Your data, plainly
Privacy Policy
We collect the minimum needed to sell you a device, buy back your old one, and run our accounts — and we don't sell your personal information. Here's the full picture.
Last updated: July 1, 2026
What we collect
- Order details — name, email, shipping address, and what you bought. Card numbers go directly to Stripe and never touch our servers.
- Account data — email, password hash (we can't read your password), saved address, order history. Sign-in with Google shares your name, email and avatar with us.
- Trade-in details — contact info, device descriptions and payout details (PayPal email or bank details) you provide to get paid.
- Wholesale applications — company and contact details you submit.
- Device data on trade-ins — we factory-wipe every device on arrival to industry data-sanitization practice; we don't browse or retain your content.
- Technical basics — standard server logs (IP, user-agent) for security and rate-limiting. Cart, wishlist and recently-viewed live in your own browser's storage, not on our servers.
How we use it
- Fulfilling orders, trade-ins and warranty claims — including transactional email (order confirmations, shipping notices, trade-in status).
- Account management, fraud prevention and abuse rate-limiting.
- Legal obligations — tax records, and lawful requests concerning lost/stolen devices.
- We do not sell or rent personal information, and we don't send marketing email without your consent.
Who we share with
- Stripe — payment processing.
- Resend — transactional email delivery.
- Shipping carriers — name and address, to deliver your order.
- Our database host — encrypted storage of the data above.
- Authorities where the law requires it (e.g. stolen-device reports).
Retention & security
Order and trade-in records are kept as long as tax law requires; account data until you delete your account. Passwords are bcrypt-hashed, connections are TLS-encrypted, and payment data is handled entirely by Stripe (PCI-DSS Level 1).
Your choices & rights
- Access, correct or delete your data — from your account page or by contacting support.
- California residents: we don't sell personal information as defined by the CCPA/CPRA; you still have the rights to know, delete and correct, exercisable via support.
- EU/UK visitors: our lawful bases are contract (orders), legitimate interest (security) and consent (optional email); you may lodge complaints with your local supervisory authority.
To exercise any of these, reach us via the help page.
Questions about this policy? Contact support — we answer within one business day.