Grailed Privacy Notice

Last Updated: July 15, 2024

This Privacy Notice describes how Grailed, LLC ("Grailed", "we", "our" or "us") collects, uses and discloses information about you when you use our website at www.grailed.com (the "Site"), mobile app, and other online products and services that link to this Privacy Notice, contact our customer service team, engage with us on social media, or otherwise interact with us (collectively with the Site, the "Services").

WHAT INFORMATION DO WE COLLECT FROM YOU?

We collect personal information about you in connection with your use of our Services. This collection includes information that you may provide in connection with the Services, information from third parties, and information that is collected automatically such as through the use of cookies and other technologies. The information we gather enables us to provide, personalize, improve and continue to operate the Services. We collect the following types of information from our users:

Information You Provide to Us

We collect personal information from you. The categories of information we collect can include:

  • Account and Profile Information, including first and last name, email address, phone number, username and password, profile information, preferences, clothing size, and any other information you provide to us. We use this information to administer your account, provide you with the relevant service and information, communicate with you regarding your account and your use of the Services, for fraud prevention, customer support purposes, and to comply with applicable laws and regulations. Please note that passwords are automatically hashed and Grailed does not have access to them.
  • Transaction Information. If you complete a purchase through our Services, we collect information provided in connection with the transaction. This may include your name, email address, and shipping address, in addition to product details and purchase price. Please note that we use third-party payment processors, including Stripe, PayPal, and Apple Payments to process credit card payments. As such, we do not retain any personally identifiable financial information in connection with credit card payments, such as credit card numbers. Rather, all such information is provided directly by you to our third-party payment processors. The payment processor's use of your personal information is governed by their privacy notice. To view Stripe's privacy policy, please click here. To view PayPal's privacy policy, please click here. To view Apple Payment's privacy policy, please click here.
  • Inquiry and Communications Information, including information provided in custom messages sent through the forms, in chat messages, to one of our email addresses, or via phone. This also includes contact information provided on our Services. We use this information to investigate and respond to your inquiries, to communicate with you, to enhance the services we offer to our users and to manage and grow our organization.
  • Newsletter and Promotional Emails, including email address and communication preferences. We use this information to manage our communications with you and send you information about products and services we think may be of interest to you.
  • Information Collected Through the Use of the Services, including any files, images, data, or information you choose to upload or transmit through your communications with us or your use of the Site and any information you generate when you interact with other users' or brands' pages or activity (for example, "favoriting" or saving listings or following users and brands) (collectively, "User Content"). User Content and any information contained in the User Content, including personal information you may have included, is stored and collected as part of the Services. We use the User Content to provide you with the Services.
  • Contests, Sweepstakes, and Promotions. If you participate in any contests or other promotional events, we may collect your contact information (such as your name, email, phone number, and postal code) and any other information requested on the form, at sign up, or as part of your entry, including photos/videos (each, as applicable). On occasion, we may also collect your shipping information, such as if you are a winner or purchase our products or services (where available). If you are part of our event or a promotion partner, we may also collect your personal information including your name, company email and company address.
  • Feedback Information. We may also collect feedback and ratings you provide relating to our services or products. We use this information to communicate with you, to conduct market research, inform our marketing and advertising activities and improve and grow our business.
  • Identity and Compliance Information, including name, birthdate, address, phone number, email address, bank account information, government ID number and copies of government ID or tax documents, along with a selfie image. We may use data collection and verification services provided by a third-party provider, Persona, to collect and verify such information in order to comply with legal obligations and protect against fraud and abuse. Persona may use a combination of machine-learning tools and optical scans to authenticate your identity document, and may use facial recognition technology to produce a unique biometric identifier based on facial geometry that can be used to compare your selfie to the image on the identity document you provided to determine the likelihood that the images are a "match." We do not receive the biometric identifier generated from the images. It is generated and held by Persona until we inform them that the biometric identifier is no longer needed for the purposes described in this paragraph and must be destroyed. For identity verification and security purposes, we will have access to the selfie image and will receive the information extracted from the scan of the government ID document as well as the results of the identity verification process. We may use this process and associated information to verify your identity, authenticate your identity documents, comply with legal obligations and protect against fraud and misrepresentation. We do not use, disclose or retain your biometric information for any other commercial purpose. Our third-party provider, Persona, processes this information on our behalf strictly in accordance with our contractual agreements. For more information on Persona's data processing practices, please see Persona's Privacy Policy (available here).

