Your data, explained plainly.

We collect data in these categories:

• Identity. Your display name, email address, and profile photo — pulled from your Google (or LinkedIn) OAuth login. We never see your Google password.
• Listings. Title, description, price, category, and metro-level location (city/suburb) for items you post. You may optionally add a cross-street or neighborhood hint — this is never required and never auto-populated from GPS.
• Messages. Text content of conversations between members. Phone numbers, emails, and other personal identifiers are automatically redacted before storage by our Sentinel system — see the Sentinel page for details.
• Reviews. Star ratings (1–5) and written feedback you leave for other members. These are associated with your account.
• SOS check-in.If you use the safety check-in feature, we store your emergency contact's name and phone or email, plus the scheduled meeting location and time. This data is used solely to escalate to your contact if you don't confirm safety by the deadline.
• Student verification. A cryptographic hash of your university email address and your institution name. We store the hash, not the email itself.
• Subscription tier. Whether your account is on the Free, Kaapi, Biryani, or Reserve plan.

• To operate the marketplace — matching listings to buyers, enabling messages.
• To display trust signals — verification badges, review counts, trust scores.
• To screen listings for fraud and prohibited content via Sentinel.
• To send transactional emails — student verification OTPs, saved-search alerts, SOS escalations. We send very little marketing email.
• To enforce community guidelines and respond to reports.

We do not use your data for advertising, behavioural profiling, or resale to third parties.

Your public profile shows: display name, profile photo, trust score, review count, and verification badges (Google-verified, student, LinkedIn).

Your email address, subscription tier, SOS contacts, and private account details are never visible to other members.

We use a small set of infrastructure providers. We do not use ad networks, tracking pixels, or analytics SDKs.

• Firebase (Google Cloud, US region) — authentication, database (Firestore), and file storage. All data at rest is encrypted with Google-managed keys. Data in transit uses TLS.
• Google Identity Services — OAuth sign-in UI hosted on accounts.google.com. Governed by Google's Privacy Policy.
• ipapi.co — IP-based city detection to pre-fill your metro on first visit. Your IP is sent to this service once per session. We do not store the raw IP.
• OpenStreetMap — map tiles for the safety-zones map. Tile requests include your IP but no account data.
• Google Fonts — Inter typeface loaded from fonts.googleapis.com. Standard font request, no personal data beyond IP.

ChaiandCity works at metro level — city and suburb. We do not collect GPS coordinates from your device.

Listings may include an optional free-text address or cross-street field, entered manually by the seller. Safe Zones (suggested meeting locations) are publicly known locations like police stations and malls — not your home address.

If you use SOS check-in, your emergency contact's details (name plus phone or email) are stored in your private account data, readable only by Veklo systems. They are used exclusively to send an alert if an SOS check-in is not confirmed by the deadline. They are never shared with other users or used for any other purpose. You can update or remove them at any time from your profile.

We do not use advertising cookies or third-party tracking cookies. Firebase Authentication stores a session token in your browser's localStorage to keep you signed in between visits. This token identifies your session with Firebase and is never shared with advertisers. Clearing your browser storage will sign you out.

• Active listings are visible until you archive or delete them. Stale listings are automatically archived after an inactivity window.
• Messages are retained while both accounts are active. We may retain them for a limited period after account deletion for abuse investigation.
• SOS check-ins expire automatically after the check-in deadline passes.
• Account deletion removes your profile and listings. Contact hello@veklo.io to request full erasure.

• Access and export. Request a copy of your data from Account → Profile.
• Deletion. Delete your account at any time. This removes your profile and listings.
• Correction. Update your display name and profile through your account settings.
• Opt-out of marketing email. Unsubscribe link in any email we send, or contact us directly.
• California residents (CCPA). You have the right to know what personal data we hold, request deletion, and opt out of any sale of personal data. We do not sell personal data. Submit requests to legal@veklo.io.

ChaiandCity is intended for users aged 13 and older. We do not knowingly collect data from children under 13. If you believe a child under 13 has created an account, contact us at hello@veklo.io and we will remove the account.

When we make material changes — to data collected, how it is used, or retention windows — we will notify members by email and post an update notice at the top of this page. Changes are not effective until 14 days after notice.