Privacy Policy

Last Updated: January 21, 2025

1. Information We Collect

• Account Information: Name, email, location, profile details
• Transaction Data: Purchase history, payment information (processed by Stripe)
• Communication Data: Messages between users
• Usage Data: How you interact with our Service
• Device Information: IP address, browser type, device identifiers
• Location Data: For in-person meetups, we collect GPS coordinates to verify both parties are at the agreed meeting location. This data is used solely for transaction verification and is deleted after 30 days

2. How We Use Your Information

We use your information for the following purposes:

• Service Provision: To provide and improve our Service (Legal Basis: Contract Performance)
• Transaction Processing: To process transactions and payments through Stripe (Legal Basis: Contract Performance)
• Communication: To communicate with you about your account, transactions, and service updates (Legal Basis: Contract Performance, Legitimate Interest)
• Security & Fraud Prevention: To prevent fraud, ensure security, and protect users (Legal Basis: Legitimate Interest, Legal Obligation)
• Legal Compliance: To comply with legal obligations, including tax and financial reporting (Legal Basis: Legal Obligation)
• Analytics: To analyze usage patterns and improve our Service (Legal Basis: Legitimate Interest - with consent for non-essential cookies)

3. Information Sharing

We do not sell your personal information. We may share information with:

• Payment Processor: Stripe, Inc. (payment processing, escrow services, refunds, chargebacks) - See Stripe's Privacy Policy
• Database Provider: Supabase (data storage, authentication) - See Supabase's Privacy Policy
• Hosting Provider: Vercel (application hosting) - See Vercel's Privacy Policy
• Analytics: Vercel Analytics (usage analytics) - See Vercel's Privacy Policy
• Legal Requirements: When required by law or to protect our rights
• Business Transfers: In case of merger or acquisition

Location Data: Location data collected for in-person meetup verification is shared only between the buyer and seller for that specific transaction and is not shared with third parties except as required by law.

4. Data Security

We implement appropriate technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction, including:

• Encryption of data in transit (HTTPS/TLS)
• Encryption of sensitive data at rest
• Row-level security (RLS) on database tables
• Authentication and authorization controls
• Regular security assessments
• Access controls and audit logging

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

4.1 Data Breach Notification

In the event of a data breach that may affect your personal information, we will:

• Notify affected users within 72 hours of becoming aware of the breach (as required by GDPR)
• Notify relevant authorities within 72 hours if required by law
• Provide information about the nature of the breach and steps taken to address it
• Recommend steps you can take to protect yourself

We will notify you via email to the address associated with your account or through a prominent notice on our Service.

5. Your Rights (GDPR/CCPA)

5.1 GDPR Rights (European Users)

If you are located in the European Economic Area (EEA), you have the following rights:

• Right of Access: Request a copy of your personal data
• Right to Rectification: Correct inaccurate or incomplete information
• Right to Erasure: Request deletion of your data (subject to legal obligations)
• Right to Data Portability: Export your data in a machine-readable format
• Right to Object: Object to processing based on legitimate interests
• Right to Restrict Processing: Request restriction of processing in certain circumstances
• Right to Withdraw Consent: Withdraw consent for processing that requires consent

To exercise these rights, contact our DPO at fisp@uchicago.edu. We will respond within 30 days.

5.2 CCPA Rights (California Users)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

• Right to Know: Request disclosure of personal information we collect, use, and share
• Right to Delete: Request deletion of your personal information (subject to exceptions)
• Right to Opt-Out: Opt-out of the sale of personal information (we do not sell personal information)
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

To exercise these rights, contact us at fisp@uchicago.edu with "CCPA Request" in the subject line.

6. Cookies and Tracking

We use cookies and similar technologies (web beacons, pixels, local storage) to:

• Essential Cookies: Required for the Service to function (authentication, session management)
• Analytics Cookies: Help us understand how users interact with our Service (Vercel Analytics)
• Preference Cookies: Remember your settings and preferences

You can control cookies through our cookie consent banner or your browser settings. Note that disabling essential cookies may affect Service functionality.

Third-Party Cookies: We use the following third-party services that may set cookies:

• Vercel Analytics: Analytics and performance monitoring (see Vercel's Privacy Policy)
• Stripe: Payment processing (see Stripe's Privacy Policy)
• Supabase: Authentication and database (see Supabase's Privacy Policy)

6.1 Location Tracking

For in-person meetups, we request access to your device's location services to verify you are at the agreed meeting location. This is optional and only used for transaction verification. Location data is:

• Collected only when you initiate a location check for a meetup
• Shared only with the other party in the transaction
• Deleted after 30 days
• Not used for advertising or marketing

7. Data Retention

We retain your information as follows:

• Account Information: Retained while your account is active and for 7 years after account closure for legal compliance
• Transaction Data: Retained for 7 years for tax and legal compliance (as required by law)
• Location Data: Deleted after 30 days
• Communication Data: Retained while your account is active and for 1 year after account closure
• Payment Information: Processed and retained by Stripe according to Stripe's data retention policy

8. Children's Privacy

Our Service is not intended for children under 13. We do not knowingly collect personal information from children under 13.

9. International Transfers

Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes.