Privacy Policy

Effective May 23, 2026

This Privacy Policy explains how Goose Tech LLC, a Florida limited liability company that operates the ZAAR service ("ZAAR," "we," "us," or "our"), collects, uses, stores, and shares information when you use the ZAAR websites at getzaar.com and zaar.app and the related services we provide (collectively, the "Service"). ZAAR helps collectors manage buy, sell, and trade deals, build a portable reputation through reviews, and share a single collector profile.

By using the Service, you agree to the collection and use of information in accordance with this Policy. If you do not agree, do not use the Service.

1. Who we are

ZAAR is operated by Goose Tech LLC, a limited liability company organized under the laws of the State of Florida, United States. For purposes of the EU General Data Protection Regulation, the UK GDPR, and the California Consumer Privacy Act (as amended by the California Privacy Rights Act), Goose Tech LLC is the controller of personal information processed through the Service.

You can contact us at contact@zaar.app.

2. Information we collect

We collect the following categories of information. We try to collect only what we actually need to run the Service.

Information you provide directly

  • Account information. When you create an account we collect your name (or chosen display name), email address, and, if you sign up with email and password, a password (which we store only as a salted hash).
  • Sign in with Google. If you choose to sign in with Google, we receive your name, email address, Google profile picture URL, and a Google account identifier (the OpenID Connect sub claim). We request only the basic openid, email, and profile scopes. We do not request access to your Gmail, Google Drive, Google Calendar, Google Contacts, or any other restricted Google data.
  • Public profile content. Anything you choose to add to your public collector profile, including your username, display name, bio, avatar image, social or custom links, and which collectible categories you have enabled.
  • Payment preferences. If we make payment-method settings available to you, the off-platform payment methods you choose to accept (such as Venmo, Cash App, PayPal, Zelle, cash, or card-in-person) and any handles you choose to associate with them (for example a Venmo username, Cash App $cashtag, PayPal.me handle, or Zelle email or phone number). Whether and to whom these settings are visible depends on the options you select, and we will update this Policy as those features ship.
  • Delivery preferences. If we make delivery settings available to you, whether you accept in-person or shipped exchanges and any free-text notes you add. Whether and to whom these settings are visible depends on the options you select.
  • Collectible preferences. The collectible categories you enable on your profile, including custom categories you create.
  • Deal information. Details of any deal you create or participate in, including the deal intent (buy, sell, or trade), category, item descriptions, proposed and accepted prices, proposed payment methods, location and shipping details (which can include street address, city, region, postal code, country, and notes), tracking numbers, reopen requests and notes, and timestamps for proposals, acceptances, and completions.
  • Messages and uploaded photos. Text messages, photo attachments, and structured terms proposals you send within a deal. Photos you upload to a deal are not publicly indexed or searchable through the Service, but may be viewable by anyone with the direct file URL.
  • Reviews. Star ratings (1–5) and optional text reviews you leave on other users' profiles.
  • Waitlist email. If you submit your email to our marketing waitlist at getzaar.com, we store it with our email provider (see "Subprocessors" below) so that we can email you about launch and product updates.
  • Communications with us. Information you send us when you email support, request data access or deletion, send a DMCA notice, or otherwise correspond with us.

Information we collect automatically

  • Usage and device data. Standard technical information, including IP address, browser type and version, device and operating system, referring and exit pages, the pages and routes you visit, and approximate timestamps. This information is collected through our hosting provider and our analytics provider.
  • Cookies and similar technologies. We use cookies and similar local storage that are strictly necessary to operate the Service, including authentication session cookies set by our auth provider and lightweight preference cookies for UI state (for example, whether the sidebar is collapsed). We do not currently use advertising cookies, third-party tracking pixels, or cross-site tracking.

Information we create automatically

  • Auto-created accounts. If you start a deal as an initiator and do not already have a ZAAR account, we create a confirmed, password-less account tied to the email address you provided in the start-a-deal form so that you can access the deal through a one-time email sign-in link. Because the start-a-deal form on a public profile accepts any email address, it is possible for an account to be created from an email address that does not belong to the person who submitted the form. If you receive a ZAAR email about a deal you did not start, you may ignore the email or contact us at contact@zaar.app to have the account deleted. An auto-created account contains only the email address until the account owner signs in and adds further information.

Information from third parties

  • Google. If you sign in with Google, we receive the information described above from Google.
  • Reviews left about you. Any authenticated ZAAR user may post a review on your public profile. These are stored on your profile and described under "Public information" below.

We do not knowingly purchase personal information about you from data brokers, ad networks, or other third parties.

