Privacy Policy (v2.0)
Effective 2026-06-30 (v2.0)
This Privacy Policy describes how sell.fun Inc. ("sell.fun," "we," "us," or "our") collects, uses, and shares information when you use our website at sell.fun, our MCP server, our CLI tools, our Claude Code plugin, and any related services (collectively, the "Services").
By using the Services, you agree to the collection and use of information as described in this policy.
1. Who We Are
sell.fun Inc. is a Delaware corporation and is the data controller for buyer transactional data (purchases, invoices, receipts, payment identifiers), consistent with our role as merchant of record under the Terms of Service. For non-transactional Creator-to-Buyer communications initiated by Creators (e.g., product updates, announcements), Creators and sell.fun act as joint controllers.
Contact: hello@sell.fun · sell.fun Inc., 1209 N Orange St, Wilmington, DE 19801, USA.
2. Information We Collect
2.1 Information You Provide
- Account information: Email address when you create a Creator or Buyer account via magic-link authentication.
- Creator profile and tax onboarding: Display name, legal business name, legal address, tax classification, tax form type (W-9 / W-8BEN / W-8BEN-E), Stripe Connect account details (we do not store your full bank account or card numbers).
- Product listings: Titles, descriptions, pricing, tags, categories, and uploaded product files.
- Purchase information: Products purchased, transaction amounts, tax collected, buyer country (from billing address), and buyer VAT ID if provided.
- Communications: Messages you send to us via email or support channels.
2.2 Information Collected Automatically
- Device and access data: IP address, browser type, operating system, referring URL, pages viewed, and timestamps.
- Usage data: Features used, tools invoked (via MCP, CLI, or web), search queries, and interaction patterns.
- Cookies: We use essential cookies for authentication and session management. See Section 8.
2.3 Information from Third Parties
- Stripe: Limited transaction data (payment status, payout status, Stripe account ID, charge ID, balance transaction fee). We never receive or store full credit card numbers.
- Cloudflare: Standard web analytics data (page views, geographic region, device type).
3. How We Use Your Information
- Provide the Services: Process purchases, deliver products, manage accounts, handle Creator payouts via Stripe.
- Act as merchant of record: Calculate and collect applicable indirect taxes (VAT, GST, sales tax) at checkout, issue invoices in sell.fun's name, manage disputes. Where we hold active tax-authority registrations, remit collected taxes to the relevant authorities. We do not charge an amount described as tax in any jurisdiction where we are not registered.
- Communicate: Purchase confirmations (including invoice receipts), delivery links, magic-link emails, and service notifications.
- Prevent fraud: Detect fraudulent transactions, enforce Terms of Service, moderate content.
- Improve the Services: Analyze usage patterns, fix bugs, develop new features.
- Legal compliance: Respond to legal requests, enforce our rights, meet tax-reporting requirements (including DAC7 for EU Creators), and comply with US export controls and OFAC sanctions.
We do not sell your personal information to third parties. We do not use your data for targeted advertising.
4. How We Share Your Information
4.1 With Creators (for Buyers)
When you purchase a product, the Creator receives your email address and purchase details for fulfillment purposes only. Creators may not use this information for unrelated marketing without your separate consent. Creators do not see your payment card details, billing address, or VAT ID; these remain with sell.fun.
4.2 With Service Providers
- Stripe — Payment processing, Creator payouts, fraud detection, tax calculation (Stripe Tax), and 1099-K / W-8 tax form collection (Connect).
- Cloudflare — Website hosting, content delivery, DDoS protection.
- Resend — Transactional email delivery (purchase confirmations, magic links).
- Tax-filing partners — sell.fun may use tax-compliance providers such as Taxually, TaxJar, hellotax, or Quaderno to file VAT OSS returns, UK VAT returns, and US state sales-tax returns. These providers process transaction data strictly for return preparation.
These providers process data only on our behalf (or in the case of Stripe, as a controller of payment credentials pursuant to its own privacy policy) and are contractually required to protect it.
4.3 For Legal Reasons
We may disclose information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of sell.fun, our users, or the public.
4.4 Tax Authority Reporting
As merchant of record, we report aggregate transaction data to tax authorities in jurisdictions where we are registered. Under EU Directive 2021/514 (DAC7) — a reporting regime separate from VAT registration — if and once we are registered as a reporting platform operator, we will begin collecting and reporting Creator-level data (including identity, bank details, and annual consideration) to the Irish tax authority on the cadence required by the Directive. Affected Creators will be notified before any reportable data is submitted. See the Creator Agreement for details.
