Privacy Policy

Last updated: April 17, 2026
Effective: April 17, 2026

Introduction

This Privacy Policy explains how Individual Entrepreneur Evgenii Averin, registered in the Republic of Armenia ("Brimley", "we", "us", "our"), collects, uses, shares, and protects personal information when you use the Brimley service, including the website at getbrimley.com and related applications (collectively, the "Service").

Brimley provides profit analytics for Etsy sellers. We connect to your Etsy shop through the Etsy Open API v3 with your explicit authorization, retrieve your shop's transaction data, and calculate profit metrics for you.

This policy applies to information we collect about:

  • Users who create a Brimley account and connect their Etsy shop(s).
  • Website visitors who browse getbrimley.com without signing up.

This policy does not apply to Etsy itself. Etsy's own collection and use of information is governed by Etsy's Privacy Policy.

If you do not agree with this Privacy Policy, please do not use the Service.

Who we are and how to contact us

Data controller: Individual Entrepreneur Evgenii Averin
Registered in: Republic of Armenia
Business entity registration in progress. This page will be updated with full legal details upon completion.
Contact email for privacy matters: privacy@getbrimley.com
General support: support@getbrimley.com

We act as an independent data controller for the personal information described in this policy, consistent with our obligations under the Etsy API Terms of Use. If you are in the European Economic Area, United Kingdom, or Switzerland, this applies under GDPR / UK GDPR terms.

Information we collect

3.1 Information you provide to us

  • Account information: email address, name, password hash when you create an account.
  • Billing information: we use a third-party payment processor (Paddle or Lemon Squeezy) acting as Merchant of Record. We do not store full payment card numbers on our systems. We receive limited billing metadata (last four digits, billing country, transaction status).
  • Support communications: messages you send us via email or in-app support.
  • Cost of goods sold (COGS) data: product cost information you enter manually for your listings.
  • CSV uploads: Etsy Ads spend reports that you choose to upload.

3.2 Information we receive from Etsy on your behalf

When you connect an Etsy shop to Brimley through Etsy's OAuth flow, you authorize us to retrieve the following data from the Etsy Open API v3 using the scopes you grant (transactions_r, billing_r, listings_r, shops_r):

  • Shop profile information (shop name, country, currency)
  • Listings (titles, SKUs, tags, sections, taxonomy, state)
  • Receipts and transactions (order dates, items, prices, shipping charges, coupons, quantities, buyer_user_id)
  • Payments (gross, fees, net amounts, adjustments)
  • Refunds (amounts, reasons, dates)

We use only the minimum OAuth scopes needed to provide the Service. We do not currently request access to buyer email addresses (email_r scope). If we introduce features requiring that scope, we will request your explicit opt-in at that time.

We do not access: shop listings we are not authorized to see, buyer payment instruments, your Etsy password, or any data from shops you have not connected.

3.3 Information we collect automatically

  • Usage data: pages viewed, features used, time spent, clicks, approximate geographic location (derived from IP address at country/region level).
  • Device data: browser type, operating system, screen size, language.
  • Technical logs: IP address, timestamps, request paths, error information.
  • Cookies and similar technologies: see Section 8.

3.4 Information from third parties

If you connect Printify, Printful, or other integrations to pull Cost of Goods Sold data automatically, we receive product cost information from those services. Each integration is subject to its own privacy practices, which you should review separately.

How we use information

We use the information we collect for the following purposes:

| Purpose | Legal basis (GDPR) |
|---|---|
| Provide the Service (calculate profit, show dashboards, generate reports) | Performance of contract |
| Authenticate you and secure your account | Performance of contract, legitimate interest |
| Process payments and manage subscriptions | Performance of contract |
| Respond to support requests | Performance of contract, legitimate interest |
| Send transactional emails (onboarding, receipts, security alerts) | Performance of contract |
| Send product updates and marketing emails | Consent (you can opt out anytime) |
| Detect fraud and abuse, enforce our Terms | Legitimate interest, legal obligation |
| Improve the Service (debugging, performance monitoring, product analytics on aggregated behavior) | Legitimate interest |
| Comply with legal and tax obligations | Legal obligation |

We do not:

  • Sell your personal information.
  • Use your Etsy data or Etsy Member data with third-party advertising or marketing platforms.
  • Use Etsy API data for machine learning training, licensing, or content removal purposes.
  • Share individual shop data between users.
  • Use your data for any purpose not described in this policy.

