Privacy Policy

Effective May 25, 2026 · v1

1. About this Privacy Policy

This Privacy Policy (the "Policy") describes the personal information that ShopThing Inc. and its subsidiary ShopThing Inc. (USA) (collectively, "ShopThing," "we," "us," or "our") collect, use, and disclose in connection with the operation of the ShopThing platforms.

1.1 Platforms covered

This Policy applies to your use of the following ShopThing platforms (collectively, the "Platforms"):

ShopThing.com (the website);
The ShopThing iOS app;
The ShopThing Android app;
ShopThing Auctions (the online auction platform);
Our official social media pages and accounts;
Communications we send to you (email, SMS, push notifications);
ShopThing VIP. A ShopThing account is a single, shared account across all of the Platforms. The personal information described in this Policy is shared across the Platforms as needed to operate them as a single, integrated customer experience.

1.2 Acceptance of this Policy

By using any of the Platforms, you confirm that you have read, understood, and accepted this Policy and that you consent to the collection, use, and disclosure of your personal information as described here. If you do not consent, you must not use the Platforms.

2. Personal information we collect

2.1 Information you provide to us

When you create or use a ShopThing account, transact on any of our Platforms, or otherwise interact with us, we collect personal information that you provide to us, including:

Your name (first and last), email address, password, and any optional profile information you choose to add;
Your billing address, your shipping address(es), and your phone number;
Your payment information (processed and tokenized by our payment processor — we do not store full payment card numbers);
Your communication preferences, including your consent to marketing communications;
Information related to your orders, bids, returns, and other transactions on the Platforms;
For ShopThing Auctions specifically: your bid amounts, bid timing, maximum (auto) bid amounts you set, lot identifiers, your display currency preference, and a record of your acceptance of our Auction Policies (timestamp and version);
Identity verification information you provide where we are required by law to verify your identity (see §6.3);
The content of any messages you send to our customer support or any reviews, comments, photographs, or other content you submit through the Platforms.

2.2 Information we collect automatically

When you visit or use the Platforms, we automatically collect certain information about your device and your use of the Platforms, including:

Your IP address, browser type and version, screen resolution, preferred language, geographic location, operating system, domain names, access times, referring addresses, and computer/device platform;
Your interactions with the Platforms (pages viewed, items viewed, items added to wishlists, bids placed, durations spent on pages);
For ShopThing Auctions specifically: payment authorization metadata (a payment processor reference identifier, the authorized amount, the currency, whether the authorization was satisfied through 3-D Secure), idempotency keys used for transactional safety, FX rate snapshots applied to lots at listing time, and authentication and quality-control metadata generated during fulfillment;
Click-event data for authenticated users: the page on which a click occurred, the labelled element clicked, the coordinates of the click within your viewport, and the size of your viewport. This information is used internally to identify usability issues, bugs, and product-improvement opportunities;
Cookies and similar technologies — see §7 for the full inventory and your choices.

2.3 Information from third parties

We may receive personal information about you from third parties, including:

Identity verification providers, where we are required by law to verify your identity;
Payment processors (currently Stripe Inc.), which provide tokenized payment-method references and transaction-status information;
Our analytics providers (currently Google Analytics, via Google Tag Manager), which provide aggregate platform-usage data;
Our authentication partners (currently Entrupy) for ShopThing Auctions, which provide authentication outcomes on items shipped through our authentication centers;
Our tax calculation service (currently TaxJar) for ShopThing Auctions, which receives shipping-address and transaction-amount information at the time we capture payment, in order to calculate applicable sales tax;
Public sources (publicly available business directories, social media, etc.) where we use them to confirm identity or comply with legal obligations.

