Privacy Policy

Last updated: June 2026 · transactionmerge.co.uk

1. Who we are

TransactionMerge is currently offered as a free beta service, operated in England, United Kingdom. We are the data controller for information collected through transactionmerge.co.uk. We are in the process of registering with the Information Commissioner's Office (ICO) as a data controller. Contact us at transactionmerge@gmail.com.

2. What data we collect

We collect and process the following:

  • Account data — your name, email address, and hashed password when you register
  • eBay connection data — your eBay username, OAuth tokens (encrypted at rest), and account type (business/personal)
  • FreeAgent connection data — your FreeAgent email, OAuth tokens (encrypted at rest), and nominated bank account
  • Transaction data — eBay financial transaction records (amounts, dates, order IDs, descriptions) processed in order to perform the sync
  • Usage data — sync history, settings, and session logs for troubleshooting

3. What we do not collect

  • eBay listing, order, messaging, or buyer data beyond financial transactions
  • Payment card details (handled by our payment processor)
  • Any data from FreeAgent beyond the bank account identity needed to post transactions

4. How we use your data

  • To provide the transaction sync service you have subscribed to
  • To authenticate your sessions securely
  • To send you service-related emails (account alerts, sync failures, billing)
  • To investigate and resolve support queries

We do not use your data for marketing, profiling, or sale to third parties.

5. Legal basis for processing (UK GDPR)

  • Contract — processing necessary to deliver the service you have subscribed to
  • Legitimate interests — security logging and fraud prevention
  • Legal obligation — retaining records as required by UK law

6. Data retention

We retain your account and transaction data for as long as your account is active plus 12 months. On account deletion we remove all personal data within 30 days, except where retention is required by law. Sync history logs are retained for 90 days for troubleshooting purposes.

7. Third parties

We share data only with:

  • eBay — via OAuth, to read your financial transaction data
  • FreeAgent — via OAuth, to post transactions to your account
  • Hosting providers — Render (backend) and Netlify (frontend), both operating under GDPR-compliant data processing agreements

We do not use advertising networks or analytics platforms that track users across sites.

8. Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Request deletion of your data ("right to be forgotten")
  • Object to or restrict processing
  • Lodge a complaint with the ICO at ico.org.uk

To exercise any of these rights, email transactionmerge@gmail.com. We will respond within 30 days.

9. Cookies

We use a single session cookie to keep you logged in. No third-party tracking or advertising cookies are used.

10. Security

OAuth tokens are encrypted at rest. All data in transit is protected by TLS. Sessions expire after 10 minutes of inactivity. We apply security best practices and review them regularly.

11. Changes to this policy

We will notify you by email before making material changes to this policy. The current version is always available at transactionmerge.co.uk/privacy.

Questions? Contact us at transactionmerge@gmail.com