whipbroker
Legal

Privacy Policy

Last updated: May 31, 2026 · Effective: May 31, 2026

This Privacy Policy explains how Whipbroker LLC (“Whipbroker,” “we,” “us,” or “our”), collects, uses, shares, and protects information about you when you use the Whipbroker website, mobile applications, and related services (collectively, the “Service”).

This Policy is part of our Terms of Service. By using the Service, you consent to the practices described here.

At a Glance

  • We collect what we need to operate the Service — account info, listing content, payment info, and verification documents — and nothing we don’t.
  • We never sell your personal information.
  • We share data with service providers (Stripe, Twilio, Cloudflare, Resend, OpenAI) only to the extent needed to run the Service.
  • You can request a copy of your data or deletion of your account at any time by emailing support@whipbroker.com.
  • If you’re in California, you have specific rights under CCPA/CPRA — see Section 10.

1. Information We Collect

We collect the following categories of information:

Information you provide

  • Account information — name, email, profile photo (from your OAuth provider), phone number.
  • Identity verification— government-issued ID (driver’s license, passport, or state-issued ID) and a selfie image, processed by a third-party identity verification provider (currently Persona; previously and potentially in the future, Stripe Identity). The provider performs document authentication, facial-geometry extraction, and selfie/document liveness comparison. We receive only a verification result and the date the check was completed — we do NOT store the ID images or the selfie on our servers. See “Biometric Information” below for additional details.
  • Payment information — credit-card details are handled directly by Stripe and never touch our servers. We retain the Stripe customer ID, payment amounts, and transaction IDs.
  • Listing content — vehicle photos, descriptions, asking price, location (ZIP, city, state), and listing metadata.
  • Vehicle ownership proof — if you complete the listing ownership verification, you upload a photo of the VIN plate with a platform-issued code. The image is stored in our Cloudflare R2 bucket until the listing is removed.
  • Communications — messages you send through the in-app messaging system, support emails.

Information collected automatically

  • Usage data — pages viewed, listings viewed, searches performed, clicks. Used to improve the Service and detect abuse.
  • Device data — IP address, browser type, OS, device identifiers, referring URL.
  • Last seen / activity — used to drive things like the “Responds quickly” badge and to detect inactive accounts.

Information from third parties

  • OAuth providers (Google, Apple) — basic profile fields when you sign in.
  • Identity verification provider — government ID and selfie verification result. We currently use Persona (withpersona.com/legal/privacy-policy); we previously used and may in the future use Stripe Identity.
  • Twilio — phone OTP verification result and delivery status of SMS messages we send through them.

2. How We Use Information

We use the information we collect to:

  • Operate the Service — create accounts, host listings, process payments, send messages, issue refunds.
  • Verify identity and prevent fraud — phone OTP via Twilio Verify, government-ID and selfie checks via our third-party identity verification provider (currently Persona), account-pattern analysis.
  • Match buyers with relevant listings — including semantic search using OpenAI’s embedding model (text-embedding-3-small). Embeddings are stored alongside the listing they index.
  • Generate listing description suggestions — using OpenAI’s gpt-4o-mini model, only when a seller clicks the “Suggest description” button. The vehicle details you’ve entered are sent to OpenAI to generate the suggestion; the response is not used to train OpenAI models.
  • Send transactional notifications — unlock alerts, new-message alerts, refund notices, listing auto-pause notices, day-3 response warnings, and other operational communications.
  • Comply with legal obligations and respond to lawful requests from authorities.

We do not use your information for advertising and we do not sell your information to third parties.

3. How We Share Information

We share information in the following circumstances:

  • With other users — by your choice. When a buyer unlocks your listing, your shared contact information (email and/or phone) is revealed to that buyer. You control which contact methods are shared via the listing settings.
  • With service providers — see Section 4.
  • For legal compliance — when required by subpoena, court order, law enforcement request, or to investigate suspected fraud or violations of our Terms.
  • In a business transaction — if Whipbroker is acquired, merged, or sells substantially all assets, your information may be transferred. You will be notified before any such transfer is completed.

4. Service Providers

We use the following third-party service providers. Each has access only to the information they need to perform their function, under contractual confidentiality obligations.

  • Stripe — payments processing, recurring subscriptions, and (previously and potentially in the future) Stripe Identity ID verification. Stripe’s privacy policy: stripe.com/privacy.
  • Persona — government-issued ID verification and selfie/liveness check (our current identity verification provider). Persona processes the ID image, performs document authentication, extracts facial geometry from the selfie, and returns a pass/fail result. Persona’s privacy policy: withpersona.com/legal/privacy-policy. Persona acts as a data processor on our behalf under a written data processing agreement.
  • Twilio — SMS notifications and phone OTP verification. twilio.com/legal/privacy.
  • Resend — transactional email delivery. resend.com/legal/privacy-policy.
  • Cloudflare R2 — photo storage for listings and verification proof images. cloudflare.com/privacypolicy.
  • Neon (PostgreSQL) — primary database. neon.com/privacy-policy.
  • OpenAI — semantic search embeddings and listing description suggestions. We have configured the integration so OpenAI does not retain content for model training. openai.com/policies/privacy-policy.
  • Google / Apple — OAuth sign-in providers; their privacy policies govern the data they share with us.
  • Vercel — hosting and edge infrastructure. vercel.com/legal/privacy-policy.

