Privacy Policy
Effective date: 15 June 2026 · Last updated: 15 June 2026
This policy explains, in plain English, exactly what RepTools (rep.tools, and our mirror domains reptools.org and reptools.net) collects, why we collect it, who we share it with, and the choices and rights you have. We try to keep data collection to the minimum needed to run the site. We do not sell your personal data.
01 Who we are
RepTools is an independent, hobby-run website that provides online-shopping tools and information: it lists products, tracks shipping packages, shows quality-control (QC) photos, and points users to third-party shopping agents through affiliate links. For the purposes of data protection law (including the EU GDPR and UK GDPR), RepTools is the "data controller" for the limited personal data described below.
The site is operated by an individual. The quickest way to reach a real person is on Discord at @lude5 — see the Contact section for all options.
02 What we collect & why
We only collect what we actually need. Here is the complete list of personal data the site processes.
a) Your email address (for package-update notifications)
When you ask us to email you about a package, you give us your email address and a tracking number. We store these together so we can email you when that package's status changes (for example, "in transit", "out for delivery", "delivered"). We also store the carrier/courier code we detect for that tracking number, and a record of the last status we notified you about, so we don't send duplicate emails.
- What: email address, tracking number, detected courier code, last-notified status and timestamp.
- Why: to send you the package-update emails you specifically requested.
b) Marketing emails (deals & new finds)
When you subscribe for package updates, the form tells you that you'll also receive occasional related emails from RepTools — deals, drops, and new finds. This is the only marketing we send, it is closely related to the service you signed up for, and you can opt out at any time using the one-click unsubscribe link in every email (or by emailing us). We note on your subscription that you were shown this notice.
- What: a marketing flag tied to your email subscription.
- Why: to send occasional closely-related offers to people who signed up, on a soft opt-in basis, always with an easy way out. Subscriptions we import from elsewhere are never added to marketing.
c) Email deliverability data (bounces & complaints)
If an email we send you bounces, or you mark it as spam, our email provider tells us, and we add your address to an internal suppression list so we stop emailing you. This protects your inbox and our sending reputation.
d) Affiliate click analytics
When you click a product/affiliate link (for example a "Buy" or "QC" link, or a redirect through our /go/ links), we log the click so we can see which products are popular and how the site is being used. Importantly, we do not store your raw IP address for this. Your IP is run through a one-way SHA-256 hash and truncated to a short fragment before it is saved — we keep it only as a rough way to estimate distinct visitors, and it cannot be reversed back into your IP address.
- What: a one-way hashed fragment of your IP address (not your real IP), your browser's user-agent string (truncated), the referring page, the product/category clicked, the agent (e.g. KakoBuy), and a timestamp.
- Why: internal analytics — to understand which products and pages people use, and to count affiliate clicks.
Note on "country": our analytics database has a column that could hold a country value, but the click-logging code does not currently populate it from visitors. Any country information you may see on the site relates to a package's origin/destination (from the tracking carrier), not to your personal location.
e) Admin session cookies
The site uses a session cookie only for the private admin login (the site operator). It is set with the Secure, HttpOnly, and SameSite=Lax flags. Ordinary visitors browsing the public site are not asked to log in and are not assigned a login cookie.
f) Analytics cookies (only if enabled)
If Google Analytics is switched on (it loads only when a Google Analytics measurement ID is configured for the site), Google may set cookies and process data about your visit. See the Cookies & analytics section for details and how to opt out.
What we do NOT collect
- We do not ask for or store your name, postal address, phone number, or payment details. RepTools does not process payments — purchases happen on third-party shopping-agent sites under their own policies.
- We do not store your raw IP address for click analytics (it is hashed, as described above).
- We do not sell, rent, or trade your personal data to anyone.
03 Legal bases (GDPR / UK GDPR)
If you are in the UK, EU, or EEA, we rely on the following lawful bases to process your data:
| Data / activity | Lawful basis |
|---|---|
| Package-update emails (email + tracking number) | Performance of a service you requested, and our legitimate interest in providing it. You can unsubscribe at any time. |
| Marketing emails (deals & new finds) | Our legitimate interest in telling existing subscribers about closely-related offers (a "soft opt-in"), with clear notice at signup and one-click unsubscribe in every email. You can opt out at any time. |
| Suppression list (bounces/complaints) | Legal obligation / legitimate interest in honouring your opt-out and not sending unwanted email. |
| Click analytics (hashed IP, user-agent, referrer) | Legitimate interest in understanding and improving how the site is used, using minimised, non-identifying data. |
| Essential admin session cookie | Legitimate interest / necessity in securing the admin area. |
| Google Analytics cookies (if enabled) | Your consent, where required by ePrivacy / PECR rules for non-essential cookies. |
05 Who we share data with
We share data only with the service providers we need to run the site. Each has its own privacy policy governing what it does with data.
