Last updated: May 30, 2026

Privacy Policy

Hand Me Downs is a peer-to-peer textbook marketplace built exclusively for ASU students. This policy explains exactly what data we collect, why we collect it, and the choices you have. We've written it to be readable, not to obscure anything.

1.Information We Collect

Account Information

When you create an account, we collect your first name and your Arizona State University email address (@asu.edu). We require an ASU email to verify that you are a current student. We do not collect a last name unless you choose to provide one. Your password is hashed using bcrypt and is never stored in readable form.

Listing Content

When you post a textbook listing, we store the information you provide: the book title, author, ISBN, course code, asking price, condition rating, description, and any photos you upload. This content is publicly visible to other users browsing the marketplace.

Messages

When you send or receive messages through Hand Me Downs, the content of those messages, the sender and recipient identifiers, and timestamps are stored in our database. Messages are visible only to the two participants in each conversation.

Automatically Collected Information

Like most web services, our infrastructure provider (Supabase) automatically records standard server log data, including IP addresses, browser type, referring URLs, and the date and time of requests. This data is used for security monitoring and is not linked to your profile.

We also use Google Analytics (GA4) to understand aggregate traffic patterns — which pages are popular, how users navigate the site, and similar non-identifying usage data. Google Analytics uses cookies and collects anonymized identifiers. See Google's privacy policy for details on how Google processes this data. You can opt out using the Google Analytics Opt-out Browser Add-on.

Local Storage

We store a single item in your browser's localStorage — a timestamp recording the last time you visited the Messages page. This is used solely to display the unread-message badge in the navigation. It is never sent to our servers.

2.How We Use Your Information

We use the information we collect for the following purposes and no others:

• Authentication: To verify your identity and maintain your session when you log in.
• ASU student verification: To confirm you hold a valid @asu.edu email address before granting access to the marketplace.
• Marketplace operations: To display your listings to other students browsing Hand Me Downs and to connect buyers and sellers through in-app messaging.
• Transactional emails: To send email-verification and password-reset messages. We do not send marketing emails.
• Safety and trust: To detect and prevent fraudulent or prohibited listings and to respond to user reports of misconduct.
• Product improvement: Aggregate, anonymized usage data from Google Analytics helps us understand how to improve the platform. No individual-level data is used for this purpose.

3.Information We Do Not Share

We do not share your personal information with advertisers, data brokers, or marketing platforms. We do not build advertising profiles on you or permit third parties to do so through our platform.

We may disclose information only in the following narrow circumstances:

• Service providers: Supabase (database and authentication) and Google (analytics) process data on our behalf under their own privacy policies, as described in Section 4.
• Legal requirements: If we receive a valid court order, subpoena, or legal process requiring disclosure, we will comply with applicable law. Where legally permitted, we will attempt to notify you before disclosing.
• Safety: If we believe disclosure is necessary to prevent imminent harm to a person's physical safety, we may share information with appropriate authorities.
• Business transfers: If Hand Me Downs is acquired by or merged with another entity, your information may be transferred as part of that transaction. We will notify users via email and a prominent notice on the site before any such transfer occurs.

4.Third-Party Services

Hand Me Downs is built on two third-party platforms:

Supabase

All user data — accounts, profiles, listings, messages, and uploaded photos — is stored on Supabase, a managed database platform. Supabase runs on Amazon Web Services (AWS) infrastructure in the US-East-1 region (Northern Virginia). Supabase's privacy policy is available at supabase.com/privacy.

Google Analytics

We use Google Analytics 4 (GA4) to collect anonymized, aggregate data about how users interact with Hand Me Downs. We have not enabled any Google Signals features, and we do not share any individual-level analytics data with Google for advertising purposes. Google's privacy policy is available at policies.google.com/privacy.

Open Library / Google Books

Book cover images on the browse page may be loaded from Open Library (openlibrary.org). Fetching these images exposes your IP address to those services, as with any third-party image. No other data is shared.

5.Data Security

We take reasonable technical and organizational measures to protect your information:

• All data is transmitted over HTTPS/TLS. Unencrypted connections are not supported.
• Passwords are hashed using bcrypt before storage. We never store plaintext passwords.
• Database access is restricted by Row-Level Security (RLS) policies. A buyer cannot read another user's private messages; a seller cannot read another user's profile data beyond what is publicly displayed.
• Authentication tokens are short-lived JWTs with automatic refresh. Sessions expire after periods of inactivity.
• Storage buckets for uploaded images are configured with access controls.

No system is perfectly secure. While we work hard to protect your information, we cannot guarantee absolute security. If you believe your account has been compromised, please contact us immediately at handmedownsapp@gmail.com.

6.Data Retention

We retain your data for as long as your account is active. Specific retention practices:

• Active listings are visible on the marketplace and stored indefinitely until you mark them as sold, hide them, or delete them.
• Listings older than 120 days are automatically marked as expired and hidden from the public browse page, but they remain in your profile page and in our database.
• Messages are retained for the life of the associated conversation. Deleting a listing does not delete the messages in the conversation thread about that listing.
• Account data (name, email, profile) is retained until you request deletion.
• Server logs collected by Supabase are subject to Supabase's own retention policies.

7.Your Rights and Choices

You have the following rights with respect to your personal information:

Access

You can view and access all information in your account by logging in. Your listings are visible on your profile page. Your messages are accessible from the Messages page.

Correction

You can update your display name from your profile settings. If you need to correct other account information (such as your email address), contact us and we will assist.

Deletion — Listings

You can delete any of your listings at any time directly from your profile page. Deletion removes the listing from public view immediately. A soft-delete record is retained internally for a limited period to support fraud prevention.

Deletion — Full Account

To delete your entire account — including your profile, all listings, and all messages — email us at handmedownsapp@gmail.com with the subject line "Account Deletion Request" from your registered ASU email address. We will permanently delete your account and all associated data within 7 business days and confirm when complete.

Note: Deletion of your account does not delete messages from the other participant's inbox, as those belong to them. Deleted accounts are replaced with an anonymous placeholder in conversation threads.

Opt Out of Analytics

You can opt out of Google Analytics data collection at any time using the Google Analytics Opt-out Browser Add-on.

8.Children's Privacy

Hand Me Downs is intended for use by university students who are at least 18 years of age. We do not knowingly collect personal information from anyone under 18. Enrollment at Arizona State University generally requires users to be at least 18, and our @asu.edu email verification reinforces this requirement. If you believe we have inadvertently collected information from a minor, please contact us immediately and we will delete it.

9.California Residents (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you additional rights:

• Right to Know: You may request a report of the personal information we have collected about you and how it has been used or shared in the past 12 months.
• Right to Delete: You may request deletion of personal information we have collected from you, subject to certain exceptions.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
• Right to Opt Out of Sale: We do not sell personal information. No opt-out is necessary, but you have the right to direct us not to sell your information should our practices ever change.

To exercise these rights, email handmedownsapp@gmail.com with the subject "CCPA Request." We will respond within 45 days.

10.Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. When we make material changes, we will update the "Last updated" date at the top of this page and, where the changes are significant, send a notification to your registered email address.

We encourage you to review this policy periodically. Continued use of Hand Me Downs after changes are posted constitutes your acceptance of the revised policy.

11.Contact Us

For any questions, concerns, or requests related to this Privacy Policy — including account deletion requests — please contact: