Privacy Policy

Last updated: April 14, 2026

What FlipCrate Does

FlipCrate connects to your email to find order confirmation emails from major retailers. It extracts structured data (items, prices, tracking numbers) and displays it in a dashboard so you can track inventory, sales, and profit. That is all it does with your email.

What We Collect

  • Account info — your email address, name, and profile picture (from Google OAuth or registration).
  • Order data — retailer name, order number, item names, quantities, prices, tracking numbers, and order status. This is extracted from your email, not entered manually.
  • Inventory and sales data — products you import from orders, sale prices, platforms, and buyer notes you enter.
  • Connection credentials — Gmail OAuth tokens or IMAP credentials for email access.

How We Access Your Email

When you connect Gmail, we request the gmail.readonly scope. This grants read-only access — FlipCrate cannot send, delete, or modify your emails.

For IMAP connections, your password is encrypted at rest using AES-256-GCM before it is stored. FlipCrate connects to your mailbox read-only.

In both cases, FlipCrate only searches for order confirmation emails from supported retailers (Amazon, Best Buy, Target, Costco, Apple, Walmart, Nike, eBay, Pokemon Center, Newegg, Macy's, Lowe's, Sam's Club). Personal emails, conversations, and other messages are ignored entirely.

Raw email content is never stored. Only the extracted structured data (items, prices, tracking numbers, order numbers) is saved to your account.

Google API Disclosure

FlipCrate's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We only use Gmail data to extract order information as described above.
  • We do not use Gmail data for advertising or to serve ads.
  • We do not allow humans to read your email content unless you give explicit consent for support purposes.
  • We do not transfer Gmail data to third parties except as necessary to provide the service.

Data Security

  • All traffic is encrypted in transit via HTTPS.
  • User passwords are hashed with bcrypt (never stored in plaintext).
  • IMAP passwords are encrypted at rest with AES-256-GCM.
  • Sessions use signed JWTs with secure, HTTP-only cookies.
  • Data is stored in a PostgreSQL database on infrastructure we control.

Third-Party Services

  • Google OAuth — for sign-in and Gmail access. Google receives standard OAuth data per their privacy policy.
  • Discord OAuth — optional, for sign-in. Discord receives standard OAuth data per their privacy policy.
  • Stripe — for payment processing on paid plans. Stripe handles all payment data directly; we do not store card numbers.

We do not use any analytics services, tracking pixels, or advertising networks.

Cookies

FlipCrate uses a single session cookie to keep you signed in. We do not use analytics cookies, tracking cookies, or any third-party cookies.

Data Retention and Deletion

Your data is retained as long as your account exists. You can delete your account at any time from the Settings page. When you delete your account, all associated data (orders, inventory, sales, connections, and credentials) is permanently deleted. There is no recovery.

No Data Sales

We do not sell, rent, or share your personal data with third parties for their own purposes. Period.

Changes to This Policy

If we make changes, we will update this page and the “Last updated” date. For significant changes, we may notify you via email or an in-app notice.

Contact

Questions about this policy? Reach us at [email protected].