MoxMarket

Privacy Policy

Last updated: July 2026 (added referral system and mox_ref_code cookie; updated third-party card data sources)

1. About this policy

MoxMarket (“we”, “us”) operates the MoxMarket platform at moxmarket.app. This policy explains what personal information we collect, how we use it, and your rights under the New Zealand Privacy Act 2020 and, for Australian users, the Australian Privacy Act 1988 (Cth).

2. Information we collect

We collect the following categories of personal information:

  • Account data — email address, username, and password (stored as a secure hash by Supabase Auth).
  • Profile data — avatar image, preferred game, notification preferences, sales history visibility setting.
  • Transaction data — listings created, orders placed or received, offer history, cart bundle offers, want list entries, reviews left or received, wallet transaction history.
  • Shipping addresses — recipient name and address saved for order fulfilment.
  • Manual payment instructions — an optional free-text message a seller may provide (for example a bank account number and reference) for buyers who choose manual payment. It is entered voluntarily, stored separately from the public profile, and shown only to the seller and to a buyer who has a live order with that seller.
  • Uploaded images — listing photos and avatar images you upload to the platform, stored in Cloudflare R2.
  • Business verification data — Trade-tier sellers who apply for a verified badge provide their business name, business email address, website URL, and optionally their NZ Business Number (NZBN). This data is used solely for identity verification purposes and is not publicly displayed beyond the badge itself.
  • Stripe Connect identity data — Sellers who enable card payments complete Stripe’s identity verification process (“Know Your Customer”). This may include name, date of birth, address, and bank account details. This data is collected and held by Stripe directly — MoxMarket stores only your Stripe account ID. See Stripe’s privacy policy for details of how they handle this data.
  • Payment data — Stripe processes card payment data on our behalf. MoxMarket does not store card numbers, CVVs, or full payment instrument details. We store order amounts, payment status, Stripe payment intent IDs, and wallet balances.
  • Communications — the platform surfaces your email address to the counterparty on a completed order to facilitate post-purchase contact. We do not store in-app message content beyond what is included in order records.
  • Technical data — IP address, browser type, and request logs collected automatically by Vercel (our hosting provider).
  • Analytics data — pages visited, session duration, device type, and approximate location (country/city level, derived from a anonymised IP address) collected via Google Analytics 4. This data is aggregated and used solely to understand how the platform is used. IP addresses are anonymised by Google before storage.
  • Referral data — if you arrive via a referral link, we store a temporary cookie recording the referral code. On signup, a referral relationship is recorded (who referred you) along with any qualifying events (your first sale or purchase) that trigger a subscription bonus. Your unique referral code is generated at signup and stored on your account.

3. How we use your information

  • To create and manage your account.
  • To facilitate listings, offers, cart bundle offers, want list matching, and orders between buyers and sellers.
  • To share your email address with the other party when a transaction is completed — both the buyer’s and seller’s email addresses are disclosed on the order page for that transaction solely to facilitate post-purchase communication.
  • To display your manual payment instructions to a buyer who has a live order with you, when you have provided them as a seller.
  • To process and settle card payments via Stripe, including crediting your wallet and processing withdrawals to your bank account.
  • To send transactional emails (offer received, order confirmed, listing approved, instant buy notification, balance due, etc.).
  • To process subscription billing via Stripe.
  • To attribute referrals and grant subscription bonuses when a referred user completes their first transaction.
  • To review business verification applications and issue verified seller badges.
  • To investigate disputes, chargebacks, and enforce our Terms & Conditions.
  • To prevent fraud and maintain platform security.
  • To comply with our legal obligations, including financial record-keeping requirements.

We do not sell your personal information to third parties. We do not use your data for advertising. Analytics data is used only in aggregate to improve the platform.

4. Third-party services

We use the following third-party services to operate the platform. Each processes personal data as described and is bound by its own privacy policy:

ServicePurposeData processed
SupabaseDatabase & authenticationAll account, listing, order, wallet, and transaction data
StripeCard payments, seller payouts (Connect), subscription billingBuyer payment card data; seller identity (KYC), bank account, and payout data via Stripe Connect; subscription billing data
ResendTransactional emailEmail address, email content
Cloudflare R2Image storageUploaded listing photos and avatars
VercelHosting & edge networkIP address, request logs
Google Analytics 4Platform analyticsAnonymised IP address, pages visited, session data, device & browser type, approximate location
ScryfallMTG card dataCard search queries (no personal data transmitted)
poke.churchPokémon card data & pricingCard search queries (no personal data transmitted)
OPTCG APIOne Piece card data & pricingCard search queries (no personal data transmitted)
Card KingdomMTG reference pricingNo personal data transmitted — server-side price fetch only

Some of these services are based outside New Zealand or Australia. By using MoxMarket, you acknowledge that your data may be stored and processed in the United States or European Union. Where data is transferred overseas, we take reasonable steps to ensure it is handled in accordance with applicable privacy law.