3. How we use your information

We use the information we collect to:

  • create and authenticate your account, including verifying your email address;
  • operate the Service, including showing your public profile to others, transmitting messages between deal participants, recording and updating deal terms, and showing reviews;
  • send transactional messages (for example, deal creation, new messages, accepted terms, completion notifications, password reset emails, and one-time sign-in links);
  • send marketing and product update emails if you join our waitlist or otherwise opt in (you can unsubscribe from these at any time);
  • maintain the security, integrity, and availability of the Service, including detecting and preventing fraud, abuse, and unauthorized access;
  • comply with our legal obligations, respond to law-enforcement and regulatory requests, and enforce our Terms of Service;
  • analyze aggregated and anonymized usage in order to improve the Service.

Data we receive from Sign in with Google is used solely to authenticate you and to populate your account email, name, and profile picture. We do not use Google user data for advertising, and we do not sell it.

4. Legal bases for processing (EU and UK users)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we process your personal information on the following legal bases under the GDPR and UK GDPR:

  • Performance of a contract. To provide the Service you have signed up for and to take steps you request before entering into the contract (for example, creating your account or initiating a deal).
  • Legitimate interests. To secure the Service, prevent fraud and abuse, improve our product, and communicate with you about your account. Where we rely on legitimate interests, we have considered the impact on you and concluded that our interests are not overridden by your rights.
  • Consent. Where required by law, such as for non-essential cookies, marketing emails, or other optional processing. You may withdraw your consent at any time.
  • Legal obligation. To comply with applicable laws and binding requests from public authorities.

5. How we share your information

We do not sell your personal information, and we do not "share" your personal information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act. We share information only as described below.

  • With other users. Information you make public on your profile, post in a review, or share with another user in a deal is visible to that audience. See "Public information" below for details.
  • With service providers (subprocessors). We use a small number of trusted vendors to operate the Service. They process information on our behalf under written contracts that restrict how they may use the data. Our current subprocessors are listed under "Subprocessors" below.
  • With professional advisers. Lawyers, accountants, auditors, and insurers who provide professional services to us under confidentiality obligations.
  • For legal reasons. When we believe in good faith that disclosure is necessary to comply with applicable law, a court order, subpoena, or other legal process; to respond to lawful requests from public authorities including for national-security or law-enforcement purposes; to enforce our Terms of Service; or to protect the rights, safety, and property of ZAAR, our users, or the public.
  • In connection with a business transaction. If ZAAR or substantially all of its assets are acquired, merged, reorganized, sold, or financed, your information may be transferred to the acquiring or successor entity, subject to commitments substantially similar to those in this Policy.
  • With your consent. For any other purpose with your direction or consent.

6. Subprocessors

We rely on the following service providers to operate the Service. Each has been engaged under a data processing or services agreement.

  • Supabase (United States and Singapore) — database, authentication, file storage, and realtime services.
  • Vercel Inc. (United States) — application hosting, edge delivery, and Vercel Analytics for aggregated traffic measurement.
  • Google LLC (United States) — Sign in with Google (OAuth) and Google Fonts content delivery used to render the Service.
  • Resend Inc. (United States) — transactional email delivery for the product, and marketing audience storage for the getzaar.com waitlist.

This list may change as we improve the Service. We will update this Policy when it does.

7. Public information

Some information you provide is intentionally public so that other collectors can find and evaluate you. By using the Service, you understand that the following is visible to anyone, including unauthenticated visitors:

  • your username, display name, bio, avatar image, and any social or custom links on your profile;
  • the collectible categories you have enabled on your profile;
  • reviews left on your profile (including the reviewer's username, display name, and avatar, plus the rating and any review message); and
  • your public profile page is reachable at a URL of the form https://zaar.app/{username}.

If we make profile-level settings for payment methods, payment handles, or delivery preferences available to you in the future, your selections and any handles or notes you enter may be visible to other users on your profile or in deal flows, depending on the options you choose. We will update this Policy as those features ship. For deals you are a party to, the payment method, payment timing, and delivery and shipping details recorded in the deal are visible to the other deal participant.

Uploaded images (avatars and deal photos) are not publicly indexed or searchable through the Service, but may be viewable by anyone with the direct file URL. We do not list those URLs anywhere except where you have shared them yourself (for example, in your profile or in a deal). As a best practice, do not upload images you would not be comfortable sharing publicly.

You can hide or remove some of this information by editing your profile or by deleting content.

8. Third-party payment apps

ZAAR does not process payments, hold funds, or act as an escrow. When you use a feature such as Quick Pay, the Service constructs a deep link that opens an external payment app (such as Venmo or Cash App) prefilled with deal information you have entered. Your interaction with that third-party app is governed entirely by its terms and privacy policy, and ZAAR has no visibility into the resulting transaction. You should review those third parties' privacy disclosures before using them.

