Legal

Privacy Policy

Effective: July 3, 2026
Version: FINAL-12
Governing Law: State of Colorado
Contact: support@1st-bond.com

About This Policy
1STBOND is a marketplace, meetup coordination, and local business discovery platform intended exclusively for users 18 years of age or older. It is not a safety service, identity verification service, or background check service. Identity verification is optional for most users and mandatory only for Marketplace sellers. Creating a Business Profile does not require identity verification. The pre-meetup confirmation scan is a coordination tool, not a safety feature. This policy will be updated before any new data collection practices launch.

Contents

  1. Introduction
  2. Who Can Use the Services
  3. Information We Collect
  4. How We Use Your Information
  5. Automated Systems and Decision-Making
  6. Third-Party Service Providers
  7. Consent
  8. Data Retention
  9. Data Security
  10. Sharing of Information
  11. Your Privacy Rights
  12. Account Management
  13. International Users
  14. Age Eligibility and Children's Privacy
  15. Changes to This Policy
  16. Governing Law
  17. Contact

1. Introduction

1STBOND LLC ("we," "our," or "us") operates a mobile application and website that allows users to list and discover items for sale, coordinate in-person meetups, discover local businesses, and purchase promoted visibility. This Privacy Policy explains how we collect, use, disclose, and safeguard your information.

We collect only the minimum information necessary to provide the Services and do not sell personal data.

2. Who Can Use the Services

1STBOND is intended exclusively for users 18 years of age or older. By creating an account, you represent and warrant that you are at least 18. During account creation, you are required to confirm your age via a self-declaration before proceeding. 1STBOND LLC does not independently verify the age of general users; the sole exception is Marketplace sellers, whose age is confirmed against a government-issued ID.

AGE VERIFICATION DATA
For Marketplace sellers only, age verification occurs as part of the mandatory identity verification process through Didit. The data collected, how it is stored, and when it is deleted is described in Section 3.2 below. For all other users, age is self-declared and not independently verified. No separate age verification data is collected from general users beyond the age confirmation at account creation, which is a boolean flag stored in our Supabase database (confirmed 18+ or not). This flag is deleted within 30 days of account closure.

1STBOND does not knowingly collect personal information from users under 18. If we become aware that a user is under 18, we will terminate the account and delete their information promptly. Parents or guardians with concerns should contact privacy@1st-bond.com.

3. Information We Collect

3.1 Personal Identifiers

Full legal name

Email address

Date of birth (self-declared; you represent you are 18 or older)

Age confirmation flag (boolean stored in Supabase; confirms 18+ self-declaration at account creation)

Username and @handle (publicly visible and searchable)

Profile photo (optional, visible to other users)

Profile banner photo (optional, visible to other users)

Profile bio (optional, visible to other users)

Meetup codes (alphanumeric identifiers linked to your account and meetup record)

Password (stored encrypted; we cannot access your plain-text password)

3.2 Identity Verification Data (Optional, Except for Marketplace Sellers)

Identity verification is optional for most uses of the Services and mandatory only for Marketplace sellers. If completed, we collect government-issued ID and selfie/liveness images processed by Didit. Extracted identity data (name, date of birth, verification status) is stored in Supabase. We do not store your residential address, raw ID number, or expiration date. We may access full ID data from Didit only to: (a) investigate fraud; (b) respond to a valid legal or law enforcement request; or (c) resolve a safety incident.

3.3 Biometric Information

We collect biometric data in two contexts:

(a) Optional identity verification (mandatory for Marketplace sellers): face scan and liveness photo to match your face against your government-issued ID, processed by Didit and stored in AWS.

(b) Pre-meetup confirmation scan (mandatory for all meetup participants): face scan confirming the person present matches the account that scheduled the meetup. The scan window opens 6 hours before the meetup and closes 10 minutes before. Reminders at 6 hours, 1 hour, and 10 minutes before. This is a logistics and coordination feature — not a safety or identity verification feature.

Face scan photos are stored in AWS. Identity verification status is stored in Supabase. Biometric data is used solely for meetup coordination and identity verification. We do not use it for advertising or profiling.

ILLINOIS RESIDENTS — BIPA NOTICE
Biometric data is never sold or used for advertising. Destroyed within 90 days of account closure. Separate written in-app consent presented before collection. Withdraw consent at privacy@1st-bond.com (will prevent meetup participation). This notice satisfies our written retention policy disclosure obligation.

TEXAS RESIDENTS — CUBI NOTICE
Biometric identifiers collected only with informed consent, never sold, destroyed within 90 days of account closure.

WASHINGTON RESIDENTS — MY HEALTH MY DATA ACT NOTICE
Biometric data used solely for meetup coordination and optional identity verification. Not sold or shared. Destroyed within 90 days of account closure.

