PRIVACY POLICY

1. INTRODUCTION

This Privacy Policy describes how Undercity Trading ("Undercity", "we", "us", or "our") collects, uses, stores, shares, and protects your information when you use our website at undercity.co.za, our iOS and Android mobile applications, and any related services (collectively, the "Services").

By using the Services, you agree to the collection and use of information in accordance with this Policy. If you do not agree, please do not use the Services.

2. WHO WE ARE

Undercity Trading is operated from South Africa. The data controller responsible for your personal information is Undercity Trading. Contact: info@undercity.co.za.

3. INFORMATION WE COLLECT

3.1 Information You Provide

• Account Information: name, email address, username, password (stored as a one-way hash), date of birth (for age verification), and optional profile details such as bio, avatar, and banner image.
• Listings & Trade Content: item titles, descriptions, condition, prices, photographs, and trade preferences you upload.
• Messages: the contents of chat threads, trade negotiations, and support requests you send through the Services.
• Transactions: records of trades, claims, auctions, bids, and order status. We do not currently process payments directly; payment between users is arranged outside the platform.
• Reports & Disputes: information you submit when flagging another user, listing, or message.

3.2 Information Collected Automatically

• Device & Technical Data: device model, operating system, app version, browser type, language, time zone, and crash logs.
• Usage Data: pages and screens viewed, features used, search queries within the marketplace, listings interacted with, and timestamps.
• Network Data: IP address and approximate region derived from it (used for security, rate limiting, and abuse prevention).
• Cookies & Local Storage: session cookies and local storage entries used to keep you signed in and remember your preferences. The mobile app uses equivalent secure local storage.
• Push Notification Tokens: if you enable notifications, the device token issued by Apple Push Notification service (APNs) or Firebase Cloud Messaging (FCM) is stored so we can deliver alerts (new messages, outbid notices, claim updates).

3.3 Permissions Requested by the Mobile App

• Camera & Photo Library: only used when you choose to add photos to a listing or profile. Images are uploaded to our storage and are not accessed in the background.
• Notifications: only used to deliver in-app activity alerts you opt into.
• Network Access: required to load and submit content.

We do not collect precise location, contacts, microphone audio, health data, SMS, or call logs.

4. HOW WE USE YOUR INFORMATION

• Create and maintain your account and authenticate sign-in.
• Display your listings, profile, and messages to the other users you choose to interact with.
• Operate core marketplace features: search, claims, auctions, bidding, and chat.
• Send transactional notifications (new messages, claim updates, outbid alerts, security alerts).
• Detect, investigate, and prevent fraud, scams, abuse, and violations of our Terms of Service.
• Respond to your support requests and reports.
• Improve and debug the Services using aggregated usage and crash data.
• Comply with legal obligations.

5. HOW WE SHARE YOUR INFORMATION

We do not sell your personal information. We do not share your personal information for third-party advertising. We share data only in the following situations:

• With other users: your username, profile, and listing content are visible to other users of the marketplace. Messages are visible to the recipients of those messages.
• Service providers (processors) acting on our behalf:
  • Supabase — database, authentication, and file storage hosting.
  • Vercel — web hosting and content delivery.
  • Apple (APNs) and Google (FCM) — delivery of push notifications you opt into.
  • Email delivery providers — sending account, security, and support emails.
• Legal & safety: when required by law, valid legal process, or to protect the rights, safety, or property of Undercity, our users, or the public.
• Business transfers: in connection with a merger, acquisition, or sale of assets, subject to the protections of this Policy.

6. DATA SECURITY

All data is transmitted over HTTPS/TLS. Passwords are stored as salted one-way hashes and are never visible to us. Database access is protected by row-level security policies so that users can only read and modify data they are authorised to access. We routinely review our infrastructure and apply security updates. No system is completely secure; if we become aware of a breach affecting your personal data, we will notify you in accordance with applicable law.

7. DATA RETENTION

• Active accounts: we retain your data for as long as your account exists.
• Inactive accounts: accounts inactive for more than 24 months may be deactivated and the associated personal data minimised.
• Deleted accounts: personal data is removed within 30 days of a deletion request, except where we are required to retain limited records for legal, fraud-prevention, or dispute-resolution purposes.
• Server logs & backups: technical logs are retained for up to 90 days; encrypted backups roll over within 30 days.

8. YOUR RIGHTS & CHOICES

Depending on your location (including under POPIA, GDPR, and applicable U.S. state laws), you may have the right to:

• Access the personal data we hold about you.
• Correct inaccurate or incomplete data.
• Request deletion of your account and personal data.
• Export a copy of your data in a portable format.
• Object to or restrict certain processing.
• Withdraw consent for optional features (e.g. notifications).

Account & data deletion: email info@undercity.co.za from your registered address with the subject "Account Deletion Request". We will process your request within 30 days. Alternatively, you can request account deletion here.

9. CHILDREN'S PRIVACY

The Services are not directed to children under 13 (or under 16 in jurisdictions where that is the minimum age). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.

10. INTERNATIONAL DATA TRANSFERS

Our infrastructure providers may process and store data in regions outside South Africa, including the European Union and the United States. Where data is transferred internationally, we rely on recognised safeguards provided by those processors (such as Standard Contractual Clauses).

11. CHANGES TO THIS POLICY

We may update this Policy from time to time. Material changes will be communicated through the Services or by email. The "Last Updated" date at the top of this page reflects the most recent revision.

12. CONTACT US

For privacy questions, data requests, or complaints, contact us at info@undercity.co.za.