This Privacy Policy explains how DormSell ("DormSell," "we," "us," or "our") collects, uses, shares, and protects information in connection with your use of our peer-to-peer marketplace web application (the "Platform"). DormSell is designed exclusively for verified MIT students.
1. Introduction & Contact Information
DormSell is the data controller responsible for your personal information processed under this policy. Any concerns should be directed to help@dormsell.com.
2. Information We Collect
We collect information from you when you register, use our services, and interact with the Platform.
2.1. Information You Directly Provide
This information is required for account creation, platform functionality, and transaction facilitation:
| Data Category | Examples Collected | Purpose & Storage Note |
|---|---|---|
| Account Data | MIT .edu Email Address, Full Name | Used for verification and platform contact. |
| Authentication Data | Password | Stored only as a hashed output using bcrypt (12 rounds). The original password is never stored. |
| Profile Data (Optional) | Dorm Assignment, Year, Profile Picture | Shared with transaction counterparties (buyers/sellers) upon using the "Ping" feature. Profile pictures are stored on Supabase Storage and converted to WebP format. |
| Listing Content | Item titles, descriptions, images, pricing, location | Displayed publicly on the marketplace. Images are stored on Supabase Storage, processed and converted to WebP format for optimization. |
| Payment Preferences | Venmo/PayPal/Cash usernames or instructions | Stored in plain text. This is necessary to facilitate off-platform transactions. DormSell does not store or process financial details like credit card numbers. |
| Watchlist Data | Product categories, keywords, price ranges | Used to send you notifications when items matching your interests are listed. Stored to provide personalized marketplace recommendations. |
| Communications | Chat Messages, Support Ticket Content | Encrypted before storage (see Section 5.1). |
2.2. Information We Automatically Collect
When you access the Platform, we automatically log certain data for security and operational purposes.
- Activity Logs: Login timestamps, listing creation/update/deletion, purchase intent tracking, transaction completion actions.
- Transaction Compliance: We automatically track incomplete transactions and enforce a 4-day completion policy. Users with incomplete transactions older than 4 days are restricted from creating new listings or starting new chats until their pending transactions are completed.
- Security Logs: IP addresses and User Agent strings are logged only for administrative actions (e.g., account suspension, moderation) to maintain an audit trail and prevent abuse.
- Session Data: Data related to your use of the Platform, which includes authentication tokens (JWTs with a 7-day expiration).
3. How We Use Your Information
We use your information to operate, secure, and improve the DormSell Platform.
- Account Management: To verify your MIT student status, create your hashed password, and manage your account access via secure JWT tokens.
- Platform Functionality: To display listings, facilitate the peer-to-peer connection between buyers and sellers, track transaction progression, and manage the 4-day transaction completion policy.
- Communication: To send essential transactional emails via SendGrid (e.g., email verification, password reset, and the Ping Notifications), as well as watchlist interest notifications.
- Personalization: To send you notifications when items matching your watchlist interests are listed on the marketplace.
- Transaction Compliance: To enforce the 4-day transaction completion requirement and restrict platform access for users with overdue incomplete transactions.
- Security and Moderation: To enforce our Terms of Service, prevent fraud, review flagged content, and maintain an audit log of administrative and security actions.
- Legal Compliance: To comply with legal obligations, respond to court orders, and protect our rights, property, and safety, as well as the safety of our users and the public.
4. How We Share Your Information
We share your information in the following ways, which are essential to providing the marketplace service.
4.1. Sharing with Other DormSell Users
The core function of DormSell requires sharing information between users to complete transactions.
- Public Profile and Listings: Your full name, profile picture, and listing details are visible to all users.
- Transaction-Specific Sharing (The "Ping" System): When a buyer uses the "Ping" feature on a listing, we automatically send a notification email to both the buyer and the seller. This email exchange includes the following contact and profile information for both parties to facilitate the direct, off-platform transaction: Name, Email, Dorm, Year, Profile Picture.