4.5 Business Transfers
If sell.fun is acquired or merged, user information may transfer to the new owner. We will notify affected users before their information becomes subject to a different privacy policy.
5. Data Retention
| Data Type | Retention Period |
|---|---|
| Creator/Buyer account data | Until account deletion + 30 days |
| Purchase, invoice, and transaction records | 10 years (tax and VAT compliance) |
| Product listings and files | Until deleted by Creator |
| Authentication tokens | Until session expiry or logout |
| Server logs (IP, access) | 90 days |
| Support communications | 3 years |
6. Data Security
- All data in transit encrypted via TLS/HTTPS.
- Product files stored in Cloudflare R2 with signed delivery tokens.
- Magic-link authentication (no passwords stored).
- Payment processing handled entirely by Stripe. We never see or store credit card numbers.
- Database encrypted at rest via Cloudflare D1.
No method of transmission or storage is 100% secure. If we become aware of a personal-data breach, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours, and will notify affected users without undue delay where the breach is likely to result in a high risk to their rights, in each case as required by applicable law (including GDPR/UK GDPR Articles 33–34 and US state breach-notification laws).
7. Your Rights
All users may request access, correction, deletion, or export of their data by emailing hello@sell.fun. We respond within 30 days. Note: records required for tax compliance (section 5, 10-year retention) may not be fully deletable until the retention period expires, but we can restrict further processing.
EEA/UK Users (GDPR)
You may also restrict processing, object to processing based on legitimate interests, withdraw consent, and lodge complaints with your local data protection authority. Legal bases: contract performance (including as merchant of record), legitimate interests (fraud prevention, platform integrity), legal obligations (tax reporting, DAC7), and consent. If and when we offer the Services to EEA or UK data subjects, our Article 27 representatives will be named here.
California Users (CCPA/CPRA)
You have the right to know the categories and specific pieces of personal information we collect, the sources, and the purposes; to correct or delete it; to opt out of the sale or sharing (for cross-context behavioral advertising) of personal information; and to limit the use of sensitive personal information. We do not sell or share your personal information. We honor the Global Privacy Control (GPC) and other opt-out preference signals as a valid opt-out of sale/sharing. We will not discriminate for exercising these rights. Because there is no industry consensus on Do Not Track, we do not separately respond to DNT signals, which are distinct from GPC. To exercise these rights, email hello@sell.fun; we confirm receipt within 10 business days and respond within 45 days (extendable by 45 with notice).
8. Cookies
| Cookie | Purpose | Duration |
|---|---|---|
| Session cookie | Authentication (Creator/Buyer login) | Session / 30 days |
| CSRF token | Cross-site request forgery protection | Session |
We do not use advertising cookies, tracking pixels, or third-party analytics cookies. Cloudflare may set security cookies to protect against bots.
9. International Data Transfers
Our Services are hosted on Cloudflare's global network. For EEA personal data we rely on the EU Standard Contractual Clauses and, where a recipient is certified, the EU-US Data Privacy Framework; for UK personal data we rely on the UK International Data Transfer Addendum to the SCCs (or the IDTA). These cover transfers to our processors (Cloudflare, Stripe, Resend). Stripe's GDPR compliance framework covers payment-card data.
10. Children's Privacy
The Services are not directed to children under 13 (or under 16 in the EEA/UK). We do not knowingly collect information from children. Contact us at hello@sell.fun if you believe a child has provided us with personal information.
11. AI Assistant and MCP Usage
When you interact with sell.fun through an AI assistant, the AI provider processes your conversation per their own privacy policy. sell.fun receives only tool calls made on your behalf (e.g., creating a listing, making a purchase). We do not receive or store your conversation history. Authentication uses OAuth 2.1 directly with sell.fun.
12. CLI Tool and Plugin Usage
The CLI stores your authentication token locally in ~/.sellfun/config.json. The sell.fun skills plugin may write local usage telemetry such as which skill completed and how long it took to ~/.sellfun/analytics/. Anonymous aggregate telemetry (no personal data) can be opted into; the default is off. The plugin checks for updates by contacting sell.fun/api/sell/version. Skill execution (reading files, generating descriptions) happens locally using your AI tokens; data is sent to sell.fun when you create, update, publish, or upload a listing.
13. Changes to This Policy
We may update this policy. Material changes will be posted on our website with an updated effective date, and existing users will see a notice at their next login. Continued use constitutes acceptance.
14. Contact Us
Email: hello@sell.fun · Website: sell.fun