Privacy Policy

FindAFlip is operated by Pierce Pokorny (“FindAFlip,” “we,” or “us”). This Privacy Policy explains what information we collect when you use our website, mobile applications, and APIs (the “Service”), how we use that information, and the choices you have. For the legal contract governing your use of the Service, see our Terms of Service.

If you have any questions about this policy or your data, contact us at 0pierce.dev@gmail.com.

We collect the following categories of information:

a. Information you provide directly

• Account information. When you register with email and password, we collect your email address, a display name, and a securely hashed password. When you register with Google Sign-In, we receive your email address, name, and Google account identifier from Google’s OAuth identity service. We do not see or store your Google password.
• Profile updates. Any changes you make to your display name or other profile fields.
• Payment information. When you subscribe to Premium, payment is processed by Stripe, Inc. We do not store your full payment card number or CVV. We store the Stripe customer identifier and subscription metadata (status, plan, period start/end) needed to manage your subscription.
• Support communications. If you contact us, we keep a record of your messages and our responses.

b. Information collected automatically

• Usage data. Searches you perform, categories you browse, listings you view, profit estimates you request, and similar in-product actions, along with timestamps.
• Device and technical data. IP address, browser type and version, operating system, device model, mobile platform and OS version, app version, language preferences, and crash logs.
• Authentication tokens. Short-lived access tokens and rotating refresh tokens stored in your browser or mobile device’s secure storage to keep you signed in.
• Cookies and similar technologies. See “Cookies” below.
• Rate-limiting data. IP addresses are used briefly to enforce anti-abuse rate limits on authentication and search endpoints.

c. Location data

With your permission, we may collect approximate or precise location data from your device (such as via mobile OS location services or IP-based geolocation) to:

• Show listings near you when supported marketplaces allow city-level filtering;
• Tailor profit estimates that incorporate regional pricing differences;
• Improve the relevance of recommendations and search results.

On mobile, we request location access through your operating system’s standard permission dialog and you may revoke it at any time in your device settings. We do not collect background location unless you explicitly opt in to a feature that requires it. We never sell location data.

d. Information from third parties

• Google. If you use Google Sign-In, Google shares your verified email, name, profile picture URL, and a stable account identifier with us as permitted by your Google account permissions.
• Stripe. Stripe shares subscription event data (e.g., checkout completion, renewal, cancellation, payment failure) so we can update your account tier.

e. Public marketplace data

The listings, prices, and item descriptions you see in the Service are aggregated from third-party marketplaces. This data describes items for sale; it is not personal data about you.

We use the information we collect to:

• Create and manage your account, and authenticate you on return visits;
• Provide the core Service (search results, profit estimates, saved items, etc.);
• Process subscription payments and manage tier (Free / Premium) state;
• Send transactional emails (account confirmation, password reset, subscription receipts, security notices) using a transactional email provider;
• Personalize content based on your location and usage patterns;
• Diagnose problems, monitor performance, and improve the Service;
• Enforce our Terms of Service and prevent fraud, abuse, and security incidents;
• Comply with applicable laws and respond to legal requests.

If you are in the European Economic Area or United Kingdom, we rely on the following legal bases under the GDPR:

• Contract — to deliver the Service you signed up for;
• Legitimate interests — to secure, improve, and operate the Service, where those interests are not overridden by your rights;
• Consent — for optional features such as location collection and any non-essential analytics or marketing;
• Legal obligation — to comply with applicable law, including tax and recordkeeping.

We do not sell your personal information. We share it only as follows:

• Service providers (data processors). Cloud hosting, database, payment processing (Stripe), authentication (Google), transactional email, error monitoring, and analytics vendors that process data on our behalf under written contracts.
• Legal and safety. When required by law, valid legal process, or to protect the rights, property, or safety of FindAFlip, our users, or the public.
• Business transfers. If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction; we will notify you of any change in ownership or material change in how your data is handled.
• With your consent. Any other sharing will be done with your explicit consent at the time.

We use a small number of essential cookies and local-storage entries to keep you signed in, remember your theme preference, and protect against cross-site request forgery. We do not currently use third-party advertising cookies. If we add analytics or advertising cookies in the future, we will update this policy and, where required, ask for your consent through a cookie banner.

We retain your account information for as long as your account is active. If you delete your account, we delete or anonymize your personal information within 30 days, except where retention is required by law (e.g., financial records for tax purposes) or necessary to resolve disputes and enforce our agreements.

Authentication refresh tokens are retained for 7 days from issuance and invalidated on logout. Listing data scraped from public marketplaces is retained for up to 30 days as active and up to 90 days as archived sold-comparable data.

We implement reasonable technical and organizational measures to protect your information, including encryption in transit (HTTPS/TLS), hashed passwords, secure token storage on mobile devices, network-level rate limiting, and access controls on our infrastructure. No system is perfectly secure; you are responsible for keeping your password and devices safe.

Depending on your jurisdiction, you may have the following rights regarding your personal information:

• Access — request a copy of the data we hold about you;
• Correction — request that we correct inaccurate data;
• Deletion — request that we delete your data, subject to limited exceptions;
• Portability — request a machine-readable export of data you provided;
• Restriction or objection — ask us to limit or stop certain processing;
• Withdraw consent — at any time, for any processing based on consent;
• Opt out of “sale” or “sharing” — for California residents under the CCPA/CPRA. We do not sell personal information.

To exercise these rights, email 0pierce.dev@gmail.com. We will respond within the timeframe required by applicable law. EEA/UK users also have the right to lodge a complaint with their local data protection authority.

We operate from Canada and may transfer, process, and store your information in countries other than your own. Where we transfer personal data out of the EEA, UK, or other regulated regions, we use appropriate safeguards such as the European Commission’s Standard Contractual Clauses.

The Service is not directed to children under 18, and we do not knowingly collect personal information from children under 18. If you believe a child has provided us with personal information, contact us and we will delete it.

The Service relies on third parties (Google, Stripe, and the marketplaces whose listings we display). Their handling of your data is governed by their own privacy policies, which we encourage you to read. We are not responsible for the practices of third parties whose services or websites you access through the Service.

We may update this policy from time to time. When we do, we will revise the “Effective date” above. For material changes we will give you reasonable advance notice by email or through an in-app notice. Continued use of the Service after the update takes effect constitutes acceptance.

Pierce Pokorny
0pierce.dev@gmail.com