Legal

Privacy Policy & Terms

Last updated: 1 June 2026. Effective immediately.

1. Scope and Definitions

This Privacy Policy (the "Policy") governs the manner in which PurchasingCorp ("PurchasingCorp," "we," "us," or "our") Processes Personal Data of natural persons ("you," "your," or the "Data Subject") who interact with our website located at purchasingcorp.com and any subdomains, applications, or services made available thereon (collectively, the "Services").

For purposes of this Policy: "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of Regulation (EU) 2016/679 ("GDPR") and equivalent provisions of applicable jurisdictions including, without limitation, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 ("CCPA/CPRA"); "Processing" shall be construed in accordance with Article 4(2) GDPR; and "Controller" means the natural or legal person determining the purposes and means of Processing.

By accessing or otherwise using the Services, you acknowledge that you have read, understood, and agree to be bound by this Policy, and you authorise and consent to the collection, use, retention, disclosure, and other Processing of your Personal Data for the purposes described herein and for any other lawful business or commercial purpose we may determine. The enumerations of data categories, purposes, and recipients set forth in this Policy are illustrative and non-exhaustive; words such as "including," "such as," and "for example" shall be construed without limitation. If you do not consent to the Processing activities described herein, you must immediately discontinue use of the Services.

2. Data Controller

The Controller of Personal Data Processed in connection with the Services is PurchasingCorp, contactable via the methods set forth in Section 14 (Contact). Where this Policy designates third-party service providers (each a "Sub-Processor"), such entities act on behalf of the Controller pursuant to data processing agreements that incorporate, as applicable, the Standard Contractual Clauses adopted by the European Commission.

3. Categories of Personal Data Collected

We collect and Process a broad range of Personal Data in connection with the Services. The categories below are representative and not exhaustive; we may collect any information you provide to us, that is generated through your interaction with the Services, or that we lawfully obtain from third parties:

  1. Identifiers and Contact Information, including names, electronic mail addresses, telephone numbers, postal addresses, instant-messaging usernames (e.g., Discord, Telegram), account identifiers, and any other contact or identity information you provide.
  2. Transaction Inquiry Data, including device make, model, storage capacity, condition, serial numbers and IMEI, preferred handoff method, photographs and other media of devices, payment and disbursement details, and any further information you submit via the quotation form or otherwise.
  3. Communications Content, including the content, metadata, and attachments of messages, chats, emails, and other communications you exchange with us through any channel, and records of your interactions with our personnel.
  4. Marketing and Consent Data, including your communication preferences, the date, time, and scope of any consent granted, and your engagement with our communications (e.g., opens and clicks).
  5. Technical, Usage, and Device Data, including Internet Protocol (IP) addresses, unique and persistent device and browser identifiers, browser type and version, user-agent string, device type, operating system, referring and exit uniform resource locators (URLs), pages and content requested, search and clickstream activity, time-stamps, and session and interaction metrics.
  6. Geolocation Data, including coarse, country- and region-level geolocation, and, where available to us, more precise geolocation derived from network-level or device identifiers.
  7. Commercial and Transaction History, including records of quotations issued, devices tendered, considerations paid, and the history of your dealings with us.
  8. Data from Third-Party Sources, including information we may receive from our service providers, partners, public records, the social or messaging platforms through which you contact us, and fraud-prevention and analytics providers.
  9. Inferences and Profiles, including inferences, scores, and profiles we may derive from the foregoing reflecting your preferences, characteristics, behaviour, and predispositions.
  10. Any Other Information you voluntarily provide to us, or that we may lawfully collect, in connection with the Services.

4. Purposes and Legal Bases of Processing

We Process Personal Data for the purposes and on the legal bases described below, as well as for any other lawful purpose compatible with those described or otherwise disclosed to you at or before the point of collection. The following enumeration is non-exhaustive. Where Processing relies on consent, such consent may be withdrawn at any time without affecting the lawfulness of Processing carried out prior to withdrawal.

