Privacy Policy

GoFindStuff LLC (GoFindStuff) operates the application at app.gofindstuff.com and collects the data required to operate the service: the email and password you use to sign in, the photos and inventory metadata you upload to scan and organize your stored items, your listings and messages on the marketplace, and basic device and request metadata. We do not sell your personal information, we do not share it with advertisers, and you can export or delete your account at any time from Settings or by writing to privacy@gofindstuff.com.

The data controller for personal information collected through the GoFindStuff application is GoFindStuff LLC, an Illinois limited liability company, with a mailing address at 1403 W Braymore Cir, Naperville, IL 60564, United States. Privacy questions go to privacy@gofindstuff.com.

• Account data: first name, last name, email address, password hash, optional profile photo, optional bio, and optional address / city / state / ZIP if you provide them for marketplace and garage-sale features.
• Content you upload: photos and videos of your boxes, item titles, item notes, prices, and the structured inventory our AI extracts from your scans.
• Marketplace activity: listings you publish, in-app messages you exchange with other users, favorites, reviews, donations, and the radius you select for nearby events.
• Consent record: when you accept these Terms and this Privacy Policy at signup, we record the policy version, a timestamp, your IP address, and your user-agent string so we can evidence the acceptance later.
• Server logs: IP address, user-agent, request path, and timestamps. Retained for up to 30 days for security, rate-limiting, and abuse-prevention.
• Location: if you opt into garage-sale or nearby-listing features, we store the coordinates you provide so we can compute distance. We do not silently collect device GPS.

We do not knowingly collect special categories of personal data (health, biometrics, financial-account details, government IDs). Don't upload them.

• To operate the scan, inventory, marketplace, and chat features you ask for.
• To send transactional email — account-security messages, password resets, listing replies, share invites.
• To send marketing or product-news email only where you have opted in (separate toggles in Settings → Email).
• To respond to your support requests.
• To improve model accuracy on aggregated, de-identified data only. We do not train models on personally identifiable content without consent.
• To comply with legal obligations and enforce our Terms of Service and Acceptable Use Policy.

Where the GDPR or UK GDPR applies, we rely on the following legal bases:

• Contract — to provide the service you asked for (operating your account, processing scans, hosting listings and chat).
• Legitimate interests — to keep the service secure, prevent abuse, and improve product quality. We weigh these interests against your rights.
• Consent — for marketing email and any non-essential cookies. You can withdraw consent at any time from Settings.
• Legal obligation — to respond to lawful requests from public authorities.

We use the following sub-processors, each bound by data-processing terms:

• AWS (Amplify Hosting, Lambda, S3, CloudFront) — application hosting and media storage. US region.
• MongoDB Atlas — primary database for accounts, inventory, listings, and messages. US region.
• Anthropic — vision and language inference for box scans, item identification, and chat assistance. Anthropic processes inputs to return inference results and, per its API terms, does not train on customer data submitted via API.
• Resend — transactional and (where opted in) marketing email delivery.
• Upstash QStash — queueing for background jobs (video processing, scheduled alerts). Job payloads include identifiers but not raw user content.

We do not sell or rent your data. We do not share it with advertisers or data brokers. We may disclose information when required by law or to protect rights, property, or safety.

Our infrastructure is hosted in the United States. If you are located outside the US, your data will be transferred to and stored in the US. Where required, we rely on the European Commission's Standard Contractual Clauses (or the UK Addendum) with our sub-processors.

• Server logs: up to 30 days.
• Account data and uploads: while your account is active, then deleted or fully anonymized within 30 days of account closure.
• Consent records and disputed-transaction logs: retained for the period required by law, even after account closure.
• Aggregated, de-identified analytics: retained indefinitely.

Wherever you live, you can ask us to:

• Access a copy of the personal data we hold about you.
• Correct inaccurate data.
• Delete your account and the data tied to it.
• Export your inventory, listings, and messages (data portability).
• Object to or restrict certain processing.
• Withdraw consent for any processing based on consent.

You can exercise the export and deletion rights directly from Settings → Privacy. For anything else, email privacy@gofindstuff.com. We aim to respond within 30 days.

If you are in the EEA or UK and we cannot resolve your concern, you have the right to lodge a complaint with your local supervisory authority.

If you are a California resident, you have the right to:

• Know the categories and specific pieces of personal information we have collected about you.
• Delete personal information we have collected, subject to certain exceptions.
• Correct inaccurate personal information.
• Opt out of the “sale” or “sharing” of personal information. GoFindStuff does not sell or share personal information for cross-context behavioral advertising.
• Limit use of sensitive personal information. We do not knowingly collect sensitive personal information.
• Be free from retaliation for exercising your rights.

Submit California privacy requests to privacy@gofindstuff.com with subject line “California Privacy Request.”

GoFindStuff is intended for adults. You must be at least 18 years old to create an account, and at least 13 years old to interact with the service in any form. We do not knowingly collect personal information from children under 13. If you believe a child has submitted information to us, email privacy@gofindstuff.com and we will delete it.

We use HTTPS in transit, encrypted storage at rest (AWS-managed encryption for S3, MongoDB Atlas-managed encryption for the database), bcrypt-hashed passwords (cost ≥ 12), HttpOnly Secure session cookies with SameSite=Lax, server-side authorization on every read and write, and rate-limiting on authentication endpoints. No system is perfectly secure. Report security issues to legal@gofindstuff.com.

The application sets only strictly-necessary session cookies for authentication. See our Cookie Policy for the full list and consent details.

When we make material changes, we update the policy version at the top of this page and re-prompt active users to accept the new version on their next sign-in. We also email registered users where required.

GoFindStuff LLC
1403 W Braymore Cir
Naperville, IL 60564
United States
Privacy: privacy@gofindstuff.com
General: hello@gofindstuff.com