COLORADO RESIDENTS — CPA BIOMETRIC NOTICE
In accordance with the Colorado Privacy Act's biometric data amendment (C.R.S. § 6-1-1314), 1STBOND LLC maintains a written policy establishing a retention schedule for biometric identifiers and biometric data, and destroys such data upon satisfaction of the purpose for which it was collected or within 90 days of account closure, whichever is earlier. Biometric data is collected only with your consent, is never sold, leased, traded, or used for advertising, and is not disclosed or disseminated to any third party except as necessary to provide the Services (see Section 6), to complete a financial transaction you requested, or as required by law. Colorado residents have the right to access their biometric identifiers, request correction of inaccurate biometric identifiers, and lodge a complaint regarding our biometric data practices by contacting privacy@1st-bond.com.

3.4 Messaging Data

In-app messages stored on our servers for delivery and safety review. Accessed by staff only for enforcement, investigation, or legal compliance. Not used for advertising or sold to third parties.

3.5 Location Data

Meetup creation — "Use my current location" tap

Address autocomplete — powered by Google Cloud Platform

Built-in GPS navigation to meetup locations

Route preferences (Fastest, No Tolls, No Highways) — used only to generate your route, not stored

Open in Maps App — destination passed to the third-party app you select, subject to its privacy policy

Live tracking — recommended departure time and ETA (Google Cloud Platform)

Business Discovery location — used within the session to surface nearby businesses; not stored beyond that session

We do not track your location in the background outside of an active meetup or navigation session.

3.6 Camera and Photo Library

Pre-meetup confirmation scan and optional identity verification: camera required

Profile, Marketplace listing, Business Profile photos and video (including For You feed): camera or photo library, optional

3.7 Ratings and Reviews

Star ratings and written reviews are stored in Supabase and displayed publicly. Not used for advertising.

3.8 Marketplace Listing Data

Item title, description, price, category, and photos submitted by verified sellers are stored in Supabase and publicly visible in-app and on 1st-bond.com. We do not collect or process payment information.

3.9 Business Profile Data

Creating a Business Profile does not require identity verification. We collect business name, category, description, physical address or service area, operating hours, contact information, and photos or videos including For You feed content. Stored in Supabase and publicly visible in-app and on 1st-bond.com. For Business Directory Subscription users, we also store subscription status, purchase date, and renewal date. We do not receive or store payment card or bank account details.

"VERIFIED BUSINESS" BADGE CLARIFICATION
The "Verified Business" badge shown on a Business Profile reflects only that the business holds an active Business Directory Subscription. It is a paid feature and does not involve any identity verification, background check, licensing check, or vetting process. This badge is unrelated to the identity verification data described in Section 3.2, which applies only to individual users who have completed government ID and biometric verification through Didit.

LEGAL BUSINESS ENTITY REPRESENTATION
When you create a Business Profile, you affirmatively confirm — via an in-app checkbox — that you operate a legitimate, lawfully existing business or entity and have the authority to act on its behalf. We collect and store this confirmation as a boolean flag in Supabase alongside your Business Profile data. This confirmation is a self-declaration; 1STBOND LLC does not independently verify business registration, licensing, or legal formation status. See Terms of Service Section 13.2 for the full representation and warranty.

3.10 Purchase Data

Promoted Listings and Business Directory Subscriptions are billed through Apple, Google, or 1STBOND's web checkout. We receive and store purchase status, date, and duration only.

3.11 Safety Reports and Blocks

Reports include the reason, reported user's identifier, and context you provide. Block records are stored to prevent future contact.

3.12 Device and Usage Data

IP address

Device type and model

Operating system

App interaction and diagnostic data (Sentry)

Push notification token (meetup reminders at 6 hours, 1 hour, and 10 minutes before; scan alerts; message notifications)

3.13 Cookies and Web Tracking (1st-bond.com Website)

When you visit 1st-bond.com, we and our service providers may collect data through cookies and similar technologies:

Session cookies — manage login state and session security

Netlify Analytics — aggregated, cookieless page views and traffic data; no third-party cookies or fingerprinting

Cloudflare — IP address and request metadata for DDoS protection and content delivery; may set security cookies

Local storage — certain preferences and session state stored locally in your browser

We do not use advertising cookies, behavioral tracking cookies, or sell website visitor data. You may control cookies through your browser settings. We do not respond to Do Not Track (DNT) signals.