| Service | What it does for us | What it may receive |
|---|---|---|
| Package-tracking data provider | A third-party tracking-data service that returns package status and sends us status-change updates. | The tracking numbers you submit. (We store subscriptions locally; the provider does not hold your email.) |
| Email delivery provider | A third-party email service that delivers our notification and marketing emails and reports bounces/complaints. | Your email address and the email content we send you. |
| KakoBuy | Shopping agent we link to via affiliate code "thelude"; we also fetch QC photos from it. | When you click through to KakoBuy, your visit happens on their site under their policy. We do not pass them your email. Standard affiliate referral parameters may be included in the link. |
| Google Analytics (if enabled) | Aggregate website analytics. | Usage and device data, plus Google cookies, as described above. |
| Cloud hosting provider | A third-party cloud platform that runs our servers and stores our database. | Anything processed by the site, including standard server logs, is hosted on the provider's infrastructure. |
We may also disclose data if required to comply with a valid legal request, to enforce our terms, or to protect the rights, safety, and security of our users or the site.
We do not sell your personal data, and we do not "share" it for cross-context behavioural advertising as those terms are defined under California law (CCPA/CPRA).
06 International data transfers
RepTools has a global audience, including many users in the UK and EU. The service providers listed above may process data on servers located outside your country, including in the United States. Where personal data of UK/EU/EEA users is transferred internationally, those providers rely on recognised safeguards such as the EU Standard Contractual Clauses and/or the EU-U.S. Data Privacy Framework. By using the site you understand your data may be processed in these locations.
07 How long we keep data
- Tracking subscriptions (email + tracking number): kept while your subscription is active so we can notify you. When you unsubscribe or ask us to delete your data, we remove or deactivate it.
- Marketing consent flag: kept for as long as your subscription exists; cleared when you unsubscribe or are deleted.
- Suppression list (bounces/complaints): retained for as long as needed to keep honouring your opt-out and avoid emailing addresses that have bounced or complained.
- Click analytics (hashed IP, user-agent, referrer): kept for analytics purposes. Because the IP is irreversibly hashed, these records are not directly identifying. We periodically prune or aggregate older analytics data.
- Server logs: standard hosting logs are retained by our hosting provider per their policies and are used for security and troubleshooting.
08 Your rights & choices
Depending on where you live (e.g. under the UK GDPR, EU GDPR, or California's CCPA/CPRA), you have some or all of the following rights:
- Access — ask what personal data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure / deletion — ask us to delete your data.
- Restriction & objection — ask us to limit, or object to, certain processing (including direct marketing).
- Withdraw consent — for anything based on consent (marketing email, analytics cookies), at any time, without affecting prior lawful processing.
- Portability — receive your data in a portable format, where applicable.
- Non-discrimination (California) — we will not treat you differently for exercising your rights.
How to exercise them — the easy ways
One-click unsubscribe. Every package-update and marketing email we send includes a one-click unsubscribe link (and a standards-based List-Unsubscribe header that Gmail, Apple Mail, Yahoo and similar clients can act on). Clicking it stops the emails for that subscription immediately — no account or login needed.
Email us to delete your data. If you contact us at the address below and ask us to delete your data, we will remove your email subscription(s) and associated personal data from our system. This is the simplest way to have everything we hold about you erased.
We aim to respond to rights requests promptly, and within the time limits set by applicable law (generally within 30 days under the GDPR/UK GDPR). We may need to verify your identity — usually just by confirming you control the email address in question.
If you are in the UK or EU and are unhappy with how we have handled your data, you have the right to lodge a complaint with your local data protection authority (in the UK, the Information Commissioner's Office, ico.org.uk). We'd appreciate the chance to resolve it directly first.
09 Security
We take reasonable, proportionate steps to protect your data: the site is served over HTTPS; the admin area is protected by a session cookie with Secure, HttpOnly, and SameSite=Lax flags; IP addresses used for analytics are irreversibly hashed; email inputs are validated; and rate limiting is applied to deter abuse. No method of transmission or storage is ever 100% secure, but we work to keep the limited data we hold safe.
10 Children
RepTools is not directed at children. It is intended for adults (and at minimum users aged 16, or the age of digital consent in your country, e.g. 13 in the US). We do not knowingly collect personal data from children. If you believe a child has provided us personal data, please contact us and we will delete it.
11 Changes to this policy
We may update this policy from time to time — for example if we add a feature or change a provider. When we do, we'll update the "Last updated" date at the top of this page. Material changes will be highlighted on the site. Your continued use of RepTools after an update means you accept the revised policy.
12 Contact us
Questions, requests, or want your data deleted? Reach out:
Email lude@rep.tools and ask us to delete your data and we will remove your subscriptions and the personal data we hold about you. For a quick reply, Discord @lude5 is usually fastest.
