About This Policy 1STBOND is a marketplace, meetup coordination, and local business discovery platform intended exclusively for users 18 years of age or older. It is not a safety service, identity verification service, or background check service. Identity verification is optional for most users and mandatory only for Marketplace sellers. Creating a Business Profile does not require identity verification. The pre-meetup confirmation scan is a coordination tool, not a safety feature. This policy will be updated before any new data collection practices launch.
1STBOND LLC ("we," "our," or "us") operates a mobile application and website that allows users to list and discover items for sale, coordinate in-person meetups, discover local businesses, and purchase promoted visibility. This Privacy Policy explains how we collect, use, disclose, and safeguard your information.
We collect only the minimum information necessary to provide the Services and do not sell personal data.
1STBOND is intended exclusively for users 18 years of age or older. By creating an account, you represent and warrant that you are at least 18. During account creation, you are required to confirm your age via a self-declaration before proceeding. 1STBOND LLC does not independently verify the age of general users; the sole exception is Marketplace sellers, whose age is confirmed against a government-issued ID.
AGE VERIFICATION DATA For Marketplace sellers only, age verification occurs as part of the mandatory identity verification process through Didit. The data collected, how it is stored, and when it is deleted is described in Section 3.2 below. For all other users, age is self-declared and not independently verified. No separate age verification data is collected from general users beyond the age confirmation at account creation, which is a boolean flag stored in our Supabase database (confirmed 18+ or not). This flag is deleted within 30 days of account closure.
1STBOND does not knowingly collect personal information from users under 18. If we become aware that a user is under 18, we will terminate the account and delete their information promptly. Parents or guardians with concerns should contact privacy@1st-bond.com.
Full legal name
Email address
Date of birth (self-declared; you represent you are 18 or older)
Age confirmation flag (boolean stored in Supabase; confirms 18+ self-declaration at account creation)
Username and @handle (publicly visible and searchable)
Profile photo (optional, visible to other users)
Profile banner photo (optional, visible to other users)
Profile bio (optional, visible to other users)
Meetup codes (alphanumeric identifiers linked to your account and meetup record)
Password (stored encrypted; we cannot access your plain-text password)
Identity verification is optional for most uses of the Services and mandatory only for Marketplace sellers. If completed, we collect government-issued ID and selfie/liveness images processed by Didit. Extracted identity data (name, date of birth, verification status) is stored in Supabase. We do not store your residential address, raw ID number, or expiration date. We may access full ID data from Didit only to: (a) investigate fraud; (b) respond to a valid legal or law enforcement request; or (c) resolve a safety incident.
We collect biometric data in two contexts:
(a) Optional identity verification (mandatory for Marketplace sellers): face scan and liveness photo to match your face against your government-issued ID, processed by Didit and stored in AWS.
(b) Pre-meetup confirmation scan (mandatory for all meetup participants): face scan confirming the person present matches the account that scheduled the meetup. The scan window opens 6 hours before the meetup and closes 10 minutes before. Reminders at 6 hours, 1 hour, and 10 minutes before. This is a logistics and coordination feature — not a safety or identity verification feature.
Face scan photos are stored in AWS. Identity verification status is stored in Supabase. Biometric data is used solely for meetup coordination and identity verification. We do not use it for advertising or profiling.
ILLINOIS RESIDENTS — BIPA NOTICE Biometric data is never sold or used for advertising. Destroyed within 90 days of account closure. Separate written in-app consent presented before collection. Withdraw consent at privacy@1st-bond.com (will prevent meetup participation). This notice satisfies our written retention policy disclosure obligation.
TEXAS RESIDENTS — CUBI NOTICE Biometric identifiers collected only with informed consent, never sold, destroyed within 90 days of account closure.
WASHINGTON RESIDENTS — MY HEALTH MY DATA ACT NOTICE Biometric data used solely for meetup coordination and optional identity verification. Not sold or shared. Destroyed within 90 days of account closure.