How we share information

We share information only as described below.

5.1 Service providers (sub-processors)

We use the following categories of service providers to operate the Service. These providers only process information on our instructions and are bound by data protection agreements.

| Category | Provider | Purpose | Location |
|---|---|---|---|
| Hosting and infrastructure | Vercel, Inc. | Website and application hosting | United States |
| Database and authentication | Supabase, Inc. | Data storage, user authentication | United States or European Union |
| Background jobs | Inngest, Inc. | Data sync workers | United States |
| Payments (Merchant of Record) | Paddle.com Market Ltd. or Lemon Squeezy (PayLemon, Inc.) | Subscription billing, tax remittance | United Kingdom, United States |
| Transactional email | Resend, Inc. | Sending account emails | United States |
| Error monitoring | Functional Software, Inc. (Sentry) | Debugging and error tracking | United States |
| Product analytics | PostHog, Inc. or Plausible Insights OÜ | Understand feature usage | United States or Estonia |

A full and current list of sub-processors is available at getbrimley.com/subprocessors (or by email request to privacy@getbrimley.com).

5.2 Legal disclosures

We may disclose information when we believe in good faith that disclosure is necessary to:

  • Comply with applicable law, regulation, court order, or legal process.
  • Protect the rights, property, or safety of Brimley, our users, or the public.
  • Investigate and defend ourselves against legal claims.
  • Enforce our Terms of Service.

5.3 Business transfers

If Brimley is involved in a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the successor entity. We will notify you of any such change and any choices you may have.

5.4 With your consent

We share information in other ways only with your explicit consent.

Data retention

6.1 While your account is active

We retain data from your connected Etsy shop(s) for as long as needed to provide the Service. This includes historical transactions, payments, and listings from the beginning of your shop's history. This retention is necessary for the core function of the Service: showing you profit calculations over your full selling history and allowing you to verify calculations against original transactions.

6.2 Caching and freshness

In accordance with the Etsy API Terms of Use, we synchronize listing content from Etsy on an ongoing basis through webhooks and scheduled refreshes so that active listing data displayed in the Service does not become stale. Historical transactions, once finalized on Etsy, are immutable records and are retained as such.

6.3 After you cancel or disconnect

  • If you cancel your subscription and do not resubscribe within 30 days, your Etsy data is permanently deleted from our active systems.
  • If you disconnect an Etsy shop from Brimley, we delete OAuth tokens immediately and Etsy data within 30 days, unless you instruct us otherwise.
  • If you close your Brimley account, all personal data is deleted within 30 days.
  • Backups: deleted data may persist in encrypted backups for up to 90 days, after which it is permanently purged.
  • Legal retention: we may retain billing records, tax information, and fraud investigation records for longer periods where required by Armenian tax law or other applicable regulations (typically up to 5 years).

6.4 Data export

You can export your data at any time as CSV from within the Service. After account closure, data export is available on request for 30 days.

Security

We implement technical and organizational measures appropriate to the risk of processing, including:

  • Encryption in transit (TLS 1.2 or higher) for all traffic between you and the Service.
  • Encryption at rest for databases.
  • Encrypted storage of Etsy OAuth tokens.
  • Row-level security isolating each user's data from other users.
  • Access controls limiting access to user data, with audit logs.
  • Regular dependency updates and security monitoring.
  • Multi-factor authentication available for user accounts.
  • Incident response procedures for security events.

No system is perfectly secure. If we become aware of a personal data breach affecting your information, we will notify you and applicable authorities in accordance with applicable law.

Cookies and similar technologies

We use a limited set of cookies and similar technologies:

  • Essential cookies: required for authentication, session management, and security. These cannot be disabled.
  • Preference cookies: remember settings like timezone, currency display.
  • Analytics cookies: measure usage to improve the Service. Used only if we deploy PostHog or Plausible, configured to minimize personal data collection.

