Privacy Policy
Last updated: May 9, 2026
This policy explains what data Sabet collects, why we collect it, who we share it with, and how you can review or remove it. Plain English first; the legal terms are in our Terms of Service.
1. What we collect
We only collect what we need to run the platform:
- Account data — email address, handle, display name, optional bio, location, profile photo. Provided by you when you sign up.
- Auth data — passwords are never seen by Sabet; authentication is handled by Clerk. We receive a stable user ID.
- Payment data — when you buy or bid, Stripe collects card details directly. Sabet stores only a Stripe customer ID, the card brand (e.g. Visa), and the last 4 digits, so we can show what's on file. Full card numbers never touch our servers.
- Shipping address — collected by Stripe at checkout when you buy a physical piece, then stored with the order.
- Provenance + ownership — when you own, verify, or transfer a piece, we record it as part of the public ownership chain. This data is intentionally public, except where you mark your profile private.
- Content you post — community threads, replies, feed posts, images you upload. Public unless explicitly marked otherwise.
- Operational logs — IP address, request paths, error stack traces, captured by Vercel for security and debugging. Retained 30 days unless tied to a security incident.
2. What we don't collect
- Browsing data outside Sabet (no third-party advertising trackers).
- Card numbers, CVCs, or full bank details (Stripe handles those).
- Government IDs (we don't do KYC; we're not a financial platform).
- Sensitive demographics (race, religion, health) — we have no use for them.
3. Why we collect it
- Run your account, show your collection, deliver pieces you bought.
- Issue and verify certificates of authenticity.
- Send transactional email (order receipts, verification updates, drop notifications you opted into).
- Investigate fraud, theft claims, and ToS violations.
- Improve the product — aggregate, non-identifying analytics only.
4. Who we share it with
We use a small set of vendors to run the platform. Each one only sees the data they need:
- Clerk — authentication. Receives email, password, profile basics. Their privacy policy.
- Stripe — payments. Receives card details, shipping address, transaction metadata. Their privacy policy.
- Vercel — hosting + Blob storage for uploaded images. Their privacy policy.
- Neon — Postgres database. Their privacy policy.
- Resend — transactional email delivery. Receives recipient email + message body. Their privacy policy.
- ShipStation — shipping label generation. Receives shipping address + order details. Used only when an order ships.
We don't sell your data. Ever. We don't share it with advertisers or data brokers. The only time we hand data to a third party outside the vendors above is in response to a valid legal subpoena.
5. Cookies
We use a small number of strictly-necessary cookies for authentication (set by Clerk) and session management. We don't run third-party advertising or behavioral cookies. If we ever add analytics, it'll be a privacy-respecting tool (Vercel Analytics or Plausible) that doesn't require a banner.
6. Public vs. private data
Sabet is a transparent collector platform. By default: handle, display name, bio, photo, owned pieces, and ownership records are public on your profile and the Vault. You can flip your profile to private from /settings at any time, which hides your identity from public listings while keeping the chain of provenance intact (records show “Private collector” instead of your handle).
7. Your rights
You can:
- See your data — most of it is visible on your profile + settings page. Email us if you want a complete export.
- Correct it — edit at any time via /settings.
- Delete your account — email us. We will remove your account and personal data, but ownership records and certificates remain (anonymized as “Former collector”) because the provenance chain has to stay intact for the integrity of the work.
- Withdraw email consent — unsubscribe links are in every promotional email; transactional email (receipts, verification) keeps running.
California (CCPA), EU/UK (GDPR), and other regional rights apply where applicable — contact us to exercise them.
8. Children
Sabet is not intended for anyone under 13. If we learn we've collected data from a child under 13, we'll delete it.
9. Security
All traffic is HTTPS. Payment data is tokenized by Stripe. Database backups are encrypted at rest. Admin access is restricted by role and audited. We don't guarantee impenetrability — no platform can — but we follow industry practice and patch promptly.
10. Changes
We'll update this page when we change our practices. Material changes get a banner notice and an email to active accounts. The “Last updated” date at the top of this page reflects the most recent revision.
11. Contact
Questions, requests, complaints — email privacy@sabet.com (or the support address listed in the footer if different). We aim to reply within 5 business days.
