Mobile App Privacy Policy

Sealed Market ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and disclose information when you use our mobile application.

We collect the following data points through the app:

Personal Data

• Name — provided at sign-up
• Email address — provided at sign-up, used for authentication and email verification
• Password — never stored in plain text; hashed server-side by the authentication service
• User ID — auto-generated on account creation; used to associate all user content

Device Data

• Expo Push Token — a device-specific notification token obtained via the Expo Notifications SDK, sent to our backend to enable push notifications
• Device platform (iOS / Android) — collected alongside the push token to send the correct notification format
• IP address — captured server-side on every API request as part of standard HTTP logging
• Project ID and device platform — sent to Expo's update servers on app launch to check for over-the-air (OTA) updates via expo-updates

Usage Data

• Portfolio items — card name, quantity, condition, language, acquisition price, acquisition date, and optional notes entered by the user
• Wishlist items — cards the user has added to their wishlist
• Price alert configurations — per-card alert thresholds set by the user
• Feedback submissions — type and content of feedback submitted through the app

We do not collect location, photos, contacts, calendar events, health data, payment information, or advertising identifiers.

The following permissions are requested by the app:

We do not use any third-party analytics, advertising, or crash-reporting SDKs.

• Analytics: None
• Advertising: None
• Payments: None
• Push Notifications: Expo Push Notification Service — used solely to route push notifications from our backend to your device. Expo acts as a data processor and does not use your push token for its own purposes.
• OTA Updates: Expo Updates (expo.dev) — on app launch, the app contacts Expo's update servers (u.expo.dev) with the project ID and device platform to check for and download over-the-air updates. No personal data is transmitted in this request.
• Authentication: better-auth — a self-hosted authentication library running on our own servers (api.sealedmarket.com). No data is sent to third-party auth providers.

Local Storage

• Authentication session tokens are stored in the device's secure enclave via expo-secure-store
• App preferences (theme, currency, language, market source) are stored in AsyncStorage
• Notification permission status and push token are stored in AsyncStorage
• Trade wishlist and for-sale listings are stored locally in AsyncStorage (not yet synced to the server)

Cloud Storage

• All server-side data is stored on our backend at https://api.sealedmarket.com
• Account data, portfolio items, price alerts, and notifications are persisted in a PostgreSQL database on our servers

Encryption

• All data in transit is protected by HTTPS/TLS
• Every API request is authenticated with an HMAC-SHA256 cryptographic signature
• Passwords are never stored in plain text

We retain the information collected for as long as necessary to provide the services requested or as required by law. If you delete your account, your personal data and associated content will be permanently deleted from our servers within 30 days.

Users can request the deletion of their data by contacting us at privacy@sealedmarket.com. We are working on an in-app account deletion feature which will be available in a future release.

Depending on your jurisdiction, you may also have the right to:

• Access the personal data we hold about you
• Correct inaccurate data
• Object to or restrict certain processing
• Data portability — receive a copy of your data in a structured format

If you have questions about this policy, contact us at:

Sealed Market
privacy@sealedmarket.com