Privacy Policy
Last updated: May 2026 (updated to reflect addition of Google Analytics)
1. About this policy
MoxMarket (“we”, “us”) operates the MoxMarket platform at moxmarket.nz. This policy explains what personal information we collect, how we use it, and your rights under the New Zealand Privacy Act 2020.
2. Information we collect
We collect the following categories of personal information:
- Account data — email address, username, and password (stored as a secure hash by Supabase Auth).
- Profile data — avatar image, preferred game, notification preferences, sales history visibility setting.
- Transaction data — listings created, orders placed or received, offer history, cart bundle offers, want list entries, reviews left or received, wallet transaction history.
- Shipping addresses — recipient name and address saved for order fulfilment.
- Bank account number — bank account number provided by sellers for display to buyers on order pages. This is entered voluntarily by sellers and is visible to buyers of their listings.
- Uploaded images — listing photos and avatar images you upload to the platform, stored in Cloudflare R2.
- Business verification data — Trade-tier sellers who apply for a verified badge provide their business name, business email address, website URL, and optionally their NZ Business Number (NZBN). This data is used solely for identity verification purposes and is not publicly displayed beyond the badge itself.
- Stripe Connect identity data — Sellers who enable card payments complete Stripe’s identity verification process (“Know Your Customer”). This may include name, date of birth, address, and bank account details. This data is collected and held by Stripe directly — MoxMarket stores only your Stripe account ID. See Stripe’s privacy policy for details of how they handle this data.
- Payment data — Stripe processes card payment data on our behalf. MoxMarket does not store card numbers, CVVs, or full payment instrument details. We store order amounts, payment status, Stripe payment intent IDs, and wallet balances.
- Communications — the platform surfaces your email address to the counterparty on a completed order to facilitate post-purchase contact. We do not store in-app message content beyond what is included in order records.
- Technical data — IP address, browser type, and request logs collected automatically by Vercel (our hosting provider).
- Analytics data — pages visited, session duration, device type, and approximate location (country/city level, derived from a anonymised IP address) collected via Google Analytics 4. This data is aggregated and used solely to understand how the platform is used. IP addresses are anonymised by Google before storage.
3. How we use your information
- To create and manage your account.
- To facilitate listings, offers, cart bundle offers, want list matching, and orders between buyers and sellers.
- To share your email address with the other party when a transaction is completed — both the buyer’s and seller’s email addresses are disclosed on the order page for that transaction solely to facilitate post-purchase communication.
- To display your bank account number to buyers on order pages when you have provided it as a seller.
- To process and settle card payments via Stripe, including crediting your wallet and processing withdrawals to your bank account.
- To send transactional emails (offer received, order confirmed, listing approved, instant buy notification, balance due, etc.).
- To process subscription billing via Stripe.
- To review business verification applications and issue verified seller badges.
- To investigate disputes, chargebacks, and enforce our Terms & Conditions.
- To prevent fraud and maintain platform security.
- To comply with our legal obligations, including financial record-keeping requirements.
We do not sell your personal information to third parties. We do not use your data for advertising. Analytics data is used only in aggregate to improve the platform.
4. Third-party services
We use the following third-party services to operate the platform. Each processes personal data as described and is bound by its own privacy policy:
| Service | Purpose | Data processed |
|---|---|---|
| Supabase | Database & authentication | All account, listing, order, wallet, and transaction data |
| Stripe | Card payments, seller payouts (Connect), subscription billing | Buyer payment card data; seller identity (KYC), bank account, and payout data via Stripe Connect; subscription billing data |
| Resend | Transactional email | Email address, email content |
| Cloudflare R2 | Image storage | Uploaded listing photos and avatars |
| Vercel | Hosting & edge network | IP address, request logs |
| Google Analytics 4 | Platform analytics | Anonymised IP address, pages visited, session data, device & browser type, approximate location |
| Scryfall | MTG card data | Card search queries (no personal data transmitted) |
| TCGdex / poke.church | Pokémon card data & pricing | Card search queries (no personal data transmitted) |
| Card Kingdom | MTG reference pricing | No personal data transmitted — server-side price fetch only |
Some of these services are based outside New Zealand. By using MoxMarket, you acknowledge that your data may be stored and processed in the United States or European Union. Where data is transferred overseas, we take reasonable steps to ensure it is handled in accordance with the New Zealand Privacy Act 2020.
Sellers who enable card payments are also subject to Stripe’s Connected Account Agreement and Stripe’s own privacy policy with respect to their identity verification and payout data.
5. Cookies
MoxMarket uses the following cookies:
| Cookie | Purpose | Expiry |
|---|---|---|
| sb-auth-token | Keeps you signed in (strictly necessary) | Session |
| _ga | Google Analytics — distinguishes unique users | 2 years |
| _ga_* | Google Analytics — maintains session state | 2 years |
The authentication cookie is strictly necessary and cannot be disabled without preventing sign-in. The Google Analytics cookies are analytics cookies used to understand aggregate platform usage — they do not track you for advertising purposes. You can opt out of Google Analytics at any time by installing the Google Analytics opt-out browser add-on.
6. Your rights
Under the New Zealand Privacy Act 2020, you have the right to:
- Access your personal information held by us.
- Correct inaccurate personal information.
- Request deletion of your account and associated personal data — use the delete account option in Settings, or email us. Note that financial records (orders, wallet transactions, invoices) may be retained as described in section 7 below, and information you have shared with other users (e.g. your username on their order records, reviews) cannot be fully erased from their records.
To exercise these rights, contact us at hello@moxmarket.nz. We will respond within 20 working days as required by the Privacy Act.
If you believe we have breached the Privacy Act 2020, you may complain to the Office of the Privacy Commissioner.
7. Data retention
We retain your personal profile and account data for as long as your account is active. When you delete your account, your personal profile and authentication record are permanently deleted.
Financial records — including orders, platform fee calculations, wallet transactions, and invoices — are retained for a minimum of 7 years from the date of the transaction to meet our obligations under the Tax Administration Act 1994 and Inland Revenue requirements. These records are retained in a form that identifies the transaction but with personal identifiers minimised where practicable.
Business verification submissions are retained for the duration of the seller’s verified status and for a reasonable period thereafter for audit purposes.
Listing images and avatar photos stored in Cloudflare R2 are deleted when the associated listing is removed or the account is deleted.
8. Security
We take reasonable steps to protect personal information from unauthorised access, loss, or disclosure. These include encrypted connections (HTTPS), row-level security on our database, and access controls limiting staff access to personal data. Passwords are never stored in plain text — authentication is managed by Supabase. Card payment data is handled entirely by Stripe and never touches our servers.
No security system is infallible. If you become aware of a security issue, please contact us at hello@moxmarket.nz immediately.
9. Contact
For privacy-related queries, contact us at hello@moxmarket.nz.