Privacy Policy

Last updated: May 31, 2026

Buy Off-Season is committed to protecting your privacy. This policy explains what information we collect, how we use it, who we share it with, and the choices you have. We've tried to write this in plain English. If anything is unclear, please email us at privacy@buyoffseason.com.

1. Information we collect

1.1 Information you provide directly

You can browse Buy Off-Season without an account. If you choose to sign in (currently via Google), the only personal information we receive directly from you is what you choose to share, including:

  • Your Google profile basics — name, email address, profile picture — passed to us by Google when you click "Sign in with Google"
  • Anything you save while signed in (e.g., favorited products, last-read issues)
  • Information you send us when contacting us by email

1.2 Information collected automatically

When you visit the site, our hosting provider may collect standard log data: your IP address (often anonymized), the browser and device you're using, the pages you view, the time of your visit, and the page that referred you. This is normal web traffic data used for security monitoring and basic site analytics.

1.3 Information stored on your device

If you sign in, we store your account profile basics (name, email, profile-picture URL) in your browser's localStorage so the site recognizes you on return visits. That data lives on your device only — clearing your browser's site data signs you out.

1.4 Floor Pass subscription data

Status — Floor Pass is currently paused. As of 2026-06-21, no subscriptions are being accepted and no payment data is being collected. The fields below describe what would be collected if and when the program resumes.

If you subscribe to Floor Pass, additional data is collected and stored to operate the subscription:

  • Authentication record: your email and a hashed password (or OAuth identifier), stored in our authentication database (Supabase) — never in plaintext.
  • Subscription status: active / trial / canceled flag, plan, billing cycle dates.
  • Watchlist: the products you've hearted, plus per-item alert preferences.
  • Email-alert log: dates and types of alerts we've sent you (so we don't double-send).
  • Payment record: we do not store your full credit-card number. Stripe handles all card data; we store only Stripe's customer ID and the last four digits of the card on file for your reference.

2. Cookies and tracking

We do not use third-party tracking cookies, advertising cookies, or cross-site tracking pixels. We do not run Google Analytics, Facebook Pixel, or behavioral ad networks on this site.

We use only first-party browser storage (localStorage and sessionStorage) for the functional purposes described above. You can disable or clear this storage in your browser settings at any time, though some site features (like your saved cart) will no longer persist.

3. How we use your information

We use the information we collect to:

  • Recognize you on return visits if you've signed in
  • Display your name and avatar in the navigation bar
  • Save your preferences (favorited products, last-read issues) on your device
  • Respond to questions you send by email
  • Improve the editorial picks (e.g., refine which categories we cover)
  • Detect and prevent fraud, abuse, or security incidents

We do not sell your data. We do not share it with advertisers. We do not build behavioral profiles for marketing.

4. Third-party services we rely on

4.1 Amazon links

When you click an outbound product link, you leave Buy Off-Season and arrive on Amazon's own website. We participate in the Amazon Associates program, which means we may earn a small commission from Amazon on qualifying purchases at no extra cost to you. We have no control over what Amazon collects once you arrive there. Amazon's own privacy policy governs your interaction with them.

Before navigation, we fire an anonymous "outbound click" event to our analytics provider (Plausible, see Section 4.8) containing only: the destination product's Amazon ASIN, a coarse device bucket ("mobile" or "desktop"), and a coarse page bucket ("product-page", "shop-page", "home-page", or "other"). No personal data, no IP address, no user identifier. We use this aggregate count to measure which products drive engagement and whether mobile clicks are reaching Amazon at all (since affiliate attribution sometimes drops on mobile-app handoff). You can opt out of all Plausible events from the Settings page.

4.2 Authentication (Supabase + Google)

Sign-in is handled by Supabase Auth (powered by Supabase Inc., a US data-processor) with optional Google identity. If you sign in with email/password, Supabase stores your email and a hashed password. If you sign in with Google, Google returns a signed credential containing your name, email, and profile-picture URL — which we pass to Supabase to create your account record. We never see or store your Google password. Supabase's data is hosted in the US and protected by Row-Level Security so users can only read their own records.