Purpose Legal Basis (GDPR Art. 6)
Responding to quotation requests and effectuating transactions.Art. 6(1)(b), performance of, or steps preparatory to, a contract.
Sending promotional and price-update communications.Art. 6(1)(a), explicit consent.
Aggregate analytics and Services improvement.Art. 6(1)(f), legitimate interests, balanced against your rights and freedoms.
Compliance with legal, regulatory, or judicial obligations.Art. 6(1)(c), compliance with a legal obligation.
Detection and prevention of fraud, abuse, and security incidents.Art. 6(1)(f), legitimate interests in safeguarding the Services.
Personalisation of the Services and communications, and development of new products, features, and services.Art. 6(1)(f), legitimate interests; Art. 6(1)(a) where consent is required.
Marketing, advertising, and promotion, including measurement, audience development, and tailored advertising.Art. 6(1)(a), consent; and/or Art. 6(1)(f), legitimate interests.
Disclosure or transfer to affiliates, partners, advertisers, and successors in interest, including in connection with a corporate transaction.Art. 6(1)(f), legitimate interests; Art. 6(1)(b) where applicable.
Any other lawful business or commercial purpose not incompatible with the foregoing.Art. 6(1)(f), legitimate interests, balanced against your rights and freedoms.

5. Cookies and Similar Tracking Technologies

The Services utilize cookies, local storage entries, and analogous technologies (collectively, "Cookies") for the purposes set forth herein. We distinguish between (i) strictly necessary Cookies, the deployment of which does not require consent under Article 5(3) of Directive 2002/58/EC ("ePrivacy Directive"); and (ii) analytics, preference, and advertising Cookies, which may be deployed by us and our partners for analytics, personalisation, and marketing purposes and, where consent is legally required, are conditioned upon your opt-in.

Upon your first visit, a consent interface is presented at the lower portion of the viewport. Selection of "I Agree" constitutes affirmative, unambiguous consent within the meaning of Article 4(11) GDPR. Selection of the dismissal control limits Cookie deployment to those strictly necessary for the operation of the Services. Your election is recorded in browser local storage under the key pc.consent.v1 and persists until cleared by the user.

You may revoke or modify your consent at any time by clearing site data in your browser and revisiting the Services, or by contacting us pursuant to Section 14.

6. Recipients and Third-Party Disclosures

In furtherance of the Processing activities described herein, we engage the following Sub-Processors, each of whom is contractually bound to Process Personal Data solely upon documented instructions of the Controller and to implement appropriate technical and organisational measures:

  1. Vercel Inc., provision of hosting, content delivery, edge compute, and aggregate web analytics services. Vercel Web Analytics is configured in a manner that does not employ cookies or fingerprinting and is designed to comply with the ePrivacy Directive without requiring consent for its operation.
  2. XWiki SAS (CryptPad), provision of an end-to-end encrypted form-collection interface in which quotation submissions are encrypted client-side prior to transmission. Neither PurchasingCorp nor any intermediary possesses the cryptographic keys required to decrypt such submissions in transit or at rest at the CryptPad infrastructure layer.
  3. Supabase, Inc., provision of database hosting for marketing-consent records and electronic mailing list management.
  4. Google LLC (Google Sheets, Google Fonts), provision of pricing data via the Google Sheets export interface and typographical assets via the Google Fonts content delivery network.
  5. Discord Inc. and Telegram FZ-LLC, provision of optional real-time communication channels with our personnel where you elect to engage such channels.
  6. GitHub, Inc., provision of source-code version control. GitHub does not Process Personal Data in connection with end-user interactions with the Services.

Beyond the Sub-Processors listed above, which act upon our documented instructions, we may also disclose, transfer, license, or otherwise make available Personal Data to the following categories of recipients, who may Process it for their own purposes: (a) our affiliates and group entities; (b) business and commercial partners; (c) advertising, marketing, measurement, and analytics partners; (d) professional advisers, insurers, and law-enforcement or regulatory authorities where we deem disclosure necessary or appropriate; and (e) any actual or prospective purchaser, investor, lender, or successor in interest in connection with any merger, acquisition, financing, reorganisation, insolvency, or sale of assets, in each case to the extent permitted by applicable law.

7. International Data Transfers

Personal Data may be transferred to, and Processed in, jurisdictions outside your country of residence, including the United States. Where Personal Data of European Economic Area, United Kingdom, or Swiss Data Subjects is transferred to a third country in respect of which the European Commission, the United Kingdom Information Commissioner's Office, or the Swiss Federal Data Protection and Information Commissioner has not issued an adequacy decision, we rely on appropriate safeguards within the meaning of Articles 44–49 GDPR, including the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and, where applicable, supplementary technical and contractual measures.

