Privacy Policy

Important: We receive verification results from Stripe Identity (pass/fail), not copies of your identity documents. Your documents are stored by Stripe under their privacy policy.

Create and manage your account · Display your listings · Process purchases and sales · Manage payments and payouts · Coordinate shipping tracking · Facilitate buyer-seller communication.

This is the most important use of your data. Our safety systems — including KYC verification — exist to protect honest buyers and sellers from scammers.

Verify seller identity via Stripe Connect before payouts · Verify buyer identity via Stripe Identity at dispute time · Detect and prevent fraudulent activity · Operate our strike and ban system · Report verified fraud to NZ Police where legally required.

Transactional emails (order updates, payment notifications) · Security alerts · Dispute notifications · Marketing communications (with your consent, opt-out available).

When you upload a photo to list an item, the image is sent to Anthropic's Claude AI for identification and pricing. Images are sent securely and are not used to train Anthropic's AI models. The result is returned to you immediately.

We share payment-related information with Stripe, Inc. to process transactions and payouts. Stripe's privacy policy applies to information they hold.

Sellers complete Stripe Connect KYC before receiving payouts. Buyers who raise non-receipt disputes complete Stripe Identity verification before their claim is processed. We receive only the verification result (pass/fail) — not copies of your documents.

Listing photos are sent to Anthropic's API for AI identification. Images are not retained by Anthropic beyond the API call.

SaaSy Cookies develops and maintains the What's In? platform. They have access to platform systems and data as necessary to provide their services, under a data processing agreement.

Your public profile information (username, display name, avatar, region, ratings, listings) is visible to other users. Your email, phone, and bank details are never shared with other users.

We will disclose personal information to NZ Police or other authorities when required by law, or when we believe in good faith that disclosure is necessary to prevent harm or fraud.

All data encrypted in transit (TLS 1.3) · Database encrypted at rest (AES-256) · Passwords hashed (bcrypt, never stored in plain text) · Row-level security — users can only access their own data · Payment data stored by Stripe, not on our servers · Regular security audits.

In the event of a data breach that poses a risk of harm, we will notify affected users and the NZ Privacy Commissioner as required by the Privacy Act 2020 (mandatory breach notification).

Request a copy of all personal information we hold about you. We will respond within 20 working days.

Request correction of inaccurate information.

Request deletion of your account and personal information. Note: some information must be retained for legal and financial compliance (see Section 6).

Request your data in a machine-readable format (CSV/JSON). Available via Account Settings → Download My Data.

If you believe we have breached the Privacy Act, contact our Privacy Officer at privacy@whatsin.co.nz. If unresolved, you may complain to the NZ Privacy Commissioner at privacy.org.nz.