Skip to main content
ZipThrifter

Pending Legal Review

This document is a draft prepared for ZipThrifter under North Carolina general law. It has not yet been reviewed by an NC-licensed attorney and should not be relied on as a final binding agreement. Final terms will be posted following counsel review.

Privacy Policy

Last updated: June 27, 2026

This Privacy Policy explains what personal information ZipThrifter collects, how we use it, who we share it with, and the choices you have. We collect the minimum we need to run the marketplace, and we never sell your personal information.

1. Who We Are

ZipThrifter (“ZipThrifter,” “we,” “our,” or “us”) operates the website at zipthrifter.com and related services (the “Platform”). For purposes of applicable privacy law, ZipThrifter is the data controller of the personal information described in this Policy.

2. Scope

This Policy applies to information we collect from Shoppers, Store account holders, and casual visitors to the Platform. It does not apply to information collected by third parties whose services you access through the Platform (for example, Stripe payment processing), which is governed by those third parties’ privacy notices.

3. Information We Collect

3.1 Information You Provide Directly

  • Account information: name, email address, password (stored only as an Argon2id hash; we cannot recover your plaintext password).
  • Shopper profile: optional phone number, home ZIP code, social media handles, communication preferences.
  • Store profile: business name, business email, business phone, business address, store hours, store photo, and verification documents you submit.
  • Listings: photographs, descriptions, prices, and any details you enter for items.
  • Reservation and pickup records: items reserved, pickup deadlines, pickup codes, in-store handoff status.
  • Messages: the content of any shopper-to-store messages, store-to-shopper messages, and support inquiries.
  • Reviews and creator content: reviews you leave for stores, posts you upload to the Hype Rack, comments, likes.

3.2 Information Collected Automatically

  • Device and connection information: IP address, browser type and version, operating system, referring URL, pages viewed, timestamps.
  • Usage data: searches you run, items you view, items you save, items you reserve, store pages you visit. This is used to power features like “Recently Viewed,” “More like this,” and basic analytics about platform health.
  • Local storage: we store your session token (a signed JWT) and a small “recently viewed” cache in your browser’s localStorage. This data is not transmitted off your device except as needed to authenticate API calls.

3.3 Information from Third Parties

  • Stripe: when you place a Reservation, Stripe processes your payment. Stripe shares with us a confirmation of payment success, a Payment Intent identifier, the last 4 digits of the card, the card brand, and the billing ZIP code. We do not receive or store your full card number, CVV, or full billing address.
  • Google Maps Platform: when stores type an address during onboarding, Google Places autocompletes the address. Google may collect typing input for that field; see Google’s privacy policy for details.
  • Resend: our transactional email provider, which delivers messages like reservation confirmations and password resets.

4. Information We Do NOT Collect

  • We do not collect Social Security Numbers, driver’s license numbers, or other government identifiers from Shoppers. (Stores submitting verification may be asked for a business EIN; see Section 7.)
  • We do not collect biometric data (fingerprints, face geometry, voiceprints).
  • We do not collect precise geolocation from Shoppers. We use your home ZIP code (which you provide) to surface nearby stores.
  • We do not knowingly collect personal information from children under thirteen (13). See Section 12.

5. How We Use Your Information

We use personal information to:

  • create and maintain your account;
  • process Reservations, payments, and pickups, including issuing pickup credentials;
  • provide customer support and respond to inquiries;
  • send transactional messages (reservation confirmations, pickup reminders, password resets);
  • send marketing or promotional messages, only when you have opted in (you can opt out anytime);
  • operate, secure, and improve the Platform (including detecting fraud, abuse, and security incidents);
  • generate aggregate analytics about Platform usage;
  • power features like Recently Viewed and More Like This, and—for signed-in shoppers—personalized ordering of your browse feed based on your favorites, purchases, followed stores, and searches (this re-orders what you see; it never hides items or changes prices);
  • moderate content (Listings, reviews, messages, Hype Rack posts) for compliance with our policies;
  • comply with legal obligations and respond to lawful requests; and
  • enforce our Terms of Service.

5.1 How Specific Data Is Used

To be concrete about the information people most often ask about:

  • Email address — to sign you in, send transactional messages (reservation confirmations, pickup receipts, password resets), and—only if you opt in—occasional marketing. You can unsubscribe from marketing at any time without affecting transactional messages.
  • Home ZIP code / location — to show you stores and items near you and to order “stores near me.” We use the ZIP you provide; we do not collect precise GPS geolocation.
  • Payment information (via Stripe) — Stripe processes your card; we receive only a payment confirmation, a Payment Intent identifier, the card brand, the last four digits, and the billing ZIP. We use these solely to match your payment to your reservation, prevent fraud, and handle refunds and disputes. We never see or store your full card number or CVV.
  • Photos you upload for AI features — when you use AI-assisted listing or photo/visual search, your image is sent to a third-party AI provider to generate the suggestion or find matches, then returned to you. See our AI Disclosure for details. We do not sell your photos.
  • Activity signals (searches, item views, favorites, follows, purchases) — to personalize your browse feed and improve search relevance for you, as described above.

6. Legal Bases (for EEA/UK/Swiss Residents)

If you are in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under the GDPR (as applicable):

  • Contract: to provide the Platform and fulfill Reservations.
  • Legitimate interests: to secure the Platform, prevent fraud, operate analytics, and improve our services. We have weighed these interests against your rights.
  • Consent: for marketing emails and other optional features. You can withdraw consent at any time.
  • Legal obligation: to comply with tax, accounting, and law-enforcement requirements.

