Privacy Policy

Last updated: April 7, 2026

This Privacy Policy explains how PartsMeet ("we," "us," or "our") collects, uses, shares, and protects your personal information when you use our website at partsmeet.com and related services (the "Platform"). PartsMeet is a global peer-to-peer marketplace for car parts, serving JDM, Euro, and USDM enthusiasts worldwide.

We believe in plain language. This policy tells you exactly what data we collect, why we collect it, who we share it with, and what rights you have over it.

1. Information We Collect

1.1 Waitlist Information

When you join our waitlist, we collect:

• Email address -- provided directly by you
• Country -- auto-detected from your browser's timezone
• Timestamp -- when you signed up
• Survey responses (optional) -- your role (buyer, seller, or both), cars you own or work on, and the hardest part you have tried to find

Waitlist data is collected through Formspree, a third-party form processing service.

1.2 Account Information

When you create an account on the Platform, we collect:

• Name and email address
• Password -- stored only as a bcrypt hash; we never store your plaintext password
• Google profile data -- if you sign in with Google OAuth (name, email, profile picture)
• Profile information -- bio, avatar image, and other details you choose to add

1.3 Listing and Transaction Data

When you buy or sell parts, we collect:

• Listing details -- part descriptions, fitment data, condition, pricing, and images
• Messages -- conversations between buyers and sellers
• Transaction history -- orders, payment status, escrow events, and payout records
• Shipping addresses -- for generating shipping labels and calculating duties
• Reviews and ratings -- feedback you leave after completed transactions

1.4 Payment Information

Payment processing is handled entirely by Stripe. We never receive, process, or store your credit card numbers, bank account numbers, or other sensitive financial data. Stripe may collect additional identity verification information (via Stripe Identity) when you register as a seller. See Stripe's Privacy Policy for details.

1.5 Images

Listing photos you upload are stored on Cloudflare R2, a cloud object storage service. Images may include metadata (EXIF data) embedded by your camera or phone. We do not actively extract or use EXIF metadata, but it may be stored as part of the image file.

1.6 Automatically Collected Information

When you visit the Platform, we may automatically collect:

• Device and browser information -- browser type, operating system, device type
• IP address
• Pages viewed and actions taken on the Platform
• Referring URL -- how you arrived at our site
• Timezone -- used for country detection on the waitlist

2. How We Use Your Information

We use your information to:

• Operate the Platform -- create and manage your account, display listings, facilitate transactions, and enable messaging between buyers and sellers
• Process transactions -- manage escrow payments, generate shipping labels, calculate landed costs (item + shipping + duties + taxes), and handle payouts to sellers
• Protect the community -- prevent fraud, resolve disputes, verify seller identities, and enforce our Terms of Service
• Communicate with you -- send transactional emails (order confirmations, shipping updates, escrow notifications), respond to support requests, and send waitlist updates
• Improve the Platform -- understand how users interact with PartsMeet, identify issues, and develop new features
• Legal compliance -- meet our legal obligations, respond to lawful requests, and protect our rights

3. Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases:

Legal Basis	Processing Activity
Contract	Processing necessary to provide the Platform, manage your account, facilitate transactions, escrow, and shipping
Consent	Joining the waitlist, submitting survey responses, receiving marketing emails
Legitimate interest	Fraud prevention, platform security, analytics to improve the service, enforcing our Terms of Service
Legal obligation	Tax reporting, responding to lawful government requests, maintaining transaction records as required by law

Where we rely on consent, you can withdraw it at any time by contacting us at hello@partsmeet.com. Withdrawing consent does not affect the lawfulness of processing before withdrawal.

4. Who We Share Your Data With

We do not sell your personal information. We share data only in these situations:

• Other users -- Your public profile, listings, reviews, and messages are visible to other users as part of the marketplace. Shipping addresses are shared with the other party in a transaction to facilitate delivery.
• Service providers -- Third-party companies that help us operate the Platform (see Section 5 below). These providers are contractually obligated to use your data only for the services they provide to us.
• Legal requirements -- If required by law, regulation, legal process, or governmental request, we may disclose your information.
• Safety and fraud -- To protect the rights, property, or safety of PartsMeet, our users, or others, including to detect and prevent fraud.
• Business transfers -- If PartsMeet is involved in a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you before your data becomes subject to a different privacy policy.

