Privacy Policy

Disc.Market ("Disc.Market," "we," "us") operates an online marketplace where independent third-party sellers ("Pro Shops" or "vendors") list disc golf products for sale. We don't manufacture, warehouse, or ship the products listed on the platform ourselves. We do process payments, handle shipping logistics, and provide the software that connects buyers and sellers.

This Privacy Policy explains what personal information we collect when you use disc.market, our mobile apps, and our related services (together, the "Services"); how we use it; who we share it with; and the choices and rights you have regarding that information.

By creating an account, listing a product, making a purchase, or otherwise using the Services, you consent to the practices described in this policy. If you don't agree, please don't use the Services.

1. Information you provide directly

When you create a buyer account

• Email address, optional username and display name
• Password (stored hashed by Supabase Auth — we never see it)
• Optional profile photo

When you make a purchase

• Shipping address (name, street, city, state, ZIP) — stored per order and optionally saved to your address book
• Order history (items, prices, taxes, shipping, totals — all in integer cents)
• Payment method details — handled entirely by Stripe; we store only the Stripe payment intent ID, not card numbers, tokens, or CVV

When you apply to be a vendor

• Legal first and last name, email, phone, country, state
• Pro Shop name and description
• Business background: prior selling experience, monthly volume, links to existing stores (eBay, Facebook, etc.)
• Identity verification information is handled by Stripe Connect during payout onboarding — we don't see your SSN, EIN, or bank account numbers
• Your electronic signature on the Vendor Agreement, together with your IP address and timestamp

When you communicate with us or other users

• Buyer ↔ vendor messages, attachments, and read timestamps
• Support tickets, live chat transcripts, and any attachments you send
• Product reviews, review photos, and review replies

2. Information we collect automatically

• Usage data: pages viewed, products clicked, search terms, filter selections, and session timestamps — collected via our analytics tools
• Device info: browser type, operating system, approximate geographic region (derived from IP), screen size
• Push notification tokens: if you enable notifications in our mobile app, Firebase Cloud Messaging issues a device-specific token we store to deliver push notifications
• Log data: IP addresses, user agent strings, and request timestamps — used for rate limiting, fraud prevention, and debugging

3. Information we generate about you

• Vendor performance metrics: rating average, on-time-ship rate, total shipments, late shipments
• Order and payout status history
• Moderation flags (e.g., a banned account, a hidden product, a resolved report)

We use the information we collect to:

Operate and provide the marketplace

• Create and authenticate your account
• Enable buyer ↔ vendor transactions, messaging, and reviews
• Process payments, calculate sales tax, and facilitate vendor payouts through our escrow flow
• Generate shipping labels, track packages, and confirm deliveries
• Send transactional communications: order confirmations, shipping updates, dispute notifications, password resets, and vendor agreement receipts

Keep the marketplace safe and fair

• Detect and prevent fraud, unauthorized access, abuse, and harassment
• Enforce our Terms of Service and vendor agreements
• Apply content moderation (prohibited terms, restricted items, suspicious patterns)
• Track sales tax nexus across all 50 U.S. states so we register and remit in new states when thresholds are reached

Improve and personalize the experience

• Analyze usage patterns to fix bugs, prioritize features, and improve search and discovery
• Personalize product recommendations and recently-viewed lists
• Populate AI-assisted product-fill suggestions for vendors (see section below)

Communicate with you

• Respond to support requests
• Send you information about your account, your orders, or your vendor performance
• Send marketing or promotional messages only if you've opted in (via the newsletter sign-up). You can unsubscribe any time via the link in those emails.

Comply with legal obligations

• Retain order and tax records as required by law
• Respond to lawful subpoenas, court orders, and legal process
• Issue 1099-K tax forms to vendors who exceed IRS reporting thresholds

We use artificial intelligence and automated processing in two specific, limited ways. Neither makes decisions that legally or significantly affect you without a human in the loop.

