Privacy Policy

Effective: May 5, 2026

This Privacy Policy describes how Relay (“Relay”, “we”, “us”, or “our”) collects, uses, stores, and protects information when you use our website, our mobile application (listed on the Apple App Store and Google Play as “Relay Marketplace”), and related services (collectively, the “Service”). If you have any questions about this policy, you can reach us at contact@therelay.app.

Relay is a peer-to-peer marketplace. We connect buyers and sellers in the same area so they can list, discover, negotiate, and transact local goods. To do that we have to handle some information about you. We try to handle it carefully, collect only what we need, and tell you plainly what we do with it.

1. Information we collect

1.1 Information you provide directly

• Account information. Your phone number (verified via SMS during signup), your display name, and an optional profile photo. Phone verification is performed by Firebase Authentication.
• Profile content. A short bio, neighborhood or city you choose to display, and any preferences you set (categories you shop, default search radius, notification preferences).
• Listings. Photos, titles, descriptions, prices, conditions, categories, and any other detail you add to a listing you publish on Relay.
• Offers and messages. Offer amounts, counter-offers, and the content of messages you exchange with other users inside the offer thread.
• Reports and blocks. If you report a listing or user, or block another user, we record that action so we can act on it and so the affected user is hidden from you on a going-forward basis.

1.2 Location information

With your permission, the app collects your approximate (coarse) location from your device so we can show you nearby listings and so other users can see the rough distance to your listings. We use coarse location only, never GPS-precise location, and the default search radius is 25 miles.

You can deny or revoke location permission at any time in your device settings. If you do, you can still use Relay by setting a search location manually; some proximity features (e.g., distance-to-listing on the explore feed) will be unavailable or estimated.

1.3 Device information

• A Firebase Cloud Messaging (FCM) device token, used to deliver push notifications about offers, messages, watchlist matches, and account events. Push notifications are optional; if you don't grant notification permission we don't store an FCM token for you.
• Standard request metadata that any web service receives (IP address, user-agent, and timestamps), used for reliability, security, abuse prevention, and to debug issues. This data may appear transiently in our server access logs with limited retention.
• A device or installation identifier used to scope your session and to detect duplicate or fraudulent signups.

1.4 Identity verification (optional)

Relay offers an optional identity verification feature. If you choose to verify, you are briefly redirected to our identity-verification partner, Persona, where you upload a government-issued photo ID and (depending on the flow) take a selfie. Persona processes the document and biometric data on its own platform and returns a pass/fail result to Relay.

Relay never receives, stores, or has access to your ID document, your selfie, or any biometric data. From a verification, Relay only stores:

• The current verification status (verified, pending, failed, expired).
• Timestamps of each successful verification and any state change.
• The Persona inquiry id, used only to correlate webhook events with your account.

Persona is the data controller for the underlying ID and biometric data submitted during verification. Their handling of that data is governed by Persona's Privacy Policy; we recommend reviewing it before verifying. You can use Relay without verifying.

1.5 AI-assisted listing creation

When you publish a listing, you can use Relay's “scan” feature, which uses an AI model to draft the title, description, and category from the photos you upload. To do this, we send your listing photos and a small prompt to a third-party model provider over an encrypted connection. The provider returns suggested text; you can accept, edit, or discard it before publishing.

We do not allow our model providers to train their general-purpose models on your photos or the text generated for you, and we do not use your data to train any AI or machine-learning models ourselves.

1.6 Purchases and subscriptions

Pro subscriptions and AI scan packs are sold as in-app purchases through the Apple App Store and Google Play, and the billing relationship is governed by their terms. Payment instruments (card, Apple Pay, Google Pay) are handled by Apple or Google. Relay does not receive or store your payment-card information. We do receive an entitlement signal (e.g., “Pro active until X”, “5 scans remaining”) from our subscription infrastructure provider, RevenueCat, so the app can unlock the right features for your account.

For waitlist signups on the marketing website, we collect only the email address you provide and store it in a private Notion database we control.

2. How we use your information

We use the information described above to:

• Operate the marketplace: show you relevant nearby listings, route offers and messages to the right user, surface verified status, and deliver push notifications you've opted into.
• Maintain trust and safety: moderate user-generated content, action reports, enforce blocks, detect fraud and abuse, and respond to security incidents.
• Provide and improve user-facing features: the AI-assisted listing flow, the ranking of the explore feed, and watchlist match notifications.
• Comply with legal obligations, respond to valid legal process, and enforce our Terms.
• Communicate service-related messages (verification results, security alerts, billing receipts, material policy updates).