3. How we use your information

We use the personal information we collect for the following purposes:

To create and maintain your ShopThing account and to authenticate you when you sign in;
To operate the Platforms, fulfill your orders and bids, and complete the transactions you initiate;
To process payments, including authorization holds, captures, refunds, and chargebacks;
To operate the bidding system on ShopThing Auctions, including placing automatic bids on your behalf up to a maximum you set, calculating minimum next bids, and reconciling outcomes after lots close;
To authenticate items at our authentication centers (ShopThing Auctions);
To deliver your orders and bid wins, including arranging for shipping, customs documentation, and carrier coordination;
To send you transactional communications, including order confirmations, shipping updates, payment receipts, bid status updates, and outcome notifications;
To send you marketing communications about new arrivals, exclusive offers, and similar promotional content, but only where you have given us express consent (see §10 below);
To comply with our legal obligations, including identity verification, sanctions screening, anti-money-laundering, and tax-reporting obligations;
To prevent and respond to fraud, including disputes, chargebacks, account-takeover attempts, and other security incidents;
To handle customer-support inquiries, returns, claims, and disputes;
To improve the Platforms, including by analyzing usage patterns, debugging, and conducting A/B testing of new features;
To enforce our Terms and other policies.

We share your personal information only as described below.

4.1 Within ShopThing

Personal information is shared between ShopThing Inc. (the Canadian parent) and ShopThing Inc. (USA) (the US subsidiary) for the purpose of operating the Platforms as a single integrated experience. Both entities act jointly as data controllers (under US law) and jointly as accountable parties (under Canadian law) for personal information that is shared between them. You may exercise any of your rights under this Policy with respect to either entity, and we will coordinate as needed to fulfill your request.

4.2 With our service providers

We share personal information with service providers who help us operate the Platforms, only to the extent necessary for them to provide those services, and under written agreements that require them to protect your information. Our service providers include:

Stripe Inc. (payment processing). We share tokenized payment-method information, transaction amounts, currencies, and metadata referring to your account, lot, and bid.
TaxJar (sales tax calculation). For ShopThing Auctions, we share your shipping address and the lot amount at the time we capture payment, so TaxJar can return the applicable sales tax to add to your charge.
Entrupy (authentication services). For ShopThing Auctions, we share photographs and item descriptions of lots we send through authentication. We do not share your name or directly identifying personal information with Entrupy unless required to investigate a specific claim.
Google (analytics, captcha, tag management). We use Google Analytics via Google Tag Manager and Google reCAPTCHA Enterprise. We share usage data with these services as described in §7 (Cookies and Tracking Technologies).
LaunchDarkly (feature flags). For authenticated users of ShopThing Auctions, we share an anonymous identifier and user-context attributes (account identifier, email, email-verified status, currency) with LaunchDarkly for the purpose of feature-flag evaluation.
Identity verification providers (currently Stripe Identity and similar services). Where required, we share identity documents you provide for verification.
Cloud infrastructure providers (currently Google Cloud Platform via Firebase). Data is stored on cloud servers operated by these providers.
Email and SMS providers, who help us send transactional and marketing communications.
Shipping carriers (currently FedEx, DHL, UPS, and others), to whom we provide the shipping address and contents description necessary to deliver your orders.
Customs brokers and import-handling providers, for the purpose of moving lots across borders.
Customer-support tools and platforms that help us manage your inquiries.
Professional advisors (legal counsel, auditors, tax advisors).

4.3 With third parties for legal reasons

We may disclose personal information to third parties where we believe in good faith that disclosure is necessary or appropriate to:

Comply with applicable law, regulation, legal process, or governmental request;
Enforce our Terms and other policies, or to detect, prevent, or otherwise address fraud, security, or technical issues;
Protect the rights, property, or safety of ShopThing, our customers, or others, including exchange of information with other companies and organizations for the purposes of fraud protection and credit-risk reduction;
Comply with FinCEN reporting obligations (for transactions of USD $10,000 or more) and FINTRAC reporting obligations (for transactions of CAD $10,000 or more), where applicable.

4.4 In a business transaction

If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of company assets, your personal information may be transferred as part of that transaction. We will require the acquiring party to honor your privacy rights as described in this Policy.

We will share your personal information with any other third party where you have given us your express consent.

5. Public visibility of certain ShopThing Auctions information

On ShopThing Auctions, bid history on a Lot is visible to other authenticated ShopThing Auctions users in a masked form. Specifically:

Other Bidders are displayed under masked identifiers (for example, "Bidder ***XYZ"). You are displayed to yourself as "You." Your name, account email, and other directly identifying personal information are not exposed to other users.
Bid amounts and the timing of each bid are visible to other authenticated users viewing the same Lot. By bidding on ShopThing Auctions, you consent to this masked visibility of your bid amounts and bid timing to other authenticated users. This visibility is a feature of the auction experience and is essential to its operation.

