Privacy Policy
Last updated: May 2026
1. Data We Collect
Account Information: We collect your name, email address, and password when you create an account, plus optional profile fields (handicap, location, bio, "what's in the bag", profile photo) that you choose to add.
Phone Number (for Trusted verification): If you complete phone verification, we receive your phone number from Firebase Authentication after you confirm an SMS code. We store the phone number on your profile so you can prove account ownership and so we can display a Trusted badge. Firebase / Google receives the phone number and a reCAPTCHA token during the SMS dispatch; GolfTradr never receives the underlying SMS code.
Identity Verification Status (for GT Verified): If you start the GT Verified flow, Stripe Identity collects and processes a government identity document and a selfie image directly. GolfTradr only receives a verification outcome (verified / requires_input / canceled) via a signed Stripe webhook. We do not see, receive, or store your document or selfie images.
Subscription and Payment Information: When you start a free trial or subscribe, we receive a Stripe customer ID, subscription status, plan (monthly, quarterly, or annual), trial end date, current billing period end date, and the last 4 digits of your payment card. Full card numbers, expiration dates, and CVV codes are handled entirely by Stripe and never reach our servers.
Listing Information: We collect details about items you list for trade, including photos, descriptions, valuations, and the original source URL when a listing was imported from another marketplace.
Communication Data: We collect messages exchanged between users for trade negotiations, dispute resolution, and trade-related email notifications sent via Resend.
Trade Records: We collect and retain trade history including proposer/recipient identities, agreement signatures, tracking numbers, drop-off photos, dispute filings, and reviews.
Saved Searches and Search History: We collect saved search criteria so we can send you an email or push notification when a new listing matches. We also log search queries (lowercased, normalized) so the search bar can show trending and recent suggestions; search logs are aggregated and not linked back to your account on the public surface.
Referral Data: We collect referral relationships (which user referred you, conversion status) so we can apply the free-month reward when a referred user starts a paid plan.
Push Notification Tokens: If you opt in to web push notifications, we store the browser-issued endpoint and subscription keys so we can dispatch listing-match alerts and trade notifications.
Usage Data: We collect information about how you use our platform, including page views, listing view counts, and interaction patterns.
1b. Additional Data
Photo and Image Data: Photos and images uploaded for listings, profile avatars, trade ship photos, and dispute evidence are stored in Google Cloud Storage. Images are served through time-limited signed URLs that expire after seven days.
Location Information: Location information provided in listings.
Device Information: Device and browser information collected automatically.
Cookies: Cookies and similar tracking technologies used for session management and analytics.
2. How We Use Your Data
Service Provision: We use your data to provide the trading platform, facilitate trades, and communicate with you about your account.
Subscription Processing: We use your Stripe customer ID and subscription record to grant or restrict access to subscriber-only features (messaging, trade proposals, seller profiles, watchlist, inbox), to process recurring billing, and to send billing-related emails such as trial-ending reminders and payment-failure notices.
Trade Facilitation: We use listing and communication data to help you find trading partners and complete trades.
Safety & Security: We use your data to prevent fraud, resolve disputes, and ensure platform safety.
Improvement: We use usage data to improve our services and develop new features.
2b. Third-Party Services
We use the following third-party services that may collect or process your data:
- Supabase - primary database, authentication, and realtime updates
- Google Cloud Storage - listing photos, avatars, trade and dispute photos (current image storage)
- Cloudinary - legacy image storage; pre-migration listing photos and the GolfTradr logo are still served from Cloudinary's CDN
- Stripe - subscription payments, bump and featured listing payments, and Stripe Identity for GT Verified document checks
- Firebase Authentication (Google) - phone-number SMS verification for the Trusted badge
- Google APIs - Sheets/Drive integration for admin financial-summary exports (admin only)
- Resend - transactional email delivery
- Vercel - web hosting and edge content delivery
Each service has its own privacy policy governing its data use.