We do not use your information for cross-app behavioral advertising. We do not sell your personal data to advertisers, data brokers, or any third party.

3. What we store

Account data, listings, offers, messages, verification status, watchlists, blocks, and reports are stored in Google Cloud Firestore. Server-side code runs on Vercel. Listing photos are stored in Google Cloud Storage. Push tokens are held by Firebase Cloud Messaging.

Subscription and entitlement state is stored with RevenueCat. Identity-verification status records reference an opaque Persona inquiry id; the underlying ID and biometric data are held by Persona, not Relay.

Reports submitted via the in-app “Report” flow are written to a private Notion database used as our moderation queue. Waitlist emails are stored in a separate private Notion database.

4. How we share information

We do not sell, rent, or trade your personal information. We share limited information in the following situations:

• With other users of the Service. Your display name, profile photo, neighborhood/city (at the granularity you set), verification status, listings, and the messages you send inside an offer thread are visible to the user(s) you transact with, as necessary for the marketplace to function. Your phone number is never shared with other users.
• With service providers (subprocessors). We rely on a small set of vendors to run the Service. They process information on our behalf under contractual privacy and security commitments. Current subprocessors are:
  • Google Firebase / Google Cloud: authentication, Firestore data, Cloud Storage for photos, Firebase Cloud Messaging for push, hosting infrastructure.
  • Vercel: website hosting and serverless API hosting.
  • Persona: optional identity verification.
  • RevenueCat: subscription and in-app purchase entitlement management.
  • Apple and Google Play: billing and payment processing for in-app purchases.
  • Notion: internal moderation queue and waitlist.
  • AI model providers: third-party large-language and vision model APIs used for the AI-assisted listing draft, contractually prohibited from training on your data.
• For legal reasons. If required by applicable law, subpoena, court order, or other valid legal process, or to protect the rights, safety, or property of Relay, our users, or the public.
• In a corporate transaction. If Relay is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction, subject to the recipient honoring this Privacy Policy.

5. Data retention, revocation, and deletion

You have full control over the data we hold:

• Delete your account. From Profile → Settings → Account → Delete useryou can permanently delete your Relay account. When you do, we delete your profile, listings, watchlists, blocks, FCM token, verification record on Relay's side, and Firebase Authentication record. Messages you sent inside offer threads remain visible to your counterparty in anonymized form where necessary to preserve the integrity of those shared records.
• Edit your profile. Display name, profile photo, bio, neighborhood, and notification preferences can all be edited from Account Settings.
• Revoke device permissions.Location, notification, and photo-library permissions are controlled by your device's system settings and can be revoked at any time.
• Stop receiving emails. Email contact@therelay.app to be removed from waitlist or service-update mailings.

After account deletion we retain a minimal record of the deletion event (timestamp, device identifier, country) for fraud prevention and to comply with legal obligations. Backups are rotated within 30 days. ID documents and biometric data held by Persona are retained or deleted per their retention policy, which you can manage directly with them.

6. Security

We store data in Google Cloud Firestore with encryption at rest, and all data in transit is protected by TLS. Access to production systems is restricted to a small set of Relay team members and is gated by multi-factor authentication. We do not log payment-card information and we do not log Persona biometric responses. While we take reasonable technical and organizational measures to protect your data, no online service can be guaranteed to be 100% secure.

7. Your rights

Depending on where you live, you may have the right to access, correct, port, or delete the personal information we hold about you, and to object to or restrict certain processing. Most of these rights can be exercised directly from the app. Account Settings supports editing your profile, revoking device permissions, and deleting your account. For any request we can't fulfill through the app, including a copy of your data, a list of information we hold about you, or a complaint about how we handle your data, email us at contact@therelay.app. We will respond within a reasonable timeframe and within any deadlines required by applicable law.

California residents have additional rights under the California Consumer Privacy Act (CCPA/CPRA), including the right to know what personal information we collect about you and the right to opt out of any “sale” or “sharing” of personal information. Relay does not sell or share personal information as those terms are defined under California law.

8. Children

The Service is not directed to children under 13 (or under 16 in jurisdictions where that is the applicable age). We do not knowingly collect personal information from children below that age. If you believe a child has provided us with personal information, please contact us at contact@therelay.app and we will promptly delete it.

9. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the app, by email (if we have one on file for you), or by updating the effective date at the top of this page. Your continued use of the Service after the updated policy takes effect constitutes acceptance of the changes.

10. Contact

Questions, concerns, or requests about this Privacy Policy or your data can be sent to contact@therelay.app.