4. How We Use Your Information

Operate your account and authenticate your identity

Confirm the 18+ age self-declaration at account creation

Process optional identity verification (mandatory for Marketplace sellers) using Didit and Supabase

Perform the pre-meetup confirmation scan using AWS for storage and matching

Enable GPS navigation and live tracking via Google Cloud Platform

Enable in-app messaging

Display and operate Marketplace listings

Display and operate Business Profiles in the Directory, For You feed, and on 1st-bond.com

Process and display Promoted Listing and Business Directory Subscription purchases

Enable meetup creation, code generation, and Join Meetup buttons

Mark meetups as Verified or Unverified based on scan completion

Process and display ratings and reviews

Enable report and block functionality

Process account management actions

Prevent fraud, abuse, and unauthorized activity

Respond to support requests and resolve disputes

Comply with applicable laws and legal obligations, including responding to valid legal requests

Improve the Services through aggregated, anonymized analytics

Send push notifications for meetup reminders, scan alerts, and message notifications

We do not sell, rent, or use your personal data for third-party advertising.

5. Automated Systems and Decision-Making

1STBOND uses automated systems in the following limited contexts:

For You feed ranking: algorithmic ranking based on proximity, category, and engagement signals. Determines display order of business content only — no legal or significant decisions about users.

Marketplace search and sorting: listings ranked by recency, proximity, and Promoted Listing status. No legal or significant decisions about users.

Pre-meetup scan matching: AWS performs automated one-to-one biometric matching between a live scan and the stored account scan.

Identity verification: Didit performs automated document verification and biometric matching for seller verification. Users may dispute outcomes by contacting support@1st-bond.com.

California residents have the right under ADMT regulations to opt out of automated decision-making that produces legal or similarly significant effects. None of the above produce such effects. Contact privacy@1st-bond.com with questions about any automated system.

6. Third-Party Service Providers

Didit — identity verification. Processes government ID and biometric face matching. Retains original ID document data under our data processing agreement.

AWS (Amazon Web Services) — stores face scan photos; performs biometric matching against Supabase account data; hosts core application infrastructure.

Supabase — database and backend. Stores account data, identity verification status, profile data, meetup records, messages, ratings, Marketplace listings, Business Profile data, For You feed content, and purchase records.

Google Cloud Platform (GCP) — navigation, address autocomplete, live tracking, and location-based Business Profile discovery.

Sentry — error monitoring and diagnostics.

Netlify — web hosting for 1st-bond.com, including publicly visible Business Profiles and For You feed content. Netlify Analytics collects aggregated, cookieless analytics.

Cloudflare — CDN, DDoS protection, and web security.

Apple App Store / Google Play Store — in-app purchase billing. Independent controllers of billing and payment data; their own privacy policies govern that data.

All providers are contractually restricted from using your data for purposes other than providing services to 1STBOND LLC. We maintain data processing agreements with all providers handling personal or biometric data.

7. Consent

7.1 General Consent

By creating an account, you consent to data collection and use as described in this policy and represent that you are at least 18 years of age.

7.2 Biometric Consent

Before any biometric data is collected, you will be presented with a dedicated in-app Biometric Data Consent screen disclosing: (a) specific data collected; (b) purpose; (c) storage; (d) retention schedule. You must tap "I Agree" to proceed. You may withdraw consent at privacy@1st-bond.com (will prevent meetup participation).

7.3 Location Consent

We request location permission for navigation, live tracking, and Business Discovery. Revoke at any time in device settings; doing so disables navigation and tracking features.

7.4 Camera and Photo Library Consent

Camera access is required for the pre-meetup scan and identity verification. Camera and photo library access for profile, listing, and Business Profile content is optional. Manage in device settings.

8. Data Retention

Age confirmation flag (boolean): deleted within 30 days of account closure

Face scan photos (AWS): deleted within 90 days of account closure

Identity verification data (Supabase): deleted within 30 days of account closure

Government ID document data (Didit): contractually required to align with our 90-day biometric destruction schedule

Pre-meetup scan records: deleted within 90 days of account closure

Messaging data: up to 90 days after account closure unless required for a legal matter

Meetup records: up to 90 days after the scheduled meetup date

Location and navigation data: not retained beyond the active session

Account and profile data: deleted within 30 days of closure

Marketplace listing data: deleted within 30 days of listing removal or account closure

Business Profile data (including photos, videos, For You feed content): deleted within 30 days of profile or account removal

Business Directory Subscription data: deleted within 30 days of account closure

Promoted Listing purchase data: deleted within 30 days of account closure

Safety reports: retained up to 12 months following resolution of the investigation

Block records: deleted within 30 days of account closure

Aggregated, anonymized analytics: may be retained indefinitely as it contains no personal identifiers

Request deletion at any time. We acknowledge within 10 business days and complete within 45 calendar days.