We do not use advertising cookies or cross-site tracking. If you are in a jurisdiction requiring consent for non-essential cookies, we present a consent banner on your first visit.

You can control cookies through your browser settings. Blocking essential cookies will prevent the Service from working.

International data transfers

Brimley operates globally. Our primary operations are in the Republic of Armenia, and our service providers operate in the United States, European Union, and other jurisdictions. Your information may be transferred to, stored in, and processed in these countries. These countries may have data protection laws different from those in your country.

Where required (for example, for personal data of EEA or UK residents), we rely on appropriate safeguards such as Standard Contractual Clauses approved by the European Commission or the UK equivalent to ensure your information receives an adequate level of protection.

Your rights

Depending on your location, you may have the following rights regarding your personal information:

10.1 All users

  • Access: request a copy of personal information we hold about you.
  • Correction: ask us to correct inaccurate information.
  • Deletion: ask us to delete your personal information, subject to legal retention requirements.
  • Export: download your data in a portable format.

10.2 EEA, UK, Switzerland (GDPR and UK GDPR)

In addition to the rights above:

  • Restrict processing: ask us to limit how we use your information.
  • Object: object to processing based on legitimate interest.
  • Portability: receive your data in a machine-readable format.
  • Withdraw consent: where processing is based on consent, withdraw consent at any time.
  • Complain: lodge a complaint with your data protection authority.

10.3 California residents (CCPA/CPRA)

  • Right to know what personal information is collected, used, shared, or sold.
  • Right to delete personal information.
  • Right to correct inaccurate personal information.
  • Right to opt out of "sale" or "sharing" of personal information. We do not sell or share personal information as those terms are defined under CCPA.
  • Right to non-discrimination for exercising your privacy rights.

10.4 How to exercise rights

Email privacy@getbrimley.com with your request. We will respond within 30 days (or the period required by applicable law). We may need to verify your identity before acting on your request.

Children

The Service is not intended for individuals under 18 years of age, and is not intended for children under 13 (United States) or 16 (EEA/UK) under any circumstance. We do not knowingly collect personal information from children. If you believe a child has provided us information, contact privacy@getbrimley.com and we will delete it.

Etsy-specific terms

This section addresses our relationship with Etsy and applies in addition to the other sections of this Privacy Policy.

12.1 Independent controller

We are an independent data controller for the personal information we process from the Etsy API, as required by the Etsy API Terms of Use. Etsy is a separate controller for information it collects from you as an Etsy user.

12.2 Scope of use

We only use information obtained through the Etsy API to provide the Service to you. We do not:

  • Sell, lease, or transfer Etsy Member data to any third party.
  • Use Etsy API data with third-party advertising or marketing platforms.
  • Use the API to collect, scan, or request Etsy content for analytics, machine learning, licensing, or content removal beyond what is needed to provide the Service.
  • Use Etsy API data to train AI or machine learning models.

12.3 Buyer information

The Service does not currently store buyer email addresses, shipping addresses, or other buyer personal information beyond what is strictly necessary for profit analytics (primarily buyer_user_id for identifying repeat customers and lifetime value calculations). If we introduce features that require additional buyer personal information, we will request your explicit opt-in authorization at that time, as required by Etsy.

12.4 Disconnection

You may disconnect your Etsy shop from Brimley at any time through your Brimley account settings, or by revoking access in your Etsy account under "Apps and Services". Upon disconnection, we will stop making Etsy API calls on your behalf and will delete your Etsy data according to Section 6.3.

12.5 Etsy trademark

The term "Etsy" is a trademark of Etsy, Inc. This Application uses Etsy's API, but is not endorsed or certified by Etsy.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time. When we do:

  • We will update the "Last updated" date at the top.
  • For material changes, we will notify you by email or in-app notice at least 30 days before the changes take effect.
  • Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

The most current version is always available at getbrimley.com/privacy.

Contact

Questions, concerns, or requests regarding this Privacy Policy:

Email: privacy@getbrimley.com
Mail: Individual Entrepreneur Evgenii Averin (address will be updated upon completion of business registration)

If you are in the EEA, UK, or Switzerland and your concern is not resolved, you have the right to contact your local data protection authority.