3. Payment Processing & Security
Stripe Integration: All payment processing (subscription charges, trial initiations, billing portal access, and any trade-related charges) is handled through Stripe, a PCI-compliant payment processor. By subscribing you are subject to Stripe's privacy policy in addition to ours.
Data Shared With Stripe: We share your email address, Supabase user ID, and selected plan with Stripe to create and manage your subscription. We receive back a Stripe customer ID, subscription ID, subscription status, trial/period end timestamps, and the last 4 digits of your card, which we store in our subscriptions database.
No Card Storage: GolfTradr never sees or stores full credit card numbers, expiration dates, or CVV codes. Those are handled entirely by Stripe.
Webhook Verification: Payment events (subscription created, updated, canceled, payment succeeded, payment failed, trial ending) are received from Stripe via a signed webhook. All events are cryptographically verified before being applied to your account.
Encryption: All data transmission is encrypted using industry-standard SSL/TLS protocols.
4. Data Retention
Account Data: We retain your account information while your account is active and for a reasonable period after account closure.
Subscription Data: We retain your subscriptions record (including Stripe customer ID, plan, status, and billing period history) for as long as the account exists and for at least 7 years after cancellation to satisfy tax, audit, and chargeback obligations.
Trade Records: We retain trade records for 7 years to comply with legal requirements and dispute resolution needs.
Messages: We retain message history for 2 years to support dispute resolution and platform safety.
Listing Photos: Photos uploaded to Google Cloud Storage are retained for the duration of the account plus 90 days after account deletion to support open trade and dispute resolution.
Search Logs: Aggregated search-query logs are retained for 90 days for the trending-search feature. Logs are not joined back to individual user accounts.
Phone Verification: After phone verification, the verified phone number is stored on your profile. The underlying Firebase SMS code is processed and discarded by Firebase; GolfTradr never receives it. The phone number on your profile can be cleared by request to support@golftradr.com.
5. Data Sharing
Payment Processors: We share your email address, Supabase user ID, subscription plan, and related billing metadata with Stripe to process subscriptions and manage the billing portal. We do not share this information with any other third parties for payment purposes.
Legal Requirements: We may share your data if required by law, court order, or government request.
Business Transfers: If GolfTradr is sold or transferred, your data may be transferred to the new owner.
No Sale of Data: We do not sell your personal data, and we do not share your data with advertisers.
6. Your Rights
Access: You can request access to your personal data at any time.
Correction: You can request correction of inaccurate personal data.
Deletion: You can request deletion of your account and personal data, subject to legal retention requirements.
6b. Connecticut Privacy Rights
Connecticut residents have the right to:
- Know what personal data we collect
- Correct inaccurate data
- Delete personal data
- Opt out of sale of personal data (we do not sell personal data)
- Appeal our decisions regarding your privacy rights
To exercise these rights contact support@golftradr.com.
6c. COPPA Compliance
GolfTradr does not knowingly collect data from children under 13. If we discover we have collected data from a child under 13, we will delete it immediately. Users must be 18 or older to use the platform.
6d. Data Breach Notification
In the event of a data breach affecting your personal information, we will notify affected users and relevant authorities as required by Connecticut law within 72 hours of discovering the breach.
7. Privacy Contact
For privacy-related questions, data requests, or concerns about your personal information, please contact us at support@golftradr.com. We will respond to privacy requests within 2 business days.
7b. Cookies
We use essential cookies for session management and authentication. We do not use third-party advertising cookies. You can disable cookies in your browser settings, but this may affect platform functionality.
8. Do Not Track
GolfTradr does not respond to Do Not Track signals from browsers as there is no industry standard for handling such signals.
9. International Users
GolfTradr is operated from the United States. If you access our platform from outside the United States, your data will be transferred to and processed in the United States. By using our platform, you consent to this transfer.
10. Changes to Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via email or platform notification. Continued use of the platform after changes constitutes acceptance of the updated policy.
11. Contact for Legal Process
For law enforcement requests, subpoenas, or other legal process, please contact support@golftradr.com with official documentation.