9. Data Security

We implement commercially reasonable safeguards including TLS encryption in transit and at rest, need-to-know access controls, contractual security obligations with vendors, and MFA for administrative access to production systems. In the event of a breach affecting your personal information, we will notify you as required by applicable state and federal law.

10. Sharing of Information

We do not sell personal data. We may share your information only:

With service providers acting as data processors on our behalf (Section 6)

Business Profile data is publicly visible by design in the app and on 1st-bond.com

To comply with a legal obligation, court order, or lawful government request

To protect user safety or investigate fraud or abuse

In connection with a merger, acquisition, or asset sale, provided the successor agrees to honor this policy

With Apple or Google in connection with in-app purchase billing (limited to what is necessary)

We require a valid subpoena, court order, or warrant before disclosing personal data to law enforcement, where permitted.

11. Your Privacy Rights

11.1 General Rights (All Users)

You have the right to access, correct, or delete your personal data; request a portable copy of your data; clear your meetup history; change account settings; withdraw biometric consent; block or report users; and remove your Marketplace listings or Business Profile at any time. Contact privacy@1st-bond.com, use Settings → Account → Delete Account, or visit https://1st-bond.com/delete-account.

11.2 Data Portability

Request a machine-readable copy of your personal data by emailing privacy@1st-bond.com with subject "Data Portability Request." We will respond within 45 calendar days. Biometric data is excluded from portability exports for security and legal reasons.

11.3 Business Profile Public Data

Deleting your account or Business Profile removes it from 1STBOND promptly. Third-party search engine caches may retain previously indexed data; we are not responsible for that caching.

11.4 California Residents — CCPA / CPRA Rights

California residents have the Right to Know, Right to Delete, Right to Correct, Right to Opt Out of Sale or Sharing (we do not sell or share personal information for cross-context behavioral advertising), Right to Data Portability, Right to Limit Use of Sensitive Personal Information, Right to Opt Out of ADMT (see Section 5), and Right to Non-Discrimination. Submit requests to privacy@1st-bond.com with subject "CCPA Request." We will respond within 45 calendar days.

11.5 Colorado Residents — Colorado Privacy Act (CPA)

Colorado's Privacy Act (Colo. Rev. Stat. § 6-1-1301 et seq.) grants Colorado residents rights to access, correct, delete, and obtain a portable copy of their personal data, and to opt out of certain processing including targeted advertising (which we do not conduct), the sale of personal data (which we do not do), and profiling in furtherance of decisions that produce legal or similarly significant effects (which we do not do). To exercise any Colorado privacy right, contact privacy@1st-bond.com with subject "Colorado Privacy Request." We will respond within 45 calendar days. If we cannot fulfill your request, you may appeal by re-contacting us at the same address. For biometric-specific rights under the CPA's biometric amendment, see Section 3.3.

11.6 Illinois Residents — BIPA Rights

Illinois residents have the right to receive our biometric retention policy in writing prior to collection (satisfied by Section 3.3 and this policy) and to seek relief under BIPA for violations.

11.7 Do Not Track

We do not respond to browser Do Not Track signals. We do not use your data for cross-site behavioral tracking.

12. Account Management

Manage your account through Settings: change password, email, username; delete account (Settings → Account → Delete Account or https://1st-bond.com/delete-account); clear meetup history; manage Marketplace listings; manage Business Profile and For You feed content; block or report users.

13. International Users

1STBOND LLC is operated in the United States. Data is stored and processed in the U.S. We do not currently direct the Services at users in the European Union or other international jurisdictions with distinct regulatory frameworks.

14. Age Eligibility and Children's Privacy

1STBOND is strictly 18+. By creating an account, you represent you are at least 18. We do not independently verify age for general users; Marketplace sellers' age is confirmed via government-issued ID. We do not knowingly collect data from users under 18 or children under 13. If we become aware of either, we will terminate the account and delete information promptly. Contact privacy@1st-bond.com with concerns.

15. Changes to This Policy

For material changes, we provide at least 30 days' advance notice via in-app notification and email. The updated policy is posted at https://1st-bond.com/privacy. Continued use after the effective date constitutes acceptance.

16. Governing Law

This Privacy Policy is governed by the laws of the State of Colorado. Disputes are subject to the exclusive jurisdiction of the courts in Denver County, Colorado.

17. Contact

Privacy Email: privacy@1st-bond.com
General Support: support@1st-bond.com
Copyright Agent: copyright@1st-bond.com
Website: https://1st-bond.com/privacy
Account Deletion: https://1st-bond.com/delete-account
Mailing: 1500 N Grant St Ste N, Denver County, CO 80203

Note
The Privacy & Security screen in the app is a plain-language summary. In the event of any conflict between the in-app summary and this Privacy Policy, this Privacy Policy controls.