |
| Amazon SP-API, eBay Browse API, Temu Open API, Shopify Admin API | Marketplace integration on your behalf | USA/EU |
- Legal authorities when required by a valid court order or UK law.
- Acquirers if Marketmate Solutions Ltd is acquired, merged, or reorganised — you'll be notified before any transfer.
8. International transfers
Some of our AI subprocessors (Anthropic, Google) process data in the USA. We rely on the UK International Data Transfer Agreement (IDTA) and/or Standard Contractual Clauses approved by the ICO to protect data transferred outside the UK and EEA.
9. Retention
Our default retention for personal data (PII) is a maximum of 30 days after your account is closed. Beyond that period, PII is only retained where one of the following applies:
- You have given us written approval to retain specific data for a stated purpose and period.
- We are required by UK law to retain specific records — for example, HMRC requires financial transaction records (invoices, VAT records) to be kept for 6 years. We cannot waive these obligations even with your consent, but we ringfence them — only the records required for the legal purpose are kept, and nothing else.
Active-account data (while your account is live) is retained for as long as your account remains active.
Product catalogue data is deleted within 30 days of account closure unless you export it sooner. Support correspondence is retained for up to 30 days beyond the resolution of the related support ticket.
To request earlier deletion — or to give written approval to retain specific data longer — email privacy@marketmatesolutionsltd.co.uk.
10. Your rights
Under UK GDPR, you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate data.
- Erase your data (subject to legal retention requirements).
- Restrict or object to processing.
- Portability — receive your data in a machine-readable format.
- Withdraw consent where we rely on it.
- Complain to the UK Information Commissioner's Office (ico.org.uk) if you believe we've mishandled your data.
To exercise any of these, email privacy@marketmatesolutionsltd.co.uk. We respond within 30 days.
11. Security
We protect your data with:
- AES-256 encryption at rest for marketplace credentials and other sensitive fields.
- TLS 1.2+ for all data in transit.
- Firebase Authentication with per-tenant isolation — your catalogue is never visible to other customers.
- Access controls: only employees with a documented operational need can access production infrastructure, and all access is logged.
- Regular security scans (gosec, Semgrep, govulncheck, npm audit, Trivy) on every release.
If you believe you've found a security vulnerability, email security@marketmatesolutionsltd.co.uk.
12. Children
OmniLister is a business tool. We do not knowingly collect data from anyone under 18. If you believe a minor has created an account, contact us and we'll delete it.
13. Changes
We may update this policy. Material changes are announced by email at least 14 days before taking effect. The date at the top of this page is always the most recent update.
14. Contact
Questions about this policy, or about how we handle your data:
Marketmate Solutions Ltd
3 Lawrence Close, Basingstoke, RG24 9DP, United Kingdom
privacy@marketmatesolutionsltd.co.uk