5. Third-Party Services

We use the following third-party services to operate the Platform. Each has its own privacy policy governing how they handle your data:

Service	Purpose	Data Shared
Formspree	Waitlist form processing	Email, country, survey responses
Stripe Connect	Payment processing, seller verification (Stripe Identity), escrow, payouts	Name, email, payment details, identity documents (for sellers)
EasyPost	Shipping label generation, rate calculation, package tracking	Shipping addresses, package dimensions, tracking events
Cloudflare R2	Image storage	Listing photos
Google OAuth	Account authentication	Name, email, profile picture (only if you choose Google sign-in)
Pusher	Real-time messaging	Message content, user identifiers
Railway	Application hosting, database hosting	All application data is processed on Railway infrastructure

6. International Data Transfers

PartsMeet is a global marketplace, and your data may be processed and stored in multiple countries:

• Application hosting and database -- hosted on Railway, with servers in the United States
• Image storage -- stored on Cloudflare R2, which may use data centers globally
• Payment processing -- processed by Stripe, headquartered in the United States
• Shipping data -- processed by EasyPost, headquartered in the United States

If you are located in the EEA, UK, or Switzerland, your personal data may be transferred to the United States or other countries that may not provide the same level of data protection as your home country. When we transfer data internationally, we rely on:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Data processing agreements with our service providers
• Our service providers' own compliance frameworks (for example, Stripe and Cloudflare maintain their own GDPR compliance programs)

7. Data Retention

We keep your data only as long as necessary for the purposes described in this policy:

Data Type	Retention Period
Waitlist data	Until the Platform launches publicly, or until you request deletion
Account information	As long as your account is active, plus 30 days after deletion request
Listing data	Listings are soft-deleted (hidden but retained) for 90 days after removal, then permanently deleted
Transaction records	7 years after the transaction date (required for tax and legal compliance)
Messages	As long as both users' accounts are active; deleted 90 days after both accounts are closed
Listing images	Deleted from Cloudflare R2 within 30 days of listing deletion
Server logs	90 days

When data is no longer needed, we delete or anonymize it. Some data may be retained longer if required by law or to resolve disputes.

8. Cookies and Similar Technologies

We use a minimal number of cookies to operate the Platform:

Cookie	Type	Purpose	Duration
Session cookie	Essential	Keeps you signed in and maintains your session	Until browser is closed or session expires
Next.js preview bypass	Essential	Used during development to bypass draft content caching	Session
CSRF token	Essential	Prevents cross-site request forgery attacks on forms	Session

Third-party services we integrate with (such as Stripe) may set their own cookies when you interact with their features (for example, during checkout). These cookies are governed by those services' own cookie policies.

9. Your Privacy Rights

Regardless of where you live, you can:

• Access your data -- Request a copy of the personal information we hold about you
• Correct your data -- Update or fix inaccurate information through your account settings or by contacting us
• Delete your data -- Request that we delete your account and personal information (subject to legal retention requirements)
• Export your data -- Request a machine-readable copy of your data
• Withdraw consent -- Where we process data based on your consent, you can withdraw it at any time

To exercise any of these rights, email us at hello@partsmeet.com. We will respond within 30 days.

10. Rights for EU/EEA Users (GDPR)

If you are located in the European Economic Area, United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) provides you with additional rights:

• Right of access (Article 15) -- You can request a copy of all personal data we process about you, along with information about how and why we process it.
• Right to rectification (Article 16) -- You can ask us to correct inaccurate or incomplete personal data.
• Right to erasure ("right to be forgotten") (Article 17) -- You can request deletion of your personal data when it is no longer necessary for the purposes it was collected, when you withdraw consent, or when there is no other legal basis for processing.
• Right to restriction of processing (Article 18) -- You can ask us to temporarily stop processing your data while we verify its accuracy or assess whether our legitimate interests override yours.
• Right to data portability (Article 20) -- You can request your data in a structured, commonly used, machine-readable format and have it transmitted to another controller.
• Right to object (Article 21) -- You can object to processing based on our legitimate interests. We will stop processing unless we demonstrate compelling legitimate grounds that override your interests.
• Right not to be subject to automated decision-making (Article 22) -- We do not make decisions about you based solely on automated processing that produce legal or similarly significant effects.

To exercise these rights, contact us at hello@partsmeet.com. We will respond within 30 days. If we need more time (up to 60 additional days for complex requests), we will let you know.

If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection authority.

Data Protection Officer: For GDPR-related inquiries, contact our data protection team at hello@partsmeet.com with the subject line "GDPR Request."