8. Retention Periods

We retain Personal Data for as long as necessary to fulfil the purposes described in this Policy, to operate, develop, and improve our business, and to establish, exercise, or defend legal claims, together with any further period required or permitted by applicable law. The periods below are indicative and may be extended where we determine a legitimate business need:

  • Quotation submissions: retained for the duration of our relationship with you and for such further period as we consider necessary for our business, record-keeping, and legal purposes.
  • Marketing list entries: retained until you withdraw consent or we determine the record is no longer useful for our purposes.
  • Analytics, inferences, and derived data: retained indefinitely, including in aggregated or de-identified form.
  • Security and audit logs: retained for as long as necessary for security, fraud-prevention, and compliance purposes.

9. Data Subject Rights

Subject to the limitations and conditions set forth in applicable law, you are entitled to exercise the following rights with respect to your Personal Data:

  1. the right to confirmation of Processing and access to Personal Data (Art. 15 GDPR);
  2. the right to rectification of inaccurate or incomplete data (Art. 16 GDPR);
  3. the right to erasure ("the right to be forgotten") (Art. 17 GDPR);
  4. the right to restriction of Processing (Art. 18 GDPR);
  5. the right to data portability (Art. 20 GDPR);
  6. the right to object to Processing, including for direct-marketing purposes (Art. 21 GDPR);
  7. the right not to be subject to a decision based solely on automated Processing producing legal or similarly significant effects (Art. 22 GDPR); and
  8. the right to lodge a complaint with a supervisory authority (Art. 77 GDPR).

Requests may be submitted by the means specified in Section 14. We shall respond without undue delay and in any event within one (1) month of receipt of the request, save where an extension of up to two (2) further months is justified by the complexity or volume of requests.

10. Security Measures

We implement appropriate technical and organisational measures designed to ensure a level of security commensurate with the risk of Processing, in accordance with Article 32 GDPR. Such measures include, without limitation: encryption of data in transit by means of Transport Layer Security version 1.2 or higher; encryption at rest within the systems of our Sub-Processors; principle-of-least-privilege access controls; multi-factor authentication for administrative access; segregation of production and non-production environments; and periodic review of security configurations. Notwithstanding the foregoing, no method of electronic transmission or storage is impervious to compromise, and we cannot guarantee absolute security.

11. Children's Privacy

The Services are not directed to, and we do not knowingly collect Personal Data from, natural persons under the age of sixteen (16), or such higher age threshold as may be applicable under the laws of your jurisdiction. If you become aware that a minor has provided Personal Data to us, please contact us pursuant to Section 14 and we shall take reasonable steps to delete such information.

12. Additional Disclosures for California Residents

If you are a resident of the State of California, you have the rights set forth in the CCPA/CPRA, including the right to know the categories and specific pieces of Personal Information collected; the right to request deletion; the right to correct inaccurate Personal Information; the right to opt out of the sale or sharing of Personal Information; and the right to limit the use and disclosure of Sensitive Personal Information. Consistent with the disclosures in this Policy, PurchasingCorp may "sell" or "share" Personal Information — including identifiers, commercial information, internet and other electronic network activity, geolocation, and inferences — with our partners and advertising, measurement, and analytics providers, as those terms are defined in Cal. Civ. Code § 1798.140. You may exercise your right to opt out of such sale or sharing, and your other rights, by contacting us pursuant to Section 14; we will not discriminate against you for exercising any right. We do not knowingly sell or share the Personal Information of consumers under sixteen (16) years of age without the requisite opt-in consent.

13. Amendments to this Policy

We reserve the right, in our sole discretion, to amend, modify, or supplement this Policy from time to time. The "Last updated" date set forth at the top of this Policy reflects the most recent revision. Material changes shall be communicated by conspicuous notice on the Services, and, where required by applicable law, by direct notice to affected Data Subjects. Continued use of the Services following the effective date of any revision constitutes your acceptance of such revision.

14. Contact

For any inquiries concerning this Policy, the exercise of your rights, or any other privacy-related matter, you may contact PurchasingCorp via the following channels:

15. Terms of Use

15.1 Acceptance. Your access to or use of the Services is conditioned upon your acceptance of, and continuing compliance with, these Terms of Use ("Terms"). By accessing or using the Services, you represent that you have the capacity to enter into a binding contract under the laws of your jurisdiction and that you agree to be bound by these Terms.

