1. Who's responsible
Snapitup is the data controller for the information described below. The operating entity is registered in Belize. Privacy questions: hello@snapitup.bz.
2. What we collect
- Account data: phone number (required for OTP login), name, optional email, optional seller bio, optional Google sign-in identity.
- Addresses: delivery + pickup addresses you add to your profile. Buyer addresses are never shown to sellers; seller addresses are never shown to buyers. Couriers see only the addresses needed for their leg of the handoff.
- Listings: titles, descriptions, prices, photos, category templates. Photos have their EXIF metadata stripped before storage.
- Transactions: orders, reservations, payments, courier shipments, disputes, ratings.
- Payments: we hold the payment reference (e.g. Stripe charge id) and the amount — but not your card number. Card data is held by the payment provider (Stripe, DigiWallet, Atlantic Bank, Ekyash), never by us.
- Telemetry: page views, button clicks, search queries. Sent to a first-party endpoint (/_t), tied to a per-tab session UUID, and your IP is one-way hashed before storage. We honor the DNT: 1 browser header — if you set it, we record nothing.
- Notifications: a log of every email, SMS, push, and in-app notification we sent you, so ops can answer "did you actually receive it?".
- Activity log: who-changed-what audit trail on sensitive records (Settings, your verification level, your suspended status, etc.).
3. What we use it for
- Operating the marketplace — matching buyers to listings, coordinating couriers, paying sellers.
- Fraud + safety — pattern matching on listings + messages to block phishing, off-platform contact, and prohibited items.
- Disputes — investigating complaints and issuing refunds.
- Product analytics — understanding what works and what doesn't. Aggregated, not sold.
- Legal compliance — tax reporting and lawful disclosure requests under Belize law.
We do not sell your personal data. We do not run third-party ad tracking. We do not transfer your data outside the parties listed below.
4. Who we share data with
Limited disclosures, each tied to a specific operational need:
- Payment providers — Stripe, DigiWallet, Atlantic Bank (via IMAP receipts), Ekyash. They process the charge; they need the amount, your contact, and a reference.
- Couriers — EZ Delivery, Tropic Air Cargo, Belize Water Taxi. They need the pickup address (seller-side) and delivery address (buyer-side) plus a contact phone for the handoff.
- Email + SMS providers — to deliver transactional and reminder notifications. Mercury Mail for email, our Belize SMS provider for OTP + alerts.
- Hosting — server provider for the application; cloud storage for images.
We require each of these processors to handle your data only for the specific purpose we engaged them for.
5. How long we keep it
- Account + transactions: for as long as your account is open, plus 7 years after closure for tax + dispute purposes (Belize default record-keeping window).
- OTP codes: hashed at rest, expire within minutes.
- Telemetry events: rolling 180-day window. Older rows are purged automatically.
- Notification log: rolling 12 months.
- Compiled views, application logs: 14 days.
6. Your rights
- Download a copy of everything we hold on you at any time: /profile/export.json.
- Correct profile details from /profile.
- Opt out of any notification channel from /notifications.
- Opt out of telemetry by enabling DNT: 1 in your browser settings — we honor it.
- Delete your account by emailing hello@snapitup.bz. We retain the minimum required for legal + accounting purposes; everything else is purged within 30 days.
7. Security
Passwords and OTP codes are hashed. Payment-method details (bank account numbers, etc.) are encrypted at rest. The site uses HTTPS end-to-end. We rate-limit authentication attempts, OTP requests, and webhook callbacks. We do not store full card numbers — that's the payment provider's job.
8. Cookies + storage
We use first-party cookies for authentication (your login session, CSRF protection) and one localStorage key (snapitup:theme) to remember your light/dark preference. Telemetry uses a per-tab session UUID stored in sessionStorage. We don't use third-party tracking cookies or analytics SDKs.
9. Children
Snapitup is not directed at children under 16. Accounts must be opened by an adult. If we learn we are holding data on a person under 16 we will remove it.
10. Changes to this policy
Material changes are announced via email and an in-app notification at least 14 days before they take effect. The "Last reviewed" date at the top of this page is the source of truth for the current version.
Plain-language summary intended for everyday users. Operator's note: this policy is a starting point and should be reviewed by Belize legal counsel before public launch. Last reviewed 2026-05-18.