Personal Information Automatically Collected

As is true of many digital properties, we and our third-party partners may automatically collect certain information from or in connection with your device when visiting or interacting with our Services, as listed in further detail below:

  • Log Data, including IP address, operating system, device type and version, browser type and version, browser ID, the URL entered and the referring page/campaign, date/time of visit, other user agent string data, the time spent on our Services, and any errors that may occur during the visit to our Services. Log data may overlap with the other categories of data below.
  • Analytics data, including the electronic path you take to our Services, through our Services and when exiting our Services, UTM source, as well as your usage and activity on our Services, such as the time zone, activity information (e.g., first and last active date and time), usage history (e.g., flows created, campaigns scheduled, emails opened, total log-ins) as well as the pages, links, objects, products and benefits you view, click or otherwise interact with. We may also analyze the interaction between you and other users using our Services.
  • Location data, such as general geographic location that we or our third-party providers may derive from your IP address or your shipping address, if you provide it to us.

We and our third-party providers may use (i) cookies or small data files that are stored on an individual's computer and (ii) other, related technologies, such as web beacons, pixels, embedded scripts, location-identifying technologies and logging technologies (collectively, "cookies") to automatically collect this personal information. We may also use this information to distinguish you from other users of our Services. This helps us monitor and analyze how you use and interact with our Services. It also helps us and our partners to determine products and services that may be of interest to you.

For more information about these practices and your choices regarding cookies, please see our Cookie Policy.

Personal Information from Third Parties

We also obtain personal information from third parties which we often combine with personal information we collect either automatically or directly from you.

We may receive the same categories of personal information as described above from the following third parties:

  • Affiliates: We may receive personal information from other companies and brands under common ownership as Grailed, as well as our ultimate holding company.
  • Other Users or Individuals who Interact with our Services: We may receive personal information from other users or other individuals who interact with our Services. For example, if you communicate with us on a third-party platform, we will be able to see any public communications made within that platform.
  • Social Media: When an individual interacts with our Services through various social media platforms, such as when someone "Likes" us on Facebook or follows us or shares our content on Google, Facebook, Twitter, or other social media platforms, we may receive some information about individuals that they permit such social media platform to share with third parties. The data we receive is dependent upon an individual's privacy settings with the applicable social media platform, and may include your profile information, profile picture, gender, username, user ID associated with your social media account, age range, language, country, and any other information you permit such social media platform to share with third parties. Individuals should always review and, if necessary, adjust their privacy settings on third-party websites and social media platforms and services before sharing information and/or linking or connecting them to other services. We use this information to operate, maintain, and provide to you the features and functionality of the Services, as well as to communicate directly with you, such as to send you email messages about products and services that may be of interest to you.
  • Service Providers: Our service providers that perform services solely on our behalf, such as survey and marketing providers, data collectors in connection with our legal compliance obligations, and payment processors, collect personal information and certain service providers share some or all of this information with us. The information may include contact information, bank account information, tax identification information, information collected about your business, demographic information, information about your communications and related activities, and information about your orders. We may use this information to administer and facilitate our Services, your orders, and our marketing activities.
  • Business Partners: We may receive your personal information from our business partners, such as companies that offer their products and/or services on our Services. We may use this information to administer and facilitate our Services, your orders, and our marketing activities.
  • Information We Receive From Authentication Services You Connect to Our Services: Some parts of our Services may allow you to log in through a third-party social media platform or authentication service such as Facebook. These services will authenticate your identity and provide you the option to share certain personal information with us, which could include your name, email address, or other information. The data we receive is dependent on that third party's policies and your privacy settings on that third-party site. We use this information to operate, maintain, and provide to you the features and functionality of the Services. We may also send you service-related emails or messages (e.g., account verification, purchase confirmation, customer support, changes, or updates to features of the Site, technical and security notices).
  • Information We Receive from Third-Party Platforms/Services You Connect to Our Services: We may receive personal information about you or information about your business from third parties and combine that with information we collect through our Services. For example, if you choose to connect your account to a third-party service (via API), such as PayPal, our records will indicate that you have connected a PayPal account to your Grailed account, but we will not have access to any of your PayPal account information.
  • Other Sources: We may also collect personal information about individuals that we do not otherwise have from, for example, publicly available sources, third-party data providers, or through transactions such as mergers and acquisitions. We use this information to operate, maintain, and provide to you the features and functionality of the Services, as well as to communicate directly with you, such as to send you email messages about products and services that may be of interest to you.

HOW DO WE USE INFORMATION ABOUT YOU?

