
PRIVACY POLICY

Last updated: May 1, 2026

This policy applies to all users of FindMeComics, including users in the European Union / European Economic Area. EU / GDPR rights are set out in Section 16 and California / CCPA rights in Section 17.

1. DATA CONTROLLER

FindMeComics (“we,” “us,” or “our”) is the data controller responsible for personal data collected through this website. For GDPR purposes, the controller is the FindMeComics operating entity (United States). We do not currently have an EU establishment.

Contact: privacy@findmecomics.com

Postal / mailing address (GDPR Art. 13(1)(a)): A physical mailing address is available upon written request to privacy@findmecomics.com. We provide it on request rather than publishing it to reduce automated spam and harassment.

We have not designated a Data Protection Officer (DPO) as we do not believe our processing currently meets the thresholds under GDPR Art. 37. We will appoint a DPO and an EU representative (Art. 27) prior to any targeted EU marketing or large-scale EU data processing.

2. WHAT WE COLLECT

Account data: Username, email address, and password hash when you register with email. If you register via Google OAuth, we receive your name, email, and Google profile photo from Google.

Profile data: Optional fields such as bio, location, and profile photo.

Age verification data: Date of birth, collected solely to verify that you are 18 or older. Not used for any other purpose.

Transaction data: Items you list, items you purchase, offers, and order history. Payment processing is handled entirely by Stripe — we never receive or store card numbers, CVV, or other sensitive payment data.

User-generated content: Photos you upload to listings, database edits, and messages.

Communications: Emails or messages you send to us.

Usage and technical data: IP address, browser type, pages visited, and search queries (standard server logs). With your consent, we also collect analytics data via PostHog — page views, click events, and session duration — associated with a pseudonymous device ID. See Section 12.

Consent and compliance records: When you accept our Terms of Service at registration or age verification, we record: (1) the UTC timestamp of acceptance, (2) the IP address used, and (3) the version identifier of the Terms you agreed to. This audit log exists solely to evidence legally valid electronic consent under the Electronic Signatures in Global and National Commerce Act (15 U.S.C. § 7001) and GDPR Art. 6(1)(c). It is not used for any other purpose and is never sold or shared.

Google OAuth data: If you register via Google, we receive your name, email address, and Google profile photo directly from Google as part of the OAuth flow. We do not receive your Google password or any other Google account data.

4. HOW WE USE YOUR DATA

  • To operate and improve the marketplace.
  • To connect buyers and sellers and facilitate transactions.
  • To send transactional notifications (wantlist matches, offers, order updates).
  • To verify user age in compliance with applicable law.
  • To detect and prevent fraud, abuse, and illegal activity.
  • To comply with legal obligations (tax, DMCA, mandatory reporting).

We do not sell your personal data to third parties. We do not use your data for behavioural advertising or cross-context tracking.

5. WHO WE SHARE YOUR DATA WITH

Other users: Your username, seller rating, and location (if provided) are visible to other users. Your email is never shown publicly.

Service providers (data processors — GDPR Art. 28):

Each provider below acts as a data processor on our behalf under a written Data Processing Agreement (DPA) that complies with GDPR Art. 28. Each DPA is automatically incorporated into the provider's standard Terms of Service — no separate execution is required. Each DPA includes EU Standard Contractual Clauses (SCCs, Commission Decision 2021/914) governing transfers of EU personal data to the US.

Processor: Stripe
Purpose: Payment processing and seller payouts via Stripe Connect. Stripe is an independent controller for card data.
Data shared: Email, name, order amounts, Stripe account ID
DPA / SCCs: Stripe DPA ↗; SCCs (Module 1 + 2) + EU–US DPF

Processor: Railway
Purpose: Application hosting and PostgreSQL database. All FindMeComics data at rest resides on Railway infrastructure.
Data shared: All personal data stored in the database
DPA / SCCs: Railway DPA ↗; SCCs (incorporated by reference)

Processor: Cloudinary
Purpose: Image storage and CDN delivery. Listing photos and profile avatars are stored on Cloudinary.
Data shared: User-uploaded images; user ID tag for moderation
DPA / SCCs: Cloudinary DPA ↗; SCCs (Module 2) + EU–US DPF

Processor: Resend
Purpose: Transactional email delivery — order confirmations, offer notifications, wantlist alerts.
Data shared: Email address, username, order details in email body
DPA / SCCs: Resend DPA ↗; SCCs (Module 2 + 3) + EU–US DPF

Processor: PostHog
Purpose: Product analytics — page views, named click events, and session data. Only active if you accept analytics cookies. Autocapture is disabled; form content is never transmitted.
Data shared: Pseudonymous device ID; pages visited; named click events. IP address and email are not transmitted.
DPA / SCCs: PostHog DPA ↗; SCCs (Module 2) + EU–US DPF

Processor: Anthropic
Purpose: AI-assisted dispute analysis — when a dispute is filed, an Anthropic Claude model reviews the case to produce an advisory recommendation for a human administrator. See Section 10 for full details.
Data shared: Dispute reason and description; evidence photos; message thread; order details; aggregated account history. No payment data or contact details.
DPA / SCCs: Anthropic DPA ↗; SCCs (Module 2)

Processor: Browser Push Relay (Google FCM · Mozilla · Apple APNs)
Purpose: Encrypted push notification delivery for order updates and wantlist alerts. We use the W3C Web Push Protocol (RFC 8030) with VAPID authentication directly — no third-party aggregator (e.g. OneSignal) is involved. Each notification payload is end-to-end encrypted before leaving our servers; the relay service cannot read the content.
Data shared: Opaque push subscription endpoint URL (device-specific, not linked to your email or identity by the relay); encrypted notification payload (content not accessible to the relay).
DPA / SCCs: Google Cloud DPA ↗; platform service terms (Google Cloud DPA + SCCs; Mozilla Firefox Services Terms; Apple Developer Program License)

Sub-processors: Each processor above may engage their own sub-processors (e.g. cloud infrastructure providers). We require each processor to impose GDPR-equivalent data protection obligations on any sub-processors and to notify us of material changes to their sub-processor list.

Law enforcement: We will disclose information when required by law, court order, or to protect the safety of users or the public. We are legally required to report child sexual abuse material (CSAM) to NCMEC and to cooperate fully with law enforcement.

We share only the minimum data necessary with each provider.

6. PHOTOS AND UPLOADS

Photos you upload to listings are stored on Cloudinary and are publicly accessible by URL. They are tagged with your internal user ID for moderation purposes. Do not upload photos containing personal information you do not wish to share publicly.

7. DATA RETENTION SCHEDULE (GDPR ART. 13(2)(a))

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law. The specific periods are:

Each entry below gives the data category, the retention period, and the reason or legal basis for keeping it.

  • Account data (username, email, profile): until account deletion + 30 days. Basis: contract; account recovery window.
  • Password hash: until account deletion. Basis: contract / security.
  • Date of birth (age verification): not retained — age is verified at registration and the raw date is immediately discarded; only the boolean ageVerified flag is stored. Basis: legal obligation (COPPA, 15 U.S.C. § 6501).
  • Active listing data: until the listing is removed or sold. Basis: contract.
  • Sold / removed listing data: 3 years from transaction date. Basis: legitimate interests (dispute resolution, DMCA).
  • Order and transaction records: 7 years. Basis: legal obligation (US tax / IRS recordkeeping).
  • Offer history: 3 years. Basis: legitimate interests (dispute resolution).
  • Payment references (Stripe IDs only): 7 years. Basis: legal obligation (tax records).
  • Server and access logs: 90 days. Basis: legitimate interests (security, debugging).
  • Rate-limit counters (IP address, request counts): ≤ 1 hour; cleared on server restart — held in process memory only, never written to disk or logs. Basis: legitimate interests (brute-force and abuse prevention) — Art. 6(1)(f).
  • Emails sent (Resend logs): 90 days. Basis: legitimate interests; email delivery troubleshooting.
  • DMCA / takedown notices: 7 years. Basis: legal obligation (17 U.S.C. § 512; litigation hold).
  • CCPA / GDPR rights requests: 3 years. Basis: legal obligation; regulatory audit trail.
  • eSign Act consent log (IP, timestamp, ToS version): 7 years from date of consent. Basis: legal obligation (15 U.S.C. § 7001; evidence of valid electronic consent).
  • Listing and profile photos (Cloudinary): until the listing is removed or account deletion + 30 days. Basis: contract; content operation.
  • Collection and wantlist data: until account deletion + 30 days. Basis: contract.
  • OFAC geolocation result: not retained — point-in-time check only; no IP-to-country mapping is stored. Basis: not applicable.

After the applicable retention period, data is either deleted or irreversibly anonymised. If you request account deletion, we will complete the deletion or anonymisation of personal data within 30 days, subject to the legal retention obligations above.

8. INTERNATIONAL DATA TRANSFERS (GDPR ART. 13(1)(f))

FindMeComics is operated from the United States. All principal service providers (Stripe, Railway, Cloudinary, Resend, PostHog, Anthropic) are headquartered in the United States. If you access FindMeComics from the EU / EEA, your personal data will be transferred to and processed in the United States, which does not have an adequacy decision from the European Commission for all sectors.

We rely on the following safeguards for transfers from the EEA to the US:

  • EU–US Data Privacy Framework (DPF): Stripe, Cloudinary, Resend, and PostHog are certified under the EU–US DPF (a European Commission adequacy decision per GDPR Art. 45). Google (used for OAuth) is also DPF-certified.
  • Standard Contractual Clauses (SCCs): All processors listed in Section 5 (Stripe, Railway, Cloudinary, Resend, PostHog, Anthropic) incorporate EU Standard Contractual Clauses (Commission Decision 2021/914/EU) into their Data Processing Agreements as an independent transfer safeguard alongside or in lieu of DPF certification. See the DPA links in Section 5 for the specific modules used by each processor.

Copies of the applicable DPAs (which include the SCCs) are publicly available at the links in Section 5. You may also request a summary of transfer safeguards by contacting privacy@findmecomics.com.

9. YOUR RIGHTS (ALL USERS)

Regardless of where you are located, you may:

  • Access the personal data we hold about you.
  • Correct inaccurate data via your account settings or by contacting us.
  • Request deletion of your account and associated personal data.
  • Opt out of non-essential emails via your account notification settings.

To exercise these rights, email privacy@findmecomics.com or use our online request form. EU residents have additional rights — see Section 16 below.

10. AUTOMATED DECISION-MAKING (GDPR ART. 22)

No decision that produces legal or similarly significant effects on you is made solely by automated means without human review (GDPR Art. 22(1)). The following automated processes are in use:

SELLER RATINGS

Seller ratings are computed automatically from buyer reviews. Scores are visible to other users but do not restrict platform access and are subject to human review on request.

FRAUD DETECTION AND RATE LIMITING

Automated systems may temporarily restrict certain actions (e.g., listing rate limits, login throttling). Any permanent account action is reviewed by a human administrator.
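The in-memory, short-lived counters that Section 7 describes and that back the login throttling mentioned here can be implemented as below. This is an added illustration, not FindMeComics' own code: counters are keyed by client IP, live only in a Map in process memory, expire after at most one hour, and vanish on restart, so nothing is ever written to disk or logs. The `now` parameter is a hypothetical clock injection point so the behaviour can be exercised deterministically.

```javascript
// Added example (not FindMeComics' code): an in-process rate limiter matching
// the retention row "Rate-limit counters: <= 1 hour; held in process memory
// only, never written to disk or logs". Keys are client IPs; the Map is the
// only place they exist, and every entry carries an expiry.
class MemoryRateLimiter {
  constructor({ limit, windowMs, maxTtlMs = 60 * 60 * 1000 }) {
    this.limit = limit;
    // Never hold a counter longer than one hour, whatever window is requested.
    this.windowMs = Math.min(windowMs, maxTtlMs);
    this.buckets = new Map(); // ip -> { count, resetAt }
  }

  // Record one attempt for `key` (an IP address) at time `now` (ms epoch).
  // Returns { allowed, remaining, retryAfterMs }. `now` is injectable so the
  // limiter can be tested without waiting for real time to pass.
  hit(key, now = Date.now()) {
    this.sweep(now);
    let bucket = this.buckets.get(key);
    if (!bucket || bucket.resetAt <= now) {
      bucket = { count: 0, resetAt: now + this.windowMs };
      this.buckets.set(key, bucket);
    }
    bucket.count += 1;
    const allowed = bucket.count <= this.limit;
    return {
      allowed,
      remaining: Math.max(0, this.limit - bucket.count),
      retryAfterMs: allowed ? 0 : bucket.resetAt - now,
    };
  }

  // Drop expired entries so IPs that stopped sending requests are forgotten
  // within the window rather than lingering in memory.
  sweep(now) {
    for (const [key, bucket] of this.buckets) {
      if (bucket.resetAt <= now) this.buckets.delete(key);
    }
  }

  size() {
    return this.buckets.size;
  }
}

// Simulated login burst with constructed, documentation-range IPs: six
// attempts from one client in a 5-per-15-minute window, one from another,
// then a retry after the window has elapsed.
function simulateLoginThrottle() {
  const limiter = new MemoryRateLimiter({ limit: 5, windowMs: 15 * 60 * 1000 });
  const t0 = 1000;
  const burst = [];
  for (let i = 0; i < 6; i++) burst.push(limiter.hit('198.51.100.7', t0));
  const other = limiter.hit('203.0.113.9', t0);
  const sizeDuringWindow = limiter.size();
  const afterWindow = limiter.hit('198.51.100.7', t0 + 15 * 60 * 1000);
  return { burst, other, sizeDuringWindow, afterWindow, sizeAfterWindow: limiter.size() };
}

console.log(JSON.stringify(simulateLoginThrottle(), null, 2));
```

A sixth attempt inside the window is refused with a `retryAfterMs` equal to the time left in the window; once the window passes, the sweep discards both stale entries and the client starts a fresh count. Because the only store is the Map, a process restart clears every counter, which is exactly the retention behaviour the policy states.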

AI-ASSISTED DISPUTE ANALYSIS (GDPR ART. 22 / EU AI ACT ART. 50)

When a dispute is filed, FindMeComics may use an AI system (Anthropic Claude, operated by Anthropic PBC) to assist human administrators in reviewing the case. The AI processes the following data associated with your dispute:

  • Dispute reason and written details you provide
  • Evidence photos you upload
  • The full message thread between buyer, seller, and administrators
  • Order details (item, condition, price, shipping, tracking status)
  • Aggregated account history for both parties (order count, dispute history, account age, seller rating) — not personal contact details or payment data

The AI produces an advisory recommendation (Refund / Dismiss / Needs More Information) and a confidence score. This recommendation is not a binding decision. A human administrator reviews all AI output, considers any factors the AI may have missed, and makes the final determination. No refund is issued or denied based solely on the AI's output.

Your rights under GDPR Art. 22(3): You have the right to (a) be informed that AI analysis was used in your dispute, (b) obtain human intervention, (c) express your point of view, and (d) contest the outcome. A notice is shown on your dispute page when AI analysis has been performed. To exercise these rights or request further explanation, contact privacy@findmecomics.com.

Anthropic processes dispute content as a data processor acting on our instructions. Anthropic does not use this content to train its models. See anthropic.com/privacy ↗ for Anthropic's privacy policy.

11. SECURITY & DATA BREACH NOTIFICATION

SECURITY MEASURES

We implement industry-standard technical and organisational measures to protect your data:

  • Passwords are hashed (bcrypt) and never stored in plain text.
  • All data is transmitted over HTTPS, with HSTS enforced using a 2-year max-age.
  • Database access is restricted by credentials and network firewall rules.
  • Payment card data is never processed or stored on our servers — Stripe handles all card data under PCI DSS SAQ A.
  • Content Security Policy and other security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy) are applied to every response.
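The header set listed above, together with a check that a captured response actually carries it, as an added example that is not FindMeComics' own code. Only the header names and the two-year HSTS lifetime come from the policy; the directive values (CSP sources, the Cloudinary CDN host, the Permissions-Policy features) and the weak sample response are constructed assumptions for illustration.

```javascript
// Added example (not FindMeComics' code): the security headers Section 11
// lists, and an audit that flags a response missing them or carrying a
// weaker setting. Directive values below are illustrative assumptions.
const TWO_YEARS_SECONDS = 2 * 365 * 24 * 60 * 60; // 63072000

// Target header set. Keys are lower-case because HTTP header names are
// case-insensitive and the audit normalises to lower-case.
function securityHeaders() {
  return {
    'strict-transport-security': `max-age=${TWO_YEARS_SECONDS}; includeSubDomains`,
    // Assumed CSP: same-origin by default, images also from the Cloudinary CDN host.
    'content-security-policy':
      "default-src 'self'; img-src 'self' https://res.cloudinary.com; frame-ancestors 'none'",
    'x-frame-options': 'DENY',
    'x-content-type-options': 'nosniff',
    'referrer-policy': 'strict-origin-when-cross-origin',
    'permissions-policy': 'camera=(), microphone=(), geolocation=()',
  };
}

// Audit a response's headers against the target set. Returns a list of
// human-readable findings; an empty list means the response passes.
function auditHeaders(responseHeaders) {
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) h[name.toLowerCase()] = value;

  const findings = [];
  for (const name of Object.keys(securityHeaders())) {
    if (!(name in h)) findings.push(`missing ${name}`);
  }

  const hsts = h['strict-transport-security'];
  if (hsts) {
    const m = /max-age=(\d+)/i.exec(hsts);
    const maxAge = m ? Number(m[1]) : 0;
    if (maxAge < TWO_YEARS_SECONDS) {
      findings.push(`strict-transport-security max-age ${maxAge} is below the 2-year target`);
    }
  }
  const xcto = h['x-content-type-options'];
  if (xcto && xcto.toLowerCase() !== 'nosniff') findings.push('x-content-type-options is not nosniff');
  const csp = h['content-security-policy'];
  if (csp && /'unsafe-inline'|'unsafe-eval'/.test(csp)) {
    findings.push("content-security-policy allows 'unsafe-inline' or 'unsafe-eval'");
  }
  return findings;
}

// Constructed sample of a weakly configured response: short HSTS lifetime,
// and four of the six headers absent.
const WEAK_RESPONSE_HEADERS = {
  'Content-Type': 'text/html; charset=utf-8',
  'Strict-Transport-Security': 'max-age=300',
  'X-Frame-Options': 'SAMEORIGIN',
};

console.log('hardened:', auditHeaders(securityHeaders()));
console.log('weak:', auditHeaders(WEAK_RESPONSE_HEADERS));
```

Run against the hardened set the audit returns no findings; run against the weak sample it reports the four missing headers and the short HSTS lifetime. In a deployment the same `auditHeaders` function can be pointed at the headers object of a real fetched response to confirm every route applies the policy.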

No security system is perfect. If a breach does occur, we follow the notification procedures below.

DATA BREACH NOTIFICATION

A “data breach” means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed by us. When we become aware of a confirmed breach that is likely to result in a risk to the rights and freedoms of affected individuals, we will:

  • Notify affected users within 30 days of confirming the breach — by email to the address on your account — regardless of which state you live in. The notice will describe: what happened; the categories and approximate volume of data involved; the likely consequences; the steps we have taken to address the breach; and what you can do to protect yourself (e.g. reset your password, monitor your accounts).
  • Notify regulators as required by applicable law:
    • GDPR Art. 33 — notify the relevant EU supervisory authority within 72 hours of becoming aware of a breach that poses a risk to data subjects. If notification cannot be made within 72 hours, we will provide the reasons for the delay along with the notification.
    • California (Cal. Civ. Code § 1798.82) — notify affected California residents in “expedient time” and without unreasonable delay. If the breach affects more than 500 California residents, we will also notify the California Attorney General.
    • New York (N.Y. Gen. Bus. Law § 899-aa, SHIELD Act) — notify affected New York residents and, where required, the NY Attorney General, Department of State, and relevant consumer reporting agencies, without unreasonable delay.
    • Other states — all 50 US states have data breach notification laws. We will comply with whichever law(s) apply based on the residency of affected users.
  • Take immediate containment steps — isolate affected systems, revoke compromised credentials, patch the vulnerability, preserve logs for forensic review, and engage qualified security professionals as needed.

WHAT “CONFIRMED” MEANS

The 30-day clock starts when we have reasonable certainty that a breach has occurred — not merely when we detect an anomaly. We investigate potential incidents promptly; if an investigation is ongoing and we cannot rule out a breach, we will err on the side of notification. We will never delay notification to protect our reputation.

WHAT'S IN A BREACH NOTICE

Every breach notification to affected users will include, at minimum:

  • A plain-English description of what happened and when.
  • The categories of personal data involved (e.g. email addresses, password hashes, order history).
  • The steps FindMeComics has taken or will take to address the breach.
  • Specific actions you should take (e.g. change your password, watch for phishing).
  • A contact address for questions — legal@findmecomics.com.

IF YOU SUSPECT A BREACH

If you believe your FindMeComics account has been compromised, or you have discovered a security vulnerability, please contact us immediately at legal@findmecomics.com. We take all security reports seriously and will respond within 24 hours.

12. COOKIES

Strictly necessary (always on): A session cookie set by NextAuth.js keeps you signed in. It contains only an encrypted session identifier — no personal information. No consent is required for this cookie.

Analytics (consent required): If you accept analytics when prompted, PostHog sets a cookie and uses localStorage to track page views, click interactions, and session duration. Data is sent to PostHog's US servers (us.i.posthog.com) and associated with a pseudonymous device ID only — no email or name is transmitted. You can withdraw consent at any time by clearing your site data or adjusting your browser's cookie settings. We do not use advertising cookies, tracking pixels, or behavioural profiling.

See our Cookie Policy for the full list of cookies set, their contents, and expiry.

13. CHILDREN

FindMeComics is not directed at children under 18. We do not knowingly collect data from minors. We collect date of birth at registration to enforce this requirement. If you believe a minor has created an account, contact us immediately at legal@findmecomics.com.

14. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. We will notify registered users by email of material changes at least 30 days before they take effect, and will update the “Last updated” date above. Continued use of the Site after changes take effect constitutes acceptance of the updated policy.

15. CONTACT

General privacy questions: legal@findmecomics.com

Privacy rights requests: privacy@findmecomics.com or submit a request online.

16. EU / EEA RESIDENT RIGHTS (GDPR ART. 13–14)

General Data Protection Regulation (EU) 2016/679 — applicable to residents of the European Union, European Economic Area, and (where applicable) the United Kingdom.

If you are located in the EU / EEA, you have the following rights under the GDPR. These are in addition to the general rights in Section 9 above.

YOUR RIGHTS UNDER GDPR

  • Right of access (Art. 15). You have the right to obtain confirmation of whether we process your personal data, and if so, to receive a copy of that data together with information about how it is processed (purposes, categories, recipients, retention periods, and the existence of your other rights).
  • Right to rectification (Art. 16). You have the right to request correction of inaccurate personal data and completion of incomplete data without undue delay.
  • Right to erasure / “right to be forgotten” (Art. 17). You have the right to request deletion of your personal data where: it is no longer necessary for the purposes for which it was collected; you withdraw consent (where applicable); you object and no overriding legitimate grounds exist; or it has been unlawfully processed. This right is subject to legal retention obligations (see Section 7).
  • Right to restriction of processing (Art. 18). You have the right to request that we restrict processing of your data where: you contest its accuracy (while we verify); processing is unlawful and you oppose erasure; we no longer need it but you need it for legal claims; or you have objected and we are assessing overriding grounds.
  • Right to data portability (Art. 20). Where processing is based on consent or contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV), and to transmit that data to another controller.
  • Right to object (Art. 21). You have the right to object at any time to processing based on legitimate interests (Art. 6(1)(f)), including profiling. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms. You may always object to processing for direct marketing purposes without giving reasons.
  • Right to withdraw consent (Art. 7(3)). Where processing is based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
  • Rights related to automated decision-making (Art. 22). As noted in Section 10, we do not make solely automated decisions with legal or similarly significant effects. If this changes, we will update this policy and implement the required safeguards.

HOW TO SUBMIT A GDPR REQUEST

Submit a verifiable request by either method: email privacy@findmecomics.com, or use our online request form.

We will respond within 30 days of receiving a verifiable request (extendable by a further 60 days for complex requests; we will notify you within the initial 30-day period if an extension is needed). We may need to verify your identity before processing the request.

We will not charge a fee for reasonable requests. We may charge a reasonable fee or refuse to act on requests that are manifestly unfounded or excessive.

RIGHT TO LODGE A COMPLAINT (GDPR ART. 13(2)(d))

You have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that our processing of your personal data infringes the GDPR. Because FindMeComics has no EU establishment, any EU supervisory authority may have jurisdiction. A list of EU data protection authorities is available at edpb.europa.eu ↗.

We would appreciate the opportunity to address your concerns before you approach a supervisory authority — please contact privacy@findmecomics.com first.

NOTE ON EU/UK REPRESENTATIVE (GDPR ART. 27) AND REGISTRATION RESTRICTION

FindMeComics has not yet appointed an EU or UK representative under GDPR Art. 27 / UK GDPR Art. 27. To comply with this requirement while the platform remains small, we block new account registrations originating from EU, EEA, and UK IP addresses. You may browse the site, but cannot create an account from an EU/EEA/UK IP until a representative is appointed.

This restriction does not affect existing EU/EEA/UK account holders, who retain all rights under Section 16. To exercise your GDPR rights or inquire about the registration restriction, contact privacy@findmecomics.com. We intend to appoint an Art. 27 representative and lift this restriction as we expand into European markets.

17. CALIFORNIA RESIDENT RIGHTS (CCPA / CPRA)

California Civil Code § 1798.100 et seq. (California Consumer Privacy Act, as amended by the California Privacy Rights Act)

If you are a California resident, you have the following rights regarding your personal information. These rights are in addition to those in Section 9 above.

CATEGORIES OF PERSONAL INFORMATION WE COLLECT

  • Identifiers — username, email address, IP address.
  • Sensitive personal information — date of birth (collected solely for 18+ age verification; used for no other purpose; not sold or shared).
  • Commercial information — purchase history, listing data, offer and order records.
  • Internet or network activity — pages visited, search queries, server log data.
  • Geolocation — city or region, if you choose to provide a location in your profile.
  • Inferences — seller rating derived from transaction reviews.

SOURCES

Directly from you (registration, profile, listings), automatically from your device (server logs), and from payment processors (Stripe) for transaction confirmation data.

BUSINESS PURPOSE FOR COLLECTION

Marketplace operation, fraud prevention, legal compliance, and transactional communications. We do not collect personal information for advertising or sell it to data brokers.

YOUR RIGHTS UNDER CCPA / CPRA

  • Right to Know (§ 1798.100, 1798.110). Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, our business purposes, and the categories of third parties with whom we share it.
  • Right to Delete (§ 1798.105). Request deletion of personal information we have collected from you, subject to certain exceptions (completing a transaction, detecting fraud, complying with a legal obligation).
  • Right to Correct (§ 1798.106). Request correction of inaccurate personal information we maintain about you.
  • Right to Opt-Out of Sale or Sharing (§ 1798.120). We do not sell your personal information and do not share it for cross-context behavioural advertising. No opt-out is required, but you may submit a request to confirm this at any time.
  • Right to Limit Use of Sensitive Personal Information (§ 1798.121). We collect date of birth only for age verification and use it for no other purpose.
  • Right to Non-Discrimination (§ 1798.125). We will not deny you service, charge different prices, or provide a different quality of service because you exercised any of the rights above.

HOW TO SUBMIT A REQUEST

You may submit a verifiable consumer request by either method: email privacy@findmecomics.com, or use our online request form. We accept two or more requests per consumer in a 12-month period.

RESPONSE TIMELINE

We will verify your identity and respond within 45 days. If we need additional time (up to 45 more days), we will notify you within the initial 45-day period.

AUTHORIZED AGENTS

A California resident may designate an authorized agent to submit a request on their behalf. We will require written proof of authorization and may verify the consumer's identity directly.

GLOBAL PRIVACY CONTROL (GPC)

The California Privacy Rights Act and its implementing regulations (11 C.C.R. § 7025) require businesses to treat a Global Privacy Control (GPC) opt-out browser signal as a valid opt-out of the “sale” or “sharing” of personal information for cross-context behavioral advertising. Because FindMeComics does not sell or share your personal information for any such purpose, the GPC signal has no additional practical effect on our data practices — your data is already never sold or shared regardless of whether GPC is enabled. We recognise the signal and record opt-out requests for audit purposes.

SHINE THE LIGHT (CAL. CIV. CODE § 1798.83)

California's “Shine the Light” law (Cal. Civ. Code § 1798.83) gives California residents the right to request, once per calendar year, a list of the categories of personal information (if any) we have disclosed to third parties for those parties' own direct marketing purposes during the preceding calendar year, together with the names and addresses of those third parties.

FindMeComics does not disclose personal information to any third party for that third party's direct marketing purposes. Accordingly, there is no list to provide. We do not sell your data and we do not share your contact information with advertisers.

If you are a California resident and wish to submit a formal Shine the Light request — for example, to receive written confirmation of our non-disclosure practice — you may contact us at: privacy@findmecomics.com with the subject line “California Shine the Light Request”. We will respond within 30 days of receipt (with one permitted 30-day extension if we notify you within the initial period).

OTHER U.S. STATE PRIVACY LAWS

Residents of other states may have equivalent or similar privacy rights under their state's law, including: Colorado (CPA), Virginia (CDPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Montana (MCDPA), Oregon (OCPA), Iowa (ICDPA), Indiana, Tennessee, and others. We process access, correction, deletion, and portability requests from all U.S. residents regardless of state. Submit a request via our online form or email privacy@findmecomics.com.

CONTACT

privacy@findmecomics.com · FindMeComics, Attn: Privacy Request