Privacy Policy
Last updated: May 23, 2026
Beanie Xchange (“Beanie Xchange,” “we,” “us,” or “our”) operates the website at beaniexchange.com (the “Service”), an online marketplace for buying, selling, authenticating, and grading Beanie Babies. This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and the rights you have over it. By creating an account or otherwise using the Service, you agree to the practices described here.
1. Information we collect
We collect information in three ways:
1.1 Information you give us
- Account information: name, email address, password (stored only as a one-way bcrypt hash), and your purpose for using the Service (buying, selling, or both).
- Profile and shipping information: street address, city, state, and ZIP/postal code for shipping listings and authentication submissions.
- Listing content: photos, descriptions, condition notes, prices, certificate IDs, and other content you submit when you create a listing or authentication request.
- Communications: messages you send us through support channels.
1.2 Information from payments
Payments on Beanie Xchange are processed by Stripe, Inc. We do not see, store, or transmit your full card number, CVC, or bank account details. Stripe provides us a token reference, the last 4 digits of the payment method, and the payment status (authorized, captured, refunded, failed). Sellers who set up payouts complete Stripe Connect Express onboarding directly with Stripe; that flow may collect identity and tax information governed by Stripe's Privacy Policy.
1.3 Information collected automatically
- Session cookies: a first-party cookie set by our authentication system to keep you signed in.
- Analytics cookies (Google Analytics 4): we use Google Analytics 4 to understand aggregate site traffic — which pages people visit, how they arrived, and how long they stay. Google Analytics sets first-party _ga/_ga_* cookies and sends pseudonymized event data to Google. IP addresses are truncated by Google for privacy. We have not enabled Google Signals, Demographics, or advertising features. See Google's Privacy Policy for how Google handles this data. We do not use third-party advertising trackers.
- Server logs: IP address, user agent, request paths, timestamps, and response codes for security, abuse prevention, and debugging.
- CDN telemetry: aggregate traffic and threat metrics from Cloudflare (our CDN/DNS provider).
2. How we use information
- To operate the Service: create accounts, host listings, process orders, run escrow, route shipments, and issue certificates of authenticity.
- To authenticate, grade, and assign registry numbers to items submitted for Beanie Xchange Authentication.
- To prevent fraud, identify counterfeit listings, detect abuse, and enforce our Terms.
- To communicate transactional updates (order status, shipment, authentication results, payout notifications).
- To comply with legal obligations, respond to lawful requests, and protect our rights and the rights of others.
We do not sell your personal information, and we do not use it for targeted advertising on or off our Service.
3. Who we share information with
We share the minimum information necessary with the following service providers:
- Stripe — payment processing, payouts, and anti-fraud.
- Neon — managed PostgreSQL database hosting.
- Fly.io — application hosting.
- Cloudflare — DNS, CDN, and edge security.
- Cloudflare R2 — listing photo storage.
- Google (Google Analytics 4) — pseudonymized usage analytics. We send page views and event metadata, not your account profile.
We may also disclose information when required by law, subpoena, or court order; to investigate fraud or violations of our Terms; or to protect the rights, property, or safety of Beanie Xchange, our users, or the public. In the event of a merger, acquisition, or asset sale, your information may be transferred to the acquiring entity subject to this Privacy Policy.
4. Cookies and tracking
We use two categories of cookies:
- Strictly necessary: a first-party session cookie to keep you signed in. Blocking this will prevent sign-in.
- Analytics (Google Analytics 4): first-party _ga and _ga_* cookies that store a pseudonymized client identifier so Google Analytics can deduplicate page views and sessions. You can opt out using the Google Analytics Opt-out Browser Add-on or by blocking these cookies in your browser.
We do not embed third-party advertising trackers, retargeting pixels, or social-media widgets. You can clear or block any cookie through your browser at any time.
5. Data retention
We keep account, listing, order, and authentication-request records for as long as your account is active and for a reasonable period afterward to comply with tax, accounting, fraud-prevention, and dispute-resolution obligations. You may request deletion of your account at any time, subject to legal retention requirements.
6. Security
We use industry-standard safeguards: HTTPS everywhere, bcrypt password hashing, environment-isolated secrets, signed webhook verification, and least-privilege database access. No internet-based service is perfectly secure, and we cannot guarantee absolute security.
7. Your rights
You may at any time:
- Access the personal information in your account through your dashboard.
- Correct or update your name, email, address, or profile information.
- Request export of your data or deletion of your account.
- Opt out of non-essential email; transactional messages cannot be opted out of while you have active orders.
To exercise these rights, email privacy@beaniexchange.com. We respond within 30 days.
8. California residents (CCPA / CPRA)
If you reside in California, you have the right to (a) know what categories of personal information we collect and the purposes for which it is used; (b) request access to and deletion of your personal information; (c) opt out of any sale or sharing of your personal information; and (d) not be discriminated against for exercising these rights. We do not sell or share personal information as those terms are defined under the CCPA/CPRA.
9. EU / UK residents (GDPR / UK GDPR)
If you are in the European Economic Area or the United Kingdom, our lawful bases for processing your personal information are (i) performance of our contract with you (operating the marketplace), (ii) our legitimate interests in preventing fraud and improving the Service, (iii) compliance with legal obligations, and (iv) your consent for any purpose where consent is required. You have the right to access, rectify, erase, restrict, port, and object to processing of your personal data, and to lodge a complaint with your local data-protection authority.
10. Children
The Service is not directed to children under 13, and we do not knowingly collect personal information from anyone under 13. If you believe a child has provided us personal information, contact us and we will delete it.
11. International transfers
Beanie Xchange is operated from the United States. By using the Service, you understand that your information may be transferred to and processed in the United States and other countries that may have different data-protection laws than your country of residence.
12. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date at the top and, for material changes, notify you by email or by posting a prominent notice on the Service. Continued use of the Service after a change constitutes acceptance of the updated policy.
13. Contact
Privacy questions: privacy@beaniexchange.com.
See also our Terms of Service.
