Privacy Policy

Effective date: May 18, 2026 · Last updated: May 20, 2026

Popup is a Chrome extension that lets Depop sellers bulk-relist listings, generate AI-optimized descriptions, and schedule automatic relists — all from a panel injected directly into depop.com. This policy explains exactly what data the extension accesses, how it is used, and your rights regarding that data.

We do not sell your data. We do not serve ads. If you have any questions, email us at support@popupbot.net.

1. Data We Collect

Account information

When you create a Popup account you provide an email address and choose a password. Your password is hashed by Supabase (our authentication provider) and is never visible to us. We store your email address to identify your account, manage your access, and send transactional messages (e.g., email confirmation links, password resets).

Depop profile data

When the extension authenticates on your behalf, it reads your Depop user ID, username, and avatar URL from Depop's API and stores them in our database alongside your account so we can associate your Popup account with your Depop shop.

Usage metadata

We record your account creation timestamp and a last-active timestamp that updates each time you open the extension. We also store your subscription plan status (currently "free" for all users). No other usage data is recorded.

Depop authentication token

The extension reads your access_token cookie from depop.com solely to authenticate API requests made on your behalf — fetching your listings, re-uploading photos, creating new listings, and deleting old ones. This token is held in memory only and is never stored, logged, or sent to any server we operate beyond Depop's own API.

Listing data and photos (AI feature)

If you use the optional AI description feature, your listing's description text is sent through a Cloudflare Worker proxy we operate to Google's Gemini API, which generates a rewritten description. We do not store this text after the response is returned to your browser. Your listing photos are fetched from Depop / Amazon S3 and re-uploaded to S3 as part of the relist flow; we do not retain copies of them on our servers.

2. Data We Do Not Collect

We do not collect browsing history or any activity outside of depop.com.
We do not track which listings you view beyond what is required to perform a relist.
We do not use analytics SDKs, tracking pixels, or device fingerprinting.
We do not store your Depop password — the extension uses your existing Depop session cookie.
We do not collect payment card details — payments are handled directly by Stripe if applicable.

3. How We Use Your Data

To authenticate you and maintain your account session.
To provide the extension's core functionality (relisting, AI descriptions, auto-scheduling).
To associate your Popup account with your Depop shop.
To send transactional emails (confirmation links, password resets).
We do not use your data for advertising, profiling, or sale to third parties.

4. Third-Party Services

The extension and our backend interact with the following third-party services:

Depop API (webapi.depop.com) — to fetch and manage your listings on your behalf. Subject to Depop's Terms of Service.
Supabase — authentication and database hosting. Your email address and account metadata are stored on Supabase servers. See supabase.com/privacy.
Cloudflare Workers — we operate a proxy worker that routes API requests, validates your session, and forwards AI requests to Google. Cloudflare does not store request bodies beyond their edge-logging window. See cloudflare.com/privacypolicy.
Google Gemini API — your listing description text is forwarded to Google's Gemini API when you use the AI description feature. See policies.google.com/privacy.
Amazon S3 — Depop stores product photos on AWS S3. The extension fetches your photos from S3 and uploads fresh copies as part of the relist flow.
Stripe (if applicable) — payment processing. Stripe handles payment information directly; we never store or access your card details. See stripe.com/privacy.

5. Chrome Extension Permissions

Popup requests the following Chrome permissions and uses them only as described:

cookies — to read your Depop access_token cookie for API authentication.
tabs — to detect when you navigate to depop.com so the panel can be shown.
storage — to persist your Popup session token locally so you stay signed in between browser sessions.
declarativeNetRequest — to override CORS headers on Depop API responses, allowing the extension to make API calls from within the browser.
host permissions for depop.com and webapi.depop.com — required for cookie access and API calls.

6. Local Storage

The extension stores your Popup session token (access token and refresh token) in chrome.storage.local on your device so you remain signed in between browser sessions. This data never leaves your device except as an authentication credential in HTTPS requests to Supabase and our Cloudflare Worker.

7. Data Retention

We retain your email address, Depop profile identifiers, and account metadata for as long as your account is active. If you delete your account, we remove your record from our database within 30 days. Supabase authentication records are deleted upon account deletion request.

8. Your Rights

You have the right to:

Access — request a copy of the data we hold about you.
Correction — ask us to correct inaccurate data.
Deletion — delete your account and associated data at any time via the Account page or by emailing us.
Portability — request your data in a machine-readable format.

To exercise any of these rights, email support@popupbot.net. We will respond within 30 days.

9. Security

All communication between the extension, Supabase, our Cloudflare Worker, and Depop's API uses HTTPS with TLS. Your Depop access token is never written to disk or transmitted outside of the request for which it is needed. Our Cloudflare Worker validates your Supabase JSON Web Token before processing any authenticated request — unauthenticated requests are rejected.

10. Children's Privacy

Popup is not directed at children under the age of 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.

11. Changes to This Policy

We may update this policy from time to time. The "Last updated" date at the top of this page will reflect any changes. Continued use of the extension after a material update constitutes acceptance of the revised policy. For significant changes, we may notify you by email.

12. Contact

Questions, requests, or concerns about this privacy policy or your data:

Email: support@popupbot.net