9. Data retention

We keep your personal information for as long as your account is active, as needed to provide the Service, and as needed to comply with our legal obligations, resolve disputes, and enforce our agreements.

When you delete your account or when we delete it for you on request, we delete or anonymize your personal information within a reasonable period, except where we are required or permitted to retain it (for example, transaction records that are needed for tax, accounting, anti-fraud, or legal-defense purposes, or messages and reviews involving other users where deletion would interfere with the other party's legitimate use of the Service).

Aggregated or de-identified data that cannot reasonably be used to identify you may be retained indefinitely.

10. Security

We use industry-standard administrative, technical, and organizational measures to protect your information, including encryption in transit (TLS), encryption at rest where supported by our subprocessors, access controls, role-based authorization, and row-level security on user data in our database. We restrict access to your data to personnel and contractors who need it to operate the Service.

No method of transmission or storage is completely secure, and we cannot guarantee absolute security. You are responsible for keeping your account credentials confidential and for promptly notifying us at contact@zaar.app if you suspect any unauthorized use.

11. International data transfers

ZAAR is based in the United States, and our subprocessors are primarily located in the United States. If you access the Service from outside the United States, your personal information will be transferred to, stored in, and processed in the United States, which may have different data-protection laws than your jurisdiction. Where required by law, we rely on appropriate transfer mechanisms, including the Standard Contractual Clauses approved by the European Commission and the UK Addendum issued by the Information Commissioner's Office.

12. Your rights and choices

You can access and update most of your information directly within the Service. You can also:

  • Access and correct your personal information by editing your profile or by emailing contact@zaar.app.
  • Delete your account and associated personal information by emailing contact@zaar.app from the email on file. (Self-service account deletion is on our roadmap.) Some information may be retained as described under "Data retention."
  • Withdraw consent for any processing based on consent, including unsubscribing from marketing emails using the link in any marketing email or by contacting us. Withdrawing consent does not affect processing that occurred before withdrawal.
  • Revoke Google access. If you signed in with Google, you can revoke ZAAR's access at any time through your Google Account permissions page.

Depending on where you live, you may have additional rights described below. We will not discriminate against you for exercising any of these rights.

California (CCPA / CPRA)

If you are a California resident, you have the right to:

  • Know what categories of personal information we collect, the sources, the purposes of collection, and the categories of recipients.
  • Access the specific pieces of personal information we hold about you.
  • Correct inaccurate personal information.
  • Delete personal information we have collected from you, subject to certain exceptions.
  • Opt out of the "sale" or "sharing" of your personal information for cross-context behavioral advertising. ZAAR does not sell or share personal information as those terms are defined under the CCPA.
  • Limit the use of your sensitive personal information. ZAAR does not use or disclose sensitive personal information for purposes other than those permitted by the CCPA without additional notice.
  • Non-discrimination. We will not deny you service, charge you a different price, or provide a different quality of service because you exercised your privacy rights.

To exercise these rights, email contact@zaar.app. We may need to verify your identity before responding. You may also designate an authorized agent to make a request on your behalf, subject to verification.

EU, UK, and EEA users (GDPR / UK GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the right to:

  • Access your personal information;
  • Rectify inaccurate or incomplete personal information;
  • Erase your personal information ("right to be forgotten");
  • Restrict processing of your personal information;
  • Object to processing, including processing based on legitimate interests and direct marketing;
  • Receive your personal information in a portable, machine-readable format and have it transmitted to another controller where technically feasible; and
  • Lodge a complaint with your local supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu. UK residents can contact the Information Commissioner's Office.

To exercise these rights, email contact@zaar.app.

13. Children's privacy

The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us at contact@zaar.app so we can delete it. Users aged 13–17 may only use the Service with the consent of a parent or legal guardian.

14. Do Not Track and Global Privacy Control

Some browsers offer "Do Not Track" signals. Because there is no industry consensus on how to interpret DNT signals, the Service does not currently respond to them. Where required by law, we treat browser-level Global Privacy Control (GPC) signals as a valid opt-out of the "sale" or "sharing" of personal information; as noted above, we do not sell or share personal information.

15. Changes to this Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Effective" date above and, where appropriate, notify you by email or through a notice on the Service. If a change is material, we will give you reasonable advance notice. Your continued use of the Service after the updated Policy takes effect constitutes acceptance of the changes.

16. Contact us

If you have questions about this Policy or about your personal information, contact us at contact@zaar.app.