6. ShopThing Auctions — specific data practices

This section describes the data practices that are specific to ShopThing Auctions. It supplements the general practices described in the rest of this Policy.

6.1 Bid records

We retain a record of every bid you place, including the bid amount, bid timing, lot identifier, any proxy bid maximum you set, your authentication and verification status at the time of bid, your shipping address at the time of bid, an audit trail (your IP address, user-agent string, session identifier, and the processor reference for any payment authorization), and your acceptance of the Auction Policies (the timestamp and the version accepted). We retain these records for five (5) years from the date of each bid, for legal, regulatory, and audit purposes.

6.2 Authentication step

We authenticate items at our authentication centers before they are shipped to you. Authentication is performed by our in-house team, by our authentication partner Entrupy, or both. As part of the authentication step, we generate photographs, condition notes, and quality-control records that we retain for compliance and audit purposes.

6.3 Identity verification

Depending on the value of your bidding activity, we may require additional identity verification before accepting your bids. The information involved may include billing-address-and-shipping-address match information, government-issued identification, and verification by a third-party identity-verification provider. We also screen for sanctions and anti-money-laundering compliance as required by applicable law. We may be required by law to report transactions above certain thresholds to financial-intelligence regulators (FinCEN in the United States, FINTRAC in Canada).

6.4 Payment metadata

Each payment authorization or capture we create on ShopThing Auctions is tagged with metadata that links the payment to a specific bid, including our internal identifiers for your account, the lot, and the bid; the amount of the authorization; the currency; the authorization tier; and whether the payment was made on a saved card or a one-time card. This metadata is retained by our payment processor (Stripe) as described in their Privacy Policy and is retained by us as part of our bid records for the period described in §6.1.

6.5 Cross-border data flows for fulfillment

To fulfill Lots you have won on ShopThing Auctions, your shipping address is shared with shipping carriers and customs brokers. This may include cross-border data flows. Where shipments cross borders, your shipping information may also appear on customs documentation as required by applicable customs law.

7. Cookies and tracking technologies

We use cookies and similar technologies to operate the Platforms, to remember your preferences, to authenticate you, to prevent fraud, and to analyze how the Platforms are used. The following table lists the cookies and similar technologies in use at the time of this Policy.

Identifier	Type	Purpose	Retention
archive_currency	First-party cookie	Stores your selected display currency preference (USD or CAD) on ShopThing Auctions.	1 year
First-party local storage entries	First-party local storage	Feature-flag anonymous identifier, recently viewed lots.	Until cleared
Firebase Auth session	First-party cookie	Maintains your authenticated session.	Per Firebase configuration
Stripe (js.stripe.com)	Third-party cookie	Card data tokenization, 3-D Secure authentication, anti-fraud detection at the payment processor.	Per Stripe retention
Google reCAPTCHA	Third-party cookie	Multi-factor authentication and bot/abuse prevention.	Per Google retention
Google Analytics via Google Tag Manager	Third-party cookie	Analytics — to understand platform usage and improve the product.	Per Google retention

We use a consent management interface to gather your consent for non-essential cookies (analytics, marketing). Strictly necessary cookies (those required for the Platforms to function, including authentication and payment) are deployed without consent as permitted by applicable law. You may change your cookie preferences at any time through the consent interface on the Platforms.

7.2 Do Not Track

Some browsers offer a "Do Not Track" (DNT) preference. The DNT signal is not currently a standardized protocol; we do not respond to DNT signals at this time. We honor cookie preferences set through our consent management interface.

8. Security

We take reasonable physical, organizational, and technical measures to protect your personal information from unauthorized access, disclosure, alteration, and destruction. These measures include access controls, encryption in transit and at rest, vulnerability management, audit logging, and security training for our personnel. However, no system is perfectly secure; we cannot guarantee absolute security. If you have reason to believe that your account has been compromised or that your personal information has been accessed without authorization, contact us immediately at privacy@shopthing.com.

