Privacy Policy

1. Introduction

Welcome to BidDrop. This Privacy Policy explains how Bidrop LLC (“BidDrop,” “we,” “us,” or “our”) collects, uses, discloses, and protects your personal information when you use our peer-to-peer campus marketplace mobile application, website, and related services (collectively, the “Platform”).

BidDrop is a mobile application that enables college students to buy, sell, borrow, and rent items, as well as request and fulfill deliveries within their campus communities. By accessing or using the Platform, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the Platform.

This Privacy Policy is not legal advice. We encourage you to consult with a qualified attorney if you have specific questions about your privacy rights.

2. Information We Collect

2.1 Personal Information You Provide

We collect information that you voluntarily provide when you register for an account, create or update your profile, or interact with the Platform:

• Account Information: Full name, phone number, verified .edu email address, and date of birth.
• Profile Information: Profile photo, bio, campus affiliation, house or dorm name, and graduation year.
• Student Verification Data: Your .edu email address used to verify your status as an enrolled college student, and associated campus or university name.

2.2 Authentication Data

• Phone Number: Your phone number is collected for account creation and SMS-based verification. When you register or log in, we send a one-time password (OTP) to your phone number via SMS. OTP codes are ephemeral and are not stored long-term by BidDrop or our authentication provider.
• Authentication Provider: Phone-based authentication is provided by Twilio through Supabase Auth. Twilio receives your phone number and transmits the OTP code via SMS. Twilio's handling of your data is governed by Twilio's own privacy policy.
• Phone Number Hashing: Your phone number is cryptographically hashed using SHA-256 for the purpose of contact matching (see Section 2.11). The hash is a one-way transformation; the original phone number cannot be derived from it.

2.3 Financial and Transaction Data

• Stripe Information: We use Stripe Connect to process payments. We do not store your full credit card number, debit card number, or bank account number on our servers. Stripe collects and processes your payment information directly. We store your stripe_customer_id and stripe_connect_account_id to facilitate transactions.
• Transaction History: We maintain records of your transactions, including bids placed, bids received, purchases, sales, rentals, rental deposits, delivery fees, and refunds.
• Payout Information: If you are a seller or service provider, Stripe collects your bank account or debit card information for payouts. We do not have direct access to this information.

2.4 Credits Data

• Credit Balances: We collect and store data related to your BidDrop credits, including credit amounts, the source of each credit (e.g., promotional offer, action reward, dispute resolution), expiration dates, and a full transaction history of credit issuances, redemptions, and expirations.
• Usage: Credits data is used to apply checkout discounts, display your current balance within the app, and maintain an accurate financial ledger.
• Retention: The credit ledger, including all credit transaction records, is retained for 7 years to comply with financial recordkeeping and tax obligations.

2.5 Location Data

• GPS Location: With your permission, we collect precise GPS location data from your mobile device to enable delivery tracking, proximity-based matching, and campus-area features. You may disable location services through your device settings at any time, though this may limit certain functionality.
• Saved Addresses: Addresses you save for delivery pickup and drop-off locations.
• Campus Affiliation: Your university or college campus, used to connect you with your campus community.

2.6 Device and Technical Data

• Push Notification Tokens: Expo push notification tokens used to deliver notifications to your device via Apple Push Notification Service (APNs) or Firebase Cloud Messaging (FCM).
• Device Information: Device type, operating system and version, unique device identifiers, and mobile network information.
• Log Data: IP address, access times, pages viewed, app crashes, and other system activity.

2.7 Usage Data

• Search Queries: Terms you search for on the Platform.
• Bid and Listing History: Your history of creating Quick Needs (requests), posting listings, placing bids, and accepting bids.
• Interaction Data: Features you use, buttons you tap, screens you view, and the frequency and duration of your activities.
• Preference Data: Your match preferences, notification settings, and category preferences.

