Privacy Policy

Last updated: May 10, 2026

1. Who we are

TeeBox Market ("TeeBox", "we", "us", "our") operates a peer-to-peer marketplace for golf equipment, apparel, and accessories, available as a website and as a mobile application. This Privacy Policy explains what personal information we collect about you when you use the TeeBox app or website, how we use it, and the choices you have.

If you have any questions about this policy or how your data is handled, contact us at legal@teeboxmarket.com.

2. Information we collect

Information you give us

• Account information. When you create an account we collect your email address and password (passwords are stored as a salted hash by Firebase Authentication; we cannot read them). If you choose phone-number sign-in instead, we collect your phone number for verification.
• Profile information. A display name, optional profile photo, optional short bio, and an optional location (a free-text city/state you type in — we do not read your device's GPS), if you choose to add them. You can also optionally add a golf handicap, a list of clubs in your bag, and pin one of your listings to the top of your profile.
• Listings. When you list an item for sale we collect the title, brand, category, condition, asking price, description, and photos you upload.
• Transactions. When you buy or sell, we record the listing, price, buyer/seller IDs, order status, shipment tracking number and carrier (when the seller provides one), timestamps, and any messages exchanged.
• Shipping address. When you buy an item, you provide a shipping address via Stripe's secure checkout. The address is stored on the order record and shared with the seller for fulfillment. It is never shared with any other party.
• Messages. Direct messages between buyers and sellers are stored so the recipient can read them when they next open the app.
• Reviews and ratings. After a completed sale, buyers can leave a star rating and written review of the seller. Reviews are public on the seller's profile.
• Watchlist and saved searches. Items you favorite ("watch") and search terms you save are stored on your account so you can find them again. You can opt in to push notifications when a new listing matches a saved search.
• Game scores. If you play the daily Logo Bingo game, your score and display name appear on a public leaderboard.
• Support communications. Email or in-app messages you send us about a problem or question.

Information collected automatically

• Authentication tokens. A Firebase Authentication session token so you stay signed in.
• Device and connection data. Standard server-side request logs (IP address, user agent, timestamp) used to detect abuse and operate the service. These logs are kept for a limited period and are not used to build advertising profiles.
• Push notification tokens. If you grant notification permission, we collect a Firebase Cloud Messaging (FCM) device token and a truncated user-agent string. The token is stored at users/{uid}/fcmTokens/{token} and used to send new-message alerts, price-drop alerts, order updates, and saved-search matches. Tokens that fail delivery are pruned automatically, you can revoke notifications at any time in your OS settings, and all tokens are deleted when you delete your account.

Information we do not collect

• We do not collect your precise location.
• We do not collect your contacts, calendar, photos library, microphone audio, or health data.
• We do not embed third-party advertising SDKs and do not track you across other apps or websites.
• We never see or store your full credit card number — payments are processed entirely by Stripe.

3. How we use your information

• To create and authenticate your account.
• To display your listings to other members and let buyers contact you.
• To process payments, payouts, and refunds through Stripe.
• To deliver receipts, order updates, and security notifications.
• To detect, investigate, and prevent fraud, abuse, counterfeit listings, and policy violations.
• To respond to your support requests.
• To comply with legal obligations and enforce our Terms of Service.

We do not sell your personal information. We do not use your data for third-party advertising.

4. Who can see what

• Public: Your listings, seller display name, profile photo, bio, profile location (if you set one), and seller profile (ratings, reviews, completed sales count) are visible to anyone using TeeBox.
• Private to you: Your email address, phone number, password, and payout details are never shown to other members.
• Visible to the other party in a transaction: Once an order is placed, the buyer's shipping address (entered at checkout via Stripe) is shared with the seller so the item can be shipped, and basic order information (item, price, status, tracking number) is shared between the buyer and seller.
• Conversations: Messages are visible only to the two members in the conversation.

