Privacy Policy

Effective 2026-05-18 · Last updated 2026-06-04

This policy explains what data nightmarket ("the app", "the service", "we", "us") collects, how we use it, who we share it with, and the choices you have. By using nightmarket you agree to this policy.

1. What we collect

We collect only what we need to run the marketplace and keep users safe.

• Account info. Phone number (verified via SMS), email address, display name, username, optional avatar photo, and your chosen home city or zip code.
• Content you create. Listings, photos you upload, bundles, messages, offers, watchlist entries, scans, portfolio holdings, and reports you file.
• Location. Your device's approximate GPS coordinates while you have the app open, used to compute distance to listings near you and distance to other traders. We do not track your location in the background.
• Device info. Push notification token, app version, OS version, language, and basic crash data.
• Security & access logs. Your IP address and device user-agent, recorded when you create your account and each time you sign in. We use this to keep the marketplace safe — detecting and preventing fraud and abuse, enforcing account bans (including stopping banned users from re-registering), and responding to lawful requests. IP addresses are personal information; we treat them accordingly and retain them only for a limited time (see "Data retention").
• Usage events. In-app actions like screens visited, taps on cards, searches performed, and conversions (sign-up complete, offer made, trade complete). Used for product analytics and to measure the effectiveness of ads we may run to grow the marketplace.
• Verification artifacts. Twilio handles SMS verification on our behalf and returns confirmation tokens; we do not see the SMS contents.

We do not collect payment information. Trades happen in person between users, off-platform.

2. How we use it

• To run the marketplace: show you listings, deliver messages, route offers, complete trades.
• To verify accounts and prevent fraud (phone verification, banned-phone matching, abuse detection).
• To send transactional notifications you've explicitly opted into (new message, offer received, watchlist match).
• To send password-reset and email-verification links from hello@nightmarketapp.com.
• To improve the product (which features are used, where users get stuck).
• To measure ad performance if you've consented via the iOS App Tracking Transparency prompt.
• To keep accounts and the marketplace secure: logging the IP address and device user-agent at sign-up and sign-in to detect fraud, enforce bans and prevent ban-evasion, and investigate abuse.
• To comply with the law — responding to valid legal process (subpoenas, court orders) and law-enforcement requests, and cooperating with safety investigations (including, where legally required, reporting child sexual abuse material to NCMEC).

We do not sell your data. We do not share your data with advertisers for retargeting.

3. Who we share data with

We use trusted third-party processors. Each receives only the minimum data required to perform its function:

• Google Cloud (Firebase Auth, Cloud SQL, Cloud Storage, Cloud Run). Hosts the database, listing photos, and the backend service.
• Twilio Verify. Sends and verifies SMS codes to your phone number during signup.
• Resend. Sends transactional emails (verification, password reset).
• Expo Push (FCM / APNs). Delivers push notifications to your device.
• Meta and TikTok. For ad attribution and audience measurement. This only fires if you've granted tracking permission via the iOS App Tracking Transparency prompt; on Android, the in-app prompt controls whether it fires. When it does, our server sends your hashed account identifier and hashed email, together with your IP address and device user-agent (which these providers require unhashed for attribution), and the conversion event name (e.g. "sign-up complete"). If you opt out of tracking, none of this is sent. We never share your listings, messages, or contact details with these providers.

Other users see only what's necessary for trading: your display name, username, avatar, city, listings you publish, messages you send them, and offers you exchange. Your email address and exact location are never shown to other users.

4. Visibility settings

By default, your portfolio (the cards you own) is visible to other users on your public profile. You can switch your portfolio to private at any time from Profile Settings. Listings are always public until you cancel or sell them.

5. Your choices

• Access and export. Email hello@nightmarketapp.com to request a copy of your data. We respond within 30 days.
• Delete your account. Email us from the address on your account and we'll permanently delete your account, listings, messages, offers, photos, phone-verification record, and security access logs within 30 days. We may retain a minimal record (such as a banned phone number) where needed to keep a removed user off the platform or to meet a legal obligation. Some records may persist in our backups for up to 35 days before they expire.
• Push notifications. Toggle in your device settings (Notifications → nightmarket).
• Location. Toggle in your device settings (Privacy → Location → nightmarket). The app will fall back to your stored home city.
• Ad tracking. Tap "Ask App Not to Track" on the iOS prompt to opt out of third-party ad measurement.

6. Children

nightmarket is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe a child has signed up, email us and we'll delete the account.

7. Security

We use industry-standard encryption in transit (HTTPS) and at rest. Passwords are managed by Firebase Authentication; we never see or store them. We restrict internal access to customer data to founders and on a need-to-know basis.

No system is 100% secure. If we discover a breach affecting your data, we'll notify you within 72 hours.

8. Data retention

We keep your account data while your account is active. After you delete your account, we erase identifying data within 30 days. Aggregated analytics (e.g., "how many users searched for Charizard this week") may persist indefinitely but cannot be traced back to you.

We bound how long we keep security and access data, because IP addresses are personal information:

• Sign-up / sign-in access logs (IP address + user-agent): up to 12 months, then automatically deleted — or sooner if you delete your account.
• Anti-abuse / rate-limit records (which may include an IP address): up to 7 days, then automatically deleted.

9. International users

nightmarket is operated from the United States. By using the app you consent to your data being processed in the U.S. We launch in the Bay Area and serve only U.S. phone numbers at v1.

10. Changes

We may update this policy as the product evolves. When we make material changes, we'll bump the "Last updated" date above and surface a notice in the app. Continued use after a change means you accept the updated policy.

11. Contact

Questions, data requests, or account-deletion requests: hello@nightmarketapp.com.