Back

Privacy Policy

Last updated: June 9, 2026

RaidTrain ("we", "us") provides a platform for discovering and organizing raid trains for live-selling creators. This policy explains what data we collect, why, how long we keep it, and the rights you have.

1. Data we collect

  • Account data: name, email, password hash, platform username (e.g. Whatnot handle), time zone, role (rider/conductor).
  • Profile data: linked social/platform handles, optional cover photos.
  • Train activity: trains you create or apply to, signup answers, chat messages, slot claims, favorites.
  • Public platform stats: follower/sales counts fetched from your public Whatnot page (used to help conductors evaluate applicants).
  • Technical data: IP address, user agent, push subscription endpoints, error logs, email delivery logs.
  • Cookies & local storage: session tokens, theme/preference flags. See Cookies.

2. Legal basis (GDPR Art. 6)

  • Contract: account creation, train participation, transactional emails (signup confirmation, reminders, stop notifications).
  • Legitimate interest: spam/abuse prevention, service analytics, fetching public platform stats.
  • Consent: push notifications, optional marketing email, non-essential cookies.
  • Legal obligation: responding to lawful requests, record-keeping.

3. How we use your data

  • Operate the service, authenticate you, and process your train signups.
  • Send transactional and (optional) reminder emails.
  • Display your handle/name on conductor and rider screens you participate in.
  • Improve reliability and prevent abuse.

4. Sharing

We do not sell personal data. We share data with processors strictly to run the service:

  • Hosting & database (Supabase — EU/US regions).
  • Email delivery (Resend / SMTP provider).
  • Web scraping for public profile stats (Firecrawl).
  • Push notification gateways (browser vendors).

All processors are bound by Data Processing Agreements (DPAs). Where data leaves the EEA, transfers rely on Standard Contractual Clauses.

5. Retention

  • Account & profile: until you delete your account.
  • Closed trains and chat history: retained while the conductor's account is active.
  • Email delivery logs: 90 days.
  • Error logs: 30 days.

6. Your rights

Under GDPR/UK GDPR/CCPA you can:

  • Access & portability: export your data from the profile page.
  • Rectification: edit your profile at any time.
  • Erasure: delete your account from the profile page.
  • Restriction & objection: email us (see below).
  • Withdraw consent: toggle email/push notifications in profile settings.
  • Lodge a complaint with your local supervisory authority.

7. Security

Data is encrypted in transit (TLS) and at rest. Row-level security restricts data access to authorized accounts. Passwords are hashed by Supabase Auth.

8. Children

RaidTrain is not directed at children under 16. We do not knowingly collect data from minors.

9. Cookies & local storage

We use strictly-necessary cookies/local storage for authentication, session persistence, and remembering your theme and preferences. We do not run third-party advertising or cross-site tracking cookies. Any future analytics will be opt-in.

10. Third-party platforms

RaidTrain is not affiliated with Whatnot. Public information shown about your Whatnot profile (handle, follower/sales counts) is fetched from publicly accessible pages.

11. Changes

Material changes will be announced in-app or by email. The "Last updated" date above reflects the current version.

12. Contact

Privacy questions or rights requests: privacy@raidtrain.app.