5. Service providers we share data with

We use a small number of trusted service providers ("subprocessors") to operate TeeBox. We share with them only the information they need to perform their function, and they are contractually bound to use it only on our behalf.

• Google Firebase — authentication, database, file storage, push notifications, and serverless functions. Firebase Privacy
• Stripe — payment processing, payouts to sellers, and Pro Seller subscription billing. Stripe receives the payment information you enter at checkout directly. Stripe Privacy · Stripe DPA
• Stripe Identity — for high-value seller verification, captures a selfie and a photo of your government-issued ID for identity verification. This data goes directly to Stripe and is not stored on TeeBox servers (see Section 6). Stripe DPA
• Google Cloud Vision (SafeSearch) — every uploaded listing photo is automatically scanned for adult, violent, or otherwise prohibited content. Photos are sent to Google Cloud Vision for analysis and not retained by Google beyond that request. Google Cloud DPA
• Google Gemini 1.5 Flash — if you use the optional AI price-suggestion or AI draft-description features, your listing title, brand, category, condition, and up to three photos are sent to Google's Gemini API (generativelanguage.googleapis.com) to generate the suggestion. These features are opt-in and only run when you tap the AI assist button. Google Cloud DPA
• Resend — transactional email delivery (account verification, receipts, password resets, order updates). Resend receives your email address, display name, and the body of the email being sent. Resend DPA
• Plausible Analytics — cookieless, privacy-preserving pageview analytics. Plausible receives the page URL, referrer, and a country-level location derived from a hashed IP. No cookies are set and no cross-site identifier is used. Plausible DPA
• Apple App Store / Google Play — app distribution and crash reporting (only if you've opted into device-level diagnostics in your OS settings).

High-sensitivity data: Stripe Identity

Sellers who request identity verification (typically required for high-value listings or higher payout limits) submit a selfie and a government-issued photo ID. This biometric and identity data is captured by Stripe Identity's hosted flow and transmitted directly to Stripe — TeeBox never stores the selfie or ID image on its own servers. TeeBox only receives the verification outcome (pass / fail / pending) and a Stripe verification session ID. Retention of the selfie and ID image is governed by Stripe's policies; see the Stripe DPA and Stripe Privacy Policy for details.

Pro Seller subscription billing

Pro Seller is an optional $14.99/month subscription billed through Stripe. Subscribing creates a Stripe Customer record with your billing details and invoice history; the subscription state (active, past-due, canceled) is mirrored to your TeeBox user record so we can display the correct features. Refunds for subscriptions purchased on iOS via the App Store are handled by Apple per their policies — see support.apple.com/HT204084. Refunds for subscriptions purchased on the web are handled by TeeBox and Stripe on a case-by-case basis.

We may also disclose information when we have a good-faith belief it is required by law (subpoena, court order, lawful regulatory request) or necessary to protect the safety of our users.

6. Data retention

We keep your account information for as long as your account is active. Account deletion is processed immediately upon request — when you delete your account from inside the app (Account → Delete Account) or by emailing us, your profile, listings, messages, watchlist, saved searches, and FCM tokens are removed right away. We retain certain records (orders, tax records, payout records, and dispute records) for up to 7 years as required by law and to preserve marketplace integrity. Public listings you posted may remain visible in archived form (with the seller name removed) where another user has interacted with them, to preserve the integrity of historical orders.

7. Cookies and similar technologies

TeeBox uses a minimal set of storage technologies. We do not use advertising or cross-site tracking cookies.

• Essential / functional. Firebase Authentication persists your sign-in using browser localStorage on the web and in secure in-memory storage on iOS. Stripe sets its own cookies on js.stripe.com when you reach a payment screen — these are third-party cookies required to process the payment securely.
• Analytics. Plausible Analytics is fully cookieless and does not set any identifier in your browser.
• No advertising or tracking cookies. We do not embed ad networks, retargeting pixels, or social media trackers.