COLORADO RESIDENTS — CPA BIOMETRIC NOTICE In accordance with the Colorado Privacy Act's biometric data amendment (C.R.S. § 6-1-1314), 1STBOND LLC maintains a written policy establishing a retention schedule for biometric identifiers and biometric data, and destroys such data upon satisfaction of the purpose for which it was collected or within 90 days of account closure, whichever is earlier. Biometric data is collected only with your consent, is never sold, leased, traded, or used for advertising, and is not disclosed or disseminated to any third party except as necessary to provide the Services (see Section 6), to complete a financial transaction you requested, or as required by law. Colorado residents have the right to access their biometric identifiers, request correction of inaccurate biometric identifiers, and lodge a complaint regarding our biometric data practices by contacting privacy@1st-bond.com.
In-app messages stored on our servers for delivery and safety review. Accessed by staff only for enforcement, investigation, or legal compliance. Not used for advertising or sold to third parties.
Meetup creation — "Use my current location" tap
Address autocomplete — powered by Google Cloud Platform
Built-in GPS navigation to meetup locations
Route preferences (Fastest, No Tolls, No Highways) — used only to generate your route, not stored
Open in Maps App — destination passed to the third-party app you select, subject to its privacy policy
Live tracking — recommended departure time and ETA (Google Cloud Platform)
Business Discovery location — used within the session to surface nearby businesses; not stored beyond that session
We do not track your location in the background outside of an active meetup or navigation session.
Pre-meetup confirmation scan and optional identity verification: camera required
Profile, Marketplace listing, Business Profile photos and video (including For You feed): camera or photo library, optional
Star ratings and written reviews are stored in Supabase and displayed publicly. Not used for advertising.
Item title, description, price, category, and photos submitted by verified sellers are stored in Supabase and publicly visible in-app and on 1st-bond.com. We do not collect or process payment information.
Creating a Business Profile does not require identity verification. We collect business name, category, description, physical address or service area, operating hours, contact information, and photos or videos including For You feed content. Stored in Supabase and publicly visible in-app and on 1st-bond.com. For Business Directory Subscription users, we also store subscription status, purchase date, and renewal date. We do not receive or store payment card or bank account details.
"VERIFIED BUSINESS" BADGE CLARIFICATION The "Verified Business" badge shown on a Business Profile reflects only that the business holds an active Business Directory Subscription. It is a paid feature and does not involve any identity verification, background check, licensing check, or vetting process. This badge is unrelated to the identity verification data described in Section 3.2, which applies only to individual users who have completed government ID and biometric verification through Didit.
LEGAL BUSINESS ENTITY REPRESENTATION When you create a Business Profile, you affirmatively confirm — via an in-app checkbox — that you operate a legitimate, lawfully existing business or entity and have the authority to act on its behalf. We collect and store this confirmation as a boolean flag in Supabase alongside your Business Profile data. This confirmation is a self-declaration; 1STBOND LLC does not independently verify business registration, licensing, or legal formation status. See Terms of Service Section 13.2 for the full representation and warranty.
Promoted Listings and Business Directory Subscriptions are billed through Apple, Google, or 1STBOND's web checkout. We receive and store purchase status, date, and duration only.
Reports include the reason, reported user's identifier, and context you provide. Block records are stored to prevent future contact.
IP address
Device type and model
Operating system
App interaction and diagnostic data (Sentry)
Push notification token (meetup reminders at 6 hours, 1 hour, and 10 minutes before; scan alerts; message notifications)
When you visit 1st-bond.com, we and our service providers may collect data through cookies and similar technologies:
Session cookies — manage login state and session security
Netlify Analytics — aggregated, cookieless page views and traffic data; no third-party cookies or fingerprinting
Cloudflare — IP address and request metadata for DDoS protection and content delivery; may set security cookies
Local storage — certain preferences and session state stored locally in your browser
We do not use advertising cookies, behavioral tracking cookies, or sell website visitor data. You may control cookies through your browser settings. We do not respond to Do Not Track (DNT) signals.
