Skip to main content
Retro Market

// LAST UPDATED 17 May 2026

Privacy Policy

This policy explains how RetroMarket handles your personal information. It is aligned to the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). RetroMarket is operated from Australia; data hosting routes through providers that store data in Australia or the United States as described in §6 below.

1. Kinds of personal information

We collect the following categories of personal information from you when you sign up, fill in your profile, create listings, transact, or otherwise interact with the platform:

  • Account identifiers — email, password hash (or OAuth subject), display name, handle.
  • Profile details — avatar, bio, country, postcode area (optional), preferences.
  • Listing content — titles, descriptions, condition notes, asking prices, photos you upload.
  • Interaction data — messages with other users, offers, watchlist, saved searches, wanted ads, reviews you author.
  • Subscription data — the Stripe customer ID and subscription state if you opt into the Store tier. We do not store full card numbers; Stripe handles card data directly.
  • Technical metadata — IP address (transient, for fraud prevention), browser user agent, anonymised performance telemetry.

2. How collected and held

We collect personal information directly from you (signup form, profile editor, listing creation, messaging UI, settings panel) and from the OAuth providers you choose to link (currently Google). We hold the information in our Convex database, which encrypts data in transit and at rest. Listing photos are stored in Convex file storage. Email delivery is handled by Resend. Payment events are handled by Stripe. Anonymised Core Web Vitals telemetry is collected by Vercel Speed Insights.

3. Purposes

We collect, hold, use, and disclose personal information for the following purposes:

  • Operating the marketplace — rendering listings, matching searches, delivering messages and offers, surfacing reviews, calculating recently-viewed sections.
  • Managing accounts — authenticating users, enforcing one-account-per-person rules, recovering credentials, prompting for re-acceptance of updated Terms.
  • Billing — processing the optional Store-tier subscription and listing upgrades through Stripe.
  • Transactional notifications — sending confirmation emails for sign-ups, password resets, offer activity, and similar direct-response messages.
  • Fraud and abuse prevention — investigating reports of scamming, harassment, off-platform-payment fraud, or AUP breaches; applying scammer flags where evidence supports it.
  • Performance and reliability — using Vercel Speed Insights to measure anonymised Core Web Vitals so we can improve page load behaviour.
  • Legal compliance — responding to lawful requests and meeting tax, dispute, and recordkeeping obligations.

4. Access and correction

You can access and correct most of your personal information directly in your account settings. The “Privacy & Data” section there also includes an “Export my data” button that emails you a JSON bundle of your first-person personal information — listings, watchlist, saved searches, wanted ads, your authored reviews, the user-side of your inquiries and offers. This satisfies your APP 12 right of access. Exports are throttled to once per 24 hours per user.

If you need to correct information that you cannot edit yourself — for example a misspelled handle that conflicts with another account — email privacy@retromarket.com.au.

5. Complaints

If you believe we have mishandled your personal information, email privacy@retromarket.com.au with the details. We will acknowledge your complaint within seven days and respond substantively within 30 days. If you are not satisfied with our response, you can escalate to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au/privacy/privacy-complaints ↗.

6. Overseas disclosure

We rely on the following service providers to operate the platform. Each receives only the personal information needed for the task they perform:

  • Convex (United States) — database, authentication, file storage.
  • Resend (United States) — transactional and digest email delivery.
  • Stripe (United States) — Store-tier subscription billing and listing-upgrade payments.
  • Vercel Speed Insights (United States) — anonymised Core Web Vitals telemetry; no cookies set.

For OAuth-linked users, Google (United States) also receives the minimum data needed to authenticate you (your Google account identifier and email).

Sentry, Better Stack, and Axiom are NOT currently in use — future processor additions will be reflected here before deployment.

7. Cookies and telemetry

We use first-party cookies for authentication only. We do not run third-party advertising trackers. See the Cookies & Tracking notice for the full inventory.

8. Retention

Per APP 11.2, we destroy or de-identify personal information once we no longer need it for any purpose set out in this policy and no legal obligation requires us to retain it. Transactional records (Stripe events, subscription history) are retained for tax and dispute purposes as required by Australian law. Listings that have been sold or expired remain visible for a limited window so buyers and sellers can reference past activity, then are archived.

9. Account deletion and anonymisation

You can request account deletion from your account settings. Deletion is scheduled for seven days after your request — this gives you a window to cancel by signing in again. After the grace period:

  • Your email, name, handle, avatar, and bio are blanked.
  • Your display name is set to “deleted user”.
  • Your authored reviews remain visible under that “deleted user” attribution so counterparties retain context.
  • Reviews written about you remain attached with their original author.
  • Inquiries, offers, and messages remain linked to the record so the counterparty's history is intact, but your handle is replaced with “deleted user”.
  • Any active Store subscription is cancelled with Stripe before the user record is updated.

We retain a minimal anonymised record because deleting the user row outright would orphan counterparty reviews and break their transaction history — an outcome that itself would interfere with other users' rights.

10. Children's privacy

RetroMarket is for users aged 16 or older (see Terms §4). We do not knowingly collect personal information from anyone under 16. If you believe a child has created an account, contact privacy@retromarket.com.au and we will investigate and, if confirmed, anonymise the account.

11. Changes to this policy

We may update this policy from time to time. Material changes trigger a re-acceptance prompt for signed-in users on their next visit. The footer on this page shows the current version and as-at date.

12. Contact

Privacy questions, access or correction requests, and complaints should be addressed to privacy@retromarket.com.au.

// As at · v1.6.0