Privacy Policy
Effective 2026-04-18
RepsRadar ("we", "us", "the site") is an information platform that aggregates publicly available product listings from Weidian and provides outbound links to third-party 代购 (reverse purchasing) services. This policy explains what personal data we collect, why, how long we keep it, and your rights under GDPR (EEA/UK) and CCPA/CPRA (California).
1. Data we collect
- Account data (only if you register): email address, hashed password (bcrypt), display name, role.
- Behavioral logs: search queries, product views, outbound buy-button clicks, IP address, user-agent. Stored in our database (search_logs / click_logs tables) for product analytics and search-quality improvement.
- Favorites & history (registered users only): products you save and view, retained while your account exists.
- Cookies: see Cookie Policy.
- Server logs: HTTP access logs (URL, status, latency, IP) retained 30 days for security and debugging.
2. Data we do NOT collect
- Payment information. All purchases happen on third-party 代购 platforms (KakoBuy, Superbuy, Sugargoo, etc.). We never see your card or shipping address.
- Government identifiers (passport, national ID, SSN).
- Precise geolocation. We record only a coarse country-level signal derived from the IP address, for traffic analytics.
3. Why we process this data (legal basis)
- Contract (GDPR Art. 6(1)(b)): operating your account, favorites, history.
- Legitimate interest (GDPR Art. 6(1)(f)): security, fraud prevention, search-quality measurement, aggregated analytics.
- Consent (GDPR Art. 6(1)(a)): non-essential cookies, newsletter (when launched).
- Legal obligation (GDPR Art. 6(1)(c)): retaining audit logs of admin actions for compliance.
4. Third parties
We use the following processors. Each is bound by its own DPA / privacy terms:
- Cloudflare — DNS, CDN, DDoS protection, WAF. Receives all HTTP traffic metadata.
- OVH — server hosting (EU region). Stores the database and logs.
- DashScope (Alibaba Cloud) — AI image-search and product attribute extraction. Receives uploaded images at search time; we do not retain them server-side after embedding.
- Resend — transactional email (account / password reset). Receives your email address only.
- Plausible (self-hosted, planned) — privacy-friendly, cookie-less analytics. No cross-site tracking.
Outbound 代购 platforms (KakoBuy, Superbuy, Sugargoo, etc.) are independent operators. Once you click an outbound buy button you are on their site under their privacy policy.
5. Data retention
- Account data: until you delete your account.
- Search & click logs: 90 days for the per-user history view, then aggregated and stripped of IP / user-id.
- Server access logs: 30 days.
- Admin audit logs: 2 years (compliance with our internal SOPs).
6. Your rights
Under GDPR Articles 15-22 and CCPA §1798.100-130 you have the right to access, rectify, erase, restrict, port, and object to the processing of your personal data. To exercise these rights, see the GDPR Rights page or email us. You may also lodge a complaint with your local data protection authority.
7. International transfers
Our servers are in the EU (OVH). DashScope processes inference in Singapore / Hong Kong. Where data leaves the EEA, transfers rely on Standard Contractual Clauses or equivalent safeguards.
8. Children
The site is not directed at children under 16. We do not knowingly collect data from minors.
9. Security
Passwords are hashed with bcrypt (cost ≥ 12). Sessions use HTTP-only, Strict SameSite cookies + double-submit CSRF tokens. The database is encrypted at rest and TLS-encrypted in transit. Backups are encrypted before upload to object storage.
10. Changes to this policy
We will post material changes on this page with a new effective date and notify registered users by email when changes affect their rights.
11. Contact
Email [email protected]. Postal contact available on request.