Privacy Policy

Last updated: May 2026

This Privacy Policy explains how SmallRun ("SmallRun", "we", "us", or "our") collects, uses, shares, and protects personal information when you use the SmallRun marketplace at smallrun.net (the "Service"). It applies to buyers, sellers, and visitors worldwide.

1. Who We Are

SmallRun is a US-based marketplace headquartered in Indiana, United States. For the purposes of the EU and UK General Data Protection Regulation (GDPR), SmallRun is the data controller for personal information collected through the Service. Sellers using the Service are independent data controllers (or, where applicable, joint controllers with us) for personal information they process to fulfill orders and communicate with their buyers.

You can reach our privacy team at support@smallrun.net.

2. Information We Collect

We collect personal information in the following categories (terms align with the CCPA/CPRA statutory categories where applicable):

• Identifiers and account information - email address, display name, handle, avatar, bio, and authentication credentials. If you sign in via Google or GitHub, we receive a unique identifier and your email from that provider.
• Commercial information - orders placed, products listed, cart contents, shipping addresses, billing addresses, and order history.
• Payment information - collected and stored by Stripe. We receive only payment-method tokens, the last four digits of cards (where applicable), and transaction status. Full card numbers never touch our servers.
• Internet and network activity - IP address, user-agent string, pages visited, search queries, and click events captured in our server-side logs. We do not embed third-party analytics or advertising scripts.
• Geolocation data - approximate location inferred from IP address and shipping address provided at checkout. We do not collect precise GPS location.
• User-generated content - product listings, build logs, comments, messages, reports, and uploaded images.
• Communications - messages you send to us or to other users via the Service, and customer-support correspondence.
• Inferences - limited derived signals such as recommended products based on browse history, computed from data you provide.

We do not knowingly collect "sensitive personal information" as defined by the CPRA (e.g., precise geolocation, racial or ethnic origin, religious beliefs, health information, biometric or genetic data, or contents of mail/email/text messages other than what you address to us). Government IDs and other identity-verification data collected during seller onboarding are handled directly by Stripe under its own privacy policy.

3. Sources of Information

• Directly from you when you register, list a product, place an order, or contact us.
• Automatically from your device when you use the Service (server logs, cookies).
• From third parties you authorize (e.g., Google, GitHub for sign-in; Stripe for payment status; Shippo for shipment tracking).

4. How We Use Your Information - Purposes and Legal Bases

For users in the EU/UK/EEA, we process your personal information on the following legal bases under GDPR Article 6:

• Performance of a contract (Art. 6(1)(b)) - to create and operate your account, process orders, generate shipping labels, calculate and remit taxes, deliver transactional emails (order confirmations, shipping updates, password resets), and provide customer support.
• Compliance with a legal obligation (Art. 6(1)(c)) - to retain order and tax records as required by tax, accounting, and consumer-protection law; to respond to lawful requests from authorities; and to operate the EU One-Stop Shop (OSS) and Import One-Stop Shop (IOSS) schemes once registered.
• Legitimate interests (Art. 6(1)(f)) - to keep the Service secure, prevent fraud and abuse, moderate user-generated content, debug and improve the platform using server-side logs, and produce aggregated, anonymised statistics. You may object to processing on this basis (see Section 10).
• Consent (Art. 6(1)(a)) - for optional email digests and any future non-essential cookies or marketing communications. You can withdraw consent at any time without affecting the lawfulness of prior processing.

We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on you within the meaning of GDPR Article 22.

5. How We Share Information

• Sellers. When you place an order, the seller receives your shipping address, order contents, and the email associated with the order so they can fulfill and communicate about it. Sellers are independent controllers for that information.
• Buyers. Sellers' shop names, public profile information, and listed products are visible to all visitors. We do not share sellers' home addresses with buyers; ship-from addresses are used for label generation only.
• Service providers (processors). We use a small number of vendors that process personal information on our behalf under written agreements:
  • Stripe, Inc. - payment processing, Stripe Connect payouts, Stripe Tax, and seller identity verification (KYC).
  • Shippo - international shipping rates, label generation, and tracking webhooks.
• Legal and safety. We may disclose information to comply with applicable law, valid legal process, or to protect the rights, property, and safety of SmallRun, our users, or the public.
• Business transfers. If SmallRun is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction, subject to this Policy.
• We do not sell your personal information and we do not "share" it for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA.

6. International Data Transfers

SmallRun is based in the United States and our primary application, database, and email infrastructure run on US-based servers. If you access the Service from the EU, UK, or EEA, your personal information is transferred to and stored in the United States, which is not the subject of an adequacy decision by the European Commission for transfers from non-DPF-certified infrastructure providers.

To safeguard those transfers, we rely on the following mechanisms under GDPR Article 46 (and the equivalent UK GDPR provisions):

• The European Commission's Standard Contractual Clauses (SCCs) - Module 2 (Controller-to-Processor) or Module 3 (Processor-to-Processor) as applicable - with each US-based processor.
• The UK International Data Transfer Addendum to the SCCs for transfers originating in the United Kingdom.
• A Transfer Impact Assessment covering the destination country's surveillance laws and the supplementary technical and organizational measures we apply.
• Supplementary measures including TLS encryption in transit, encryption at rest for backups, least-privilege access controls, and minimization of personal data shared with each processor to what is strictly necessary.

