CapStacks
Privacy Policy
Effective Date: May 2026 · Last Updated: June 2026
1. Introduction and Scope
CapStacks ("CapStacks," "we," "us," or "our") operates a peer-to-peer marketplace for buying, selling, and trading baseball and other caps, along with a collection tracking and community platform (collectively, the "Services"). This Privacy Policy explains how we collect, use, disclose, retain, and protect personal information in connection with your use of the CapStacks mobile application and website.
This Policy applies to all users of the Services. By creating an account or using the Services, you agree to the practices described in this Policy.
State-specific rights and disclosures for California, Virginia, Colorado, Connecticut, Texas, Florida, and other states are set out in Section 10 below.
2. Personal Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address — used to authenticate your account, deliver transactional notifications, and communicate with you about the Services.
- First and last name — used to personalize your account and, for sellers, to appear on EasyPost shipping labels as required by USPS.
- Username — your public-facing display name on the Platform.
- Instagram handle — optionally provided; used for community profile display.
- Self-reported city or region — a text field you fill in manually. We do not collect GPS coordinates or any precise geolocation data.
2.2 Collection and Wear Tracking Data
If you use CapStacks to log your hat collection, we collect:
- Hat details you enter (brand, model, colorway, size, condition, purchase price, tags, notes, and other descriptive fields).
- Up to six photos per hat that you upload.
- Wear logs: the date, an optional note, and an optional photo each time you record wearing a hat.
By default, the hats in your collection are shown on your public profile, and wear logs are private unless you mark them public. Purchase prices, ownership details, and private notes are never public. You control per-hat and per-wear-log visibility in the app (see Section 2.6 below).
2.3 Marketplace and Transaction Data
When you participate in marketplace transactions, we collect:
- Shipping address — collected at checkout or trade confirmation. Your address is passed to EasyPost solely to generate a prepaid USPS shipping label. Addresses are withheld from all parties until both sides of a transaction have completed verification and payment.
- Offer amounts — the dollar amounts of offers made or received.
- Listing details — hat descriptions, asking prices, listing status, and related transaction records.
2.4 Preferences and Saved Settings
We collect the preferences you configure within the app, including your default hat model, hat size, visor curve preference, Wantlist items, saved addresses, and saved searches. These are used solely to personalize your experience.
2.5 Device and Technical Data
We automatically collect limited technical information when you use the Services:
- Expo push notification token — used to deliver push notifications to your device.
- Standard usage and interaction logs (IP address, device type, operating system, app version) — used to operate and improve the Services.
2.6 Public vs. Private Data
Your public profile is visible to other users of the Platform and to anyone with a link to it, including shared links viewable on the web at capstacks.app. Your public profile includes:
- Username and avatar.
- Your hat collection. By default, the hats in your collection appear on your public profile. You can mark any hat as Private at any time, which removes it from your public profile and hides it from all other users and the public. Marking a hat Private does not delete it — it remains in your collection, visible only to you.
- Listing details (asking price, sale notes, trade notes) on hats you mark For Sale or For Trade.
- Wear logs you have explicitly marked as public.
- Public profile statistics (e.g., completed trade count, number of hats in your public collection).
The following remains visible only to you, regardless of whether a hat is shown on your public profile:
- Purchase prices, purchase dates and sources, and ownership history.
- Private flags, tags, organizational notes, Stacks, and Locations.
- Private notes.
Offer photo note: Photos shared in response to a picture request are stored in a publicly accessible bucket. Any user with the direct URL can access those photos. Do not share photos containing personal information in picture requests.
2.7 Information We Do Not Collect or Store
The following sensitive data is collected and held exclusively by our third-party processors — CapStacks never receives, stores, or has access to it:
- Social Security Number (SSN), date of birth, and government-issued identification — collected by Stripe solely for seller identity verification (Stripe Connect KYC) and tax reporting (1099-K).
- Bank account and routing numbers — collected and stored by Stripe for seller payout setup.
- Credit and debit card numbers — collected and processed by Stripe. Card data never touches CapStacks servers.
- Precise GPS or geolocation data — we do not request, collect, or store device location.
- Health data or biometric data — not collected.
