Privacy Policy

Last updated: February 10, 2025

1. Introduction

ExchangeHandles ("we," "us," "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our Platform.

By using ExchangeHandles.com, you consent to the data practices described in this policy.

2. Information We Collect

2.1 Information You Provide

We collect information you voluntarily provide when you:

  • Create an account: Email address, name, password, display name
  • Complete KYC verification: Government-issued ID, address, date of birth, verification selfie
  • Create listings: Handle/domain details, pricing, descriptions, platform credentials (for verification)
  • Make purchases: Billing information (processed by Stripe), transaction details
  • Communicate with us: Messages, support tickets, feedback

2.2 Automatically Collected Information

When you use our Platform, we automatically collect:

  • Usage data: Pages visited, features used, time spent, search queries
  • Device information: IP address, browser type, operating system, device identifiers
  • Log data: Access times, error logs, API requests
  • Cookies: Session tokens, preferences, authentication state (see Section 4)

2.3 Third-Party OAuth Data

When you connect accounts via OAuth (Google, Twitter, Instagram, etc.), we may receive:

  • Profile information (username, display name, profile picture)
  • Email address (if granted)
  • Access tokens (encrypted and stored securely)
  • Account metrics (follower count, engagement), used for verification purposes

Note: We only request permissions necessary for account verification. We do not post on your behalf or access direct messages.

3. How We Use Your Information

We use collected information to:

  • Provide, operate, and maintain the Platform
  • Process transactions and escrow services
  • Verify user identity and prevent fraud
  • Facilitate communication between buyers and sellers
  • Send transactional emails (purchase confirmations, transfer updates, dispute notifications)
  • Improve and optimize the Platform
  • Enforce our Terms of Service and legal obligations
  • Analyze usage patterns and Platform performance
  • Comply with legal requirements and prevent illegal activity

We do not sell your personal information to third parties.

4. Cookies and Tracking Technologies

4.1 What Are Cookies?

Cookies are small text files stored on your device. We use cookies to:

  • Authentication: Keep you logged in securely
  • Preferences: Remember your theme, language, and settings
  • Security: Prevent CSRF attacks and unauthorized access
  • Analytics: Understand how users interact with the Platform

4.2 Types of Cookies We Use

  • Essential cookies: Required for authentication and security (cannot be disabled)
  • Functional cookies: Remember your preferences and settings
  • Analytics cookies: Help us understand usage patterns (anonymized)

4.3 Managing Cookies

You can control cookies through your browser settings. Note that disabling essential cookies may prevent you from using certain features.

5. Third-Party Services

We use third-party services that may collect and process your information:

5.1 Stripe (Payment Processing)

  • Processes all payments and payouts
  • Collects billing information, card details, bank account information
  • Subject to Stripe's Privacy Policy: stripe.com/privacy
  • We never store full credit card numbers on our servers

5.2 Google OAuth

5.3 Neon (Database Hosting)

  • PostgreSQL database hosting
  • Data stored in secure, encrypted databases
  • Subject to Neon's Privacy Policy: neon.tech/privacy

5.4 Vercel (Hosting & Deployment)

6. Data Security

We implement industry-standard security measures to protect your information:

  • Encryption: All data is transmitted over HTTPS/TLS
  • Password hashing: Passwords hashed with bcrypt (12 rounds)
  • Secure sessions: HttpOnly, Secure, SameSite cookies
  • Access controls: Role-based permissions and authentication
  • Database security: Encrypted at rest, parameterized queries (SQL injection prevention)
  • Rate limiting: Protection against brute force attacks
  • Security headers: CSP, X-Frame-Options, HSTS, etc.

However, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.

7. Data Retention

We retain your information for as long as necessary to:

  • Provide our services and maintain your account
  • Comply with legal obligations (tax records, transaction history)
  • Resolve disputes and enforce our Terms
  • Prevent fraud and abuse

Retention periods:

  • Account data: Until account deletion (or 30 days after deletion request)
  • Transaction records: 7 years (legal requirement for financial records)
  • KYC documents: 5 years after last transaction (compliance requirement)
  • Support messages: 2 years
  • Server logs: 90 days

8. Your Privacy Rights

Depending on your location, you may have the following rights:

8.1 GDPR Rights (EU/UK Users)

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your data ("right to be forgotten")
  • Portability: Receive your data in a machine-readable format
  • Restriction: Limit how we process your data
  • Objection: Object to processing based on legitimate interests
  • Withdraw consent: Withdraw consent for data processing

8.2 CCPA Rights (California Users)

  • Know: Right to know what personal information we collect
  • Delete: Request deletion of your personal information
  • Opt-out: Opt out of the sale of personal information (we do not sell data)
  • Non-discrimination: Equal service regardless of privacy choices

8.3 Exercising Your Rights

To exercise your privacy rights, contact us at:

We will respond to verified requests within 30 days.

9. Children's Privacy

ExchangeHandles is not intended for users under the age of 18. We do not knowingly collect personal information from children. If we discover that a child has provided us with personal information, we will delete it immediately.

If you believe we have collected information from a child, please contact us at privacy@exchangehandles.com.

10. International Data Transfers

Your information may be transferred to and processed in countries other than your own. We ensure adequate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) for EU data transfers
  • Compliance with GDPR and other privacy regulations
  • Data encryption in transit and at rest

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Continued use of the Platform after changes constitutes acceptance of the updated policy.

For material changes, we will notify you via email or a prominent notice on the Platform.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us:

13. Supervisory Authority

If you are located in the EU/EEA/UK, you have the right to lodge a complaint with your local data protection authority if you believe we have not complied with applicable data protection laws.