15.2 Eligibility. The Services are available only to natural persons aged eighteen (18) years or older, or such higher age of majority as may be applicable in your jurisdiction. By using the Services, you represent and warrant that you satisfy this eligibility requirement.

15.3 Quotation Process; No Binding Offer. Quotations issued through the Services constitute non-binding indications of value, subject in all instances to physical inspection of the relevant device(s) upon receipt at our designated facility. PurchasingCorp reserves the right to revise any quotation, in its sole discretion, upon verification of the actual condition, authenticity, configuration, or operational status of the device(s) tendered. No binding agreement of purchase shall arise unless and until both parties have manifested unambiguous assent to final, post-inspection terms.

15.4 Title and Risk of Loss. Title to, and risk of loss in respect of, devices tendered to PurchasingCorp shall pass to PurchasingCorp only upon (i) successful completion of inspection; (ii) acceptance by PurchasingCorp; and (iii) disbursement of the agreed consideration. Prior to such transfer, the tendering party retains all right, title, and interest in such devices, including the burden of risk of loss during transit, save where carriage is arranged at our cost pursuant to a prepaid shipping label provided by us.

15.5 Representations and Warranties of Seller. You represent and warrant that (a) you are the lawful owner of, or have the unconditional right to transfer, the devices tendered; (b) the devices are not subject to any lien, encumbrance, financing arrangement, mobile carrier balance, activation lock, or third-party claim; (c) the devices are not the subject of any report of theft, loss, or fraud, nor are they otherwise unlawfully obtained; and (d) you have removed all personal data and disabled all anti-theft and account-locking features prior to tender.

15.6 Indemnification. You shall indemnify, defend, and hold harmless PurchasingCorp, its affiliates, officers, directors, employees, and agents from and against any and all claims, demands, actions, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of or in connection with (i) your breach of these Terms or the representations and warranties set forth herein; (ii) any device tendered to PurchasingCorp that is found to have been stolen, lost, or otherwise unlawfully obtained; or (iii) any violation by you of applicable law or third-party rights.

15.7 Disclaimer. EXCEPT AS EXPRESSLY SET FORTH HEREIN, THE SERVICES ARE PROVIDED "AS IS" AND "AS AVAILABLE," WITHOUT WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT. PURCHASINGCORP DOES NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED, ERROR-FREE, OR FREE FROM HARMFUL COMPONENTS.

15.8 Limitation of Liability. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL PURCHASINGCORP, ITS AFFILIATES, OR ITS LICENSORS BE LIABLE FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, EXEMPLARY, OR PUNITIVE DAMAGES, OR FOR ANY LOSS OF PROFITS, REVENUES, DATA, OR GOODWILL, ARISING OUT OF OR IN CONNECTION WITH THE SERVICES OR THESE TERMS, REGARDLESS OF THE THEORY OF LIABILITY AND EVEN IF PURCHASINGCORP HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT SHALL PURCHASINGCORP'S AGGREGATE LIABILITY EXCEED THE GREATER OF (I) THE AMOUNT PAID BY PURCHASINGCORP TO YOU IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM, OR (II) ONE HUNDRED UNITED STATES DOLLARS (US$100).

15.9 Governing Law and Forum. These Terms shall be governed by, and construed in accordance with, the laws of the State of Delaware, without regard to its conflict-of-laws principles. Any dispute, controversy, or claim arising out of or relating to these Terms or the Services shall be resolved exclusively in the state or federal courts located in the County of New Castle, State of Delaware, and the parties irrevocably consent to the personal jurisdiction and venue of such courts.

15.10 Severability; Entire Agreement. If any provision of these Terms is found to be unenforceable or invalid, such provision shall be limited or eliminated to the minimum extent necessary so that these Terms shall otherwise remain in full force and effect. These Terms, together with the Privacy Policy and any documents expressly incorporated by reference, constitute the entire agreement between you and PurchasingCorp with respect to the subject matter hereof and supersede all prior or contemporaneous communications and proposals.

This document is provided as a general framework reflecting current operational practices and should be reviewed by qualified counsel of competent jurisdiction prior to reliance for any specific compliance purpose.