3. How We Use Personal Information
3.1 Providing and Operating the Services
- Authenticating your account and maintaining your session.
- Displaying and managing your hat collection, wear logs, and Wantlist.
- Facilitating marketplace transactions between buyers, sellers, and traders.
- Generating prepaid USPS shipping labels via EasyPost using your shipping address.
- Sending transaction-related push notifications and transactional emails (via Expo and Resend, respectively).
- Releasing seller funds upon confirmed delivery via EasyPost tracking webhooks.
- Detecting and flagging non-shipment events (no USPS acceptance scan within 72 hours) and processing automatic refunds where applicable.
3.2 Identity Verification Gating
Shipping addresses are withheld from all parties until both sides of a transaction have completed verification and payment through Stripe. We use verification status data (not the underlying identity data, which lives at Stripe) to enforce this gating logic.
3.3 Dispute Resolution
In the event of a Stripe payment dispute or chargeback, we use transaction records, EasyPost tracking data, identity verification status, system message logs, and Terms of Service acceptance records to compile and submit evidence to Stripe's dispute resolution process. All evidence packets are staged for operator review before submission.
3.4 Legal Compliance and Safety
- Comply with applicable law, including IRS tax reporting obligations (1099-K through Stripe Connect).
- Respond to lawful government requests, court orders, and legal process.
- Detect, prevent, and investigate fraud, abuse, and violations of our Terms of Service.
- Enforce our Terms of Service, including account suspension and termination.
3.5 Communications
- Transactional system messages required to facilitate your active transactions (e.g., offer received, label generated, item delivered). You cannot opt out of these while a transaction is in progress.
- Service announcements, policy updates, and security notices.
- Push notifications to your registered device via Expo.
- Responses to your support inquiries.
3.6 Platform Improvement
We may use aggregated and de-identified usage data to analyze Platform performance, improve features, and develop new functionality. We do not use personal information to build individual profiles for behavioral advertising.
4. Disclosure of Personal Information
4.1 Third-Party Processors
We share personal information with the following service providers, each of whom processes data on our behalf (or as an independent controller for their own compliance obligations) under appropriate agreements:
- Supabase (Supabase Pte. Ltd.) — database, authentication, and file storage. All data is hosted in the United States. Supabase stores your account data, collection data, transaction records, and uploaded photos.
- Stripe (Stripe, Inc.) — payment processing and seller identity verification (Stripe Connect). Stripe is an independent data controller for SSN, bank account, and identity data it collects for KYC and tax compliance. Card data never touches CapStacks servers. Stripe's Privacy Policy governs its use of your data.
- EasyPost (Simpler Postage, Inc. d/b/a EasyPost) — shipping label generation and package tracking. We share your shipping address and seller name with EasyPost to generate prepaid USPS labels. EasyPost transmits address data to USPS in the ordinary course of shipping operations.
- Resend (Plus Five Five, Inc. d/b/a Resend) — transactional email delivery. We share your email address with Resend to deliver transaction notifications and service communications.
- Google (Google LLC) — if you choose to sign in with Google (optional), Google OAuth processes your Google account credentials. We receive only the information necessary to create or authenticate your CapStacks account (typically name and email address).
- Expo (650 Industries, Inc. d/b/a Expo) — push notification delivery. Your device push token is shared with Expo to deliver notifications to your device.
4.2 Data Shared Between Users
The following data is shared with your transaction counterparty as part of a completed transaction:
- Buyer and seller shipping addresses — revealed to each other only after both parties have completed verification and payment.
- Seller name — appears on the EasyPost shipping label, which is included with the shipped package.
No other personal data is shared between users. There is no free-form messaging on the Platform; all communications between parties are pre-approved system-generated messages.
4.3 Legal and Regulatory Disclosures
We may disclose personal information (a) in response to a lawful subpoena, court order, or government request; (b) to protect the rights, property, or safety of CapStacks, our users, or others; (c) to investigate fraud or enforce our Terms of Service; or (d) as required by applicable law.
4.4 Business Transfers
If CapStacks is acquired, merges with another entity, or transfers substantially all of its assets, personal information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Services before your information is transferred and becomes subject to a different privacy policy.
