Privacy Policy

Last Updated: June 6, 2026

xchngbl (“we,” “our,” or “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your information when you use our platform at xchngbl.app and xchngbl.com.

1. Information We Collect

1.1 Account and Sign-In Data

You can create an account and sign in using either Sign in with Google or Sign in with Apple. Both are co-equal, primary sign-in methods. From whichever provider you choose, we access:

  • Email address: Used to create and identify your account. With Sign in with Apple, you may choose to hide your email, in which case Apple provides a private relay address
  • Profile name: Displayed on your user profile
  • Profile picture: Where available, displayed on your user profile and listings
  • Provider user ID (Google user ID or Apple ID): Used for authentication purposes

We only request the minimum scopes necessary to provide our service. For Google this is email, profile, and openid; we never request access to your other Google or Apple account data, and we never receive or store your password.

1.2 Information You Provide

When you use xchngbl, you may provide:

  • Items you list for trade (descriptions, photos, categories)
  • Trades and messages
  • Profile information you choose to add
  • Feedback and support requests

1.3 Automatically Collected Information

We automatically collect:

  • Device information (browser type, operating system)
  • Usage data (pages visited, features used)
  • IP address and location (city/region level only)
  • Analytics data (pages visited, features used, button clicks, anonymized usage patterns)
  • Error and performance data (JavaScript errors, page load times, app performance metrics, and limited session-replay captures with on-screen text and media masked)
  • A device push token, if you enable push notifications on a mobile device, so we can deliver notifications to you (deleted when you sign out)

2. How We Use Your Information

2.1 Sign-In Data Usage

We use the account information from your Google or Apple sign-in to:

  • Create and authenticate your account: Your email and provider user ID allow you to sign in securely
  • Display your profile: Your name and profile picture are shown to other users when you list items or propose trades. You can change your profile name and picture at any time on xchngbl
  • Communicate with you: We may send account-related emails to your registered email address
  • Improve our service: We analyze usage patterns to enhance the platform

2.2 Other Data Usage

We use the information you provide to:

  • Enable trading between users
  • Display your items and listings to other users
  • Facilitate trades and messaging
  • Provide customer support
  • Prevent fraud and abuse
  • Comply with legal obligations
  • Analyze usage patterns and feature adoption to improve the platform

3. How We Share Your Information

3.1 Public Information

The following information is visible to other xchngbl users:

  • Your profile name and picture (from Google or Apple, or as you set them)
  • Items you list for trade
  • Public listings and trade history

When you accept a trade, your trading partner sees your name and can message you within the app to coordinate. We do not share your email address or phone number with your trading partner.

Blocking and reporting: You can block another user, which stops you from seeing each other's listings and profiles, cancels any pending trades between you, and prevents further messaging; the other user is not told they were blocked. You can also report a listing, user, or message to our team for review, which we may retain as part of our moderation records.

3.2 Third-Party Services

We use the following third-party services that may access your data:

  • Google: For secure authentication (Sign in with Google), and for location search and geocoding via Google Maps Platform (the Maps JavaScript SDK and the Geocoding API, which receives your coordinates to convert them into a city/state name). Google's Privacy Policy applies
  • Apple: For secure authentication (Sign in with Apple) and for delivering push notifications via the Apple Push Notification service (APNs), which receives your device push token to route notifications. Apple's Privacy Policy applies
  • Supabase: For secure data storage, authentication, and file storage (Supabase Privacy Policy applies)
  • Vercel: For hosting our platform and for web analytics and performance metrics (Vercel Analytics and Speed Insights). Vercel's Privacy Policy applies
  • Capgo: For mobile app delivery and over-the-air app updates (Capgo Privacy Policy applies)
  • Resend: For sending transactional emails such as trade proposals, trade updates, and account notices (Resend Privacy Policy applies)
  • Twilio: For phone-number verification by SMS. Phone verification is not currently active in the app; when it is enabled, your phone number will be sent to Twilio to deliver a one-time code (Twilio Privacy Policy applies)
  • Anthropic: For the optional “analyze image” feature when creating a listing. The photo you upload is sent to Anthropic's API to suggest a title, description, category, and condition. We do not send your name, email, or other identifying information with the image (Anthropic Privacy Policy applies)
  • PostHog: For product analytics and usage tracking. We do not send personal information such as names, emails, or phone numbers to PostHog. Users are identified only by an internal account identifier. PostHog uses cookies to maintain session continuity across xchngbl.com and xchngbl.app. (PostHog Privacy Policy applies)
  • Sentry: For error tracking, performance monitoring, and session replay to maintain platform reliability. Session replays may be recorded for debugging; on-screen text and media are masked so your content (listings, messages, location) is not captured. Approximately 10% of sessions are sampled, with fuller capture on sessions where an error occurs. (Sentry Privacy Policy applies)

We do not sell your personal information to third parties.

