What we collect
- Account info: email, username, optional display name and bio.
- Listing data: card details, photos, prices you upload.
- Order data: shipping address (forwarded to seller for fulfillment only), tracking numbers, dispute messages.
- Payment data: handled entirely by Stripe. RareLink stores only Stripe identifiers (Customer ID, Payment Intent ID, Connect Account ID) — never card numbers.
- Trust signals: sales completed, disputes opened, refunds issued, account age.
- Technical: IP address, user agent, referrer (for security and abuse prevention).
What we do NOT collect
- Card numbers, CVVs, expiration dates — these never touch our servers.
- Your bank account or routing number — Stripe Connect owns that.
- SSN/EIN — collected by Stripe for KYC, not by us.
- Biometrics or device fingerprints beyond standard cookies.
How we use it
- Run the platform — match buyers to sellers, send transactional emails, resolve disputes.
- Prevent fraud — flag suspicious patterns, enforce dollar caps, support chargeback evidence.
- Improve the product — aggregated, non-identifying usage analytics.
We do not sell your data. We do not run third-party ad tracking. We do not share your data with data brokers.
Who we share it with
- Stripe — for payments and Connect onboarding.
- Resend — to send you transactional emails.
- Sentry — for error monitoring (scrubbed of PII).
- PostHog — for product analytics (Phase 2, anonymized).
- Counterparty — your shipping address is shared with the seller of a card you purchase, solely to fulfill the order.
- Law enforcement — only in response to a valid subpoena or court order.
Your choices
- Delete your account by emailing support@rarelink.ink (subject: "Delete account").
- Request your data export by emailing privacy@rarelink.ink.
- Opt out of marketing emails via the unsubscribe link (transactional emails are required for active orders).
Cookies
We use first-party cookies for authentication (Supabase session) and CSRF protection. We do not use third-party advertising cookies.
Security
All data is encrypted in transit (TLS 1.2+) and at rest (Supabase Postgres encryption). Service role keys live only in server environment variables and are never bundled to the client. We use row-level security to prevent cross-account data access.
Children
RareLink is not for users under 18. We do not knowingly collect data from minors. If you believe a minor has signed up, email privacy@rarelink.ink and we will delete the account.
Contact
Privacy questions: privacy@rarelink.ink