MicroExits
Privacy

What we hold on you, and what we never touch

You are handing a marketplace your identity and your revenue data to close a five-figure deal. This is the honest account of where each piece goes.

Last updated 17 July 2026

Read this first

This is a plain-English description of how the MicroExits platform handles your data, provided as a starting point. It is not legal advice, and it is not a vetted privacy policy. It must be reviewed by a qualified lawyer before the marketplace handles real money or real personal data. We wrote it by reading our own code, not by copying a template — so it should be accurate about what the system does today, but it is not a substitute for counsel.

01

The short version

We collect what a marketplace needs to match buyers with sellers, verify claims, and move money safely — and no more. Two things are worth stating up front, because they are the ones people worry about:

  • Your ID documents never reach our servers. Identity checks run at Stripe Identity. We store a status and a reference to their record — never a passport or licence scan.
  • Your money never sits with us. A licensed escrow provider holds every deal's funds. We are not a money transmitter and we do not hold user funds.
02

What we collect

Grouped by why it exists:

  • Account data. Your email, display name, and — if you use a password — a one-way argon2id hash of it (never the password itself). Optionally a bio and avatar. If you enable two-factor, your TOTP secret, encrypted at rest; recovery codes are stored hashed.
  • Identity (KYC) data. Only a status (none/pending/verified/failed), the provider name, a reference to the provider's record, and the date you verified. The documents you upload go to Stripe Identity and are never sent to us.
  • Listing content. The title, story, financials, tech stack, domain, and asset checklist you enter for a business you list.
  • Verification connections. When you connect a revenue provider (Stripe, Paddle, Lemon Squeezy) or a traffic provider (GA4, Plausible, Cloudflare), the grant is read-only. We store the resulting refresh token or credential encrypted at rest (AES-256-GCM), plus the point-in-time snapshot we pulled — MRR, sessions, the period covered, and the provider's raw response for audit.
  • Message content — including the unmasked original. Before an offer is accepted, we auto-redact contact details (emails, phone numbers, external URLs, handles) from what the other party sees. You should know that we also keep the original, unmasked text of your message so our trust & safety team can review attempts to take a deal off-platform. After an offer is accepted, masking stops.
  • Audit-log data. Money movements, verification decisions, and admin actions are written to an append-only log that records the actor, the action, a timestamp, and your IP address and user-agent string at the time.
  • Anti-fraud fingerprints. For rate limiting we key on a hashed (SHA-256) form of your IP and related identifiers, not the raw value.
  • Billing data. If you subscribe to seller Pro, we store your Stripe customer and subscription IDs and your plan status. Card details are handled by Stripe — we never see or store them.
03

Why we collect it

Each item above earns its place. Account data runs your login and messages. KYC status gates who can move money. Verification snapshots are the whole point of the product — they let a buyer trust a number instead of a screenshot. Message originals, audit logs, and hashed fingerprints exist to detect fraud and to reconstruct what happened if a deal goes wrong. We do not sell your data, and we do not use it to build advertising profiles.

04

Who we share it with

We use a small set of third parties to run the platform. Data flows to them only for the job named:

  • Stripe — identity verification (your ID documents go directly to Stripe) and the seller Pro subscription. Stripe does not hold deal funds.
  • Escrow.com — the licensed provider that holds and disburses every deal's funds. Deal and party details needed to create and settle the escrow transaction go to them.
  • Resend — transactional email (offers, messages, verification and escrow notifications). They receive your email address and the contents of those messages.
  • Your own analytics and payment providers — when you connect them, the read-only grant flows data to us from them, on your instruction. You can revoke the grant at the provider at any time.

We may also disclose data where the law requires it. We do not sell personal data to anyone.

05

Cookies

We keep cookies to the minimum needed to run a logged-in session:

  • A session cookie that keeps you signed in. It is a standard authenticated session and expires after a period of inactivity.
  • A short-lived step-up cookie set only when you re-enter your two-factor code to authorize a money movement. It is encrypted, HTTP-only, and expires within a few minutes — long enough to complete the action, not to leave a standing authorization.
06

How we protect it

  • Passwords are hashed with argon2id, never stored or logged in the clear.
  • Secrets we must read back — your TOTP two-factor seed and connected OAuth tokens — are encrypted at rest with AES-256-GCM, whose authentication tag also makes tampering detectable.
  • Two-factor (TOTP) is available on every account and required before you can fund escrow or take a payout.
  • IPs used for fingerprinting are hashed, not kept raw.
  • Payment and escrow webhooks are signature-verified, and authorization is checked on every object from the database, not trusted from the session token.
07

Retention, and the audit log

We keep account and listing data for as long as your account is active and as needed to run deals and meet our obligations. One part of the system is deliberately different, and you should understand it:

The audit log is append-only and immutable by design. It records money movements, verification decisions, and admin actions, and the database itself rejects any attempt to update or delete a row — not just our application code, the database engine. This is a feature: it means the record of a deal cannot be quietly rewritten. It also means we cannot selectively delete entries from it.

So when you ask us to erase your data, we can remove or anonymize your account and profile, but audit entries tied to real money movements and trust decisions have to remain as an immutable record — for fraud investigation, dispute resolution, and legal obligations. We will tell you plainly what we can and cannot remove rather than promise a clean wipe we can't deliver.

08

Your rights

Depending on where you live, you can ask us to access, correct, export, or delete your personal data, and object to certain processing. To exercise any of these, contact us and we will respond within the timeframe the applicable law requires. Two honest caveats:

  • Deletion is subject to the audit-log limits in section 07 — immutable trust and money records stay.
  • You can cut off future data from a connected provider yourself at any time by revoking our read-only grant in that provider's settings.
09

Changes and contact

If we change what we collect or how we handle it, we will update this page and move the “last updated” date. For any privacy question, or to make a request under section 08, contact support through your account.