8. Your rights

Regardless of where you live, you can:

• Access — request a copy of the personal information we hold about you.
• Correct — fix any information that is inaccurate.
• Delete — request that we delete your personal information. You can also delete your account directly from inside the app under Account → Delete Account.
• Object / restrict — ask us to stop or limit certain uses of your information.
• Portability — receive a copy of your data in a structured, machine-readable format.

To exercise any of these rights, email legal@teeboxmarket.com from the email address associated with your account. We respond within 30 days.

9. California privacy rights (CCPA / CPRA)

This section is a Notice at Collection for California residents under Cal. Civ. Code §1798.140. It describes the categories of personal information we collect, where we get it, why we use it, and whether we sell or share it.

Categories of personal information we collect

• Identifiers — name, email address, phone number (optional, only if you choose phone sign-in), Firebase UID, and IP address (server-logged). Source: you, and automatically from your device. Purpose: account creation, authentication, fraud prevention. Sold/shared: No.
• Customer records — shipping address (collected at checkout via Stripe) and billing information (collected by Stripe). Source: you, via Stripe's checkout. Purpose: to deliver purchases and process payments. Sold/shared: No.
• Commercial information — purchase history, watchlist, saved searches, and listing activity. Source: you, through your use of TeeBox. Purpose: operate the marketplace and personalize your experience. Sold/shared: No.
• Internet or other electronic network activity — app usage and aggregate pageview data (via Plausible — anonymous and cookieless). Source: automatically from your device. Purpose: to understand which features are used and improve the product. Sold/shared: No.
• Geolocation data — country-level only, derived from your IP address. We never collect GPS or precise location. Source: automatically from your IP. Purpose: coarse analytics and fraud signals. Sold/shared: No.
• Inferences — drawn from your listing activity (for example, an AI price suggestion based on the item you are listing). Source: derived by us from data you provide. Purpose: the AI assist features you choose to use. Sold/shared: No.
• Biometric and identity information (sellers only, optional) — a selfie and a government-issued photo ID, collected only if you request seller identity verification. This data goes directly to Stripe Identity and is not stored on TeeBox servers. Source: you, via Stripe Identity. Purpose: identity verification for high-value seller activity. Sold/shared: No.

We do not sell or share personal information

TeeBox does not sell your personal information and does not share it for cross-context behavioral advertising, as those terms are defined under the California Consumer Privacy Act and California Privacy Rights Act (Cal. Civ. Code §1798.135). We have not done so in the past 12 months, and we do not have any plans to start.

Global Privacy Control (GPC)

TeeBox honors the Global Privacy Control browser signal as a valid opt-out of sale/sharing. Because we do not sell or share personal information to begin with, the GPC signal does not change how we process your data — but we publicly acknowledge the standard and will continue to honor it if our practices ever change.

Exercising your California rights

California residents may request to know, correct, delete, or receive a portable copy of their personal information, and may not be discriminated against for exercising these rights. To make a request, email legal@teeboxmarket.com from the address on your account. We will verify your identity through the email or in-app account you control before fulfilling the request.

10. Children

TeeBox is not directed to children under 13 and we do not knowingly collect personal information from children under 13. If you believe a child has signed up for TeeBox, contact us and we will delete the account.

11. Security

We use industry-standard safeguards to protect your information, including encryption in transit (HTTPS), encryption at rest (Firebase / Stripe), salted password hashing, and least-privilege access controls. No system is perfectly secure — if we ever discover a breach affecting your data, we will notify you and the appropriate authorities as required by law.

12. International transfers

TeeBox is operated from the United States. If you access TeeBox from outside the US, you consent to your information being transferred to and processed in the US, where data protection laws may differ from those in your country.

13. Changes to this policy

We may update this policy from time to time. When we make a material change, we will update the "Last updated" date at the top of this page and notify users in the app. Your continued use of TeeBox after a change means you accept the updated policy.

14. Contact

Questions, requests, or complaints? Reach us at:

• Email: legal@teeboxmarket.com
• General support: support@teeboxmarket.com