Privacy Policy
Effective Date: April 15, 2025 · Last Updated: April 15, 2025
SurplusNest, Inc. ("SurplusNest," "we," "us," or "our") respects your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website, mobile applications, and related services (the "Platform"). Please read it carefully. By using the Platform, you consent to the practices described here.
1. Information We Collect
1.1 Information You Provide
- Account data: name, email address, password (hashed — never stored in plain text), phone number (optional), zip code, and profile photo.
- Listing data: item title, description, photos, price, category, and approximate location (zip code / neighborhood — never your exact GPS coordinates).
- Messages: content of conversations between users on the Platform.
- Reviews & ratings: text and star ratings you submit for other users.
- Payment data: billing details processed by Stripe. We do not store full card numbers; Stripe handles PCI compliance.
- Identity verification: government ID documents (only if you elect ID verification).
1.2 Information Collected Automatically
- Usage data: pages visited, features used, search queries, listing views, clicks, and session duration.
- Device & log data: IP address, browser type, operating system, device identifiers, and crash reports.
- Cookies & similar technologies: see Section 6 below.
1.3 Information from Third Parties
- Location data enriched from your zip code via publicly available geocoding services (approximate city/state only).
- Payment transaction data from Stripe.
2. How We Use Your Information
We use your information to:
- Create and manage your account and authenticate you securely.
- Enable you to post listings, message other users, and complete transactions.
- Show listings and content relevant to your location and preferences.
- Process payments and send receipts.
- Send transactional emails (account verification, password reset, transaction confirmations).
- Send service updates and, with your consent, promotional communications. You may opt out at any time.
- Detect, investigate, and prevent fraud, abuse, and security incidents.
- Enforce our Terms of Service and community guidelines.
- Improve, personalize, and develop the Platform through analytics.
- Comply with legal obligations.
We do not sell your personal information to third parties for their independent marketing purposes.
3. How We Share Your Information
3.1 With Other Users
Your public profile (name, avatar, ratings, listings, approximate location by neighborhood or city) is visible to other users. Your exact address, phone number, and email are never shown publicly.
3.2 With Service Providers
We share data with trusted vendors who help us operate the Platform, including:
- Stripe — payment processing
- Cloudinary — image storage and delivery
- Twilio — phone number verification (OTP)
- Resend — transactional email delivery
- Neon / PostgreSQL — database hosting
- Upstash / Redis — caching and session management
These vendors are contractually obligated to use your data only to provide services to us and in accordance with this Policy.
3.3 Legal Requirements
We may disclose your information if required by law, subpoena, court order, or government authority, or if we believe disclosure is necessary to: (a) comply with a legal obligation; (b) protect the rights or safety of SurplusNest, our users, or the public; or (c) detect or prevent fraud or security issues.
3.4 Business Transfers
If SurplusNest is involved in a merger, acquisition, or asset sale, your information may be transferred as part of that transaction. We will notify you via email or prominent notice before your data becomes subject to a different privacy policy.
4. Data Retention
We retain your personal data for as long as your account is active or as necessary to provide services. You may request deletion of your account at any time via Settings or by emailing privacy@surplusnest.com. Upon deletion:
- Your profile, listings, and messages are removed from public view within 30 days.
- We retain certain data for up to 7 years to comply with tax, legal, and fraud-prevention obligations.
- Aggregated, de-identified analytics data may be retained indefinitely.
5. Data Security
We implement industry-standard security measures including:
- Passwords hashed with bcrypt (cost factor 12) — we never store plain-text passwords.
- Access tokens expire after 15 minutes; refresh tokens are stored as SHA-256 hashes.
- All data transmitted over HTTPS / TLS 1.2+.
- Database access restricted by IP allowlist and role-based permissions.
- Regular security reviews and dependency updates.
No method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security. In the event of a data breach that affects your rights, we will notify you as required by applicable law.
6. Cookies & Tracking Technologies
We use the following types of cookies and similar technologies:
- Essential cookies: required for authentication and core functionality. Cannot be disabled without breaking the service.
- Analytics cookies: help us understand how users interact with the Platform (e.g., page views, session length). We use anonymized data only.
- Preference cookies: remember your settings (e.g., view mode, filters).
You can control cookies through your browser settings. Disabling essential cookies will impair Platform functionality. We do not use cookies to build advertising profiles or sell data to ad networks.
7. Your Privacy Rights
7.1 All Users
- Access: request a copy of the personal data we hold about you.
- Correction: update inaccurate data via account Settings or by contacting us.
- Deletion: request deletion of your account and associated data.
- Opt-out of marketing: unsubscribe from promotional emails at any time via the link in the email or in Settings.
7.2 California Residents (CCPA / CPRA)
Under the California Consumer Privacy Act, California residents have the right to:
- Know what personal information we collect, use, and disclose.
- Delete personal information (subject to certain exceptions).
- Opt out of the "sale" or "sharing" of personal information. We do not sell or share your personal information for cross-context behavioral advertising.
- Not be discriminated against for exercising your rights.
- Correct inaccurate personal information.
- Limit use and disclosure of sensitive personal information.
To exercise these rights, contact us at privacy@surplusnest.com with the subject line "CCPA Request." We will respond within 45 days.
7.3 Other U.S. State Privacy Laws
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and other states with comprehensive privacy laws may have similar rights. Contact us at privacy@surplusnest.com to exercise those rights.
8. Children's Privacy (COPPA)
SurplusNest is not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal data, please contact us at privacy@surplusnest.com and we will delete it promptly.
9. International Users
SurplusNest is operated in the United States. If you access the Platform from outside the U.S., your information will be transferred to and processed in the U.S. By using the Platform you consent to this transfer. We endeavor to comply with applicable data protection laws in all jurisdictions where we operate.
10. Third-Party Links
The Platform may contain links to third-party websites or services. This Privacy Policy does not apply to those sites. We encourage you to review the privacy policies of any third-party services you visit.
11. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated via email or prominent notice on the Platform at least 14 days before they take effect. The "Last Updated" date at the top of this page reflects the most recent revision. Continued use of the Platform after the effective date constitutes acceptance of the updated Policy.
12. Contact Us
For privacy questions, data requests, or concerns, contact our Privacy Team:
SurplusNest, Inc.
Email: privacy@surplusnest.com
Subject line: "Privacy Request"
We aim to respond to all privacy inquiries within 30 days.