CapStacks

Privacy Policy

Effective Date: May 2026  ·  Last Updated: June 2026

1. Introduction and Scope

CapStacks ("CapStacks," "we," "us," or "our") operates a peer-to-peer marketplace for buying, selling, and trading baseball and other caps, along with a collection tracking and community platform (collectively, the "Services"). This Privacy Policy explains how we collect, use, disclose, retain, and protect personal information in connection with your use of the CapStacks mobile application and website.

This Policy applies to all users of the Services. By creating an account or using the Services, you agree to the practices described in this Policy.

State-specific rights and disclosures for California, Virginia, Colorado, Connecticut, Texas, Florida, and other states are set out in Section 10 below.

2. Personal Information We Collect

2.1 Account Information

When you create an account, we collect:

2.2 Collection and Wear Tracking Data

If you use CapStacks to log your hat collection, we collect:

By default, the hats in your collection are shown on your public profile, and wear logs are private unless you mark them public. Purchase prices, ownership details, and private notes are never public. You control per-hat and per-wear-log visibility in the app (see Section 2.6 below).

2.3 Marketplace and Transaction Data

When you participate in marketplace transactions, we collect:

2.4 Preferences and Saved Settings

We collect the preferences you configure within the app, including your default hat model, hat size, visor curve preference, Wantlist items, saved addresses, and saved searches. These are used solely to personalize your experience.

2.5 Device and Technical Data

We automatically collect limited technical information when you use the Services:

2.6 Public vs. Private Data

Your public profile is visible to other users of the Platform and to anyone with a link to it, including shared links viewable on the web at capstacks.app. Your public profile includes:

The following remains visible only to you, regardless of whether a hat is shown on your public profile:

Offer photo note: Photos shared in response to a picture request are stored in a publicly accessible bucket. Any user with the direct URL can access those photos. Do not share photos containing personal information in picture requests.

2.7 Information We Do Not Collect or Store

The following sensitive data is collected and held exclusively by our third-party processors — CapStacks never receives, stores, or has access to it:

3. How We Use Personal Information

3.1 Providing and Operating the Services

3.2 Identity Verification Gating

Shipping addresses are withheld from all parties until both sides of a transaction have completed verification and payment through Stripe. We use verification status data (not the underlying identity data, which lives at Stripe) to enforce this gating logic.

3.3 Dispute Resolution

In the event of a Stripe payment dispute or chargeback, we use transaction records, EasyPost tracking data, identity verification status, system message logs, and Terms of Service acceptance records to compile and submit evidence to Stripe's dispute resolution process. All evidence packets are staged for operator review before submission.

3.4 Legal Compliance and Safety

3.5 Communications

3.6 Platform Improvement

We may use aggregated and de-identified usage data to analyze Platform performance, improve features, and develop new functionality. We do not use personal information to build individual profiles for behavioral advertising.

4. Disclosure of Personal Information

4.1 Third-Party Processors

We share personal information with the following service providers, each of whom processes data on our behalf (or as an independent controller for their own compliance obligations) under appropriate agreements:

4.2 Data Shared Between Users

The following data is shared with your transaction counterparty as part of a completed transaction:

No other personal data is shared between users. There is no free-form messaging on the Platform; all communications between parties are pre-approved system-generated messages.

4.3 Legal and Regulatory Disclosures

We may disclose personal information (a) in response to a lawful subpoena, court order, or government request; (b) to protect the rights, property, or safety of CapStacks, our users, or others; (c) to investigate fraud or enforce our Terms of Service; or (d) as required by applicable law.

4.4 Business Transfers

If CapStacks is acquired, merges with another entity, or transfers substantially all of its assets, personal information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Services before your information is transferred and becomes subject to a different privacy policy.

4.5 What We Do Not Do

5. Data Retention and Account Deletion

5.1 Retention Periods

We retain personal information only as long as necessary for the purposes described in this Policy or as required by law:

5.2 Account Deletion

You can permanently delete your account at any time using the in-app deletion option in your account settings. Account deletion:

Account deletion is blocked if you have any open transactions in progress — meaning you have accepted a trade or sale offer but the transaction has not yet been completed (e.g., shipping is pending, funds are in escrow). You must complete or cancel all open transactions before your account can be deleted. This restriction exists to protect your counterparty and ensure all in-progress obligations are resolved.

