Privacy Policy
Last updated: February 6, 2026
Trade Up ("TradeUp Market," "we," "us," or "our") operates the Trade Up mobile application and the tradeupmarket.com website. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform.
1. Information We Collect
Account & Profile Information
When you create an account, we collect:
- Email address — used for account creation, login, and communications
- Name and username — displayed on your public profile
- Password — securely hashed; we never store plaintext passwords
- Profile photo / avatar — stored securely in our cloud storage
- Bio and location — city-level location used for marketplace proximity matching
- Account preferences and settings — your notification and privacy preferences
2. Authentication Methods
We offer multiple ways to sign in:
- Email and password — managed through our authentication provider (Supabase Auth). Passwords are cryptographically hashed and never stored in plaintext.
- Social sign-in (OAuth) — you can sign in with Google, Apple, or Facebook. When you do, we receive basic profile information (name, email, profile photo) and authentication tokens from the provider. We use the industry-standard PKCE (Proof Key for Code Exchange) flow for secure authentication.
- Biometric authentication — the app supports Face ID, Touch ID, and fingerprint unlock for quick access. Your biometric data never leaves your device. We only store a boolean flag indicating whether biometric unlock is enabled.
3. Identity Verification (KYC)
To maintain trust and safety in our marketplace, we may require identity verification. This process is handled by our third-party provider, Didit (ISO 27001 certified, GDPR compliant).
- Government-issued ID — your ID document is submitted directly to Didit for verification processing
- Selfie / liveness check — a biometric liveness check is performed by Didit to confirm your identity
- What we store — Trade Up only stores your verification status (pass or fail). We do not store your ID documents, selfie images, or biometric data from the verification process. These are processed and retained by Didit in accordance with their own privacy policy.
4. Marketplace & Transaction Data
When you use our marketplace, we collect and store the following:
- Listing data — photos, titles, descriptions, categories, pricing, and item condition
- Listing photos — stored in our secure cloud storage
- Offers and trades — cash amounts, trade items offered, offer status, and trade terms
- Trade history — records of completed, pending, and cancelled trades
- Ratings and reviews — feedback you give and receive from other users
We do not currently process payments or store credit card information directly. If we add payment processing in the future, this policy will be updated accordingly.
5. AI-Powered Features
Trade Up uses artificial intelligence to enhance your experience:
- Image recognition — listing photos may be sent to Google Cloud Vision API for automatic item categorization and content moderation (SafeSearch)
- AI-assisted descriptions — listing photos and text may be processed by OpenAI (GPT-4o mini) to generate listing descriptions and provide trade analysis
Images and text sent to these services are used solely for processing your request. These providers do not permanently store your data beyond their standard API processing retention periods. Refer to Google Cloud's Privacy Notice and OpenAI's API Data Usage Policies for details.
6. Communications Data
- In-app messaging — messages between users are stored in our database to provide chat history and facilitate trades
- Chat images — images shared in conversations are stored in our secure cloud storage
- Support conversations — communications with our support team are stored to resolve issues and improve service
7. Device & Technical Data
We automatically collect certain technical information:
- Push notification tokens — to deliver notifications about trades, messages, and account activity
- Device type and OS version — for compatibility and analytics
- App version — to ensure you have the latest features and security updates
8. Third-Party Services
We use the following third-party services to operate our platform. Each service receives only the data necessary for its function:
| Service | Purpose | Data Shared |
|---|---|---|
| Supabase | Backend infrastructure, authentication, database, file storage | All app data (as our primary infrastructure provider) |
| Didit | Identity verification (KYC) | Government-issued ID, selfie |
| Google Cloud Vision | Image analysis, content moderation | Listing photos |
| OpenAI | AI-assisted listing descriptions, trade analysis | Listing photos, listing text |
| Expo Push | Push notifications | Push tokens, notification content |
| Google / Apple / Facebook | Social sign-in (OAuth) | Auth tokens, basic profile info |
| Vercel | Website hosting | Standard web analytics (IP, user agent) |
9. Data Storage & Security
We take the security of your data seriously and implement appropriate technical and organizational measures:
- Database security — our database uses PostgreSQL with Row Level Security (RLS) policies, ensuring users can only access their own data
- File storage — uploaded images and files are stored with per-user access controls and are not publicly accessible without authorization
- Authentication — passwords are cryptographically hashed; OAuth tokens are stored securely on-device
- Data in transit — all communications between your device and our servers are encrypted via TLS/HTTPS
While we strive to protect your information, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security but are committed to following industry best practices.
10. Data Retention
We retain different types of data for different periods based on their purpose and legal requirements:
| Data Type | Retention Period |
|---|---|
| Account data | Retained until you request account deletion |
| Listing data | Retained while listing is active + 90 days after removal |
| Chat messages | Retained for 1 year after conversation is closed |
| Transaction / trade records | Retained for 3 years (legal and tax compliance) |
| KYC verification status | Retained until account deletion (raw documents handled by Didit per their retention policy) |
| Push notification tokens | Cleared when device unregisters or token becomes invalid |
| AI processing data | Not retained beyond the API call processing time |
Upon account deletion, we will remove or anonymize your personal data within 30 days, except where retention is required by law or for legitimate business purposes as described above.
11. Your Rights
You have the following rights regarding your personal data:
- Access — you can view your personal data at any time through the app's profile and settings screens
- Correction — you can update your profile information directly in the app
- Deletion — you can delete your account through the app (Settings → Account → Delete Account) or by emailing us. Account deletion removes your profile, listings, and associated data within 30 days.
- Data portability — you can request a copy of your data by contacting us at support@tradeupmarket.com
- Withdraw consent — you may withdraw your consent for data processing at any time. To do so, you can:
  - Adjust your privacy settings in the app (Settings → Privacy)
  - Disable push notifications through your device settings
  - Request cessation of specific data processing by emailing support@tradeupmarket.com
- Revoke OAuth provider access — if you signed in with Google, Apple, or Facebook, you can revoke Trade Up's access at any time through the respective provider's account settings:
  - Google: Google Account → Security → Third-party apps
  - Apple: Settings → Apple ID → Sign-In & Security → Sign in with Apple
  - Facebook: Settings → Apps and Websites
12. California Residents (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights:
- Right to know — you can request details about the categories and specific pieces of personal information we have collected about you
- Right to delete — you can request that we delete personal information we have collected from you, subject to certain exceptions
- Right to opt-out — we do not sell your personal information to third parties. If this changes, we will provide a "Do Not Sell My Personal Information" mechanism.
- Right to non-discrimination — we will not discriminate against you for exercising any of your CCPA rights
Do Not Sell My Personal Information
Trade Up does not sell your personal information as defined under the CCPA/CPRA. We do not share your personal information with third parties for cross-context behavioral advertising.
To exercise your CCPA rights, contact us at support@tradeupmarket.com with the subject line "CCPA Request." We will verify your identity before processing any request.
13. Children's Privacy
Trade Up is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If we learn that we have collected data from a user under 18, we will promptly delete their account and associated information.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make changes, we will update the "Last updated" date at the top of this page and, for material changes, notify you through the app or via email.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
15. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
- Email: support@tradeupmarket.com
- Website: tradeupmarket.com