4.5 What We Do Not Do
- We do not sell your personal information to third parties.
- We do not share your personal information with advertisers or data brokers.
- We do not use your personal information for cross-context behavioral advertising.
5. Data Retention and Account Deletion
5.1 Retention Periods
We retain personal information only as long as necessary for the purposes described in this Policy or as required by law:
- Account information (email, username, name): Retained for the life of your account. Following account deletion, retained for 3 years to support dispute resolution and legal compliance, then deleted.
- Shipping addresses: Shipping addresses associated with completed transactions are retained for 7 years following completion of the relevant transaction, to support dispute resolution, insurance claims, and legal compliance. Saved addresses stored in your account are deleted immediately upon account deletion.
- Transaction financial records (hat_order records): Retained for 7 years following the transaction date for IRS record-keeping compliance. Upon account deletion, your buyer/seller identifiers are set to NULL in these records — the transaction record is preserved for financial integrity but is no longer linked to your identity.
- Hat collection and wear log data: Deleted upon account deletion (see Section 5.2 below). Hats you have sold or traded remain in the database with sold/traded status but are hidden from your profile UI.
- Device push tokens and usage logs: Deleted upon account deletion.
5.2 Account Deletion
You can permanently delete your account at any time using the in-app deletion option in your account settings. Account deletion:
- Deletes all hat collection data, wear logs, notifications, and pending offers associated with your account.
- Removes your public profile from the Platform.
- Anonymizes (sets to NULL) your buyer/seller identifiers in historical transaction financial records, which are retained for 7 years as described above.
Account deletion is blocked if you have any open transactions in progress — meaning you have accepted a trade or sale offer but the transaction has not yet been completed (e.g., shipping is pending, funds are in escrow). You must complete or cancel all open transactions before your account can be deleted. This restriction exists to protect your counterparty and ensure all in-progress obligations are resolved.
If you request deletion but have open transactions, we will notify you of the outstanding transactions and how to resolve them. Once all transactions are complete or cancelled, you may proceed with account deletion.
6. Cookies and Similar Technologies
We do not use cookies or similar tracking technologies to operate the Services, maintain authenticated sessions, or understand aggregate usage patterns. We do not use tracking technologies for behavioral advertising or cross-site tracking.
7. Data Security
We implement administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. Key elements of our security architecture include:
- Sensitive financial and identity data (SSN, card numbers, bank accounts) is not stored by CapStacks. It is held exclusively by Stripe under Stripe's PCI DSS-compliant infrastructure, substantially reducing our breach surface.
- All CapStacks data is stored in Supabase Pte. Ltd.'s US-hosted infrastructure with encryption at rest and in transit (TLS).
- Shipping addresses are withheld from transaction counterparties until both parties complete verification and payment, limiting unnecessary data exposure.
- Access to personal data within CapStacks's systems is restricted to personnel with a need-to-know.
- Offer photos are stored in a publicly accessible bucket by design; users should not include personal information in photos shared via picture requests.
No security system is impenetrable. In the event of a data breach affecting your personal information, we will notify you and applicable regulators as required by applicable state breach notification laws (typically within 30–72 hours of discovery, depending on jurisdiction).
8. Children's Privacy and Age Requirements
CapStacks has a split age structure:
- Marketplace features (buying, selling, and trading hats) require users to be 18 years of age or older. Users must affirmatively agree to our Terms of Service, which includes an explicit 18+ confirmation, before accessing any marketplace feature. Sellers and traders must additionally complete Stripe's identity verification process, which requires a legal adult's identity to complete.
- Collection tracking features — adding hats to your collection, logging wears, and maintaining a Wantlist — are available to users 13 and older. We require all users to confirm they are at least 13 years of age at account creation.
We do not knowingly collect personal information from children under 13. If we become aware that a user under 13 has created an account, we will delete the account and all associated personal information promptly. If you believe a child under 13 has created an account, please contact us at privacy@capstacksapp.com.
9. Third-Party Services
The Services interact with third-party services. This Privacy Policy does not govern those services. Key third-party privacy policies:
We encourage you to review the privacy policies of any third-party services you access through or in connection with the Platform.