AI Product Auto-Fill (vendors only)

When a vendor uploads photos of a disc and clicks "Auto-Fill," we send the image URL (hosted on our public CDN) and the partial product title (if any) to OpenAI's GPT-4o vision API. OpenAI returns predicted product attributes (brand, mold, plastic, color, ink status, weight, condition) that we present as suggestions in the vendor's draft product form. The vendor reviews and edits before publishing; no product is listed without the vendor's explicit confirmation.

We log the call (vendor ID, model, tokens used, cost, whether the vendor applied any suggestions) for budgeting and quality measurement. We do not use your data to train OpenAI's models, and we ask OpenAI not to retain data beyond the configured retention window per their enterprise terms.

AI-Assisted Support Reply Drafts (admin use only)

When our support team drafts a reply to a ticket, they may generate a draft using GPT-4.1-mini. The draft is always reviewed and sent by a human staff member; it is never emailed to you automatically.

Automated moderation

We use an automated word-filter system to screen product titles, descriptions, reviews, and messages for prohibited content (hate speech, scam patterns, contact info to circumvent the platform, etc.). Matches result in a flag for human review, not an automatic account action, except for our permanent-ban categories (slurs and hate speech) which block submission at the form level.

We do not sell your personal information, and we do not rent or trade it for advertising. We share it only with the people and services we need to run the marketplace.

With the vendor you buy from

When you place an order, the vendor fulfilling that order receives: your display name, shipping address, the items ordered, the order number, and (once you message them) any messages you send. Vendors do not receive your email address or payment details directly — communication flows through our messaging system.

With third-party service providers

The following processors help us deliver the Services. Each has its own privacy policy linked below:

Provider	What they receive	Purpose
Stripe	Payment details, order totals, vendor Connect account IDs	Process buyer payments and vendor payouts
EasyPost	Shipping addresses, package details, tracking numbers	Generate labels, get calculated rates, update tracking
Resend	Your email and the content of transactional emails	Deliver order confirmations, shipping updates, etc.
Supabase	Account records, database contents, auth sessions	Authentication and database hosting
Firebase (Google)	Push notification tokens and payloads	Deliver mobile push notifications
Cloudflare	Product, profile, and review images you upload	Image hosting and delivery
OpenAI	Image URLs and partial product titles (vendors only; AI Auto-Fill feature)	Generate product-attribute suggestions
Google Analytics / Tag Manager	Page views, clicks, e-commerce events	Platform analytics
Vercel	Request logs, page-load metrics	Hosting, performance monitoring
Sentry	Error stack traces, affected user ID, request context	Error monitoring

For legal reasons

We may disclose information if required by law (subpoena, court order, government request) or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, or to investigate fraud or violations of our Terms.

In a business transfer

If Disc.Market is acquired, merged, or reorganized, your information may transfer to the successor organization, subject to the protections of this policy (or we'll notify you and offer a choice to delete your data before the transfer closes).

All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. Card numbers, CVV codes, and bank account details never touch Disc.Market's servers — they go directly to Stripe via their client-side SDK over TLS.

Our marketplace operates on an escrow model. When you place an order, Stripe charges your card and the funds land in Disc.Market's platform account. The vendor is not paid immediately. Once delivery is confirmed and a 3-day dispute window passes, we instruct Stripe to transfer the vendor's share to their connected Stripe account (minus our 10% platform fee on the item + shipping subtotal — never on tax). You can read more about this in our Terms of Service and Refund & Returns Policy.

This escrow design protects you: if something goes wrong before delivery, we can refund you directly from the funds on file, without needing to recover them from the vendor.

We use the following types of cookies and similar technologies:

Strictly necessary

Login sessions, shopping cart persistence, CSRF protection. These cannot be disabled without breaking core functionality.

Functional

Product-browsing history, recently-viewed list, UI preferences like list-vs-grid view. Optional.

Analytics

Google Analytics and Vercel Analytics help us understand traffic patterns and page performance. Data is aggregated and does not contain your name or email.

Global Privacy Control

We honor the Global Privacy Control (GPC) signal. If your browser sends GPC, we treat it as an opt-out of analytics and a "do not sell or share" signal under CCPA/CPRA.

