Privacy Policy
Last updated: 2026-05-22
This policy explains what data Goblin Stash collects when you use goblin-stash.com and the Goblin Stash browser extension, why we collect it, and your rights over it. We keep this short on purpose: we only collect what's needed to run the service.
1. Who we are
Goblin Stash is operated by Monedra Group, a French company.
Contact: [email protected].
Data controller for GDPR purposes: Monedra Group.
2. Data we collect
2.1 Account
- Email address and a hashed password (never stored in plain text)
- Optional display name
- Language preference, timezone
2.2 Product data you create
- Titles, descriptions, images, variants and prices of products you import via the extension
- Shop settings (shipping fees, Etsy categories, etc.)
- Technical import logs (success/failure) for debugging
2.3 Billing
- Stripe customer ID and subscription history
- We never store payment card data — Stripe handles it end-to-end
2.4 Technical data
- IP address, browser type, pages visited on goblin-stash.com (standard server logs, kept ≤ 30 days)
- No third-party ad trackers
3. The browser extension
The Goblin Stash extension is designed to leave the smallest possible footprint:
- It runs only on the pages you actively visit on AliExpress, Alibaba, Printables and the Etsy listing editor
- It does not track your browsing, does not read unrelated pages, and does not log clicks
- When you click "Import", it sends that page's title, description, images, variants and prices to your Goblin Stash account over encrypted HTTPS
- Your auth token is stored encrypted in chrome.storage.local and never leaves your browser except to call the Goblin Stash API
- No data is ever sold or shared with third parties
4. Why we process your data (GDPR legal bases)
- Contract performance: running your account, processing imports, delivering the paid service
- Legal obligation: retaining invoices (10 years, French Commercial Code)
- Legitimate interest: security, abuse prevention, technical debugging
- Consent: we ask for explicit consent before any non-essential cookies (currently none)
5. Sub-processors and third-party services
We use the following processors, each under a data processing agreement (DPA):
- Stripe (US, DPF-certified) — payments and billing
- Cloudflare R2 — storage of the product images you import
- OVHcloud / application host (EU) — application servers and database
- OpenAI / LLM provider — only when you explicitly use the AI optimization features; prompts do not contain your credentials
6. Data retention
- Account data: as long as your account is active, then 90 days after deletion
- Billing data: 10 years (French legal requirement)
- Import logs: 30 days
- HTTP server logs: 30 days
7. Your rights
Under GDPR you have the following rights:
- Access: get a copy of your data
- Rectification: correct inaccurate data
- Erasure: delete your account ("Delete my account" button in your profile)
- Portability: export your data in a machine-readable format
- Objection / Restriction: restrict certain processing
- Withdraw consent at any time
- Lodge a complaint with the CNIL: cnil.fr
To exercise these rights: [email protected]. We reply within 30 days.
8. Security
Passwords are hashed with bcrypt, transport runs over HTTPS (TLS 1.2+), API tokens are encrypted client-side, backups are encrypted, and access to production data is restricted and logged.
9. Changes
This policy may be updated. The "Last updated" date at the top shows the current version.
Material changes are announced by email.