Privacy
policy.

Account data: email, display name, optional bio, optional avatar, optional garage details (chassis, year, engine).

Transaction data: listings you post or buy, prices, payment method tokens (Stripe holds the card itself — we never see full PAN), shipping addresses, tracking numbers.

Behavioural data: pages viewed (anonymized via Plausible — no cookies, no fingerprinting), search queries, watchlist and recently-viewed items. Server logs (IP, user agent, request path) for 30 days for abuse detection.

Device data: push notification tokens for users who opt in, service-worker registration ID. [TBD: add any additional categories collected by integrations we add later].

To run the marketplace: authenticate you, show your listings, route payments, deliver shipping labels, surface relevant items, send transactional and (with consent) marketing emails. [TBD: confirm with counsel whether magic-link emails fall under transactional or require consent in CCPA-restricted states].

To prevent fraud: detect patterns of abuse, enforce marketplace rules, report stolen-item listings to law enforcement when legally required.

To improve the product: aggregated, anonymized analytics. We do NOT sell your personal information.

Stripe (payment processing — subject to Stripe’s privacy notice), Postmark (transactional email), Plausible (privacy-respecting analytics, EU-hosted), AWS (infrastructure hosting). [TBD: add shipping label providers, KYC vendors, NHTSA VIN-check API once integrated].

We do not sell or rent personal information to advertisers, brokers, or data marketplaces.

You can request a copy of your data, correct inaccurate data, delete your account and associated data, or opt out of any sale or sharing of personal information. Account deletion ships at /account → Delete account. For other requests email [email protected].

California residents: see the “Do Not Sell My Personal Information” link in our footer and cookie banner. [TBD: California Authorized Agent process language per CPRA § 1798.135].

EU/EEA residents: legal basis for each processing activity is [TBD: specify under Art. 6 GDPR per activity — contract performance, legitimate interests, consent].

We retain account data for the life of your account plus [TBD: retention period required by IRS Form 1099-K reporting and CCPA]. Server logs roll off after 30 days. Off-site database backups retain for 7 days.

Data lives in AWS US-East-1. Postgres on encrypted volumes, daily backups, magic-link auth (no passwords to leak), Stripe-tokenized card data. We’ll notify you of any breach affecting your data within 72 hours where required by law.

The Service is not directed at children under 13 (under 16 for EU/UK). We don’t knowingly collect their data; if you believe we have, contact [email protected] and we’ll delete it.

Material changes to this policy will be announced via email and a banner on the site at least [TBD: 30] days before they take effect. Continued use after the effective date constitutes acceptance.