9. Retention

We retain your personal information for as long as your ShopThing account is open, and after closure for the periods required by applicable law and legitimate business purposes. The retention periods that apply to ShopThing Auctions specifically are set out below.

Category	Retention period
Account information	While your account is open; after closure, only as required by law
Order history (shopthing.com)	Per applicable consumer-protection and tax law (typically 7 years)
Bid records (ShopThing Auctions)	5 years from the date of the bid
Tax records (transaction amounts, tax calculations)	7 years from the date of capture
Authorization-hold metadata	30 days after the hold is released or captured
Identity-verification documents	Per third-party provider retention; we retain a verification reference identifier only
Sanctions-screening logs	5 years
Regulatory-reported transactions (FinCEN, FINTRAC)	Per applicable regulatory retention
Marketing preferences	Until you change them
Account-closure records	After closure, we retain only the data we are legally required to retain

10. Marketing and communications

We send transactional communications (order confirmations, shipping updates, bid outcomes, account notices) to all customers. These communications are essential to providing the Platforms and you cannot opt out of them while your account remains open.

We send marketing communications (new arrivals, promotions, exclusive offers, content) only to customers who have given us their express consent. You can withdraw your consent at any time by clicking the unsubscribe link in any marketing email, by replying STOP to any marketing SMS, by updating your communication preferences in your account settings, or by emailing us at privacy@shopthing.com.

Under the Canadian Anti-Spam Legislation (CASL) and similar laws in other jurisdictions, we maintain a record of your marketing consent and any withdrawals.

11. Your rights

Subject to applicable law, you have certain rights with respect to your personal information. The specific rights available to you depend on where you live; the rights below are available to all our customers.

Access. You may request a copy of the personal information we hold about you.
Correction. You may request that we correct inaccurate or incomplete personal information about you. You can also update much of your information directly in your account settings.
Erasure. You may request that we delete your personal information. We will delete the information except where we are legally required to retain it.
Restriction. You may request that we restrict our processing of your personal information.
Objection. You may object to our processing of your personal information for direct marketing or where we are processing on the basis of our legitimate interests.
Portability. You may request a copy of the personal information you have provided to us in a structured, commonly used, machine-readable format.
Withdrawal of consent. Where we rely on your consent, you may withdraw it at any time. To exercise any of these rights, contact us at privacy@shopthing.com. We will respond within the timeframes required by applicable law (generally 30 days, with extensions for complex requests).

11.1 Account closure

You may close your ShopThing account from your Account settings on ShopThing Auctions. Because your ShopThing account is shared across the Platforms, closing your account through ShopThing Auctions also closes your account on shopthing.com and the ShopThing iOS and Android apps. If you have difficulty using the closure flow on ShopThing Auctions, you may also email privacy@shopthing.com to request closure. Closing your account erases all personal information we are not legally required to retain. Personal information we are required to retain for tax records, dispute records, bid audit logs, or other legal-retention obligations is retained for the duration of the applicable retention period and then erased.

12. Regional privacy rights

12.1 Canadian residents (PIPEDA)

If you are a resident of Canada, your personal information is governed primarily by the Personal Information Protection and Electronic Documents Act (PIPEDA) and substantially similar provincial legislation. Under PIPEDA you have the rights described in §11 above, with timeframes and processes as required by the Act.

ShopThing Inc. is the entity accountable for personal information collected from Canadian residents, with the Designated Privacy Officer named in §17 below.

12.2 Quebec residents (Law 25)

If you are a resident of Quebec, the following additional rights and obligations apply to your personal information under An Act respecting the protection of personal information in the private sector and the Act to modernize legislative provisions as regards the protection of personal information (commonly referred to as "Law 25"):

12.2.1 Designated Privacy Officer

Our Designated Privacy Officer is identified in §17 below. The Privacy Officer is responsible for ensuring our compliance with Law 25 and is the primary contact for privacy-related concerns or requests from Quebec residents.

