Privacy Policy
Version 2026-07-02-draft · Last updated July 2, 2026
1. What we collect
- Account data: email address and password hash (managed by Supabase Auth).
- Profile data you publish: display name, handle, bio, interests, profile photo, an approximate location label you write yourself, and your local/online preference.
- Precise location (optional): if you tap “Use my current location,” we store your coordinates privately to power distance filters. They are never shown to anyone — other members only ever see bucketed distances such as “1-5 mi.”
- Activity: posts, photos, offers, messages, saves, follows, blocks, reports, and legal consents (with document versions).
- Payments: if you donate or subscribe, Stripe processes your payment. We store only your Stripe customer reference, subscription status, and donation amounts — never card numbers.
2. What we do with it
We use your data to run barter discovery (matching, distance filters, search), messaging, safety features (blocks, reports, moderation), and platform support payments. We do not sell personal data, run third-party advertising, or use your content to train AI models.
3. Who can see what
- Public: your profile (name, handle, bio, photo, interests, approximate location label, follower counts) and your active posts.
- Participants only: offers, offer history, and messages are visible only to the two members in the thread, enforced by database row-level security.
- Only you: precise coordinates, email, saved posts, block list, donation history, and legal consents.
- Moderators: reports and reported content, for review.
4. Processors
We rely on Supabase (database, authentication, storage) and Stripe (payments). Each processes data under its own terms and safeguards.
5. Retention and deletion
Deleting your account permanently removes your profile, posts, photos, offers, messages, saves, follows, and blocks through database cascades. Webhook records of payments are retained as required for nonprofit accounting. Backups age out on the infrastructure provider's schedule.
6. Your rights
You can view and edit your profile in Settings, export your content by request, and delete your account yourself. Depending on your jurisdiction you may have additional rights (access, correction, portability, erasure); contact OMS2 to exercise them.
7. Security
Every application table is protected by row-level security; precise coordinates are excluded from all client-readable queries; payment webhooks are signature-verified; sessions use industry-standard encrypted cookies. No system is perfectly secure — report vulnerabilities via SECURITY.md in the project repository.
8. Children
Battarbox is for adults 18+. We do not knowingly collect data from minors, and we delete such accounts.
9. Changes and contact
Material changes to this policy will be announced in-app and require renewed acceptance. Questions: contact OMS2 at the address published on the project repository.