2.8 Communications Data

• In-App Chat Messages: Messages exchanged between users through our in-app messaging system. Chat messages are stored in our database to facilitate transactions and may be reviewed in connection with dispute resolution or enforcement of our Terms of Service.

2.9 AI-Processed Data

• Image Analysis: All photos uploaded to listings are automatically analyzed by Anthropic's Claude Vision API. This analysis serves two purposes: (1) auto-suggesting a title, description, condition assessment, and recommended price for the listing, and (2) content moderation to detect prohibited or inappropriate items.
• Processing Details: When you upload listing photos, the images are temporarily uploaded to our cloud storage, converted to base64 format, and transmitted to Anthropic's Claude API for analysis. After the analysis is complete, the temporary copies used for processing are deleted. The original listing photos remain stored as part of your listing.
• Data Retention by Anthropic: Anthropic operates a zero data retention policy for API requests. Images sent to their API are not stored, logged, or used for model training by Anthropic.
• No Opt-Out: Because image analysis is integral to both the listing creation workflow and our content moderation obligations, it cannot be disabled on a per-user basis. By uploading photos to the Platform, you consent to this automated analysis.
• Data Minimization: We send only the images and necessary context (such as listing category) to Anthropic. We do not send your personal identity information, account details, or location data to Anthropic for image analysis.

2.10 Campus and Community Data

• Verified Student Status: Whether your .edu email has been verified and your associated institution.
• Housing Information: House, dorm, or residential area information you choose to provide to facilitate local transactions and deliveries.
• Community Membership: Campus groups or communities you join within the Platform.

2.11 Contact Data (Optional, With Explicit Consent)

If you choose to use BidDrop's contact sync feature to find friends on the Platform:

• Phone Number Hashes: When you sync your contacts, your contacts' phone numbers are cryptographically hashed (SHA-256) on your device before being transmitted to our servers. We never receive, see, or store your contacts' raw phone numbers. We only receive and store the one-way cryptographic hashes.
• Your Phone Number Hash: Your own phone number is similarly hashed and stored to enable other users to discover you through their contact sync.
• Connection Data: When a hash from your contacts matches a registered BidDrop user's phone hash, we create a connection record between your accounts. This enables the mutual connections feature.
• Consent Record: We record when you consented to contact syncing, the version of the consent text, and if/when you revoked consent.

What we do NOT collect or store:

• Raw phone numbers from your contact list
• Contact names, email addresses, or other contact fields
• Contact list metadata (groups, labels, notes)

Data retention for contact hashes:

• Hashes that match registered BidDrop users are retained as long as your account is active.
• Unmatched hashes (hashes that do not correspond to any BidDrop user) are automatically purged after 30 days.
• All contact hashes are permanently deleted when you delete your contact data or your account.

3. How We Use Your Information

We use the information we collect for the following purposes:

1. To Provide and Operate the Platform: Facilitating account creation, user authentication, transactions, deliveries, rentals, in-app messaging, and all core Platform functionality.
2. To Enable Matching and Discovery: Powering our auto-matching system that connects Quick Needs with relevant Posts based on category, price alignment, and geographic proximity.
3. To Process Payments: Facilitating payments between buyers and sellers through Stripe Connect, including escrow holds, deposit captures, refunds, and payouts.
4. To Manage Credits: Issuing, tracking, redeeming, and expiring BidDrop credits, and applying credit balances to transactions at checkout.
5. To Communicate With You: Sending push notifications about bids, messages, transaction updates, delivery status, and rental reminders. Sending transactional communications related to your account and activity.
6. To Ensure Safety and Security: Verifying student identity through .edu email, verifying phone number ownership through SMS OTP, detecting and preventing fraud, enforcing our Terms of Service, moderating content (including automated AI image analysis), and resolving disputes.
7. To Improve the Platform: Analyzing usage patterns and trends to improve features, fix bugs, develop new functionality, and enhance user experience.
8. To Comply With Legal Obligations: Responding to legal requests, enforcing our agreements, and complying with applicable laws and regulations.
9. To Provide Location-Based Services: Enabling proximity search, delivery tracking, campus-specific features, and geographic matching through PostGIS-powered spatial queries.
10. To Build Trust Networks (With Your Consent): If you opt in to contact syncing, we use hashed phone numbers to identify connections between you and other BidDrop users. This enables mutual connection badges on listings and requests, helping you identify people you know and trust within the marketplace. Contact data is never used for marketing, advertising, SMS invitations, or sharing with third parties.

