Privacy Policy
Effective 2026-05-13.
What we collect
- Account data — email, display name, password hash (scrypt), optional phone number for SMS notifications, IP address for fraud and rate-limiting.
- Listings and content — cards you list, photos you upload, messages you send.
- Transactions — order history, shipping addresses, Stripe payment intent IDs (we never see your full card number — that goes directly to Stripe).
- Behavior — pages viewed, searches run, watchlist + collection items. Used to power recommendations.
- Identity verification documents — only when you submit them. Stored encrypted, visible only to admins reviewing your verification.
What we don't sell
We don't sell, rent, or trade your data to third parties. Period.
Who we share with
- Stripe — for payment processing. They have their own privacy terms.
- EasyPost — when you buy a shipping label (carrier, addresses).
- Twilio — when you opt in to SMS notifications (phone number only).
- Sentry — for error tracking. Personal data is scrubbed from error reports.
- Law enforcement — only when compelled by valid legal process, and we'll attempt to notify you unless prohibited.
Cookies and tracking
One session cookie to keep you logged in, SameSite=Lax. We don't use third-party analytics, advertising trackers, or fingerprinting.
Your rights
- Export — download everything we have about you as JSON: Settings → Your data.
- Delete — scrub PII; we retain order/payout records for tax compliance (anonymized).
- Correct — update profile, settings, addresses anytime.
Retention
Active accounts: indefinitely. Deleted accounts: PII scrubbed immediately, transactional records retained ~7 years per tax obligations. Identity verification docs deleted after approval / rejection.
Children
Not directed at users under 13. We don't knowingly collect data from minors; if you believe we have, contact support and we'll delete it.
Contact
Privacy questions: support chat or open a ticket.