Operate your account and authenticate your identity
Confirm the 18+ age self-declaration at account creation
Process optional identity verification (mandatory for Marketplace sellers) using Didit and Supabase
Perform the pre-meetup confirmation scan using AWS for storage and matching
Enable GPS navigation and live tracking via Google Cloud Platform
Enable in-app messaging
Display and operate Marketplace listings
Display and operate Business Profiles in the Directory, For You feed, and on 1st-bond.com
Process and display Promoted Listing and Business Directory Subscription purchases
Enable meetup creation, code generation, and Join Meetup buttons
Mark meetups as Verified or Unverified based on scan completion
Process and display ratings and reviews
Enable report and block functionality
Process account management actions
Prevent fraud, abuse, and unauthorized activity
Respond to support requests and resolve disputes
Comply with applicable laws and legal obligations, including responding to valid legal requests
Improve the Services through aggregated, anonymized analytics
Send push notifications for meetup reminders, scan alerts, and message notifications
We do not sell, rent, or use your personal data for third-party advertising.
1STBOND uses automated systems in the following limited contexts:
For You feed ranking: algorithmic ranking based on proximity, category, and engagement signals. Determines display order of business content only — no legal or significant decisions about users.
Marketplace search and sorting: listings ranked by recency, proximity, and Promoted Listing status. No legal or significant decisions about users.
Pre-meetup scan matching: AWS performs automated one-to-one biometric matching between a live scan and the stored account scan.
Identity verification: Didit performs automated document verification and biometric matching for seller verification. Users may dispute outcomes by contacting support@1st-bond.com.
California residents have the right under ADMT regulations to opt out of automated decision-making that produces legal or similarly significant effects. None of the above produce such effects. Contact privacy@1st-bond.com with questions about any automated system.
Didit — identity verification. Processes government ID and biometric face matching. Retains original ID document data under our data processing agreement.
AWS (Amazon Web Services) — stores face scan photos; performs biometric matching against Supabase account data; hosts core application infrastructure.
Supabase — database and backend. Stores account data, identity verification status, profile data, meetup records, messages, ratings, Marketplace listings, Business Profile data, For You feed content, and purchase records.
Google Cloud Platform (GCP) — navigation, address autocomplete, live tracking, and location-based Business Profile discovery.
Sentry — error monitoring and diagnostics.
Netlify — web hosting for 1st-bond.com, including publicly visible Business Profiles and For You feed content. Netlify Analytics collects aggregated, cookieless analytics.
Cloudflare — CDN, DDoS protection, and web security.
Apple App Store / Google Play Store — in-app purchase billing. Independent controllers of billing and payment data; their own privacy policies govern that data.
All providers are contractually restricted from using your data for purposes other than providing services to 1STBOND LLC. We maintain data processing agreements with all providers handling personal or biometric data.
By creating an account, you consent to data collection and use as described in this policy and represent that you are at least 18 years of age.
Before any biometric data is collected, you will be presented with a dedicated in-app Biometric Data Consent screen disclosing: (a) specific data collected; (b) purpose; (c) storage; (d) retention schedule. You must tap "I Agree" to proceed. You may withdraw consent at privacy@1st-bond.com (will prevent meetup participation).
We request location permission for navigation, live tracking, and Business Discovery. Revoke at any time in device settings; doing so disables navigation and tracking features.
Camera access is required for the pre-meetup scan and identity verification. Camera and photo library access for profile, listing, and Business Profile content is optional. Manage in device settings.
Age confirmation flag (boolean): deleted within 30 days of account closure
Face scan photos (AWS): deleted within 90 days of account closure
Identity verification data (Supabase): deleted within 30 days of account closure
Government ID document data (Didit): contractually required to align with our 90-day biometric destruction schedule
Pre-meetup scan records: deleted within 90 days of account closure
Messaging data: up to 90 days after account closure unless required for a legal matter
Meetup records: up to 90 days after the scheduled meetup date
Location and navigation data: not retained beyond the active session
Account and profile data: deleted within 30 days of closure
Marketplace listing data: deleted within 30 days of listing removal or account closure
Business Profile data (including photos, videos, For You feed content): deleted within 30 days of profile or account removal
Business Directory Subscription data: deleted within 30 days of account closure
Promoted Listing purchase data: deleted within 30 days of account closure
Safety reports: retained up to 12 months following resolution of the investigation
Block records: deleted within 30 days of account closure
Aggregated, anonymized analytics: may be retained indefinitely as it contains no personal identifiers
Request deletion at any time. We acknowledge within 10 business days and complete within 45 calendar days.
