Privacy Policy

BrickOps ("we", "us", "our") is an independent order management tool for BrickLink sellers. We are not affiliated with the LEGO® Group or BrickLink. This Privacy Policy explains what personal data we collect, how we use it, and your rights in relation to it.

For questions or requests, contact us at [email protected].

2.1 Data you provide directly

• Account identity — when you sign up, your identity (email address, name, and OAuth profile if you use a social login) is managed by our authentication provider, Clerk. We receive and store only an opaque Clerk user ID — not your email, name, or profile photo — in our own database.
• BrickLink API credentials — Consumer Key, Consumer Secret, Token, and Token Secret that you generate on BrickLink and enter in BrickOps. These are stored encrypted in our database (see Security below).
• Store name — an optional label you can set for display purposes. Stored as plaintext.

2.2 Data retrieved from BrickLink on your behalf

When you use BrickOps, we use your BrickLink credentials to call the BrickLink API and retrieve your store data, including:

• Order lists and order details (which may include your buyers' names, shipping addresses, and payment method/status as returned by BrickLink)
• Order messages between you and buyers
• Item and inventory data from your store
• Catalog and image data

This data is displayed in BrickOps but is not stored in our database, with one exception: when you start a picking session for an order, the list of items in that order is snapshotted and stored as part of your picking session record (see §2.3). Buyer personal information (names, addresses, emails) is never persisted in our database.

2.3 Picking session data

When you start a picking session, we store the following in our database:

• Your Clerk user ID and the BrickLink order ID being picked
• Your picking progress (current item index, quantities picked per item)
• A snapshot of the order's item list (part numbers, colors, quantities, remarks) — not buyer PII

This data is retained until you complete or delete the picking session, at which point it is permanently deleted from our database.

2.4 Automatically collected data

Our web server and hosting provider automatically log standard HTTP access information including request URLs, HTTP status codes, timestamps, and IP addresses. These logs are used for debugging and security monitoring. We do not use analytics cookies, behavioral tracking pixels, or any third-party analytics services.

• To authenticate you and provide access to BrickOps
• To make API calls to BrickLink on your behalf using your credentials
• To display your store's order, inventory, and catalog data within the application
• To track and persist your picking session progress
• To respond to support or legal requests you initiate
• To maintain the security and operation of the service

We do not sell, rent, or share your data with third parties for advertising purposes.

We rely on the following third-party services to operate BrickOps:

Each sub-processor is subject to its own privacy policy. We encourage you to review them. Our servers are located in a DigitalOcean data center; the specific region will be listed at brickops.io/privacy once a region is confirmed at launch.

• BrickLink credentials — retained until you delete them or close your account.
• Picking sessions — retained until the session is completed or deleted by you.
• Buyer PII — not retained. Fetched live from BrickLink, displayed, and discarded.
• Server logs — retained for up to 30 days at the hosting-provider level.
• Database backups — retained for up to 7 days via DigitalOcean managed backups (when enabled).
• After account deletion — your encrypted credentials and any active picking sessions are deleted within 30 days of account closure.

Your BrickLink API credentials are stored using column-level encryption via the ASP.NET Core Data Protection API. The encryption keys are stored in the same database. We take reasonable technical precautions to protect your data, but no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

If you believe your BrickLink credentials have been compromised, you should immediately revoke and regenerate them from your BrickLink account settings. BrickOps cannot access your BrickLink account independently — your credentials are required for every API call.

BrickOps uses only strictly-necessary cookies. We do not use advertising or analytics cookies.

Because these cookies are strictly necessary to provide the service you have requested, they do not require separate consent under applicable cookie laws.

Depending on your jurisdiction, you may have the right to:

• Access — request a copy of the personal data we hold about you
• Deletion — request deletion of your account and associated data
• Correction — request correction of inaccurate data
• Portability — receive your data in a machine-readable format
• Objection / restriction — object to or restrict certain processing

To exercise any of these rights, email [email protected]. We will respond within 30 days. For account deletion, you can also close your account directly within BrickOps or via your Clerk account settings.

GDPR (EU/EEA users): Our legal basis for processing your personal data is performance of a contract (providing the BrickOps service you signed up for) and our legitimate interest in operating and improving the service. You have the right to lodge a complaint with your local supervisory authority.

CCPA (California users): We do not sell personal information. California residents may contact us to exercise rights under the CCPA.

BrickOps is not directed to children under the age of 13 (or 16 in the EU). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at [email protected] and we will delete it promptly.

We may update this Privacy Policy from time to time. When we do, we will revise the "last updated" date at the top of this page. For material changes, we will notify you by email (via Clerk) or by displaying a prominent notice within BrickOps. Your continued use of BrickOps after the effective date of any changes constitutes your acceptance of the updated policy.

BrickOps
Email: [email protected]