By using the "Ping" feature, you explicitly consent to this direct sharing of your contact information with the counterparty.
4.2. Sharing with Service Providers
We use third-party providers to operate the Platform, who are contractually bound to protect your data.
| Service Provider | Data Shared | Purpose |
|---|---|---|
| Supabase | All User Data (Hashed Passwords, Encrypted Messages, Profile Pictures, Listing Images) | Cloud-hosted database, authentication infrastructure, and image storage services. |
| SendGrid | Name, Email Address, Transaction-related Data | Transactional email delivery (Verification, Resets, Ping Notifications, Watchlist Interest Notifications). |
4.3. Legal and Safety Disclosures
We may disclose your information if we believe it's necessary to: (a) comply with legal processes (subpoena, court order); (b) enforce our Terms of Service; (c) respond to claims that any content violates the rights of third parties; or (d) protect the rights, property, or personal safety of DormSell, our users, or the public.
5. Data Security & Encryption Measures
We prioritize the security of your data using a range of technical measures.
5.1. Encryption in Storage and Transit
- Message Encryption: All chat messages and support ticket content are encrypted before database storage using industry-standard encryption methods.
- Important Note on Encryption: Messages are encrypted at rest but are not end-to-end encrypted. Platform administrators with authorized access can decrypt messages for legal compliance, safety investigations, and security purposes. Messages are decrypted only when displayed to authorized users (chat participants).
- Image Processing: All uploaded images (profile pictures and listing images) are processed and optimized for efficient storage and delivery.
- Password Security: Passwords are never stored in plain text. They are hashed using industry-standard cryptographic hashing algorithms with salting to ensure maximum security.
- Data in Transit: All connections to our database and API requests utilize encrypted connections (HTTPS/TLS) to protect your data during transmission.
5.2. Authentication and Token Security
- Access Tokens: We use secure token-based authentication to verify user identity. These tokens have limited lifespans and are automatically refreshed as needed.
- Verification Tokens: We use secure random tokens for email verification and password resets. These tokens expire after a set period and are deleted after one-time use.
- API Security: We implement rate limiting and monitoring to protect against abuse and denial-of-service attacks on our API endpoints.
- Security Headers: We use industry-standard security headers to help mitigate common web vulnerabilities.
6. Data Retention
We retain your personal information for as long as your account is active and as necessary to fulfill the purposes outlined in this policy.
- Active Accounts: Data is retained for the duration of your active DormSell account.
- Account Deletion: You have the ability to delete your account. If you choose to delete your account, we will delete or anonymize your personal information within 90 days, except where retention is necessary for:
  - Complying with legal obligations (e.g., tax, audit, court orders).
  - Maintaining transaction and administrative audit logs for security and legal purposes.
  - Resolving disputes or enforcing our agreements.
  - Enforcing the 4-day transaction completion policy.
- Encrypted Messages and Transaction History: Encrypted messages and transaction history may be retained beyond the 90-day period in an anonymized or aggregated form for platform security and the integrity of the reputation system.
- Transaction Records: Records of incomplete transactions and compliance actions may be retained to enforce our transaction completion policies and prevent abuse.
7. Transaction Completion Policy
To maintain platform integrity and encourage timely transaction completion, DormSell implements the following policy:
- 4-Day Completion Requirement: Users with incomplete transactions older than 4 days are restricted from creating new listings or starting new chats until their pending transactions are completed.
- Active Transaction Messaging: Users can continue to send messages within existing chat rooms related to their active transactions, even if they have incomplete transactions older than 4 days.
- Automated Tracking: Our system automatically tracks transaction status, timestamps, and completion state to enforce this policy.
- Policy Enforcement: We may restrict platform features, send reminder notifications, or take other actions to encourage transaction completion as outlined in our Terms of Service.
8. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes to our practices or for other operational, legal, or regulatory reasons. We will notify you of any material changes by posting the new policy on the Platform and updating the "Last Updated" date. Your continued use of the Platform after the effective date of the revised policy constitutes your acceptance of the terms.