Privacy Policy
Version v1.0 — Effective 2026-05-03
DRAFT — pending counsel review. Per-state privacy law compliance (CCPA, VCDPA, CPA, CTDPA, UCPA, plus the 2024-2026 additions in TX, OR, MT, IA, DE, NJ, NH, MN, MD, RI, KY, IN, TN) requires localization before launch.
What we collect
- Account information. Email, username, hashed password, mobile phone (for SMS verification), state of residence, ZIP code.
- Listing content. Titles, descriptions, prices, photos, location hints you provide.
- Messages. Buyer–seller messages routed through the platform.
- Technical data. IP address, user-agent, geolocation derived from IP, session cookies, device characteristics.
- Usage data. Pages viewed, search queries, click events, listing views.
- Sensitive data. Firearms ownership data is treated as a sensitive category under several state privacy regimes.
How we use it
- To operate, secure, and improve the platform
- To verify users are real (SMS, IP-state matching)
- To moderate listings (algorithmic and human review)
- To send transactional emails (account, listings, messages)
- To respond to legal process
How we share it
- Service providers processing data under contract (Twilio for SMS, Postmark for email, Cloudflare for CDN, Anthropic for moderation).
- Legal and safety — to comply with valid legal process or to investigate fraud/abuse.
- We do not sell or share for cross-context behavioral advertising.
Your rights
Depending on your state of residence, you may have rights to:
- Know what we collect about you
- Access or download your data
- Correct inaccuracies
- Delete your data
- Opt out of profiling and sale/sharing (we do not sell or share)
- Limit use of sensitive personal information
To exercise these rights, email privacy@example.com. We will respond within 45 days.
Universal opt-out
We honor the Global Privacy Control (GPC) browser signal where applicable.
Data retention
- Account data — until account deletion + 30 days
- Listing data — 30 days after expiration or deletion
- Messages — 1 year
- Audit logs — 7 years (legal/compliance)
Security
We use TLS in transit, encryption at rest for credentials, and standard defense-in-depth practices. No system is perfectly secure.
Children
We do not knowingly collect data from anyone under 18. The Service is age-restricted.
Changes
Material changes are communicated via email and in-app notice.
Contact
privacy@example.com