4.3 Payments (Stripe)

Floor Pass payments are processed by Stripe. When you subscribe, you enter your card information directly into Stripe's hosted checkout — that data never touches our servers. We receive only a Stripe customer ID, the last four digits of your card, your subscription status, and billing history. Refunds, payment method updates, and cancellations are all handled through Stripe's Customer Portal, accessible from your account page. Stripe's own privacy policy governs how it handles your card data.

4.4 Email alerts (Resend)

If you're a Floor Pass subscriber, we send transactional alert emails (price-drop alerts, seasonal pre-alerts, weekly digests) via Resend. Resend stores your email address and the message contents only as long as needed to deliver and log the message. We do not use Resend for marketing emails, only the alerts you signed up for. Every alert email includes a one-click unsubscribe link.

4.5 Charity donations (Every.org)

10% of every Floor Pass subscription is donated to a rotating quarterly charity via Every.org, a non-profit donation infrastructure. We share with Every.org only the dollar amount and our designated charity ID — never your personal information. Every.org handles all tax-receipt issuance to our business. Your donation appears anonymously in our public quarterly totals on our giving page.

4.6 Price-data sources (Keepa, RapidAPI)

Our product price history and floor calculations are sourced from Keepa and Real-Time Amazon Data (via RapidAPI), independent price-tracking services. These providers receive product identifiers (Amazon ASINs) — never any of your personal information. They are not aware of which user requested which product.

4.7 Hosting and infrastructure

Our site is hosted on Netlify. Hosting providers may process IP addresses and request metadata for security and reliability. They do not have access to the content of your interactions with the site beyond standard server logs.

5. Data retention

We retain personal information only as long as necessary for the purposes outlined in this policy:

  • Account information: retained while your account is active. Deleting your account (from your settings page) permanently removes all profile data, watchlist entries, and alert history within 30 days.
  • Subscription records: if you've ever subscribed to Floor Pass, billing records (Stripe customer ID, invoice history) are retained for 7 years to comply with US tax law, even after you cancel and delete your account. These records contain no card numbers — only transaction amounts and dates.
  • Email-alert logs: retained for 90 days, then purged automatically.
  • Server logs: typically retained for 90 days for security and operational purposes.

6. Your rights

Depending on where you live, you may have the right to:

  • Request a copy of any personal data we hold about you
  • Ask us to correct inaccurate data
  • Ask us to delete your data ("right to be forgotten")
  • Object to or restrict certain processing of your data
  • Receive your data in a portable format
  • Withdraw consent at any time, where consent is the basis for processing

To exercise any of these rights, email us at privacy@buyoffseason.com. We respond to verified requests within 30 days, and there is no charge for reasonable requests.

7. California residents (CCPA / CPRA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including:

  • The right to know what categories of personal information we collect, the sources, and the purposes
  • The right to delete your personal information
  • The right to correct inaccurate personal information
  • The right to opt out of the sale or sharing of personal information (we do not sell or share)
  • The right to non-discrimination for exercising your privacy rights

To exercise these rights, contact us at the email above.

8. European users (GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR). Our legal basis for processing your data is:

  • Legitimate interest: running the editorial site, securing the site, and basic analytics
  • Consent: any optional features that ask for your information (e.g., signing in with Google)
  • Contractual necessity: processing required to deliver a service you've signed up for

You can withdraw consent at any time. You also have the right to lodge a complaint with your local data protection authority.

9. Children's privacy

Buy Off-Season is not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us information, please contact us and we will delete it promptly.

10. Security

We use industry-standard measures to protect your information, including HTTPS encryption for all site traffic. However, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security, but we work hard to protect your data using commercially reasonable means.

11. International data transfers

We are based in the United States. If you access our site from outside the US, your information may be transferred to, stored in, and processed in the US. By using the site, you consent to this transfer.

12. Changes to this policy

We may update this policy from time to time as the site evolves or laws change. The "Last updated" date at the top reflects the most recent version. For material changes, we'll post a notice on the site for at least 30 days before the changes take effect.

13. Contact us

Questions about this policy or about the data we hold on you?

Email: privacy@buyoffseason.com
Mailing address: Buy Off-Season (a sole proprietorship), Philadelphia, PA — full mailing address available on request to privacy@buyoffseason.com


© 2026 BuyOffSeason · all wrong-season
