Privacy Policy

At Kingpin (operated by Shmaplex), we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our global marketplace platform for used fingerboard gear.

By using Kingpin, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, please do not use our Service.

1. Information We Collect

1.1 Information You Provide

We collect information you voluntarily provide when you:

• Create an Account: Email, password, username, full name, profile information
• Create Listings: Item descriptions, photos, pricing, shipping information
• Make Purchases: Shipping addresses, payment information (processed by Stripe)
• Communicate: Messages to other users, support inquiries, feedback
• Seller Information: Business details, tax information, bank account details (via Stripe Connect)
• Profile Customization: Bio, avatar, banner images, social media links, business information

1.2 Information Collected Automatically

When you use Kingpin, we automatically collect:

• Device Information: IP address, browser type, operating system, device identifiers
• Usage Data: Pages visited, time spent, clicks, search queries, listings viewed
• Location Data: General location from IP address (for shipping zones, currency)
• Cookies & Tracking: See Section 6 for details
• Transaction Data: Purchase history, sales history, payment amounts

1.3 Information from Third Parties

We may receive information from:

• Stripe: Payment verification, transaction status, fraud detection
• Analytics Providers: Usage patterns, performance metrics
• Other Users: Reviews, ratings, dispute information

1.4 Encrypted Messages

Our platform uses end-to-end encryption for user messages. We store encrypted message content but cannot access the decrypted contents. Encryption keys are derived from your PIN and stored securely.

2. How We Use Your Information

We use your information to:

2.1 Provide the Service

• Create and maintain your account
• Process transactions and payments
• Facilitate communication between buyers and sellers
• Display listings and search results
• Send notifications about account activity
• Provide customer support

2.2 Improve the Service

• Analyze usage patterns and trends
• Develop new features and functionality
• Personalize user experience
• Conduct research and analytics
• Test new features and improvements

2.3 Safety & Security

• Detect and prevent fraud
• Enforce our Terms of Service
• Verify user identity
• Resolve disputes
• Protect against abuse and security threats
• Comply with legal obligations

2.4 Marketing & Communication

• Send promotional emails (you can opt out)
• Notify you of new features or updates
• Conduct surveys and gather feedback
• Share community updates

2.5 Legal Compliance

• Comply with legal requirements
• Respond to legal requests and court orders
• Enforce intellectual property rights
• Protect our rights and property

3. How We Share Your Information

3.1 With Other Users

When you use Kingpin, certain information is visible to other users:

• Your username, profile photo, and bio
• Your listings and their details
• Your seller ratings and reviews
• Transaction history (for reputation purposes)
• Public messages in disputes

Buyers and sellers can see each other's shipping addresses after a purchase is confirmed.

3.2 With Service Providers

We share information with trusted third parties who help us operate:

• Stripe: Payment processing, fraud detection, seller payouts
• Hosting Providers: Data storage and server infrastructure (Supabase, Vercel)
• Analytics: Usage tracking and performance monitoring
• Email Services: Transactional and marketing emails
• Cloud Storage: Images and file hosting (Pinata, Supabase Storage)

These providers are contractually obligated to protect your data and use it only for the purposes we specify.

3.3 For Legal Reasons

We may disclose your information if required to:

• Comply with legal obligations or valid legal requests
• Enforce our Terms of Service
• Protect the rights, property, or safety of Shmaplex, users, or the public
• Investigate fraud or security issues
• Respond to government requests

3.4 Business Transfers

If Shmaplex is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your information becomes subject to a different privacy policy.

3.5 With Your Consent

We may share your information with third parties when you explicitly consent, such as when you authorize integration with external services.

4. Data Security

We implement industry-standard security measures to protect your information:

• Encryption: All data transmitted is encrypted using TLS/SSL
• End-to-End Encryption: Messages are encrypted client-side using libsodium
• Secure Storage: Passwords are hashed using bcrypt; sensitive data is encrypted at rest
• Access Controls: Strict access controls and authentication requirements
• Two-Factor Authentication: Optional 2FA for enhanced account security
• Regular Audits: Security reviews and vulnerability assessments
• Payment Security: We never store complete payment card details (PCI-DSS compliant via Stripe)

5. Your Rights & Choices

5.1 Access & Correction

You have the right to:

• Access your personal information
• Update or correct inaccurate information
• Download your data (data portability)
• Request a copy of your information

You can update most information through your account settings.

