Plain English. No legal waffle. Here's exactly what we collect, how we protect it, and who can see it.
We collect only what we need to run the site. Your data is yours. We don't sell it, we don't share it with advertisers, and we don't hand it to third parties unless we've told you about them explicitly below.
Everything sensitive — passwords, private messages, security tokens — is stored using proper cryptography, not wishful thinking. We're a volunteer-run community site hosted entirely in New Zealand, on New Zealand infrastructure, on a New Zealand ISP. Your data doesn't leave the country.
If you have a question about your data that isn't answered here, contact us. We'll do our best to give you a straight answer.
The technical bits, in plain English.
Your password is hashed using bcrypt with a cost factor of 12 before it's stored. The original password is never written anywhere — not to the database, not to logs, not anywhere. Even the site administrators cannot see or recover your password.
Every message you send is encrypted at rest using AES-256-GCM, with a unique key derived per conversation using HMAC-SHA-256. Messages are not readable by staff in the normal course of moderation — decryption only occurs if a formal report is filed and admin review is triggered.
Login sessions use HttpOnly, Secure, SameSite=Lax cookies, which means they can't be read by JavaScript, are only sent over HTTPS, and aren't attached to cross-site requests other than top-level navigation such as following a link to the site. Sessions expire after 2 hours of inactivity and are wiped entirely when you close your browser (unless you tick "Remember me").
Password reset links, email verification links, and "remember me" tokens are never stored in the database as-is. Only a SHA-256 hash is stored. The raw token exists only inside the link or cookie you received. Reset links expire in 1 hour; verification links in 24 hours; remember-me tokens in 90 days.
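The hash-only token storage described above, as an added Python example that is not the site's own code. The `TokenStore` class, the in-memory dict standing in for the database, and the single-use handling of reset and verification tokens are assumptions; the lifetimes are the ones stated in this policy.

```python
import hashlib
import secrets

# Lifetimes stated in the policy, in seconds.
TTL = {"reset": 3600, "verify": 24 * 3600, "remember": 90 * 24 * 3600}


def digest_of(raw_token):
    # A fast hash is enough here (unlike for passwords): the token is 256 bits
    # of CSPRNG output, so it cannot be guessed back from its digest.
    return hashlib.sha256(raw_token.encode("utf-8")).hexdigest()


class TokenStore:
    """Hypothetical stand-in for the tokens table; it only ever holds digests."""

    def __init__(self):
        self.rows = {}  # digest -> (user_id, purpose, expires_at)

    def issue(self, user_id, purpose, now):
        raw = secrets.token_urlsafe(32)  # goes into the link or cookie only
        self.rows[digest_of(raw)] = (user_id, purpose, now + TTL[purpose])
        return raw

    def redeem(self, presented, purpose, now):
        """Return the user id for a valid token, otherwise None."""
        key = digest_of(presented)
        row = self.rows.get(key)
        if row is None or row[1] != purpose:
            return None
        if now >= row[2]:
            del self.rows[key]  # expired rows are purged on sight
            return None
        if purpose != "remember":
            del self.rows[key]  # assumption: reset/verify links are single-use
        return row[0]


def demo(now=1_700_000_000):  # constructed timestamp
    store = TokenStore()
    raw = store.issue(42, "reset", now)
    leaked = next(iter(store.rows))  # what a database dump would expose
    return {
        "raw_in_db": raw in store.rows,
        "leaked_digest_works": store.redeem(leaked, "reset", now + 60),
        "wrong_purpose": store.redeem(raw, "remember", now + 60),
        "valid": store.redeem(raw, "reset", now + 60),
        "replayed": store.redeem(raw, "reset", now + 120),
    }
```

A digest copied out of the table is useless as a token because redeeming it hashes it a second time, which is the property that makes hash-only storage worthwhile.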
If you enable 2FA, your TOTP secret is saved to the database. The six-digit codes you generate are never stored — they expire after 30 seconds and are verified on-the-fly. 2FA is powered by RobThree's TwoFactorAuth library, which runs entirely on our server with no external calls.
The site runs on a New Zealand server, on a New Zealand ISP. Your data is stored in New Zealand and is subject to New Zealand law (including the Privacy Act 2020). We have no offshore data centres or cloud storage for your personal data.
Here's a plain list of the data we hold about you when you have an account:
We don't collect payment information — ever. All transactions happen directly between buyers and sellers. We never see, handle, or record any financial details.
Here's exactly what moderators and administrators can access, and what they can't.
Moderators can see:
Administrators can additionally see:
Nobody can see:
Staff access is logged. Abuse of admin access is a serious matter and would be treated accordingly.
We use a small number of third-party tools. Here's exactly what each one does and what, if anything, it sees about you.
We use Google Analytics to understand how people use the site — page views, popular sections, that kind of thing. Google anonymises IP addresses. We don't share any personally identifying information with Google, and Analytics data is used only to improve the site, not to profile users. Google's privacy policy →
Cloudflare sits in front of the site to provide DDoS protection and faster delivery. This means Cloudflare sees your IP address and HTTP request headers as part of normal traffic handling. We don't pass any account or personal data to Cloudflare. Cloudflare's privacy policy →
Our HTTPS certificate is issued by Let's Encrypt, a free, automated certificate authority. During certificate issuance and renewal, Let's Encrypt validates that we control the domain — no user data is involved or shared. Let's Encrypt's privacy policy →
System emails (verification links, password resets, message notifications) are sent using PHPMailer via our own on-server mail system. Email is routed through our own infrastructure — we don't use a third-party email service provider. Your email address is used only to deliver transactional messages from us to you.
Two-factor authentication is powered by RobThree's open-source TwoFactorAuth PHP library. It runs entirely on our server — no data is sent to any external service. TOTP codes are generated and verified locally.
The site's CSS and JavaScript framework (Bootstrap 5) is loaded from the jsDelivr CDN. This means jsDelivr's servers handle those requests and will see your IP address and browser details as part of normal CDN operation. jsDelivr's privacy policy →
The fonts used on this site (Bebas Neue and Barlow) are loaded from Google Fonts. When your browser fetches them, Google's servers see your IP address. We don't pass any account or personal data to Google via this route — it's a standard font load. Google's privacy policy →
That's the complete list. We don't use advertising networks, social login providers, tracking pixels, or marketing automation tools. We don't sell, rent, or broker your data to anyone.
Under the New Zealand Privacy Act 2020, you have the right to access the personal information we hold about you, to request corrections, and to delete your account and associated data.
Account deletion is self-service — you can delete your account at any time from Account Settings. Deletion is immediate and permanent. The following data is removed at that point:
Standard server access logs (IIS) are not tied to your account and are not deleted individually — they rotate automatically over time.
Privacy requests — to request a copy of your data, ask for a correction, or raise any other privacy concern, email us at [email protected]. Because we're volunteer-run there's no guaranteed turnaround time, but we take these requests seriously.
If you believe we've breached your privacy, you can also complain to the Office of the Privacy Commissioner.
These policies are subject to change. We'll update the date below whenever we make a meaningful change. Continued use of the site after a policy update means you accept the revised terms.
Last reviewed: April 2026
Now you know exactly what we store, how we protect it, and who can see it. Go find something good.