0
📦 Bundle 0 ×

🔐 Privacy Policy

Version 1.0 · Effective April 28, 2026
Quick jump: What we collect Messages & encryption Moderator access Sharing Your rights

This page explains what data Straw Hat Fits collects from you, how we store it, who can see it, and what you can do about it. We've written it in plain language. The technical specifics in Messages & encryption match how the platform actually works — not marketing copy.

1. What we collect

  • Account info you give us: username, display name, email, password (stored as a bcrypt hash — we never see the plaintext), date of birth (used only to verify you're 18+; not displayed publicly).
  • Profile content you create: avatar image, card uploads, listings, messages, trade history.
  • Payment data: handled by PayPal. We see whether a payment succeeded and an opaque transaction ID — we do not see your card number, bank account, or PayPal login. PayPal's privacy policy applies to that flow.
  • Operational data: server logs (IP, user agent, request URLs) for security and debugging. Logs rotate on a normal cycle.
  • Cookies: a session cookie to keep you signed in. No third-party tracking cookies, no advertising pixels.

2. Messages and encryption

Messages between members are protected at two layers:

  • In transit (TLS): every page and API call uses HTTPS. Anyone sniffing the network sees nothing useful.
  • At rest (AES-256-GCM): message thread files on our server are encrypted with a 256-bit key. A leaked disk image or backup tarball is gibberish without the key.
Important honesty: at-rest encryption protects against server compromise. It does not mean we (the platform operators) can't read messages — the server holds the key. This is the right model for a P2P trading platform: moderators need authority to review reported threads when fraud or abuse disputes happen. If you wouldn't be comfortable with a moderator reading something — for example, a password, a full credit-card number, or sensitive personal data — don't put it in a Straw Hat Fits message. Use the in-app PayPal flow for payments.

3. Moderator access

  • Moderators only see threads that are explicitly forwarded to them via the "Forward to Mod" button inside a thread, or threads that have been the subject of a reported violation.
  • Random browsing of private messages is not permitted, and the system doesn't expose messages to mods unless they're flagged.
  • Block actions are logged to a private audit so we can detect patterns (e.g. one user being blocked by many) — block reasons you write are visible only to moderators, never to the blocked person.

4. What we share with whom

  • Other members: your username, display name, avatar, listed cards, and trader profile are public to anyone signed in. Your DOB, email, and message contents are not.
  • Service providers: we use Mailgun for transactional email (verification, password reset) and PayPal for payments. They process the minimum data needed for that function and are bound by their own privacy policies.
  • Law enforcement: we comply with valid legal requests but will push back on overbroad ones. We do not sell, rent, or trade member data to advertisers or data brokers — full stop.

5. Your rights

  • See your data: email us and we'll send you a copy of your account record.
  • Correct your data: most fields are editable directly on the Account page.
  • Delete your account: email us. We'll remove your profile and listings; we may retain transactional records (trades, payments) for our legal/audit obligations.
  • Block someone: any trader profile has a Block button. Once blocked, they cannot message or offer to you, and their listings disappear from your view.

6. How long we keep things

  • Active account: indefinitely while you're a member.
  • Deleted accounts: profile data scrubbed within 30 days of request; transactional records may be kept for legal retention periods.
  • Server logs: rotated on a normal cycle (typically weeks, not months).
  • Backups: encrypted at rest. We use them for disaster recovery, not browsing.

7. Children

Straw Hat Fits is for 18+ only. We don't knowingly collect data from anyone under 18. If you believe a minor has registered, email us and we'll remove the account.

8. Changes to this policy

If we materially change how we collect or use data, we'll bump the version of this page and you'll see a re-acknowledgment prompt the next time you sign in. Continuing to use the site after that means you accept the updated policy.

9. Contact

Privacy questions, data requests, appeals, or concerns: use the ? Help button on any page, or email tommyshutter@gmail.com. We try to respond within a few business days.

See also: Terms of Service.