5.2 Deletion & Account Closure

You may request to:

• Delete specific information
• Close your account entirely
• Revoke consent for data processing

Note: We may retain certain information as required by law or for legitimate business purposes (e.g., transaction records for tax compliance, dispute resolution).

5.3 Marketing Communications

You can opt out of marketing emails by:

• Clicking "unsubscribe" in any marketing email
• Updating preferences in your account settings
• Contacting us at team@shmaplex.com

Note: You cannot opt out of transactional emails (purchase confirmations, shipping updates, etc.).

5.4 GDPR Rights (European Users)

If you are in the European Economic Area, you have additional rights:

• Right to Object: Object to processing of your data
• Right to Restrict: Restrict certain processing activities
• Right to Erasure: Request deletion ("right to be forgotten")
• Right to Portability: Receive your data in a structured format
• Right to Complain: Lodge a complaint with your supervisory authority

5.5 CCPA Rights (California Users)

California residents have the right to:

• Know what personal information is collected
• Know whether personal information is sold or disclosed
• Opt out of the sale of personal information
• Request deletion of personal information
• Non-discrimination for exercising privacy rights

Note: We do not sell your personal information to third parties.

5.6 Exercising Your Rights

To exercise any of these rights, contact us at team@shmaplex.com. We will respond within 30 days.

6. Cookies & Tracking Technologies

6.1 What Are Cookies?

Cookies are small text files stored on your device that help us provide and improve the Service.

6.2 Types of Cookies We Use

• Essential Cookies: Required for the platform to function (authentication, security)
• Performance Cookies: Help us understand how users interact with the platform
• Functional Cookies: Remember your preferences and settings
• Analytics Cookies: Track usage patterns and traffic

6.3 Managing Cookies

You can control cookies through your browser settings. However, disabling certain cookies may affect platform functionality.

6.4 Other Tracking Technologies

We may also use:

• Web beacons (tracking pixels)
• Local storage
• Session storage
• Analytics tools (e.g., Google Analytics alternatives)

7. International Data Transfers

Kingpin is a global marketplace. Your information may be transferred to and processed in countries other than your own, including:

• South Korea (our primary operations)
• United States (hosting and service providers)
• European Union (GDPR-compliant storage)

When we transfer data internationally, we ensure appropriate safeguards are in place, such as:

• Standard contractual clauses
• Data processing agreements
• Adequacy decisions (for EU data transfers)
• Privacy Shield frameworks (where applicable)

8. Children's Privacy

Kingpin is not intended for users under 18 years old (or the age of majority in your jurisdiction). We do not knowingly collect information from children.

If we discover that a child has provided us with personal information, we will delete it immediately. If you believe a child has provided us with information, please contact us at team@shmaplex.com.

9. Data Retention

We retain your information for as long as necessary to:

• Provide the Service
• Comply with legal obligations
• Resolve disputes
• Enforce our agreements

Retention periods vary by data type:

• Account Data: Until account deletion, plus legal retention requirements
• Transaction Data: 7 years (for tax and legal compliance)
• Messages: Until deletion by user or account closure
• Marketing Data: Until you opt out, plus 2 years
• Logs & Analytics: Up to 2 years

After the retention period, we securely delete or anonymize your data.

10. Third-Party Links & Services

The Service may contain links to third-party websites or integrate with third-party services. We are not responsible for the privacy practices of these third parties.

We encourage you to review the privacy policies of any third-party sites or services you visit or use.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

• Posting the updated policy on this page
• Sending an email notification
• Displaying a prominent notice on the platform

The "Last Updated" date at the top of this page indicates when the policy was last revised. Continued use of the Service after changes constitutes acceptance.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal information, please contact us:

We aim to respond to all privacy requests within 30 days.

13. EU Representative

For users in the European Economic Area, if you have GDPR-specific concerns or wish to lodge a complaint with a supervisory authority, you may contact your local data protection authority.

You can find your data protection authority here: EDPB Member List