4. How We Share Your Information

We do not sell your personal information. We share your information only in the following circumstances:

4.1 With Other Users

• Transaction Counterparties: When you engage in a transaction, certain information (such as your first name, profile photo, star rating, and campus) is shared with the other party to facilitate the transaction.
• Delivery Information: For delivery transactions, your delivery address or pickup location is shared with the delivery provider.
• Public Listings and Requests: Information you include in your listings or Quick Needs (item descriptions, photos, price ranges, general location area) is visible to other users.
• Mutual Connections: If you have synced your contacts, other users who share mutual connections with you may see the number of mutual connections and the names/photos of those shared connections. This helps establish trust in marketplace interactions.

4.2 With Third-Party Service Providers

We share information with the following third-party service providers who assist us in operating the Platform:

These service providers are contractually obligated to use your information only to provide services to us and in accordance with this Privacy Policy.

4.3 For Legal Reasons

We may disclose your information if required to do so by law or in the good faith belief that such action is necessary to:

• Comply with a legal obligation, subpoena, court order, or government request.
• Protect and defend the rights or property of Bidrop LLC.
• Prevent or investigate possible wrongdoing in connection with the Platform.
• Protect the personal safety of users of the Platform or the public.

4.4 Business Transfers

If Bidrop LLC is involved in a merger, acquisition, asset sale, bankruptcy, or similar transaction, your personal information may be transferred as part of that transaction. We will notify you via push notification or prominent notice on the Platform before your information becomes subject to a different privacy policy.

5. Data Security

We implement reasonable administrative, technical, and physical security measures to protect your personal information, including:

• Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS/SSL.
• Encryption at Rest: Sensitive data stored in our database is encrypted at rest.
• Row-Level Security (RLS): Our Supabase database enforces row-level security policies on all tables, ensuring users can only access data they are authorized to view.
• Authentication Security: Phone-based authentication uses one-time passwords delivered via SMS. OTP codes are ephemeral and expire shortly after issuance.
• Access Controls: Access to personal data is restricted to authorized personnel on a need-to-know basis.
• Payment Security: All payment data is handled by Stripe, which is PCI DSS Level 1 certified. We never store full payment card numbers on our servers.
• Infrastructure Security: Our backend infrastructure is hosted on Supabase's managed cloud platform with enterprise-grade security controls.
• Hashing: Phone numbers used for contact matching are hashed using SHA-256 before storage or transmission.

Despite these measures, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security of your information.

6. Data Retention

We retain your information according to the following schedule:

• Account Deletion: Upon your request to delete your account, we will delete or anonymize your personal information within 30 days, except where we are required to retain certain information for the periods specified above for legal, regulatory, or legitimate business purposes (such as transaction records for tax compliance or dispute resolution).
• Anonymized Data: We may retain anonymized, aggregated data that cannot be used to identify you for analytical purposes indefinitely.

7. Your Rights and Choices

7.1 Access and Portability

You have the right to request access to the personal information we hold about you and to receive a copy of that information in a portable, machine-readable format.

7.2 Correction

You have the right to request correction of any inaccurate or incomplete personal information we hold about you. You can update most of your information directly through the app's Profile settings.

7.3 Deletion

You have the right to request deletion of your personal information, subject to certain exceptions (such as information we must retain for legal compliance). You may request account deletion through the app or by contacting us at the email address below.

7.4 Opt-Out of Communications

You may opt out of non-essential push notifications through your device settings or the app's notification preferences. You may not opt out of transactional communications related to your account or active transactions.

