Privacy Policy
How Coat Rack handles personal data — what we collect, why we collect it, who we share it with, and the choices available to you. Plain English where the law allows. The rights sections (CCPA, GDPR) use the legal phrasing those regimes require.
Scope
This Privacy Policy describes how Coat Rack collects, uses, shares, and retains personal data when you use the Platform — the catalog, the seller flow, the checkout, and the buyer-protection claim process. It applies to information we handle as the data controller; where we act as a data processor on behalf of another party, that party’s policy applies.
Data we collect
We collect the following categories of personal data:
- Account data. Email address. We do not store passwords; sign-in is via magic link.
- Listing data. Photos, condition notes, ask, maker, year, category, and any seller-supplied piece-level metadata.
- Order data. Buyer and seller identifiers, order line items, ask, platform fee, shipping data, inspection window state, and any claim filings.
- KYC data. For sellers: legal name, date of birth, last digits of a tax ID, address. We submit this to Stripe Connect for verification; we do not retain the raw documents.
- Device and usage data. IP address, browser user-agent, pages visited on the Platform, and timestamps. Used for security, fraud detection, and basic operational metrics.
- Communications. Emails you send to us and our replies.
How we use data
We use personal data to:
- Operate the Platform — list, sell, ship, and pay out.
- Run the authentication ensemble. Listing photos are processed by our model pipeline to produce a confidence score and a comparator set. The verification report is public; the raw model outputs are not.
- Adjudicate claims. Listing photos, receipt photos, and order metadata are reviewed by Coat Rack operators when a claim is opened.
- Improve the reference set and the underlying authentication models. Listing photos may be used as training and reference data, including after a listing is sold or removed.
- Send transactional email — order confirmations, claim status, payout notifications.
- Detect and prevent fraud, including pattern analysis on claim submissions, payment anomalies, and account access.
- Comply with legal obligations.
Photo retention
Listing photos and any receipt photos uploaded with a claim are retained for 18 months from the date of upload, unless a longer retention is required by law or by an open or anticipated dispute.
After the retention window, photos are deleted from primary storage. Aggregate, non-identifying derivatives — such as embedding vectors used by the model pipeline — may be retained for longer; these derivatives are not reversible into the original photo.
You may request earlier deletion by emailing privacy@coatrack.app. Deletion requests for an active listing or an unresolved claim will not be honored until the underlying matter is resolved.
California (CCPA / CPRA)
California residents have the right to know what personal information we collect, the right to delete personal information we hold, the right to correct inaccurate personal information, the right to opt out of the sale or sharing of personal information, and the right to non-discrimination for exercising these rights.
We do not sell or share personal information for cross-context behavioral advertising. To exercise any other right, email privacy@coatrack.app. We will respond within 45 days.
EEA, UK, and Switzerland (GDPR)
If you are in the EEA, the UK, or Switzerland, you have the rights under GDPR (and the UK and Swiss equivalents) to access, correct, or delete your personal data; to restrict or object to processing; to data portability; and to withdraw consent where processing is based on consent.
Our legal bases for processing are: (a) performance of the contract with you (operating the Platform), (b) compliance with legal obligations, and (c) our legitimate interests in maintaining a secure, fraud-resistant marketplace and improving the authentication models.
To exercise GDPR rights, email privacy@coatrack.app. You may also lodge a complaint with your local supervisory authority.
Minors
The Platform is not intended for individuals under the age of eighteen (18). We do not knowingly collect personal data from minors. If we learn we have collected personal data from a minor, we will delete it.
Security
We use standard technical and organizational measures to protect personal data, including encryption in transit (TLS), encryption at rest for stored photos and database backups, principle-of-least-privilege access controls, and audit logging on sensitive operations.
No system is perfectly secure. If we learn of a security incident affecting your personal data, we will notify you in line with applicable law.
Changes to this policy
We may update this policy from time to time. Material changes will be announced via email and reflected in the “Effective” date at the top of this page. Continued use of the Platform after a change constitutes acceptance of the updated policy.
Contact
Privacy questions, data requests, or complaints? privacy@coatrack.app.
For other matters, see /legal/terms and /legal/buyer-protection.