Nightwatch.

Privacy Policy

Last updated: March 21, 2026

NightwatchMarket ("we," "our," or "us") operates a food rescue marketplace connecting restaurants and food businesses with nonprofit organizations. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform.

1. Information We Collect

1.1 Information You Provide

  • Account Information: Name, email address, password (hashed), and organization details.
  • Business Information: Business name, address, phone number, EIN (for nonprofits), and business type.
  • Transaction Data: Donation records, listing details, fair market value estimates, and tax documentation.
  • Identity Verification: Government-issued ID documents and selfie images submitted for KYC compliance (stored encrypted).
  • Payment Information: Processed by Stripe. We do not store credit card numbers directly.

1.2 Information Collected Automatically

  • Usage Data: Pages visited, features used, and interaction patterns.
  • Device Information: IP address, browser type, operating system, and device identifiers.
  • Location Data: Approximate location based on IP address or user-provided location for marketplace search.
  • Cookies: See our Cookie Policy for details.

2. How We Use Your Information

  • To provide, maintain, and improve our marketplace platform.
  • To process food donations and generate tax documentation.
  • To verify identity for regulatory compliance (KYC/AML).
  • To communicate with you about your account, transactions, and platform updates.
  • To detect, prevent, and address fraud, security issues, and technical problems.
  • To comply with legal obligations, including tax reporting requirements.

3. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), we process personal data under the following legal bases:

  • Contract: Processing necessary to provide our services.
  • Legitimate Interest: Fraud prevention, platform security, and service improvement.
  • Legal Obligation: Tax reporting, food safety compliance, and KYC requirements.
  • Consent: Marketing communications and optional analytics.

4. Data Sharing

We share your information only in these circumstances:

  • Between Marketplace Participants: Donor business name and food listing details are shared with claiming nonprofits. Nonprofit organization name and EIN are shared with donors for tax documentation.
  • Service Providers: We use Stripe (payments), Vercel (hosting), Supabase (database), and Square (POS integration).
  • Legal Requirements: When required by law, regulation, or legal process.
  • Business Transfers: In connection with a merger, acquisition, or sale of assets.

We do not sell your personal information to third parties.

5. Data Security

  • All data is transmitted over TLS/HTTPS encryption.
  • Sensitive personal data (phone, address, tax ID) is encrypted at rest using AES-256-GCM.
  • OAuth tokens are encrypted with a separate encryption key.
  • KYC documents are stored with private access controls.
  • Passwords are hashed using bcrypt.
  • Sessions use HTTP-only, secure cookies with automatic expiration.

6. Data Retention

  • Account Data: Retained while your account is active, deleted upon account deletion request.
  • Tax Documentation: Retained for 7 years as required by IRS regulations (26 USC 6501).
  • KYC Documents: Retained for 5 years after account closure per BSA/AML requirements.
  • Audit Logs: Retained for 3 years for security compliance.

7. Your Rights

7.1 All Users

  • Access your personal data.
  • Correct inaccurate data.
  • Delete your account and associated data (subject to legal retention requirements).
  • Export your data in a portable format (JSON).
  • Opt out of marketing communications.

7.2 EEA Users (GDPR)

  • Right to restriction of processing.
  • Right to object to processing based on legitimate interest.
  • Right to withdraw consent at any time.
  • Right to lodge a complaint with your local data protection authority.

7.3 California Users (CCPA)

  • Right to know what personal information is collected and how it is used.
  • Right to delete personal information.
  • Right to opt out of the sale of personal information (we do not sell personal information).
  • Right to non-discrimination for exercising privacy rights.

8. International Data Transfers

Our servers are located in the United States. If you are accessing our platform from outside the US, your information will be transferred to and processed in the US. We rely on Standard Contractual Clauses (SCCs) for transfers from the EEA.

9. Children's Privacy

Our platform is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children.

10. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Continued use of the platform after changes constitutes acceptance.

11. Contact Us

For privacy inquiries, data requests, or questions about this policy:

  • Email: privacy@nightwatchmarket.com
  • Mail: NightwatchMarket, Attn: Privacy Officer, [Address]

For GDPR inquiries, our Data Protection Officer can be reached at dpo@nightwatchmarket.com.