Plain-English summary: Behind BuyBox reads data from Amazon product pages entirely within your browser. Amazon prices, sellers, and availability data are never sent to our servers. We only collect your email address (to create your account) and verify your $1.99/month subscription. Payments are handled by LemonSqueezy — we never see your card details.
1. Who We Are
Behind Brands Agency ("we", "us", "our") is a full-service Amazon store management agency registered in the United Kingdom, with our principal place of business in Birmingham, UK.
We operate the Behind BuyBox Chrome Extension ("the Extension") and the website at behindbrands.agency ("the Site").
For the purposes of UK/EU data protection law, Behind Brands Agency is the data controller for personal data processed in connection with the Extension and the Site.
2. Scope of This Policy
This Privacy Policy applies to:
- The Behind BuyBox Chrome Extension (available on the Chrome Web Store)
- Account registration and authentication associated with the Extension
- The tools pages and support forms on behindbrands.agency
It does not cover our general agency services or the main contact form on the home page, which are governed by our general website privacy practices.
3. What We Collect
3.1 Account Information
To use the Extension you must create an account. We collect:
- Email address — used to identify your account and send essential communications (e.g. email confirmation, password reset)
- Password — stored as a salted hash by our authentication provider (Supabase); we never see your plain-text password
Alternatively, you may sign in with Google OAuth. In that case, Google shares with us only your email address and a unique Google account identifier. We do not receive your Google password or any other Google account data.
3.2 Authentication Tokens
When you log in, a JSON Web Token (JWT) access token and refresh token are issued by our authentication provider and stored locally in your browser via chrome.storage.local. These tokens are used solely to verify that you are logged in and that your subscription is active. They are not transmitted to any third party other than our authentication provider (Supabase).
3.3 Subscription Status
We verify whether your subscription is active by sending your access token to a Supabase Edge Function that checks your subscription status against records provided by LemonSqueezy. No payment card data is ever shared with us — see Section 6 for details.
3.4 Support Form Submissions
If you contact us through the support form on the Behind BuyBox support page, we collect:
- Your name and email address
- The tool you are asking about
- Issue type, subject line, and your message
- Browser and operating system (optional, provided by you)
This information is used exclusively to respond to your support request and is stored in our email inbox.
3.5 Amazon Page Data (Processed Locally Only)
The Extension reads the following information from Amazon product pages you visit while using it:
- Product ASIN, title, and current listed price
- Your current delivery ZIP code or postcode
- Seller name, price, and estimated ship date per location
- Amazon anti-CSRF cookie (read temporarily to call Amazon's own delivery-location API)
This data never leaves your browser. All processing happens locally. Amazon data is displayed in the Extension popup and, if you choose, exported as a CSV file to your device. It is not transmitted to Behind Brands Agency or any third party.
3.6 Local Job State
While a price comparison is running, the Extension stores the current job progress (ASIN, selected ZIP codes, results so far) in chrome.storage.local so that you can pause, resume, or reopen the popup without losing your results. This data is cleared when you cancel a job or uninstall the Extension.
4. What We Do Not Collect
- Your Amazon login credentials or Amazon account data
- Your browsing history or any URLs other than the active Amazon product page
- Payment card numbers, bank details, or billing addresses
- Any personally identifiable information beyond what is listed in Section 3
- Analytics, usage telemetry, or crash reports
- Data from any website other than Amazon product pages
5. How We Use Your Data
We use the personal data we collect for the following purposes:
- Account authentication — to log you in and keep your session active
- Subscription verification — to confirm your $1.99/month subscription is active before granting access to the Extension
- Support — to respond to support requests submitted via the tools support form
- Essential communications — to send email confirmations, password reset links, and important notices about the Extension or your account
We do not use your data for advertising, profiling, or any purpose not listed above.
6. Third-Party Services
6.1 Supabase (Authentication & Subscription Backend)
We use Supabase to manage user accounts and verify subscription status. Supabase processes your email address and authentication tokens on our behalf. Supabase is certified under the EU–US Data Privacy Framework and stores data in the EU (AWS eu-west-1 by default). For details, see the Supabase Privacy Policy.
6.2 LemonSqueezy (Payments)
The $1.99/month subscription is processed by LemonSqueezy, a third-party payment platform. LemonSqueezy collects and processes your payment card details, billing address, and other information necessary to complete the transaction. We receive only your email address and a subscription status flag (active/inactive). We never see or store your card details. Please review the LemonSqueezy Privacy Policy for full details.
6.3 Amazon
The Extension interacts directly with Amazon's websites and internal delivery-location API to change the ZIP code and fetch product page data. These requests are made from your browser to Amazon's servers and are governed by Amazon's Privacy Notice. Behind Brands Agency does not intercept or receive this data.
6.4 Google (Chrome Identity API)
If you choose to sign in with Google, the Extension uses the Chrome Identity API to initiate an OAuth flow. Google's own privacy policy governs how your Google account data is handled during this process.
7. Data Storage & Security
Authentication tokens stored in chrome.storage.local are protected by Chrome's built-in sandboxing and are not accessible to other extensions or websites.
Account data held by Supabase is encrypted at rest and in transit. We implement reasonable technical and organisational measures to protect your personal data against unauthorised access, loss, or misuse.
No method of transmission or storage is 100% secure. If you believe your account has been compromised, please contact us immediately at info@behind-brands.com.
8. Data Retention
- Account data — retained for as long as your account exists. If you request account deletion, we will delete your data within 30 days.
- Support form submissions — retained for up to 2 years in our email inbox for reference purposes, then deleted.
- Local Extension data (tokens, job state) — stored on your device only and removed when you log out or uninstall the Extension.
9. Your Rights Under GDPR / UK GDPR
If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights regarding your personal data:
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — request correction of inaccurate data
- Right to erasure — request deletion of your personal data ("right to be forgotten")
- Right to restrict processing — request that we limit how we use your data
- Right to data portability — receive your data in a structured, machine-readable format
- Right to object — object to processing based on legitimate interests
- Right to withdraw consent — where processing is based on consent, withdraw it at any time
Our legal basis for processing your account data is contract performance (processing is necessary to provide the Extension service you subscribed to). To exercise any of these rights, contact us at info@behind-brands.com. We will respond within 30 days. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO).
10. Your Rights Under the CCPA (California Residents)
If you are a California resident, the California Consumer Privacy Act (CCPA) grants you the following rights:
- Right to know — know what personal information we collect and how it is used
- Right to delete — request deletion of personal information we have collected
- Right to opt-out of sale — we do not sell your personal information to third parties
- Right to non-discrimination — we will not discriminate against you for exercising your CCPA rights
To exercise your CCPA rights, email info@behind-brands.com with the subject line "CCPA Request". We will verify your identity and respond within 45 days.
11. Children's Privacy
The Extension is not directed at children under the age of 13 (or 16 in the EEA where applicable). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. For material changes we will notify active subscribers by email. We encourage you to review this page periodically.
13. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:
Behind Brands Agency
Birmingham, United Kingdom
Email: info@behind-brands.com
Phone: +44 7377 300651
Support: Behind BuyBox Support Form