Privacy Policy

BagUp is a demand-first marketplace. We built it with a minimal data footprint in mind — we collect only what's needed to operate the service, and we don't sell your data.

01 — Introduction

BagUp, Inc. ("BagUp," "we," "our," or "us") operates a mobile marketplace platform that connects Shoppers, Merchants, and Partners. This Privacy Policy explains what information we collect when you use our app or services, how we use it, and the choices you have.

By using BagUp, you agree to the practices described in this policy. If you don't agree, please don't use our services.

02 — Information We Collect

Information you provide

Phone number — used to verify your identity via one-time passcode (OTP). Required to create an account.
Display name — the name you enter during onboarding, shown on your profile.
Account type — whether you sign up as a Shopper, Merchant, and/or Partner.
Merchant details — store name and category, provided during Merchant onboarding.
Product images — photos uploaded by Merchants when listing items, stored via UploadThing.

Information generated by your use

Earmarks — the items you save as demand signals. These are the core of the BagUp demand engine.
Location (H3 index) — when you interact with Drops, we capture a coarse H3 geospatial hex cell (approximately 1–5 km resolution). We do not capture precise GPS coordinates.
Device and session data — IP address, device type, app version, and request timestamps collected automatically via server logs.

Information we do not collect

Payment card numbers or bank details (payments are out of scope for the current version)
Precise real-time GPS location
Contacts, camera roll, or other device permissions beyond what you explicitly grant

03 — How We Use Your Information

Authentication — your phone number is used solely to send and verify OTP codes via Twilio. We do not use it for marketing calls.
Service delivery — we use your earmarks, account type, and location index to surface relevant drops, compute demand signals for Merchants, and route fulfillment to Partners.
Push notifications — with your permission, we send restock alerts and drop notifications relevant to your earmarks.
Demand analytics — aggregated, anonymized earmark data is shared with Merchants to show demand signals (e.g., "842 shoppers are watching this item"). Individual identities are never exposed.
Safety and fraud prevention — server logs and request metadata are used to detect abuse, rate-limit API access, and investigate violations.
Product improvement — aggregated usage patterns help us improve features. We do not use individual behavioral profiles for this purpose.

04 — How We Share Your Information

We do not sell your personal information. We share it only in these limited circumstances:

Service providers

Twilio — processes your phone number to deliver OTP verification messages.
UploadThing — stores product images uploaded by Merchants. Images are served from UploadThing's CDN.
Neon — hosts our PostgreSQL database in a secure, managed cloud environment.
Vercel — hosts the BagUp API and serves all requests. Subject to Vercel's data processing terms.

Within the platform

Your display name is visible to Merchants and Partners you transact with.
Earmark counts (not identities) are visible to Merchants as demand signals.
Partners see the pickup details for drops they fulfill.

Legal requirements

We may disclose information if required by law, subpoena, or other legal process, or if we believe disclosure is necessary to protect the rights, property, or safety of BagUp, our users, or the public.

Business transfers

If BagUp is involved in a merger, acquisition, or sale of assets, your information may be transferred. We'll provide notice before your data becomes subject to a materially different privacy policy.

05 — Location Data

BagUp uses the H3 geospatial indexing system to associate drops and earmarks with a geographic area. H3 cells at the resolution we use cover approximately 1–5 km² — enough to match you with nearby drops without pinpointing your exact location.

We do not store precise GPS coordinates. Location data is used only to compute drop proximity and is not retained beyond the session in which it was submitted.

06 — Data Retention

Your account data is retained for as long as your account is active.
OTP codes expire after 10 minutes and are marked used immediately upon verification.
Server logs are retained for up to 90 days for security and debugging purposes.
Deleted earmarks are removed from our database within 30 days.

07 — Your Rights & Choices

Depending on where you live, you may have rights regarding your personal information, including the right to access, correct, delete, or export it. To exercise these rights:

Email hello@bagup.shop with your request and phone number on file.
We will respond within 30 days.
Account deletion requests result in permanent removal of your profile, earmarks, and associated data.

You can disable push notifications at any time in your device settings. This does not affect your ability to use BagUp.

08 — Children's Privacy

BagUp is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us and we will delete it promptly.

09 — Security

We use industry-standard measures to protect your information, including TLS encryption in transit, signed JWTs for session authentication, and environment-isolated database credentials. No system is perfectly secure, and we cannot guarantee absolute security.

10 — Changes to This Policy

We may update this policy from time to time. When we do, we'll update the "Last updated" date above. For material changes, we'll notify you via push notification or in-app message. Continued use of BagUp after changes constitutes acceptance.

11 — Contact

Questions or concerns? We're reachable at:

Email: hello@bagup.shop
Subject line: "Privacy Request"