Your data, plainly

Privacy Policy

We collect the minimum needed to sell you a device, buy back your old one, and run our accounts — and we don't sell your personal information. Here's the full picture.

Last updated: July 1, 2026

What we collect

  • Order details — name, email, shipping address, and what you bought. Card numbers go directly to Stripe and never touch our servers.
  • Account data — email, password hash (we can't read your password), saved address, order history. Sign-in with Google shares your name, email and avatar with us.
  • Trade-in details — contact info, device descriptions and payout details (PayPal email or bank details) you provide to get paid.
  • Wholesale applications — company and contact details you submit.
  • Device data on trade-ins — we factory-wipe every device on arrival to industry data-sanitization practice; we don't browse or retain your content.
  • Technical basics — standard server logs (IP, user-agent) for security and rate-limiting. Cart, wishlist and recently-viewed live in your own browser's storage, not on our servers.

How we use it

  • Fulfilling orders, trade-ins and warranty claims — including transactional email (order confirmations, shipping notices, trade-in status).
  • Account management, fraud prevention and abuse rate-limiting.
  • Legal obligations — tax records, and lawful requests concerning lost/stolen devices.
  • We do not sell or rent personal information, and we don't send marketing email without your consent.

Who we share with

  • Stripe — payment processing.
  • Resend — transactional email delivery.
  • Shipping carriers — name and address, to deliver your order.
  • Our database host — encrypted storage of the data above.
  • Authorities where the law requires it (e.g. stolen-device reports).

Retention & security

Order and trade-in records are kept as long as tax law requires; account data until you delete your account. Passwords are bcrypt-hashed, connections are TLS-encrypted, and payment data is handled entirely by Stripe (PCI-DSS Level 1).

Your choices & rights

  • Access, correct or delete your data — from your account page or by contacting support.
  • California residents: we don't sell personal information as defined by the CCPA/CPRA; you still have the rights to know, delete and correct, exercisable via support.
  • EU/UK visitors: our lawful bases are contract (orders), legitimate interest (security) and consent (optional email); you may lodge complaints with your local supervisory authority.

To exercise any of these, reach us via the help page.

Questions about this policy? Contact support — we answer within one business day.