10. State-Specific Privacy Rights
10.1 California Residents (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with the following rights, subject to certain exceptions and verification requirements:
- Right to Know: Request disclosure of the categories and specific pieces of personal information collected about you, the sources, the business purpose for collection, and the categories of third parties with whom we share it.
- Right to Delete: Request deletion of personal information we have collected from you, subject to exceptions for legal compliance, or completing a transaction you have initiated. See Section 5.2 for account deletion details.
- Right to Correct: Request correction of inaccurate personal information we maintain about you.
- Right to Opt Out of Sale or Sharing: CapStacks does not sell your personal information and does not share it for cross-context behavioral advertising. There is nothing to opt out of at this time.
- Right to Limit Use of Sensitive Personal Information: CapStacks does not collect sensitive personal information directly. SSN, financial account data, and government ID are collected by Stripe, not CapStacks.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.
To exercise your rights, submit a verifiable consumer request to privacy@capstacksapp.com. We will verify your identity using your registered email address and respond within 45 days (extendable by 45 additional days with notice). You may designate an authorized agent with written proof of authority.
CPRA Sensitive Personal Information: Based on our data architecture, CapStacks does not directly collect categories defined as "sensitive personal information" under CPRA — SSN, financial account numbers, and government-issued ID are held by Stripe. Shipping addresses and self-reported city/region are not classified as sensitive personal information under CPRA.
10.2 Virginia Residents (VCDPA)
Virginia residents have the right to (a) access personal data we process about them; (b) correct inaccuracies; (c) delete personal data; (d) obtain a portable copy of personal data; and (e) opt out of the processing of personal data for targeted advertising, sale, or profiling. CapStacks does not sell personal data or use it for targeted advertising or profiling. To submit a request, contact privacy@capstacksapp.com. Unresolved appeals may be referred to the Virginia Attorney General.
10.3 Colorado Residents (CPA)
Colorado residents have rights substantially similar to those described for Virginia residents above, including access, correction, deletion, portability, and opt-out of sale, targeted advertising, and profiling. To submit a request, contact privacy@capstacksapp.com.
10.4 Connecticut Residents (CTDPA)
Connecticut residents have the right to access, correct, delete, and obtain a copy of personal data, and to opt out of the sale of personal data, targeted advertising, and profiling. To submit a request, contact privacy@capstacksapp.com.
10.5 Texas Residents (TDPSA)
Texas residents have the right to access, correct, delete, and obtain a portable copy of personal data, and to opt out of the sale of personal data, targeted advertising, and profiling. To submit a request, contact privacy@capstacksapp.com.
10.6 Florida Residents (FDBR)
Florida residents have the right to access, correct, delete, and obtain a copy of personal data, and to opt out of the sale of personal data and targeted advertising, for platforms meeting statutory thresholds. To submit a request, contact privacy@capstacksapp.com.
10.7 Nevada Residents
Nevada law (NRS 603A) provides Nevada residents the right to opt out of the sale of covered information to third parties. CapStacks does not sell personal information. Questions: privacy@capstacksapp.com.
10.8 All Other States
Additional state privacy laws are enacted on an ongoing basis. We monitor the regulatory landscape and will update this Policy as new laws take effect. Users in all states may contact us at privacy@capstacksapp.com with privacy-related questions or requests.
11. Your Choices and Controls
- Account information: Update your email address, name, username, Instagram handle, and city/region through your account settings.
- Collection privacy: Control which hats and wear logs are public or private through the per-item visibility settings in the app.
- Push notifications: Manage push notification preferences through your device's notification settings.
- Marketing communications: Opt out of non-transactional emails by following the unsubscribe link in any such message. You cannot opt out of transactional system messages required to facilitate an active transaction.
- Account deletion: Delete your account using the in-app deletion option. See Section 5.2 for details, including the open-transaction restriction.
- Access and correction: Request access to or correction of your personal data by contacting privacy@capstacksapp.com.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by sending an email to your registered address and/or by posting a prominent notice in the app at least 30 days before the change takes effect. Your continued use of the Services after the effective date constitutes acceptance of the revised Policy. Prior versions are available upon request.