Hoard
Features Download Sign in Join waitlist

Legal

Privacy Policy

Last updated: April 16, 2026

Hoard ("we", "us", "our") operates tryhoard.com and the Hoard desktop application. This policy explains what data we collect, why, and what rights you have over it.

We built Hoard for sellers who want automated repricing without handing their entire business to a black box. We feel the same way about your personal data—you should know exactly what's happening with it.

1. What we collect

Account data

When you sign up, we collect your email address and a hashed password (bcrypt). We never store your password in plain text. If you sign up via magic link, we store a short-lived token that expires in 15 minutes.

Billing data

Payments are handled entirely by Stripe. We store your Stripe customer ID and subscription ID so we know what plan you're on. We never see or store your card number, CVV, or billing address—that stays with Stripe.

Inventory and sales data

Hoard syncs your marketplace inventory, orders, and sales data so we can display it in your dashboard and apply pricing rules. This data belongs to you. We use it solely to provide the service. We do not sell it, share it with other sellers, or use it for advertising.

Usage data

We collect basic server logs (timestamps, HTTP status codes) to keep the service running. We do not run Google Analytics, session recording, or any third-party tracking scripts. There are no analytics pixels on Hoard.

Desktop application

The Hoard desktop app runs locally on your machine. Your marketplace browser session stays on your computer—we never see your marketplace login credentials. The desktop app communicates with our server only to sync inventory data and check for updates.

2. How we use your data

  • Provide the service—display your inventory, calculate pricing, and sync with your marketplace.
  • Send transactional emails—magic links, password resets, agent health alerts, and your daily digest (if enabled).
  • Debug errors—we use Sentry for error tracking, which may include your user ID and email when an error occurs. This helps us fix bugs.
  • Process payments—via Stripe, for subscription billing only.

That's the complete list. We do not use your data for advertising, profiling, or selling to third parties.

3. Third-party services

We share data with the following services, and only for the purposes described:

ServicePurposeData shared
Stripe Payment processing Email, subscription status
Resend Transactional email delivery Email address, email content
Sentry Error monitoring User ID, email (on errors only)
Cloudflare Turnstile Bot protection on forms IP address (not stored by us)

We do not use data brokers, ad networks, or analytics platforms.

4. Cookies

We use a single session cookie (_ahg_session) to keep you logged in. It's HTTP-only, secure (HTTPS), and expires after 30 days of inactivity. We also use Cloudflare Turnstile's cookie for bot protection on forms.

We do not use tracking cookies, advertising cookies, or third-party cookies for analytics.

5. Your rights (GDPR and beyond)

Whether you're in the EU, UK, California, or anywhere else, we provide these rights to all users:

  • Access—you can export all your data at any time from your account settings. We provide a full JSON export of your account, inventory, orders, sales, and sync history.
  • Rectification—update your email or other account details in settings.
  • Erasure—delete your account from settings. This permanently removes your account, inventory data, pricing history, orders, and sales data. This action is irreversible.
  • Portability—your data export is machine-readable JSON.
  • Objection—you can opt out of any non-essential email (digest, onboarding, alerts) from your email preferences. Unsubscribe links are in every email.
  • Withdraw consent—you can delete your account at any time with no penalty.

6. Data retention

We keep your data for as long as your account is active. When you delete your account, we delete all associated data permanently. We do not keep shadow profiles or retain data after deletion.

Waitlist entries are retained until you are invited or ask us to remove them.

7. Data security

  • All traffic is encrypted via HTTPS (TLS). We enforce HTTPS in production.
  • Passwords are hashed with bcrypt.
  • API keys are unique per user and can be rotated.
  • The desktop app stores configuration with restricted file permissions (0600).
  • CSRF protection on all forms.
  • Content Security Policy headers.

8. International transfers

Our servers are hosted in the United States (Oregon) on Render. If you are located outside the US, your data is transferred to and processed in the US. Our third-party processors (Stripe, Resend, Sentry, Cloudflare) maintain their own GDPR compliance and data processing agreements.

9. Children

Hoard is a business tool for online sellers. We do not knowingly collect data from anyone under 16. If you believe a child has provided us with personal data, contact us and we will delete it.

10. Changes to this policy

If we make material changes, we'll email active users before the changes take effect. The "last updated" date at the top of this page always reflects the current version.

11. Contact

Questions about this policy or your data? Email us at privacy@tryhoard.com.