3.3 Legal Requirements

We may disclose your information if required by law, court order, or government request, or to protect our rights, property, or safety.

4. Data Storage and Security

4.1 Where We Store Data

Your data is stored securely using:

  • Supabase (PostgreSQL database): Encrypted at rest and in transit
  • Google Cloud Platform: For authentication services
  • Vercel: For application hosting
  • PostHog (US-hosted): For anonymized analytics data
  • Sentry: For error and performance data

All data is stored in secure, encrypted databases in the United States.

4.2 Security Measures

We implement industry-standard security measures:

  • Encryption in transit (HTTPS/TLS)
  • Encryption at rest for sensitive data
  • Secure authentication via Google OAuth
  • Regular security updates and monitoring
  • Access controls and authentication requirements

4.3 Data Protection

Your account data is:

  • Stored securely in our database
  • Never shared with other users without your consent
  • Accessed only when necessary to provide service
  • Protected by Supabase's enterprise-grade security

5. Data Retention and Deletion

5.1 How Long We Keep Data

We retain user data as long as needed to provide the service, comply with our legal obligations, resolve disputes, and enforce our agreements. Specific retention varies by data type and purpose. In particular:

  • Account and profile data: Retained while your account is active
  • Trades, messages, and ratings: When you delete your account, these may be kept in anonymized form (shown as “[Deleted user]”) so your former trading partners keep accurate records and public rating aggregates stay intact
  • Safety, moderation, and audit records: Records we keep for safety, moderation, fraud prevention, and law-enforcement compliance — such as message moderation logs and administrative action logs — may be retained indefinitely as part of our audit trail
  • Uploaded photos: Removed from our public listings when you delete the originating record; copies may persist in our storage and backup infrastructure for a period determined by our service providers
  • Legally required records: Kept for as long as the law requires

5.2 Your Right to Delete Data

You can request deletion of your data at any time:

To delete your account and associated data:

  1. In the app, go to Profile → Delete My Account and confirm. This deletes your account directly — no email required
  2. We promptly remove or anonymize your personal data, as described in section 5.1
  3. If you are unable to use the in-app option, you can instead email us at support@xchngbl.com with subject “Account Deletion Request”
  4. Some data may be retained in anonymized form or for legal compliance (e.g., fraud prevention)

To revoke Google access:

  1. Visit your Google Account permissions page
  2. Remove xchngbl from connected apps
  3. Email us at support@xchngbl.com to request data deletion

5.3 Data Portability

You can request a copy of your data by emailing support@xchngbl.com. We will provide your data in a machine-readable format (JSON) within 30 days.

6. Your Rights and Choices

You have the right to:

  • Access your personal information
  • Correct inaccurate information
  • Delete your account and data
  • Export your data
  • Opt-out of non-essential emails
  • Revoke Google OAuth access
  • Opt-out of analytics tracking: You can block analytics by using browser privacy features or extensions that block third-party scripts. Our analytics use cookies for session continuity but do not track personal information

To exercise these rights, contact us at support@xchngbl.com.

7. Children's Privacy

xchngbl is not intended for users under 18. We do not knowingly collect information from children. If we discover we have collected data from a child, we will delete it immediately.

8. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by:

  • Posting the new policy on this page
  • Updating the “Last Updated” date
  • Sending an email to your registered address (for material changes)

Your continued use of xchngbl after changes constitutes acceptance of the updated policy.

9. Compliance with Google Policies

This privacy policy complies with:

Google User Data Handling

We adhere to Google's requirements:

  • Limited Use: We only use Google user data to provide and improve our service
  • No Sale: We never sell Google user data to third parties
  • User Control: Users can revoke access via Google Account settings
  • Transparency: We clearly disclose what data we access and why
  • Security: We use industry-standard security practices

10. Contact Us

If you have questions about this Privacy Policy or our data practices:

Email: support@xchngbl.com

Website: https://xchngbl.com

For Google OAuth-specific concerns, you can also review:

By using xchngbl, you agree to this Privacy Policy.