Privacy Policy

When you sign in, we receive your email address from Supabase Auth. When you complete onboarding, we record whether you are a buyer, seller, or both. When you post a listing or request, we collect the hardware specifications, pricing targets, warehouse preferences, and any notes you provide. When you open an escrow, we record the parties, amount, and state transitions. We do not collect cards, passwords, or biometric data.

No third-party analytics SDKs, no advertising trackers, no client-side error reporters. We do not load fonts or scripts from CDNs that could log requests; the brand fonts are self-hosted. We do not sell, rent, or share user data with marketing partners under any circumstances.

As a financial intermediary, we collect identity and sanctions-screening data during KYC. This includes name, business affiliation, and government-issued identification where required by the applicable jurisdiction. KYC records are retained for the period mandated by financial-services regulation (currently five years after account closure) and are accessible only to staff with a documented business need.

Operational use: running the platform, matching parties, routing communications, performing inspections, processing disputes, calculating insurance premiums. Compliance use: KYC, sanctions screening, recordkeeping. Security use: detecting and mitigating fraud and unauthorized access. We do not use platform data for marketing.

We set session cookies via Supabase Auth (httpOnly where the architecture allows; SameSite=Lax; Secure in production). No third-party cookies. No tracking pixels.

Application data is stored in Supabase (Postgres). Magic- link emails are sent via the configured SMTP provider. Inspection reports and shipping records are stored in our application database. Backups are encrypted at rest. Transfers between us and our subprocessors use TLS in transit.

Subprocessors: Supabase (database + auth), our SMTP provider (email delivery), our insurance carrier (when you attach a policy — only the data required for underwriting and claim handling), and our shipping partners (when hardware moves — only the data required for fulfillment). We do not share data with anyone else unless legally compelled.

Depending on where you live, you may have rights to access, correct, delete, port, or restrict processing of your personal data. To exercise any of these, email privacy@gpuescrow.com. We respond within 30 days. Some compliance records (KYC, transaction history) we are required to retain even if you request deletion — we will explain which records fall into that category and why.

GPUEscrow is a business-to-business platform and is not directed at individuals under 18. We do not knowingly collect data from minors.

We notify account holders by email of material changes and update the effective date at the top of this page. Continued use after notice constitutes acceptance.

Privacy questions, data-rights requests, and breach reports: privacy@gpuescrow.com.