7.5 Location Controls

You may disable GPS location collection at any time through your device's operating system settings. Note that disabling location services will limit functionality such as delivery tracking, proximity-based matching, and campus area detection.

7.6 Push Notification Controls

You may disable push notifications through your device settings. You can also manage notification preferences within the app to control which types of notifications you receive.

7.7 Contact Data Controls

If you have opted in to contact syncing:

• Revoke Consent: You may revoke contact sync permission at any time through Profile > Connections > Delete Contact Data. This will permanently delete all stored contact hashes and connection records derived from your contacts.
• Re-sync or Refresh: You may re-sync your contacts at any time to update your connections as new users join BidDrop.
• Disable Discoverability: You may remove your phone number from your account, which prevents other users from discovering you through their contact sync.

8. California Residents — CCPA/CPRA Rights

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

• Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which your personal information is collected, the business or commercial purpose for collecting your personal information, and the categories of third parties with whom we share your personal information.
• Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions.
• Right to Correct: You have the right to request correction of inaccurate personal information.
• Right to Opt-Out of Sale or Sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising purposes.
• Right to Limit Use of Sensitive Personal Information: You have the right to limit the use and disclosure of sensitive personal information to that which is necessary to perform the services you request.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

To exercise these rights, please contact us at privacy@biddrop.app. We will verify your identity before processing your request. You may also designate an authorized agent to make a request on your behalf.

Categories of Personal Information Collected (preceding 12 months):

9. Additional State Privacy Rights

9.1 Virginia (VCDPA)

If you are a Virginia resident, you have the right to access, correct, delete, and obtain a copy of your personal data, as well as the right to opt out of the processing of personal data for targeted advertising, sale, or profiling. We do not sell personal data or use it for targeted advertising or profiling that produces legal or similarly significant effects.

9.2 Colorado (CPA)

If you are a Colorado resident, you have similar rights to access, correct, delete, and obtain a portable copy of your personal data, and the right to opt out of targeted advertising, sale of personal data, or profiling.

9.3 Connecticut (CTDPA)

If you are a Connecticut resident, you have rights to access, correct, delete, and obtain a copy of your personal data, and the right to opt out of the sale of personal data, targeted advertising, and profiling.

To exercise rights under any of these state laws, please contact us at privacy@biddrop.app.

10. Children's Privacy

BidDrop is intended for users who are 18 years of age or older. We do not knowingly collect personal information from anyone under 18 years of age. Our .edu email verification and phone-based authentication processes are designed to ensure that users are enrolled college students.

The Platform does not include any features designed to be compliant with the Children's Online Privacy Protection Act (COPPA), nor is any portion of the Platform directed at children under 13. We do not knowingly collect, use, or disclose personal information from children.

If we discover or are notified that an individual under 18 has created an account or provided personal information to us, we will take prompt action to:

1. Immediately suspend and then delete the account.
2. Delete all personal information associated with that account, including profile data, transaction history, chat messages, and uploaded photos.
3. Cancel any pending transactions associated with the account.
4. Issue appropriate refunds for any in-progress financial transactions, where applicable.

If you believe that a minor has provided personal information to BidDrop, please contact us immediately at privacy@biddrop.app.

11. Third-Party Links and Services

The Platform may contain links to third-party websites, services, or applications that are not operated by us. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access through or in connection with the Platform.

This includes, but is not limited to, links to university websites, external product pages, and payment service provider portals.

12. International Data Transfers

BidDrop is based in the United States, and your information is processed and stored in the United States. If you access the Platform from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country. By using the Platform, you consent to the transfer of your information to the United States.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by:

• Posting the updated Privacy Policy on the Platform with a new “Last Updated” date.
• Sending you a push notification about the changes.
• Requiring you to acknowledge or accept the updated Privacy Policy before continuing to use the Platform, where appropriate.

Your continued use of the Platform after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us at:

We will respond to your inquiry within 30 days, or within the timeframe required by applicable law.