Privacy Policy

• We collect what we need to operate the Service — account info, listing content, payment info, and verification documents — and nothing we don’t.
• We never sell your personal information.
• We share data with service providers (Stripe, Twilio, Cloudflare, Resend, OpenAI) only to the extent needed to run the Service.
• You can request a copy of your data or deletion of your account at any time by emailing privacy@whipbroker.com.
• If you’re in California, you have specific rights under CCPA/CPRA — see Section 10.

We collect the following categories of information:

Information you provide

• Account information — name, email, profile photo (from your OAuth provider), phone number.
• Identity verification — government-issued ID (driver’s license, passport) and selfie image processed by Stripe Identity. We receive a verification result and the date of verification; we do NOT store the ID images themselves.
• Payment information — credit-card details are handled directly by Stripe and never touch our servers. We retain the Stripe customer ID, payment amounts, and transaction IDs.
• Listing content — vehicle photos, descriptions, asking price, location (ZIP, city, state), and listing metadata.
• Vehicle ownership proof — if you complete the listing ownership verification, you upload a photo of the VIN plate with a platform-issued code. The image is stored in our Cloudflare R2 bucket until the listing is removed.
• Communications — messages you send through the in-app messaging system, support emails.

Information collected automatically

• Usage data — pages viewed, listings viewed, searches performed, clicks. Used to improve the Service and detect abuse.
• Device data — IP address, browser type, OS, device identifiers, referring URL.
• Last seen / activity — used to drive things like the “Responds quickly” badge and to detect inactive accounts.

Information from third parties

• OAuth providers (Google, Apple) — basic profile fields when you sign in.
• Stripe Identity — government ID verification result.
• Twilio — phone OTP verification result and delivery status of SMS messages we send through them.

We use the information we collect to:

• Operate the Service — create accounts, host listings, process payments, send messages, issue refunds.
• Verify identity and prevent fraud — phone OTP, ID checks via Stripe Identity, account-pattern analysis.
• Match buyers with relevant listings — including semantic search using OpenAI’s embedding model (text-embedding-3-small). Embeddings are stored alongside the listing they index.
• Generate listing description suggestions — using OpenAI’s gpt-4o-mini model, only when a seller clicks the “Suggest description” button. The vehicle details you’ve entered are sent to OpenAI to generate the suggestion; the response is not used to train OpenAI models.
• Send transactional notifications — unlock alerts, new-message alerts, refund notices, listing auto-pause notices, day-3 response warnings, and other operational communications.
• Comply with legal obligations and respond to lawful requests from authorities.

We do not use your information for advertising and we do not sell your information to third parties.

We share information in the following circumstances:

• With other users — by your choice. When a buyer unlocks your listing, your shared contact information (email and/or phone) is revealed to that buyer. You control which contact methods are shared via the listing settings.
• With service providers — see Section 4.
• For legal compliance — when required by subpoena, court order, law enforcement request, or to investigate suspected fraud or violations of our Terms.
• In a business transaction — if Whipbroker is acquired, merged, or sells substantially all assets, your information may be transferred. You will be notified before any such transfer is completed.

We use the following third-party service providers. Each has access only to the information they need to perform their function, under contractual confidentiality obligations.

• Stripe — payments, Stripe Identity ID verification, Stripe Financial Connections (future). Stripe’s privacy policy: stripe.com/privacy.
• Twilio — SMS notifications and phone OTP verification. twilio.com/legal/privacy.
• Resend — transactional email delivery. resend.com/legal/privacy-policy.
• Cloudflare R2 — photo storage for listings and verification proof images. cloudflare.com/privacypolicy.
• Neon (PostgreSQL) — primary database. neon.com/privacy-policy.
• OpenAI — semantic search embeddings and listing description suggestions. We have configured the integration so OpenAI does not retain content for model training. openai.com/policies/privacy-policy.
• Google / Apple — OAuth sign-in providers; their privacy policies govern the data they share with us.
• Vercel — hosting and edge infrastructure. vercel.com/legal/privacy-policy.

We send transactional messages — unlocks, refunds, message notifications, listing alerts — by email, SMS, and in-app notification, based on your per-listing preferences.

SMS:If you opt in to SMS notifications for a listing, you will receive messages related to that listing. Message frequency varies based on activity (typically 1-5 messages per month per listing). Reply STOP to any message to unsubscribe at any time; reply HELP for help. Message and data rates may apply per your carrier’s plan.

Email: Transactional emails (those related to your account, listings, refunds, etc.) cannot be opted out of while your account is active. We do not send marketing email at this time; if we begin to, you will have an unsubscribe option.

We use essential cookies to keep you signed in and to maintain your session. We use a small amount of first-party analytics to understand how the Service is used; we do not use cross-site tracking cookies or third-party advertising trackers.

You can control cookies through your browser settings. Disabling essential cookies will prevent you from staying signed in.

We retain your information for as long as your account is active or as needed to provide the Service.

• Account data — until you delete your account, plus a short grace period for fraud-prevention review.
• Listings and messages — kept for at least 1 year after a listing closes for refund-eligibility and dispute purposes.
• Transaction records — retained for at least 7 years to comply with tax and accounting requirements.
• Verification dates and tier — retained while the verification is valid; underlying ID images are not retained (Stripe handles those).
• Verification proof photos (VIN + code) — retained for the lifetime of the listing, then deleted from R2 within 90 days.

We use industry-standard safeguards to protect your information, including encryption in transit (TLS), encryption at rest for databases, hashed credentials, and limited internal access on a need-to-know basis.

No system is perfectly secure. If we become aware of a breach affecting your information, we will notify you and applicable regulators as required by law.

Regardless of where you live, you can:

• Access — request a copy of the personal data we hold about you.
• Correct — update inaccurate information via your account settings or by contacting us.
• Delete — request deletion of your account. Some records may be retained where required by law.
• Opt out of SMS — reply STOP to any message, or uncheck SMS notifications in your listing settings.
• Object to processing — contact us if you believe a specific use of your information exceeds what we’ve described.

To exercise any of these rights, email privacy@whipbroker.com. We will respond within 30 days.

California residents have additional rights under the California Consumer Privacy Act, as amended by the CPRA:

• Right to know — what personal information we’ve collected, used, disclosed, or sold about you.
• Right to delete — request deletion of your personal information (with limited exceptions).
• Right to correct — inaccurate personal information.
• Right to opt out of sale or sharing — we do not sell personal information. We do not “share” personal information for cross-context behavioral advertising.
• Right to limit use of sensitive personal information — government ID and financial-account data are categorized as sensitive; we use them only for verification, fraud prevention, and operating the Service.
• Right to non-discrimination — we will not deny you service, charge you a different price, or provide a different level of quality because you exercised your rights.

To exercise California rights, email privacy@whipbroker.com with the subject line “California Privacy Request.” You may designate an authorized agent to make requests on your behalf.

The Service is not intended for individuals under 18. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected information from a person under 18, we will delete it. If you believe a child has provided us with personal information, please email privacy@whipbroker.com.

The Service is operated in the United States and intended for US users. If you access the Service from outside the US, you consent to the transfer of your information to and processing in the US. US privacy laws may differ from those of your jurisdiction.

We may update this Privacy Policy from time to time. When we do, we update the “Last updated” date above. For material changes, we will notify you by email or in-app notification. Continued use of the Service after changes constitutes acceptance of the updated Policy.

Privacy questions or requests? Reach us at privacy@whipbroker.com.

Whiptrader LLC, doing business as Whipbroker
California, USA