The Waffles ("Waffles," "we," "us," or "our") operates thewaffles.co, a peer-to-peer community raffle marketplace. This Privacy Policy explains what personal information we collect, how we use it, and your rights regarding that information.
By creating an account or using Waffles, you agree to the practices described in this policy. If you do not agree, do not use the platform.
Account information: When you register, we collect your email address, username, and password (stored as a secure hash). You may optionally add a display name, profile photo, and short bio.
Contact and shipping information: We collect your phone number (if you opt in to SMS notifications) and shipping address (used to receive items you win).
Payout information: If you choose to receive payouts via Venmo or PayPal, we collect your Venmo handle or PayPal email address. This information is optional and stored only to facilitate payments to you.
Identity verification: If you request ID verification, we collect a photo of a government-issued ID. This document is stored in a private, access-controlled storage bucket and is only accessible to authorized platform staff for the purpose of verifying your identity.
Payment information: We do not collect, store, or process payment card numbers, CVV codes, or bank account details. All payment processing is handled directly by Stripe, Inc. We receive only non-sensitive metadata such as payment confirmation status and a tokenized reference.
Listing and transaction data: We collect information about Waffles you create or participate in, including item descriptions, photos, seat selections, draw outcomes, and shipping tracking numbers.
Communications: We store messages sent through the platform's messaging system between users and between users and platform staff.
Technical data: We collect your IP address at account creation and periodically to assist with fraud detection and account security. We also collect standard web server logs including browser type, pages visited, and timestamps.
To operate the platform: process seat purchases, run draws, facilitate shipping, and release funds to Chefs upon delivery confirmation.
To communicate with you: send transactional emails (draw results, shipping updates, payout confirmations) via SendGrid. If you opt in, we send SMS notifications for key events.
To verify identity: review government ID documents to confirm eligibility for restricted listing categories.
To prevent fraud: analyze IP addresses, account activity, and behavioral signals to detect ban evasion, fraudulent listings, and payment abuse.
To improve the platform: understand how features are used and identify areas for improvement. We do not sell this data.
To comply with legal obligations: respond to lawful requests from law enforcement or regulatory authorities where required.
Seat purchases are processed by Stripe, Inc. When you enter payment card information at checkout, that data is transmitted directly to Stripe and never passes through our servers. Stripe is PCI DSS Level 1 certified.
We use Stripe's Extended Authorization feature to place a hold on your card at seat selection. Your card is only charged if and when a Waffle reaches 100% of its seats. If a Waffle does not fill, holds are released automatically with no charge.
Stripe's privacy policy is available at stripe.com/privacy.
Chef payouts are processed by PayPal, Inc. When a payout is sent, we transmit your Venmo handle or PayPal email address to PayPal along with the payout amount. We do not store PayPal account credentials or financial account numbers.
PayPal's privacy policy is available at paypal.com/privacy.
Transactional emails (draw results, payout confirmations, shipping notifications, account alerts) are delivered via SendGrid, a Twilio service. SendGrid receives your email address and the content of each notification for the purpose of delivery.
SendGrid's privacy policy is available at twilio.com/en-us/legal/privacy.
You may not opt out of transactional emails related to active listings or account security. You may opt out of promotional communications at any time via the unsubscribe link in any such email.
Our database and file storage are hosted on Supabase, which runs on Amazon Web Services infrastructure in the United States. Our web application is hosted on Vercel, Inc. Both providers maintain their own security and privacy programs.
Supabase's privacy policy is available at supabase.com/privacy. Vercel's privacy policy is available at vercel.com/legal/privacy-policy.
We do not sell, rent, or trade your personal information to third parties for marketing purposes.
We share information only as necessary to operate the platform: with Stripe to process payments, with PayPal to send payouts, with SendGrid to deliver emails, and with Supabase and Vercel to host the service.
We may disclose information if required by law, court order, or government request, or if we believe disclosure is necessary to protect the rights, property, or safety of Waffles, our users, or the public.
If Waffles is acquired or merges with another entity, your information may be transferred as part of that transaction. We will notify you before your information becomes subject to a different privacy policy.
We retain your account information for as long as your account is active. If you close your account, we delete your personal profile data within 30 days, subject to legal hold obligations.
Transaction records (completed Waffles, seat purchases, draw outcomes) are retained for up to 7 years to comply with financial recordkeeping requirements.
Government ID documents submitted for identity verification are deleted within 90 days of verification being granted or denied.
IP address logs are retained for up to 12 months.
Access: You may request a copy of the personal information we hold about you.
Correction: You may update most of your account information directly in your account settings. For information you cannot edit yourself, contact us.
Deletion: You may request deletion of your account and associated personal data. Requests are subject to our retention obligations noted above.
Portability: You may request an export of your account data in a machine-readable format.
To exercise any of these rights, email us at info@thewaffles.co. We will respond within 30 days.
Waffles is intended for users 18 years of age and older. We do not knowingly collect personal information from anyone under 18. If we become aware that a minor has created an account, we will terminate the account and delete associated data promptly.
We use session cookies and local storage to maintain your login session and preferences. These are strictly necessary for the platform to function and are not used for advertising.
We do not currently use third-party advertising trackers or cross-site tracking pixels.
We implement industry-standard security measures including encrypted connections (TLS), hashed passwords, row-level security on our database, and access controls limiting which staff can view sensitive data such as ID documents.
No system is perfectly secure. If you believe your account has been compromised, contact us immediately at info@thewaffles.co.
We may update this Privacy Policy from time to time. When we do, we will revise the version date at the top of the page and, for material changes, notify users by email or by a notice on the platform.
Continued use of Waffles after changes are posted constitutes acceptance of the updated policy.
For privacy-related questions, requests, or concerns, contact us at:
The Waffles · info@thewaffles.co · thewaffles.co
Questions? Email us at info@thewaffles.co