We implement commercially reasonable safeguards including TLS encryption in transit and at rest, need-to-know access controls, contractual security obligations with vendors, and MFA for administrative access to production systems. In the event of a breach affecting your personal information, we will notify you as required by applicable state and federal law.
We do not sell personal data. We may share your information only:
With service providers acting as data processors on our behalf (Section 6)
Business Profile data is publicly visible by design in the app and on 1st-bond.com
To comply with a legal obligation, court order, or lawful government request
To protect user safety or investigate fraud or abuse
In connection with a merger, acquisition, or asset sale, provided the successor agrees to honor this policy
With Apple or Google in connection with in-app purchase billing (limited to what is necessary)
We require a valid subpoena, court order, or warrant before disclosing personal data to law enforcement, where permitted.
You have the right to access, correct, or delete your personal data; request a portable copy of your data; clear your meetup history; change account settings; withdraw biometric consent; block or report users; and remove your Marketplace listings or Business Profile at any time. Contact privacy@1st-bond.com, use Settings → Account → Delete Account, or visit https://1st-bond.com/delete-account.
Request a machine-readable copy of your personal data by emailing privacy@1st-bond.com with subject "Data Portability Request." We will respond within 45 calendar days. Biometric data is excluded from portability exports for security and legal reasons.
Deleting your account or Business Profile removes it from 1STBOND promptly. Third-party search engine caches may retain previously indexed data; we are not responsible for that caching.
California residents have the Right to Know, Right to Delete, Right to Correct, Right to Opt Out of Sale or Sharing (we do not sell or share personal information for cross-context behavioral advertising), Right to Data Portability, Right to Limit Use of Sensitive Personal Information, Right to Opt Out of ADMT (see Section 5), and Right to Non-Discrimination. Submit requests to privacy@1st-bond.com with subject "CCPA Request." We will respond within 45 calendar days.
Colorado's Privacy Act (Colo. Rev. Stat. § 6-1-1301 et seq.) grants Colorado residents rights to access, correct, delete, and obtain a portable copy of their personal data, and to opt out of certain processing including targeted advertising (which we do not conduct), the sale of personal data (which we do not do), and profiling in furtherance of decisions that produce legal or similarly significant effects (which we do not do). To exercise any Colorado privacy right, contact privacy@1st-bond.com with subject "Colorado Privacy Request." We will respond within 45 calendar days. If we cannot fulfill your request, you may appeal by re-contacting us at the same address. For biometric-specific rights under the CPA's biometric amendment, see Section 3.3.
Illinois residents have the right to receive our biometric retention policy in writing prior to collection (satisfied by Section 3.3 and this policy) and to seek relief under BIPA for violations.
We do not respond to browser Do Not Track signals. We do not use your data for cross-site behavioral tracking.
Manage your account through Settings: change password, email, username; delete account (Settings → Account → Delete Account or https://1st-bond.com/delete-account); clear meetup history; manage Marketplace listings; manage Business Profile and For You feed content; block or report users.
1STBOND LLC is operated in the United States. Data is stored and processed in the U.S. We do not currently direct the Services at users in the European Union or other international jurisdictions with distinct regulatory frameworks.
1STBOND is strictly 18+. By creating an account, you represent you are at least 18. We do not independently verify age for general users; Marketplace sellers' age is confirmed via government-issued ID. We do not knowingly collect data from users under 18 or children under 13. If we become aware of either, we will terminate the account and delete information promptly. Contact privacy@1st-bond.com with concerns.
For material changes, we provide at least 30 days' advance notice via in-app notification and email. The updated policy is posted at https://1st-bond.com/privacy. Continued use after the effective date constitutes acceptance.
This Privacy Policy is governed by the laws of the State of Colorado. Disputes are subject to the exclusive jurisdiction of the courts in Denver County, Colorado.
Privacy Email: privacy@1st-bond.com General Support: support@1st-bond.com Copyright Agent: copyright@1st-bond.com Website: https://1st-bond.com/privacy Account Deletion: https://1st-bond.com/delete-account Mailing: 1500 N Grant St Ste N, Denver County, CO 80203
Note The Privacy & Security screen in the app is a plain-language summary. In the event of any conflict between the in-app summary and this Privacy Policy, this Privacy Policy controls.