11. Rights for California Users (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) give you specific rights regarding your personal information:

• Right to know -- You can request that we disclose what personal information we have collected about you, the categories of sources, our purpose for collecting it, and the categories of third parties with whom we share it.
• Right to delete -- You can request deletion of personal information we have collected from you, subject to certain exceptions (for example, we may need to retain transaction records for tax compliance).
• Right to correct -- You can request that we correct inaccurate personal information.
• Right to opt out of sale or sharing -- See Section 12 below. We do not sell your personal information.
• Right to limit use of sensitive personal information -- We only use sensitive personal information (such as account login credentials) for purposes authorized by the CCPA.
• Right to non-discrimination -- We will not deny you service, charge you different prices, or provide a different quality of service because you exercise your CCPA rights.

Categories of personal information we collect (as defined by the CCPA):

• Identifiers (name, email address, IP address, account ID)
• Commercial information (transaction history, listings, purchase details)
• Internet or electronic network activity (pages visited, interactions with the Platform)
• Geolocation data (country, derived from timezone or IP address)

To make a request, email hello@partsmeet.com with the subject line "CCPA Request." We will verify your identity before processing your request. You may also designate an authorized agent to make a request on your behalf.

We will respond to verifiable consumer requests within 45 days. If we need additional time (up to 45 more days), we will notify you.

12. Do Not Sell or Share My Personal Information

We do not sell your personal information. We have not sold personal information in the preceding 12 months, and we have no plans to do so.

We do not share your personal information for cross-context behavioral advertising. We do not use tracking technologies for targeted advertising purposes.

We share data with third-party service providers (listed in Section 5) only as necessary to operate the Platform. These providers act on our behalf and are contractually prohibited from using your data for their own purposes.

If our practices change in the future, we will update this policy and provide a clear "Do Not Sell or Share My Personal Information" opt-out mechanism on our website.

13. Email Communications (CAN-SPAM)

We comply with the CAN-SPAM Act. When we send you emails:

• We will not use false or misleading subjects or email addresses
• We will identify the message as an advertisement when applicable
• We will include our contact information in every email
• We will honor opt-out requests promptly

How to unsubscribe:

• Click the "unsubscribe" link at the bottom of any marketing email
• Email us at hello@partsmeet.com with the subject line "Unsubscribe"
• Update your notification preferences in your account settings

We will process your opt-out request within 10 business days. Note that even if you opt out of marketing emails, we will still send you transactional emails related to your account and orders (such as order confirmations, shipping updates, and escrow notifications).

14. Children's Privacy (COPPA)

PartsMeet is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If you are under 13, do not use the Platform or provide any information to us.

If we learn that we have collected personal information from a child under 13, we will delete that information as quickly as possible. If you believe a child under 13 has provided us with personal information, please contact us immediately at hello@partsmeet.com.

Users between 13 and 18 may use the Platform only with the involvement and consent of a parent or guardian.

15. Data Security

We take reasonable measures to protect your personal information, including:

• Encryption in transit -- All data transmitted between your browser and our servers uses HTTPS/TLS encryption
• Password security -- Passwords are hashed using bcrypt before storage; we never store plaintext passwords
• Payment isolation -- Credit card and financial data is handled entirely by Stripe and never touches our servers
• Access controls -- Application-level authorization ensures users can only access their own data
• Infrastructure security -- Our hosting provider (Railway) and storage provider (Cloudflare) maintain their own security certifications and compliance programs

No method of transmission or storage is 100% secure. While we strive to protect your personal information, we cannot guarantee its absolute security. If we become aware of a data breach that affects your personal information, we will notify you and any applicable regulatory authorities as required by law.

16. Changes to This Policy

We may update this Privacy Policy from time to time. When we make changes:

• We will update the "Last updated" date at the top of this page
• For significant changes, we will notify you by email or by placing a prominent notice on our website
• We will not reduce your rights under this policy without your explicit consent

We encourage you to review this policy periodically. Your continued use of the Platform after changes are posted constitutes your acceptance of the updated policy.

17. Contact Us

If you have questions about this Privacy Policy, want to exercise your privacy rights, or have concerns about how we handle your data, contact us:

• Email: hello@partsmeet.com
• Website: partsmeet.com

For GDPR-related requests, use the subject line "GDPR Request." For CCPA-related requests, use the subject line "CCPA Request." We aim to respond to all privacy inquiries within 30 days.