5. Communications

We send transactional messages — unlocks, refunds, message notifications, listing alerts — by email, SMS, and in-app notification, based on your per-listing preferences.

SMS:If you opt in to SMS notifications for a listing, you will receive messages related to that listing. Message frequency varies based on activity (typically 1-5 messages per month per listing). Reply STOP to any message to unsubscribe at any time; reply HELP for help. Message and data rates may apply per your carrier’s plan.

Email: Transactional emails (those related to your account, listings, refunds, etc.) cannot be opted out of while your account is active. We do not send marketing email at this time; if we begin to, you will have an unsubscribe option.

6. Cookies and Similar Technologies

We use essential cookies to keep you signed in and to maintain your session. We use a small amount of first-party analytics to understand how the Service is used; we do not use cross-site tracking cookies or third-party advertising trackers.

You can control cookies through your browser settings. Disabling essential cookies will prevent you from staying signed in.

7. Biometric Information

For certain verification flows (currently Luxury-tier listing unlocks and Premium-listing seller verification), our identity verification provider captures and processes biometric identifiers and biometric information as those terms are defined under applicable state law (including, where applicable, the Illinois Biometric Information Privacy Act, the Texas Capture or Use of Biometric Identifier Act, and the Washington Biometric Identifiers Act). Specifically:

  • What is collected: a selfie image and the facial-geometry data extracted from that image, used to confirm that the person presenting the government ID is the same person submitting the selfie.
  • Purpose: identity verification, anti-fraud, and compliance with platform policies that require verification on high-value listings. The biometric data is not used for any other purpose, including advertising, marketing, targeting, or model training.
  • Who processes it: our identity verification provider (currently Persona) acts as a service provider/data processor under a written agreement. Whipbroker does not receive or store the underlying biometric data — we receive only the verification result and the date of the check.
  • Retention by the provider:the identity provider retains biometric data only as long as needed to perform the verification and respond to fraud or compliance investigations, and in accordance with the retention periods set out in their own privacy policy. Whipbroker requests deletion of the underlying biometric data on the timeline allowed by the provider’s data-processing terms.
  • Consent: by initiating the identity verification flow, you provide written informed consent (within the meaning of applicable biometric privacy laws) for the collection, processing, and storage of your biometric identifiers and biometric information as described in this Policy. You can withdraw consent at any time by emailing support@whipbroker.com — however, withdrawing consent will mean we cannot complete identity-gated transactions on your account (such as unlocking Luxury-tier listings).
  • No sale: we do not sell biometric information, and we do not permit our identity verification provider to do so.

8. Data Retention

We retain your information for as long as your account is active or as needed to provide the Service.

  • Account data — until you delete your account, plus a short grace period for fraud-prevention review.
  • Listings and messages — kept for at least 1 year after a listing closes for refund-eligibility and dispute purposes.
  • Transaction records — retained for at least 7 years to comply with tax and accounting requirements.
  • Verification dates and tier — retained while the verification is valid; underlying ID images are not retained (Stripe handles those).
  • Verification proof photos (VIN + code) — retained for the lifetime of the listing, then deleted from R2 within 90 days.

9. Security

We use industry-standard safeguards to protect your information, including encryption in transit (TLS), encryption at rest for databases, hashed credentials, and limited internal access on a need-to-know basis.

No system is perfectly secure. If we become aware of a breach affecting your information, we will notify you and applicable regulators as required by law.

10. Your Rights and Choices

Regardless of where you live, you can:

  • Access — request a copy of the personal data we hold about you.
  • Correct — update inaccurate information via your account settings or by contacting us.
  • Delete — request deletion of your account. Some records may be retained where required by law.
  • Opt out of SMS — reply STOP to any message, or uncheck SMS notifications in your listing settings.
  • Object to processing — contact us if you believe a specific use of your information exceeds what we’ve described.

To exercise any of these rights, email support@whipbroker.com. We will respond within 30 days.

11. California Privacy Rights (CCPA/CPRA)

California residents have additional rights under the California Consumer Privacy Act, as amended by the CPRA:

  • Right to know — what personal information we’ve collected, used, disclosed, or sold about you.
  • Right to delete — request deletion of your personal information (with limited exceptions).
  • Right to correct — inaccurate personal information.
  • Right to opt out of sale or sharing — we do not sell personal information. We do not “share” personal information for cross-context behavioral advertising.
  • Right to limit use of sensitive personal information — government ID, biometric identifiers (selfie / facial geometry), and financial-account data are categorized as sensitive personal information under California law. We use them only for identity verification, fraud prevention, and operating the Service.
  • Right to non-discrimination — we will not deny you service, charge you a different price, or provide a different level of quality because you exercised your rights.

To exercise California rights, email support@whipbroker.com with the subject line “California Privacy Request.” You may designate an authorized agent to make requests on your behalf.

12. Children's Privacy

The Service is not intended for individuals under 18. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected information from a person under 18, we will delete it. If you believe a child has provided us with personal information, please email support@whipbroker.com.

13. International Users

The Service is operated in the United States and intended for US users. If you access the Service from outside the US, you consent to the transfer of your information to and processing in the US. US privacy laws may differ from those of your jurisdiction.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we update the “Last updated” date above. For material changes, we will notify you by email or in-app notification. Continued use of the Service after changes constitutes acceptance of the updated Policy.

15. Contact

Privacy questions or requests? Reach us at support@whipbroker.com.

Whipbroker LLC
California, USA