Privacy policy

Last updated: July 13, 2026

Last updated: 26 June 2026

This policy explains what data PricePanda collects, why, and what you can do about it. PricePanda is operated by Volsted Media OÜ(registry code 17472855), an Estonian private limited company with its registered office at Sepapaja tn 6, Lasnamäe linnaosa, 15551 Tallinn, Estonia. If anything is unclear, emailhello@price-panda.com.

1. Who we are (data controller)

The data controller for personal data processed through PricePanda is:

  • Volsted Media OÜ
  • Registry code: 17472855
  • Sepapaja tn 6, Lasnamäe linnaosa, 15551 Tallinn, Harju maakond, Estonia
  • Email: hello@price-panda.com

2. What we collect

We collect only what we need to run the service.

Account data

  • Email address, required to sign in and to send price alerts.
  • A hashed password if you choose email/password sign-in. We never see your plaintext password.
  • Your name and the name of your business (optional, used in the UI and on invoices).
  • Two-factor authentication state (you opt in; we store the encrypted secret).

Service data

  • The store URL you add and the competitor URLs you ask us to track.
  • The product titles, prices, and images we scrape from those public pages.
  • Matches and decisions you make in the app (confirm / decline a match, notification rules, etc.).

Technical data

  • Standard server request logs: IP address, user agent, request time, response code. Kept for up to 30 days for security and abuse prevention.
  • Error and crash logs to help us fix bugs. Stripped of personal data where practical.

Billing data

  • Billing email, plan, and invoice history. We do not store full payment card details, our payment provider Paddle handles that.
  • VAT number (if you provide one) and billing country.

Analytics & advertising data (consent only)

  • If you accept analytics or marketing cookies (see section 8), we and Google receive standard measurement data: pages viewed, approximate location, device/browser, and whether you completed key actions such as signing up. This helps us measure traffic and the performance of our ads.
  • If you decline, none of these cookies are set and no such data is collected.

3. What we don't collect

We do not run session-replay tools, and we do not sell your data to anyone, ever. Advertising and analytics cookies are set only if you opt in via our cookie banner (see section 8); decline and nothing tracking-related runs.

4. Why we process it (legal basis under GDPR)

  • Contract performance, to provide the service you signed up for (scraping, matching, alerts, billing).
  • Legitimate interest, to keep the service secure (rate limits, abuse detection) and to improve the product based on aggregated usage.
  • Legal obligation, to keep invoicing and accounting records as required by Estonian and EU tax law.
  • Consent, where we ask for it explicitly, e.g. optional product update emails. You can withdraw consent at any time.

5. How long we keep it

  • Account data: while your account is open, plus 90 days after deletion in case you change your mind.
  • Scraped competitor product data: up to 24 months for historical price reports. You can request earlier deletion.
  • Invoices and accounting records: 7 years (Estonian Accounting Act).
  • Server request logs: up to 30 days.
  • Backups: up to 35 days rolling, then overwritten.

6. Who we share data with (subprocessors)

We use a small number of EU-friendly vendors to run PricePanda. Each one processes only the minimum data needed to deliver its feature.

  • Supabase, primary database and authentication. EU-West region.
  • Vercel, application hosting and edge delivery.
  • Firecrawl, fetches the public competitor pages on our behalf.
  • OpenRouter / model providers, runs the AI matching prompts. Product titles only; never your account data.
  • Resend, sends transactional email (alerts, password resets, billing).
  • Paddle, our payment provider and Merchant of Record. Paddle processes payments, issues invoices, and handles billing-related data and applicable VAT.
  • Trigger.dev, runs scheduled scrape jobs.
  • Google (Tag Manager & Google Ads), measures traffic and ad performance. Loaded only after you accept analytics/marketing cookies, and governed by Google Consent Mode so nothing fires until then.

Some of these vendors operate in the United States. We rely on the EU–US Data Privacy Framework and/or Standard Contractual Clauses for those transfers.

7. International transfers

Data is primarily stored in the EU (Supabase EU-West). Where data is transferred outside the EU/EEA (e.g. for AI processing or email delivery), it is protected by Standard Contractual Clauses and additional safeguards as required by GDPR.

8. Cookies

When you first visit, we show a cookie banner. Nothing beyond strictly necessary cookies is set until you make a choice, and you can change that choice at any time via the Cookie settings link in the site footer. We use Google Consent Mode, so analytics and advertising stay switched off by default until you opt in.

Strictly necessary (always on)

First-party cookies that keep you signed in, remember your two-factor authentication state, and protect the site (e.g. abuse/security). These don't require consent because the service can't work without them.

Analytics (consent required)

Used to measure traffic and improve the product. Set only if you accept analytics cookies. Declining leaves them off.

Marketing / advertising (consent required)

Set via Google Tag Manager and Google Ads to measure the performance of our advertising (for example, which campaigns lead to a signup). Set only if you accept marketing cookies. We do not sell your data, and declining leaves them off.

You can withdraw or change your consent at any time. Withdrawing is as easy as giving it, just reopen Cookie settings and update your choices.

9. Your rights under GDPR

You have the right to:

  • Access the personal data we hold on you.
  • Correct anything that's wrong.
  • Delete your account and personal data (right to erasure).
  • Export your data in a portable format.
  • Restrict or object to certain processing.
  • Withdraw consent at any time, where consent is the legal basis.

To exercise any of these, emailhello@price-panda.comfrom your account address. We respond within 30 days. There's no fee.

10. Complaints

If you think we've mishandled your data, please contact us first and we'll try to fix it. You also have the right to complain to the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, AKI):aki.ee.

11. Security

We protect your data with TLS in transit, encryption at rest, role-based access control, two-factor authentication for staff accounts, and routine vulnerability review. No system is perfectly secure, but we treat your data as if it were our own.

12. Children

PricePanda is a B2B tool not directed at children. We do not knowingly collect personal data from anyone under 16.

13. Changes to this policy

We'll email registered users at least 30 days before any material change. The "Last updated" date at the top of this page shows the most recent revision.

14. Contact

Volsted Media OÜ (registry code 17472855), Sepapaja tn 6, Lasnamäe linnaosa, 15551 Tallinn, Estonia. Emailhello@price-panda.com.