ZipThrifter is a US-based pickup-only marketplace and is not designed to serve EEA/UK shoppers. This Section is included for completeness.

7. How We Share Information

We share personal information only as described below. We do not sell personal information.

7.1 With Stores (for Shoppers)

When you place a Reservation, we share with the relevant Store the information they need to fulfill the pickup: your first name and last initial (for verification at the counter), your pickup credential, the reserved items, and the reservation timestamp. Stores do not receive your email, phone, or home address unless you choose to message them directly through the Platform.

7.2 With Shoppers (for Stores)

Store name, business email, business phone, business address, store hours, store photograph, and listings are public on the Store’s profile page. Personal information of the store owner (other than the business contact info they choose to publish) is not shared with Shoppers.

7.3 With Service Providers

We share information with vendors that help us operate the Platform under contract:

7.4 Legal and Safety Disclosures

We may disclose personal information if we believe in good faith that disclosure is necessary to: (a) comply with a law, regulation, subpoena, or court order; (b) protect the rights, property, or safety of ZipThrifter, our users, or the public; (c) detect, prevent, or address fraud, security, or technical issues; or (d) enforce our Terms.

7.5 Business Transfers

If ZipThrifter is involved in a merger, acquisition, financing, or sale of assets, personal information may be transferred to the successor or buyer, subject to this Policy.

8. Cookies and Similar Technologies

ZipThrifter does not use third-party advertising cookies or cross-site tracking. We use:

  • Strictly necessary local storage: a signed authentication token, a small “recently viewed” cache, and short-lived state for in-progress reservations.
  • Performance monitoring: Vercel Speed Insights and Vercel Analytics, which collect anonymized page-load metrics. These do not use cookies that track you across other sites.
  • Session cookies set by Stripe during checkout (governed by Stripe).

You can clear local storage at any time through your browser settings. Doing so will sign you out and erase recently-viewed history.

9. Data Retention

We retain personal information only as long as needed for the purposes described in this Policy, or as required by law:

  • Account data: for the life of your account, plus up to ninety (90) days after deletion to handle reversal requests and billing reconciliation.
  • Transaction records (Reservations, payments, payouts): at least seven (7) years to comply with tax and accounting obligations.
  • Audit and security logs: up to two (2) years.
  • Marketing-list memberships: until you unsubscribe.
  • Anonymized aggregate analytics: indefinitely.

10. Your Rights and Choices

10.1 All Users

You may:

  • access, update, or correct the information in your account by signing in and editing your profile;
  • opt out of marketing emails by clicking “unsubscribe” in any marketing message or adjusting preferences in your account drawer;
  • delete your account by contacting help@zipthrifter.com. (A self-service deletion endpoint is in development.) Note that we may retain certain records as described in Section 9.

10.2 California Residents (CCPA / CPRA)

If you are a California resident, in addition to the rights above, you may:

  • Right to know: request a copy of the categories and specific pieces of personal information we collected about you in the past 12 months.
  • Right to delete: request deletion of personal information we collected from you, subject to certain exceptions.
  • Right to correct: request correction of inaccurate personal information.
  • Right to opt out of sale or sharing: as noted above, we do not sell personal information and do not share it for cross-context behavioral advertising.
  • Right to non-discrimination: we will not deny services, charge different prices, or provide a different level of service because you exercised your rights.

To exercise these rights, email help@zipthrifter.com with the subject “California Privacy Request.” We will verify your identity before fulfilling the request.

10.3 Other US State Residents

Residents of Virginia, Colorado, Connecticut, Utah, and other states with comprehensive consumer privacy laws have similar rights. Contact help@zipthrifter.com with the subject “State Privacy Request.”

10.4 North Carolina Data-Breach Notification

If we discover that an unauthorized person has acquired your unencrypted personal information, we will notify you in accordance with the North Carolina Identity Theft Protection Act (NCGS § 75-65). We will also notify the North Carolina Attorney General as required by law.

11. Security

We use commercially reasonable administrative, technical, and physical safeguards to protect personal information, including:

  • passwords stored as Argon2id hashes (not recoverable as plaintext);
  • TLS encryption in transit for all communication with the Platform;
  • encryption at rest by our cloud providers;
  • least-privilege access controls for ZipThrifter personnel;
  • rate limiting, IP-based throttling, and audit logging on sensitive endpoints;
  • routine independent security review.

No system is perfectly secure. We cannot guarantee that unauthorized access, hardware/software failure, or other factors will never compromise your information.

12. Children

The Platform is not directed to children under the age of thirteen (13), and we do not knowingly collect personal information from anyone under thirteen. If we learn we have collected personal information from a child under thirteen, we will delete it. Contact help@zipthrifter.com if you believe a child has provided us with personal information.

13. International Transfers

ZipThrifter is operated from the United States. If you access the Platform from outside the US, your information will be transferred to and processed in the US, where data protection laws may differ from those in your jurisdiction. By using the Platform, you consent to that transfer.

14. Third-Party Sites

The Platform may contain links to third-party websites or services. We are not responsible for their privacy practices. Review the privacy notices of any third-party services before providing personal information.

15. Changes to This Policy

We may update this Policy from time to time. The “Last updated” date at the top reflects the most recent revision. If we make material changes, we will provide additional notice (such as a banner on the Platform or an email). Your continued use of the Platform after the effective date of an updated Policy constitutes acceptance.

16. Contact

For questions or to exercise your privacy rights, contact:

ZipThrifter Privacy Team
help@zipthrifter.com