A copy of the relevant transfer safeguards is available on request from support@smallrun.net.

7. Cookies and Similar Technologies

We use only the cookies that are strictly necessary to operate the Service:

• An authentication session cookie to keep you signed in.
• An antiforgery cookie to protect form submissions against cross-site request forgery.
• A cart cookie so guest carts persist between page loads.

We do not set third-party advertising or tracking cookies and we do not load third-party analytics scripts. Because we use only strictly-necessary cookies, no cookie banner consent is required under the ePrivacy Directive; if that ever changes, we will deploy a compliant consent mechanism before any non-essential cookies are set.

8. How Long We Keep Information

• Account data - until you delete your account, plus a short post-deletion buffer for backup-cycle expiry.
• Order, invoice, and tax records - retained for up to seven (7) years from the date of the transaction to satisfy US and EU tax-record obligations.
• Server logs - retained for up to 90 days for security and troubleshooting, then rotated or aggregated.
• Support correspondence - retained for up to three (3) years from the last interaction.
• Backups - encrypted backups are retained on a rolling schedule and expire automatically.

We may retain limited information longer where required to comply with a legal obligation, resolve disputes, or enforce our agreements.

9. Security

SmallRun runs in a US-region, ISO/IEC 27001-certified data center operated by IONOS. ISO 27001 is the international standard for Information Security Management Systems - in practical terms, it means the facility is independently audited against a defined set of controls covering physical access, environmental safeguards (power, fire, climate), 24×7 monitoring, access management, change management, vulnerability management, and incident response. The certification is renewed on a regular audit cycle.

On top of that physical and operational baseline, we apply application-level safeguards:

• All traffic to and from the Service is encrypted in transit using TLS.
• Passwords are stored as salted hashes using ASP.NET Core Identity's PBKDF2 implementation - we cannot read your password.
• Database backups and stored credentials are encrypted at rest.
• Access to production systems is restricted on a least-privilege basis and protected by multi-factor authentication.
• Payment-card data is handled entirely by Stripe under its PCI-DSS Level 1 certification and never reaches our servers.

If a security incident affecting your personal information does occur, we will notify the relevant supervisory authorities and affected users as required by GDPR (Articles 33 and 34) and applicable US state breach-notification laws.

10. Your Rights - EU, UK, and EEA Residents

If you are in the EU, UK, or EEA, you have the following rights under GDPR/UK GDPR. To exercise any of them, email support@smallrun.net:

• Access - obtain a copy of the personal information we hold about you.
• Rectification - correct inaccurate or incomplete information.
• Erasure ("right to be forgotten") - delete your information, subject to retention obligations.
• Restriction - ask us to limit how we use your information.
• Portability - receive your information in a structured, machine-readable format.
• Object - object to processing based on our legitimate interests.
• Withdraw consent - for any processing based on consent, at any time.
• Lodge a complaint with your national data protection supervisory authority. A list is maintained by the European Data Protection Board at edpb.europa.eu.

We will respond to verifiable requests within one month, extendable by two further months for complex requests as permitted by GDPR.

11. Your Rights - California Residents (CCPA/CPRA)

California residents have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

• Right to know what personal information we have collected about you, the categories of sources, the business purpose, and the categories of third parties with whom we share it.
• Right to delete personal information we have collected, subject to legal exceptions.
• Right to correct inaccurate personal information.
• Right to opt out of sale or sharing. As noted above, we do not sell or "share" personal information for cross-context behavioral advertising, so this right is not currently triggered.
• Right to limit use of sensitive personal information. We do not use sensitive personal information for purposes that would trigger this right.
• Right to non-discrimination for exercising your rights.

To exercise these rights, email support@smallrun.net. We will verify your identity using the email associated with your account before fulfilling any request. You may use an authorized agent; we will require written authorization and may verify directly with you.

We honor Global Privacy Control (GPC) signals as an opt-out preference signal where applicable.

12. Your Rights - Other US States

Residents of Virginia, Colorado, Connecticut, Utah, Oregon, Texas, Montana, and other states with comprehensive privacy laws have rights similar to those described above - including the rights to access, correct, delete, and obtain a portable copy of personal data, and to opt out of certain processing. To exercise these rights, email support@smallrun.net. If we deny your request, you may appeal by replying to our response; appeal procedures are described in our reply.

13. Children's Privacy

The Service is not directed to children under 16. We do not knowingly collect personal information from children under 13 in the United States (per COPPA) or under 16 in the EU/UK/EEA. If you believe a child has provided us with personal information, contact support@smallrun.net and we will delete it.

14. Do Not Track

Because we do not track users across third-party websites or services, we treat all users consistently and do not respond differently to "Do Not Track" browser signals. We do honor Global Privacy Control (GPC) signals as described in Section 11.

15. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent revision. Material changes will be communicated by email to registered users and/or by a prominent notice on the Service before the change takes effect.

16. Contact

For privacy questions, requests, or complaints, email support@smallrun.net. For general support, see our contact page.