If you request deletion but have open transactions, we will notify you of the outstanding transactions and how to resolve them. Once all transactions are complete or cancelled, you may proceed with account deletion.

6. Cookies and Similar Technologies

We do not use cookies or similar tracking technologies to operate the Services, maintain authenticated sessions, or understand aggregate usage patterns. We do not use tracking technologies for behavioral advertising or cross-site tracking.

7. Data Security

We implement administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. Key elements of our security architecture include:

No security system is impenetrable. In the event of a data breach affecting your personal information, we will notify you and applicable regulators as required by applicable state breach notification laws (typically within 30–72 hours of discovery, depending on jurisdiction).

8. Children's Privacy and Age Requirements

CapStacks has a split age structure:

We do not knowingly collect personal information from children under 13. If we become aware that a user under 13 has created an account, we will delete the account and all associated personal information promptly. If you believe a child under 13 has created an account, please contact us at privacy@capstacksapp.com.

9. Third-Party Services

The Services interact with third-party services. This Privacy Policy does not govern those services. Key third-party privacy policies:

We encourage you to review the privacy policies of any third-party services you access through or in connection with the Platform.

10. State-Specific Privacy Rights

10.1 California Residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with the following rights, subject to certain exceptions and verification requirements:

To exercise your rights, submit a verifiable consumer request to privacy@capstacksapp.com. We will verify your identity using your registered email address and respond within 45 days (extendable by 45 additional days with notice). You may designate an authorized agent with written proof of authority.

CPRA Sensitive Personal Information: Based on our data architecture, CapStacks does not directly collect categories defined as "sensitive personal information" under CPRA — SSN, financial account numbers, and government-issued ID are held by Stripe. Shipping addresses and self-reported city/region are not classified as sensitive personal information under CPRA.

10.2 Virginia Residents (VCDPA)

Virginia residents have the right to (a) access personal data we process about them; (b) correct inaccuracies; (c) delete personal data; (d) obtain a portable copy of personal data; and (e) opt out of the processing of personal data for targeted advertising, sale, or profiling. CapStacks does not sell personal data or use it for targeted advertising or profiling. To submit a request, contact privacy@capstacksapp.com. Unresolved appeals may be referred to the Virginia Attorney General.

10.3 Colorado Residents (CPA)

Colorado residents have rights substantially similar to those described for Virginia residents above, including access, correction, deletion, portability, and opt-out of sale, targeted advertising, and profiling. To submit a request, contact privacy@capstacksapp.com.

10.4 Connecticut Residents (CTDPA)

Connecticut residents have the right to access, correct, delete, and obtain a copy of personal data, and to opt out of the sale of personal data, targeted advertising, and profiling. To submit a request, contact privacy@capstacksapp.com.

10.5 Texas Residents (TDPSA)

Texas residents have the right to access, correct, delete, and obtain a portable copy of personal data, and to opt out of the sale of personal data, targeted advertising, and profiling. To submit a request, contact privacy@capstacksapp.com.

10.6 Florida Residents (FDBR)

Florida residents have the right to access, correct, delete, and obtain a copy of personal data, and to opt out of the sale of personal data and targeted advertising, for platforms meeting statutory thresholds. To submit a request, contact privacy@capstacksapp.com.

10.7 Nevada Residents

Nevada law (NRS 603A) provides Nevada residents the right to opt out of the sale of covered information to third parties. CapStacks does not sell personal information. Questions: privacy@capstacksapp.com.

10.8 All Other States

Additional state privacy laws are enacted on an ongoing basis. We monitor the regulatory landscape and will update this Policy as new laws take effect. Users in all states may contact us at privacy@capstacksapp.com with privacy-related questions or requests.

11. Your Choices and Controls

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by sending an email to your registered address and/or by posting a prominent notice in the app at least 30 days before the change takes effect. Your continued use of the Services after the effective date constitutes acceptance of the revised Policy. Prior versions are available upon request.

13. Contact Us

Questions, requests to exercise your rights, or privacy complaints:

CapStacks

Privacy: privacy@capstacksapp.com

General: capstacks@capstacksapp.com

We will respond to all privacy-related inquiries within 45 days. California residents who are not satisfied with our response may contact the California Privacy Protection Agency (cppa.ca.gov) or the California Attorney General's office. Residents of other states may contact their respective state attorneys general.

CapStacks  ·  Terms & Conditions