What we don't use

We do not use cross-site advertising cookies or share data with ad networks for retargeting.

We retain different kinds of information for different periods:

• Account records: for the life of your account. If you delete your account, we anonymize your email, username, and display name, but retain a minimal record tied to your past orders for financial and tax compliance.
• Order records: indefinitely, for tax reporting, dispute resolution, and regulatory compliance (state sales-tax audits are open for up to 7 years in some states).
• Live-chat messages: approximately 30 days, then auto-deleted by a scheduled cleanup job.
• Server logs and error reports: 30–90 days (Sentry and Vercel retention).
• Analytics data: per Google Analytics' default retention (currently 14 months).
• Backups: encrypted database backups are retained per Supabase's backup policy.

You always have the following rights, regardless of where you live:

• Access: request a machine-readable copy of the personal information we hold about you. Account settings → "Export my data" downloads a JSON archive including your profile, addresses, orders, reviews, favorites, conversations, and support tickets.
• Correction: edit your profile, display name, avatar, and saved addresses at any time from your account settings.
• Deletion: delete your account from account settings. We anonymize your personally identifying information and delete your cart, favorites, and non-essential records. Order history and financial records are retained as required by law (see Data Retention above).
• Unsubscribe from marketing: every marketing email has an unsubscribe link; you can also toggle it off from your account settings. Transactional emails (order confirmations, dispute notifications, etc.) continue — these are not marketing.
• Turn off analytics: use your browser's Do Not Track / Global Privacy Control, or a privacy extension. We honor GPC platform-wide.

California residents (CCPA / CPRA)

If you're a California resident, you additionally have the right to: know what categories of personal information we collect and the purposes; request deletion; correct inaccurate data; opt out of "sale" or "sharing" of your personal information (we don't sell or share it, but the right is absolute); and not be discriminated against for exercising these rights. To exercise these rights, email privacy@disc.market.

EU / UK / EEA residents (GDPR / UK GDPR)

If you're in the EU, UK, or EEA, you have the additional rights to: restrict processing, object to processing based on legitimate interests, data portability, and to lodge a complaint with your local supervisory authority. Our legal basis for processing is: contract (to operate the marketplace), legitimate interests (fraud prevention, security, service improvement), consent (marketing emails, optional analytics), and legal obligation (tax, records retention).

International data transfers rely on standard contractual clauses where required. The Services are operated from the United States.

Disc.Market is intended for adults. The Services are not directed to children under 13, and we do not knowingly collect personal information from anyone under 13. If we become aware that we've received personal information from a child under 13 without verifiable parental consent, we will delete it. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@disc.market and we'll take prompt action.

Users between 13 and 18 should only use the Services with involvement of a parent or guardian, especially when making purchases. Vendor accounts require users to be at least 18.

We take reasonable and appropriate measures to protect your information, including:

• TLS (HTTPS) encryption for all traffic between your browser and our servers
• Password hashing via Supabase Auth (never stored in plaintext)
• Row-level authorization enforced in our application layer for every request
• Rate limiting on authentication, messaging, and mutation endpoints to prevent abuse
• Idempotent handling of Stripe webhook events to prevent double-charges and duplicate payouts
• Regular dependency scans and security updates
• Encrypted database backups via our infrastructure providers

Despite these measures, no online service is 100% secure. In the event of a security incident that affects your personal information, we will notify you and any required regulators without undue delay and in accordance with applicable law.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business. When we do, we'll revise the "Last updated" date at the top of this page. If changes are material, we'll also post a notice on the homepage and email users with active accounts at least 7 days before the changes take effect. Your continued use of the Services after the effective date constitutes acceptance of the updated policy.

For privacy-specific questions, data-rights requests, or complaints:

• Email: privacy@disc.market
• General support: support@disc.market
• Contact form: disc.market/contact

We aim to respond to all privacy inquiries within 10 business days, and to data-rights requests within 30 days (or sooner if required by law).