Group Buys ("we," "us," "the platform") takes your privacy seriously. This policy spells out exactly what we collect, how we use it, who we share it with, and the rights you have. Where it matters, we've named the specific DB column, callback, or third party so there's nothing hidden behind hand-wavy language.
1. Who we are
Group Buys is a product of Sphnix, Inc and operates a multi-vendor marketplace at groupbuys.app. Independent vendors set up storefronts on the platform and run group buys; buyers join those buys. We are the marketplace operator, not the seller — we do not manufacture, package, ship, or lab-test any product.
2. Scope of this policy
This policy covers personal data collected by Group Buys at groupbuys.app and any subdomain or custom-domain vendor storefront verified through us. It does not cover:
- What individual vendors do with your data after you order from them (vendors are independent data controllers — see their own privacy disclosures)
- Payment apps you use to pay vendors (PayPal, Venmo, Cash App, Zelle have their own policies)
- The Peptides Calculator mobile app — that's a separate companion product with its own privacy notice on the App Store / Google Play listing
3. What we collect
Account information
Email address + a password we store as a salted bcrypt hash. We never store the plain-text password.
Onboarding waiver
The first time you sign in, we record:
- The exact text of the platform waiver you saw (snapshotted)
- The timestamp you accepted it (onboarding_waiver_signed_at)
- The signature image you drew on the canvas (stored as a PNG via Active Storage)
This is the audit trail showing you agreed to the platform rules — required for our liability framework.
Per-order data
When you place an order on a vendor's storefront, we collect:
- Shipping fields: ship_name, ship_line1/line2, ship_city, ship_state, ship_postal_code, ship_country, ship_phone
- Optional billing fields (mirrors of the above with a bill_ prefix)
- The items + quantities, plus the unit price snapshotted at order time
- A second per-order signature (the signature Active Storage attachment)
- The full waiver text you saw at checkout (platform terms + that vendor's own waiver, joined), stored in the order's signed_waiver_text column
- Your acknowledgement checkbox values, stored as a jsonb acknowledgements column
- The vendor's tax rate snapshot for your shipping state (tax_rate, tax_state_code, tax_cents)
- If the buy has third-party lab testing enabled, the lab name + your share of the testing fee (testing_lab_name, testing_share_cents)
Payment receipt
To confirm payment, you upload a screenshot of your PayPal / Venmo / Cash App / Zelle confirmation. We attach this file to your order so the vendor can verify and mark it paid. We never see your payment-app login or account balance — only what you chose to put in the screenshot.
Cookies + session
A signed, HttpOnly, SameSite=Lax cookie named _groupbuys_session carries an opaque session ID; the actual session payload (cart contents, logged-in user reference, flash messages) lives in our server-side cache. A second small cookie (ga_consent) records your choice on the analytics consent banner.
Cloudflare may set its own cookies on contact-form submissions for bot/abuse protection. Google Analytics may set cookies only after you click "Accept" on the banner (see Analytics + consent).
Vendor application + identity verification
If you apply to become a vendor, additional fields are collected:
- Business identity: brand name, contact name, contact email, EIN (if provided), business address, entity type (LLC / Corp / etc.)
- Sourcing model + lab partner (if any), monthly volume estimate, community links
- Payment-method handles you want to accept (PayPal / Venmo / Zelle / Cash App)
- Consent acknowledgements (research-use-only, terms, fee schedule)
- Identity verification result from Didit (see section 11)
Vendor billing + credit
If you operate as a vendor:
- Pre-paid credit balance + ledger of every debit (group-buy launches, paid reschedules) and credit (top-up payments confirmed by Invoiless)
- Top-up records: cents, status (pending / paid / failed / cancelled), Invoiless invoice id + URL, the raw API response, timestamps. Credit purchases are non-refundable once paid — see the Terms for the full rule
- If you connect a Shippo account, your encrypted API key + origin address + carrier preferences are stored on a vendor-scoped settings row
- If you register a custom domain, we store the domain string, a TXT-verification token, and the Hatchbox domain id used to provision a Let's Encrypt SSL certificate on your behalf
Security + request logs
Standard request metadata: IP address, user-agent string, timestamp, URL hit, and response code. Used for rate-limiting (e.g. preventing brute-force sign-in attempts), abuse detection, and debugging.
4. How we use it
- Run the marketplace — show vendors their orders, show buyers their order history, route receipts to the right vendor.
- Transactional email — order placed, receipt received, order shipped, order fulfilled. Sent via Mailgun.
- Auto-lifecycle — every minute, a job (ExpireOrdersJob) flips unpaid orders past their 15-minute payment window to expired so their slot frees up for someone else. CloseExpiredGroupBuysJob closes buys past their deadline.
- Fraud + abuse prevention — rate-limit sign-ins, detect bulk-account creation, validate contact-form submissions via Cloudflare Turnstile.
- Comply with law — respond to subpoenas and other lawful requests; retain transaction records as required by US tax law.
We do not use your data for advertising, behavioral profiling, or training AI models. Aggregate platform analytics (page views, conversion rates) are collected via Google Analytics 4 only after you opt in — see section 9.
5. Who we share it with
Two categories: vendors you ordered from, and service providers we use to run the platform. Nobody else.
6. What vendors see
A vendor sees, for orders placed on their storefront only:
- Your name + shipping address + phone
- The items, quantities, and prices
- Your payment receipt screenshot
- Your signature image + the waiver text you signed
- The buyer email address tied to your account (so they can reach out about the order)
A vendor does not see your other vendors' orders, your password, the payment handles you used to pay anyone else, your account-creation date, or any data about activity on other parts of the platform.
7. Payments + receipt screenshots
Buyers pay vendors directly through the vendor's chosen payment app. Group Buys does not collect, route, or hold buyer funds at any point. We do not see your card number, bank credentials, or payment-app password. We do see the screenshot you upload after paying, because the vendor needs it to confirm receipt.
8. Cookies + session
See section 3 for the cookies we set. Public marketing pages (/contact, /privacy, /terms) can be visited without any cookie; we only set one when you sign in or add to cart.
9. Analytics + consent (Google Analytics 4)
We use Google Analytics 4 (measurement ID G-NKSM5F4P4E) to understand how the platform is used in aggregate — page views, sign-ups, add-to-cart, checkout completions. We do not use it for advertising, cross-site tracking, or behavioral profiling.
GA4 runs in Consent Mode v2: by default before you choose, all storage is denied (ad storage, analytics storage, ad user data, ad personalization). Nothing meaningful is sent to Google until you click "Accept" on the consent banner. If you click "Decline" (or ignore the banner), GA4 receives only a small, cookieless "consent-state ping" with no identifiers, and is then disabled for the session.
When you sign in, we pass an opaque public_id (UUID) as the GA4 user_id so we can analyze platform funnels without exposing your email address. Each session also carries a user_type property (anonymous / buyer / vendor_owner / admin) so we can filter internal traffic out of conversion math.
You can withdraw analytics consent any time by clearing the ga_consent cookie (any browser's "clear site data" does this) and reloading — the banner re-appears.
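To make the consent behaviour in this section concrete, here is an added browser-side example (not Group Buys' own code) of the default-denied Consent Mode v2 flow keyed on the ga_consent cookie. It assumes the cookie holds the literal strings "accepted" or "declined" and that the standard gtag.js global is already loaded; neither detail is stated on this page.

```javascript
// Added illustration of the Consent Mode v2 flow described in section 9; this is
// not Group Buys' own code. Assumptions not stated on the page: the ga_consent
// cookie holds the literal strings "accepted" or "declined", and `gtag` is the
// standard gtag.js global loaded before this runs.
const GA4_MEASUREMENT_ID = "G-NKSM5F4P4E"; // measurement ID named on the page

// Consent Mode v2 signals, all denied until the visitor chooses.
const ALL_DENIED = {
  ad_storage: "denied",
  analytics_storage: "denied",
  ad_user_data: "denied",
  ad_personalization: "denied",
};

// Read one cookie by name from a document.cookie-style string; null if absent.
function readCookie(cookieHeader, name) {
  for (const part of cookieHeader.split(";")) {
    const [k, ...v] = part.trim().split("=");
    if (k === name) return decodeURIComponent(v.join("="));
  }
  return null;
}

// Set the default-denied state before any tag fires, then grant only
// analytics_storage if the visitor previously clicked "Accept". Ad signals stay
// denied in every case, matching the no-advertising statement on the page.
// `user` is { publicId, userType } for a signed-in visitor, or null.
// Returns the consent state left in effect.
function applyConsent(gtag, cookieHeader, user) {
  gtag("consent", "default", ALL_DENIED);
  const choice = readCookie(cookieHeader, "ga_consent");
  if (choice !== "accepted") {
    // "declined" or no cookie: only the cookieless consent-state ping is sent.
    return ALL_DENIED;
  }
  const granted = { ...ALL_DENIED, analytics_storage: "granted" };
  gtag("consent", "update", granted);
  // Opaque UUID as user_id, never the email; user_type lets internal traffic be filtered.
  const config = user
    ? { user_id: user.publicId, user_properties: { user_type: user.userType } }
    : { user_properties: { user_type: "anonymous" } };
  gtag("config", GA4_MEASUREMENT_ID, config);
  return granted;
}
```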
10. Security + logs
Logs are retained for 90 days then purged. We do not enrich logs with cross-site identifiers.
11. Third-party sub-processors
Every external service that touches your data, what they see, and why:
- Mailgun — transactional email delivery (orders, receipts, password resets, invoice emails). Receives your email address + the email content we send.
- Cloudflare — DDoS protection at the edge + Turnstile bot challenge on the contact form, sign-in, and registration pages. May see your IP + user-agent.
- Hatchbox + Caddy — our hosting platform + reverse proxy. When a vendor registers a custom domain, we call Hatchbox's API to add it; Caddy issues a Let's Encrypt SSL certificate via the HTTP-01 challenge. Let's Encrypt sees the hostname being issued.
- Didit — identity verification (KYC) for vendor applicants. See section 12.
- Invoiless — generates the hosted invoice page where vendors pay for platform credit. Receives the vendor's company name, an internal vendor id, the invoice amount, and (when valid) the owner's email address.
- Shippo (vendor BYO) — only used if a vendor connects their own Shippo account. We forward the order's shipping address to Shippo to fetch live rates + generate labels. Shippo sees the destination + parcel dimensions; the vendor's own Shippo API key is encrypted at rest.
- USPS Addresses API — at checkout we POST your shipping address to USPS to validate + normalize it. USPS does not get your name or any other order data.
- Google Analytics 4 — only after you accept the consent banner. See section 9.
None of these sub-processors are advertising networks, data brokers, or profiling services. A full data-processing agreement is on file with each one.
12. Identity verification (KYC) — vendor applicants only
Buyers do not undergo KYC. Vendors who apply to sell on Group Buys complete an identity-verification session with Didit as part of the application flow. Didit captures (server-side, in their environment) a photo of a government ID, a selfie, and runs liveness checks. We do not hold the photos — those stay with Didit per their retention policy.
What lands on our side from Didit:
- Verification status: pending / approved / declined / expired
- The session id (opaque, for audit + re-fetching)
- The decision payload: verified first/last name, date of birth, document type, document country, document number (we display only the last 4), document expiry, nationality
- Timestamp of the verification decision
This data is retained on the vendor application + (after approval) mirrored to the user account so re-verification isn't required at every sign-in. It is shared only with platform administrators reviewing the application. KYC data is purged when the account is deleted, except where retention is required by anti-money-laundering law.
13. Retention schedule
- Account record — for as long as your account is active. After account deletion: 7 years on identifying fields where required by tax law, then purged.
- Order records (incl. waiver text + signature) — 7 years from the order date. These are our audit trail.
- Receipt screenshots — 7 years.
- Request logs — 90 days, then purged.
- Cart state — 30 days from last cart change.
- Sessions — 30 days from last sign-in.
14. Your rights
You can, at any time:
- Access a copy of your data. Email us; we'll send a JSON export within 30 days.
- Correct account fields via your account settings, or by emailing us.
- Delete your account. We'll erase identifying fields and keep only legally-required transaction records.
- Withdraw consent for transactional email (this means you can no longer receive order updates, so we can't keep your account active afterward).
- Object to a specific processing purpose by emailing us.
15. GDPR + CCPA
EU/UK residents: under GDPR / UK-GDPR you have all the rights above plus the right to data portability, the right to object to automated decision-making (we don't do any), and the right to lodge a complaint with your local supervisory authority. Our legal bases for processing are: (a) performance of a contract for orders + accounts, (b) legal obligation for tax records, (c) legitimate interest for fraud prevention.
California residents: under CCPA / CPRA you have the right to know, correct, delete, and limit use of sensitive personal information. We do not "sell" your personal information as that term is defined in CCPA, and we do not "share" it for cross-context behavioral advertising. To exercise any right, email us.
16. Security
TLS 1.2+ for everything in transit. bcrypt for passwords (cost factor 12+). Encrypted credentials for third-party API keys. Sessions in a signed HttpOnly cookie. Database backups encrypted at rest. Rate-limited sign-in. Cloudflare in front of public forms.
No system is perfectly secure. If you suspect unauthorized access to your account, email us at hello@groupbuys.app right away.
17. International transfers
Our servers + database are hosted in the United States. If you access the platform from outside the US, your data is transferred to and processed in the US under the safeguards above.
18. Children
The platform is intended for users 18 years of age or older. We do not knowingly collect personal data from minors. If you believe a minor has registered, contact us and we'll delete the account immediately.
19. Do-not-track signals
We don't track you across sites, period — so a "Do Not Track" header has nothing to change about our behavior. The header is ignored only because there's nothing to opt out of in the first place.
20. Changes to this policy
We may revise this policy from time to time. The "last revised" date at the top always reflects the current version. For material changes (anything that expands what we collect or who we share it with), we'll notify active users by email at least 14 days before the change takes effect.
21. Contact us
Questions or requests under this policy: hello@groupbuys.app, or use the contact form. We aim to respond within 1–2 business days.