12.2.2 Confidentiality incident response

If we experience a confidentiality incident that creates a risk of serious harm to you, we will (a) take reasonable measures to reduce the risk and prevent recurrence; (b) notify the Commission d'accès à l'information du Québec and you as soon as practicable upon discovering the incident; and (c) keep a register of confidentiality incidents in the manner required by Law 25.

12.2.3 Right of de-indexation

Where personal information about you is disseminated in a manner contrary to law, where the harm caused by its dissemination clearly outweighs the public interest in knowing the information, or where you have a serious and legitimate reason to request it, you may ask us to remove, de-index, or otherwise cease to disseminate that information. We will respond within 30 days of your request.

12.2.4 Right to data portability

On request, we will provide you with a copy of the personal information we hold about you in a structured, commonly used, technological format. We will respond within 30 days of your request.

12.2.5 Privacy impact assessments

Before we engage in any new processing activity that materially changes the nature, scope, context, or purposes of our handling of your personal information, including any new cross-border data transfer, we will conduct a privacy impact assessment and document our risk-mitigation measures.

12.2.6 Automated decision-making

ShopThing Auctions uses automated decision-making in certain operational steps, including automated identity-verification triggers based on the value of your bidding activity, and automated authorization-hold sizing based on your bid amount. If you would like a human review of any automated decision affecting you, you may request one by contacting our Privacy Officer.

12.2.7 French-language availability

This Privacy Policy is provided in English. We accept service of privacy-related requests from Quebec residents in French. Where this version of the policy is inconsistent with the rights of Quebec consumers under Law 25 or the Quebec Charter of the French Language, the Quebec law prevails to the extent of the inconsistency.

12.3 California residents (CCPA)

If you are a resident of California, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to notice, access, and deletion of your personal information. We do not discriminate against you for exercising your California rights. You may submit a request via the privacy@shopthing.com email or via the request form linked from our website. We will respond within the timeframes required by the CCPA, typically 45 days.

"Do Not Sell or Share My Personal Information." We do not sell or share your personal information for cross-context behavioral advertising purposes within the meaning of the CCPA. You may opt out of any future selling or sharing by contacting privacy@shopthing.com.

12.4 Other Canadian provinces with substantially similar legislation

Residents of British Columbia, Alberta, and other provinces with substantially similar provincial privacy legislation have the rights provided under that legislation. We comply with all applicable provincial requirements and your rights under those laws are in addition to your rights under PIPEDA.

13. Cross-border data transfers

Personal information we collect from you is stored on cloud infrastructure operated by our service providers, which may include data centres located in the United States. We have entered into the contractual protections required by applicable Canadian privacy law to ensure your personal information is afforded a level of protection equivalent to that of Canada and, where applicable, Quebec. Notwithstanding these protections, you should be aware that personal information stored in the United States may be subject to disclosure under United States law, including disclosure to United States government authorities, where lawfully required.

14. Children

The Platforms are not intended for, and we do not knowingly collect personal information from, individuals under the age of majority in their jurisdiction of residence. If you believe we have collected personal information from a minor, please contact us at privacy@shopthing.com so we can investigate and, where appropriate, delete the information.

15. Changes to this Policy

We may update this Policy from time to time. When we do, we will update the "Effective Date" at the top of the Policy. Where the change materially affects how we handle your personal information, we will notify you through the Platforms or by email and may require your express acknowledgment before continuing to provide certain services. Your continued use of the Platforms after a change becomes effective constitutes your acceptance of the change, except where applicable law requires your express consent.

16. Contact us

Questions about this Policy, requests to exercise your privacy rights, and notices of privacy-related concerns can be sent to:

Email: privacy@shopthing.com
Postal mail: ShopThing Inc., [address — to be inserted]

17. Designated Privacy Officer

Pursuant to Quebec's Law 25 and the corresponding requirements of other applicable Canadian privacy laws, we have designated a Privacy Officer with the following contact information:

Name: [TO BE INSERTED BY SHOPTHING]
Title: [TO BE INSERTED]
Email: privacy@shopthing.com
Postal address: ShopThing Inc., [address — to be inserted] The Privacy Officer is responsible for ensuring our compliance with applicable privacy laws and is the primary contact for any privacy-related concerns or requests, particularly from Quebec residents.