Privacy Policy
Last updated:
This policy describes what Peer Attestation ("we") collects about you, how we use it, and what rights you have. It applies to the Peer Attestation website and services.
1. What we collect
1.1 Information you give us
- Account basics: email address, chosen handle, display name, optional bio, location, trading categories.
- Identity proofs: phone number, eBay / TCGplayer handles, and similar verification signals you choose to add. We store a peppered hash of the value (not the raw value) for uniqueness checks. The raw value we receive briefly during verification is not retained afterward.
- Trade records: descriptions of off-platform trades you report, amounts, counterparty email or handle, and screenshots or receipts you upload.
- Attestation responses: when a counterparty confirms, disputes, or denies a trade, we record their response, their email, and their rating / notes if provided.
- Support correspondence: messages you send to our support address.
1.2 Information collected automatically
- Session signals: login timestamps, IP address, user-agent string, referrer.
- Usage telemetry: pages viewed, actions taken. We do not use third-party analytics in v1. We do use an internal events table to study onboarding drop-off.
- Cookies: see our Cookie Policy. We use only functional cookies.
- Error traces: when the app crashes, we capture a stack trace. Email addresses, phone numbers, and identity-proof values are stripped before the trace reaches our error-tracking provider.
2. How we use your information
- To run the Service: authenticate you, display your profile, compute your trust score.
- To verify trades: deliver attestation request emails and record responses.
- To enforce uniqueness and prevent fraud: identity-proof hashes let us detect the same phone or eBay handle being used across multiple accounts.
- To communicate: transactional email about your account, security alerts, and in-product notifications. We do not send marketing email in v1.
- To improve the Service: internal analytics of aggregated, non-identifying usage patterns.
- To comply with law: responding to lawful government requests and protecting our rights.
3. How long we keep it
- Active accounts: while your account exists.
- Deleted accounts: personal identifiers are erased within 30 days of deletion. Pseudonymous records (trade hashes, attestation outcomes) may be retained to preserve the integrity of other users' trade history.
- Auth tokens: magic-link tokens expire within 30 minutes; we purge them within 24 hours of expiry.
- Backups: encrypted backups are retained up to 30 days.
- Server logs: up to 30 days.
- Fraud records: account bans and related evidence may be retained for up to seven years to prevent repeat abuse.
4. Who we share with
We use the following third-party processors. We have data-processing arrangements with each and share only what they need.
- Supabase — database, auth, object storage. Data stored in the US region.
- Resend — transactional email delivery. Recipient addresses and message bodies flow through Resend.
- Twilio — phone OTP delivery when you verify a phone number (optional).
- Google (Gemini API) — optional OCR of trade screenshots when you upload one. Disabled unless you opt in.
- Sentry — error tracking. Emails, phone numbers, and identity-proof values are scrubbed before they reach Sentry.
- Vercel — hosting. Vercel sees HTTP request metadata.
We do not sell your personal information. We do not share it with advertising networks.
5. Your rights
Depending on where you live, you may have rights under the GDPR, UK GDPR, or state privacy laws (CCPA / CPRA, VCDPA, CPA, CTDPA, UCPA).
- Access: request a copy of the data we hold about you.
- Deletion: request deletion of your account and personal data, subject to the retention exceptions above.
- Correction: fix inaccurate data.
- Portability: export your trade history and profile in a common machine-readable format.
- Objection and restriction: object to certain processing or request restriction.
- Opt-out of targeted advertising or sale: not applicable in v1 — we do not sell data or run targeted ads.
- Complain to a regulator: you may lodge a complaint with your local data protection authority.
To exercise any of these rights, email privacy@example.com with the words "Privacy Request" in the subject line. We reply within 30 days.
6. International transfers
Our primary data stores are in the United States. If you use the Service from the European Economic Area, the United Kingdom, or another region, your data will be transferred to the US. Where required, we rely on Standard Contractual Clauses or equivalent safeguards.
7. Security
We encrypt data in transit (HTTPS) and at rest. We hash identity-proof values with a server-side pepper that never leaves our servers. Access to production data is limited to named engineers with auditable logs. No system is perfectly secure; if we learn of a material breach affecting your data, we will notify you in accordance with applicable law.
8. Children
The Service is not intended for anyone under 18. If you believe a minor has created an account, email us and we will investigate and delete the account.
9. Changes to this policy
We will update this page and change the "Last updated" date when we make material changes. If the change affects how we process your personal data, we will notify you by email.
10. Contact
Privacy requests: privacy@example.com
Other: support@example.com
Changelog
- — Initial version.