Sellers who enable card payments are also subject to Stripe’s Connected Account Agreement and Stripe’s own privacy policy with respect to their identity verification and payout data.

5. Cookies

MoxMarket uses the following cookies:

CookiePurposeExpiry
sb-auth-tokenKeeps you signed in (strictly necessary)Session
mox_ref_codeReferral tracking — records which referral link was used so the referrer can be credited if you sign up. Set when visiting a /join/ link; deleted automatically on signup completion. HttpOnly — not accessible to JavaScript.30 days
_gaGoogle Analytics — distinguishes unique users2 years
_ga_*Google Analytics — maintains session state2 years

The authentication cookie is strictly necessary and cannot be disabled without preventing sign-in. The Google Analytics cookies are analytics cookies used to understand aggregate platform usage — they do not track you for advertising purposes. You can opt out of Google Analytics at any time by installing the Google Analytics opt-out browser add-on.

6. Your rights

Under the New Zealand Privacy Act 2020 (and, for Australian users, the Australian Privacy Act 1988), you have the right to:

  • Access your personal information held by us.
  • Correct inaccurate personal information.
  • Request deletion of your account and associated personal data — use the delete account option in Settings, or email us. Note that financial records (orders, wallet transactions, invoices) may be retained as described in section 7 below, and information you have shared with other users (e.g. your username on their order records, reviews) cannot be fully erased from their records.

To exercise these rights, contact us at hello@moxmarket.app. We will respond within 20 working days as required by the Privacy Act.

If you believe we have breached your privacy rights, you may complain to the Office of the Privacy Commissioner (New Zealand — privacy.org.nz) or the Office of the Australian Information Commissioner (Australia — oaic.gov.au).

7. Data retention

We retain your personal profile and account data for as long as your account is active. When you delete your account, your personal profile and authentication record are permanently deleted.

Financial records — including orders, platform fee calculations, wallet transactions, and invoices — are retained for a minimum of 7 years from the date of the transaction to meet our obligations under the Tax Administration Act 1994 and Inland Revenue requirements (New Zealand) or equivalent Australian tax law obligations. These records are retained in a form that identifies the transaction but with personal identifiers minimised where practicable.

Business verification submissions are retained for the duration of the seller’s verified status and for a reasonable period thereafter for audit purposes.

Listing images and avatar photos stored in Cloudflare R2 are deleted when the associated listing is removed or the account is deleted.

8. Security

We take reasonable steps to protect personal information from unauthorised access, loss, or disclosure. These include encrypted connections (HTTPS), row-level security on our database, and access controls limiting staff access to personal data. Passwords are never stored in plain text — authentication is managed by Supabase. Card payment data is handled entirely by Stripe and never touches our servers.

No security system is infallible. If you become aware of a security issue, please contact us at hello@moxmarket.app immediately.

9. Shopify integration

MoxMarket offers an optional Shopify sales channel integration for Trade-tier sellers. If you connect your Shopify store to MoxMarket, the following additional data is collected and processed:

  • Shopify access token — stored encrypted (AES-256-GCM) in our database. Used solely to receive product webhooks and push orders back to your Shopify store.
  • Product data — product titles, descriptions, prices, images, and card metadata metafields from products you publish to the MoxMarket sales channel. Used to create MoxMarket listings.
  • Shopify shipping zones — fetched at install time and on demand via the “Refresh rates” button. Used to calculate shipping costs for your listings.
  • Shopify order ID — stored against each MoxMarket order that is pushed to your Shopify store. Used to sync fulfilment status between the two platforms.

MoxMarket does not store your customers’ personal data from Shopify. Order recipient addresses are used solely to populate the shipping address on the Shopify order and are not retained independently.

You can disconnect your Shopify store at any time via Settings → Shopify. On disconnection your access token link is removed and your Shopify-synced listings are cancelled. Per Shopify’s GDPR requirements, residual install records are cleared within 48 hours of uninstall.

Use of the Shopify integration is also subject to Shopify’s Privacy Policy with respect to data held in your Shopify store.

10. Contact

For privacy-related queries, contact us at hello@moxmarket.app.