TwentyList Privacy Policy
Pre-production draft. Recommend licensed attorney review before major scaling. Not legal advice.
Last updated: June 19, 2026
Effective date: June 19, 2026
1. Introduction
TwentyList ("we," "us") explains here how we collect, use, disclose, and protect information when you use the TwentyList mobile app and related services ("Service").
Operator: TwentyList LLC
Privacy contact: support@twentylist.app
This Privacy Policy is incorporated into our Terms of Service. By using the Service, you acknowledge this Policy.
We may update this Policy. We will revise the "Last updated" date and, for material changes, provide notice in the app or by email where appropriate.
2. Information we collect
We group data into the categories below (similar to how major marketplaces disclose data for app stores and state privacy laws).
2.1 Identifiers and account data
| Data | Examples | Source |
|---|---|---|
| Account identifiers | User ID, Google subject ID | Google sign-in |
| Profile | Display name, username, avatar URL, email | Google + profile edits |
| Phone | Phone number, verification timestamp | You (SMS OTP) |
| Terms acceptance | Version id, acceptance timestamp | In-app acceptance flow |
2.2 Location and discovery
| Data | Purpose |
|---|---|
| Home ZIP code | Feed radius and local discovery |
| Derived coordinates | Geocoding ZIP via Mapbox (server-side) |
| Optional device location | Only if you use a "use my location" feature — converted to approximate area, not continuous GPS tracking |
We do not sell your location to data brokers.
2.3 Listing and commerce content
| Data | Purpose |
|---|---|
| Listing title, description, price, photos, category | Marketplace |
| Listing status, expiry, boost timestamps | Lifecycle and monetization |
| Banner ad creative, link URL, campaign stats | Advertising program |
2.4 Communications
| Data | Purpose |
|---|---|
| Direct messages between buyers and sellers | Contact, safety, abuse prevention |
| Reports, blocks, moderation notes | Trust and safety |
| Support emails | Customer support |
2.5 Payment-related data
We use Stripe for boosts, premium subscriptions, and banner ads. We receive payment status, customer IDs, and transaction metadata — not full payment card numbers (Stripe stores those).
2.6 Verification and badges
| Data | Purpose |
|---|---|
| `.edu` email (college badge) | Student badge verification |
| OTP hashes | College email verification (not plain codes in long-term storage) |
2.7 Device and usage data
| Data | Purpose |
|---|---|
| Device type, OS, app version | Diagnostics |
| IP address (server logs) | Security, fraud prevention |
| Product analytics events | Improve the Service (e.g., PostHog) |
| Push notification token | Optional alerts (e.g., listing expiry) |
| Advertising ID (if AdMob enabled) | Ad serving per Google/AdMob policies |
2.8 Information from third parties
| Provider | Data received |
|---|---|
| Sign-in profile (name, email, photo) | |
| Stripe | Payment and subscription status |
| Mapbox | Geocoding results for ZIP |
| Google AdMob | Ad interaction data (when ads enabled) |
| Email provider (e.g., Resend) | Delivery status for college OTP emails |
3. How we use information
We use information to:
We do not sell your personal information. We do not use your data to run a national classifieds index — discovery stays ZIP + radius bounded.
4. How we share information
| Recipient | Why |
|---|---|
| Supabase | Database, auth, storage, edge functions |
| Stripe | Payment processing |
| Mapbox | ZIP geocoding |
| Sign-in; AdMob when enabled | |
| Analytics provider (e.g., PostHog) | Product metrics |
| Email provider | College verification emails |
| Law enforcement / regulators | Valid legal process or to protect safety |
| Business transfers | Merger, acquisition, or asset sale (with notice where required) |
We may share public profile and listing content with other users as part of the Service (for example, seller name on a listing).
5. Your choices and privacy rights
Depending on where you live (including California, Colorado, Virginia, and other U.S. states with privacy laws), you may have the right to:
How to exercise rights: email support@twentylist.app or use in-app Delete account in Settings. We will verify your request and respond within timelines required by law (for example, 45 days under CCPA).
Account deletion cancels subscriptions where possible, removes your profile, and triggers deletion of listings and content per our retention schedule.
We do not discriminate against you for exercising privacy rights.
5.1 State-specific notices
Some U.S. states require additional disclosures. If required by law, we will publish supplements at https://twentylist.app/privacy/states.
6. Retention
| Data type | Typical retention |
|---|---|
| Active listings | Until expired, sold, or deleted |
| Expired listings | Removed from feed day 14; hard delete day 21 (images included) |
| Account profile | Until you delete your account |
| Direct messages | While accounts are active, plus up to 90 days after account deletion for safety and abuse investigations |
| Moderation logs | ~1–2 years for safety and legal defense |
| Phone verification metadata | While account is active |
| College badge data | Until badge expires + grace period |
| Stripe/billing records | As required for tax and fraud (often ~7 years) |
| Terms acceptance record | While account exists + legal hold period |
We may retain information longer when required by law or to resolve disputes.
7. Security
We use technical and organizational measures including encryption in transit, access controls, and database row-level security. No system is 100% secure. Protect your Google account credentials.
8. Children's privacy
The Service is not directed to children under 18. We do not knowingly collect personal information from anyone under 18. Contact support@twentylist.app to request deletion if you believe a child provided data.
9. International users
TwentyList is operated from the United States. If you access the Service from elsewhere, your information may be processed in the U.S. where privacy laws may differ from your country.
10. Cookies and similar technologies
The mobile app does not use browser cookies. Our website (if any) and analytics providers may use cookies or similar technologies — disclosed on our website when published.
11. Changes to this Policy
We will post updates with a new "Last updated" date. Material changes may be notified in-app or by email. Continued use after notice means you accept the updated Policy where permitted by law.
12. Contact
Privacy: support@twentylist.app
Support: support@twentylist.app