We use information we collect to administer your account, to facilitate a marketplace where you may browse, search for and purchase products, to customize your experience with us and to understand how our users interact with the Site and listings through the Services. We specifically use the information we collect to:

  • provide (including completing and fulfilling transactions), personalize, maintain, and improve your experience with the Services, including by setting up and authenticating your account;
  • ensure technical functionality of the Services, develop new products and services, and analyze your use of the Services, including your interaction with apps, advertising, products, and services that are made available, linked to, or offered through the Services;
  • communicate with you for Services-related or research purposes including via emails, notifications, text messages, or other messages;
  • send you technical notices (including sending you an SMS text code for multifactor authentication), security alerts, and support and administrative messages and to respond to your and others' comments, questions, and customer service requests;
  • communicate with you for marketing and promotional purposes via emails, notifications, or other messages, consistent with any permissions you may have communicated to us;
  • personalize your online experience and the advertisements you see when you use our Services or third-party platforms based on your preferences, interests, and browsing and purchasing behavior and observe your interactions with our online ads, including by counting ad impressions and verifying positioning and quality of ad impressions;
  • facilitate contests, sweepstakes, and promotions and process and deliver entries and rewards;
  • prevent, detect, or provide notice of fraud, or unlawful or criminal activity;
  • verify your identity and entitlement to products or Services, when you contact us or access our Services;
  • enable security features;
  • monitor and analyze trends, usage, and activities in connection with our Services;
  • comply with any legal, financial, or regulatory obligations;
  • enforce this Privacy Notice, the Terms of Service, and any other terms that you have agreed to, including to protect the rights, property, or safety of Grailed, its users, or any other person, or the copyright-protected content of the Services;
  • support reasonable internal uses that are aligned with your relationship with us and the context in which we collected the information; and
  • carry out any other purpose described to you at the time the information was collected.

Where an individual chooses to contact us, we may need additional information to fulfill the request or respond to the inquiry. We may provide you with additional privacy-related information where the scope of the inquiry/request and/or personal information we require fall outside the scope of this Privacy Notice. In that case, the additional privacy notice will govern how we may process the information provided at that time.

HOW DO WE SHARE INFORMATION?

We share your information with third parties in the following circumstances or as otherwise described in this notice:

  • Service Providers. With vendors, service providers, and consultants that need access to personal information to perform services for us, such as website development and other related services, app development, hosting, maintenance, data analytics and storage, customer support, payment processing, shipping, fraud detection and remediation, user information verification and authentication, advertising, and other services.
  • Other Users. With other users of our Services, such as if you submit a product review, post content in a public area of our Services, and through publicly displayed features of our Services. We also may share your contact details with the buyer or seller you are dealing with if it is necessary for them to buy or sell an item from or to you, or if we are required to do so by applicable laws and regulations. As an essential element of the Services, some of the information you provide to us when you register or update your account profile is displayed on your profile and shared with other users. Your User Content, including photos, messages, posts, item and brand "favorites", follower and following lists, purchase history, and other content you post to the Site may also be displayed for public consumption. We may display this content through our Services, and further distribute it to a wider audience through third-party sites and services. Once displayed on publicly viewable pages, that content can be collected and used by others. We cannot control who reads your content or what other users may do with the content that is made public, so we encourage you to not put any sensitive, confidential, or any other information you do not wish to be shared on your account profile, in your listings, messages, or otherwise throughout the Services. Once content is public, while you may still be able to edit and delete some aspects of it on the Services, you will not be able to edit or delete such information cached, collected, and stored elsewhere by others.

    You may also elect to share some of your information directly with other Grailed users through the Services. We strongly advise you to use the utmost caution before sharing any information with others, including users. You should not, under any circumstances, provide your financial information (e.g., credit card or bank account numbers, etc.) to other individuals.

  • Contests and Promotions Providers. We share personal information with third parties who assist us in delivering our contests, sweepstakes, or survey offerings and processing the responses.
  • Ad Networks and Advertising Partners. We work with third-party ad networks and advertising partners to deliver advertising and personalized content on other websites and services, and across other devices. These parties may collect information directly from a browser or device when an individual visits our Services through cookies or other data collection technologies. This information is used to provide and inform targeted advertising, as well as to provide advertising-related services such as reporting, attribution, analytics and market research. Please see our Cookie Policy for more information.
  • Affiliates. Between and among other entities under common ownership as Grailed, as well as our ultimate holding company (i.e., any organization that owns or controls us) and any subsidiaries it owns, particularly when we collaborate in providing the Services.
  • Legal Obligations and Rights. We may disclose personal information to third parties, such as legal advisors and law enforcement:
    • in connection with the establishment, exercise, or defense of legal claims;
    • to comply with laws or to respond to lawful requests and legal process;
    • to protect our rights and property and the rights and property of others, including to enforce our agreements and policies;
    • to detect, suppress, or prevent fraud;
    • to protect the health and safety of us and others; or
    • as otherwise required by applicable law.
  • Corporate Transactions. In connection with, or during negotiations of, any merger, acquisition, joint venture, or financing or sale of company assets, or acquisition of all or a portion of our business by another company.
  • With Your Consent. We may disclose personal information about an individual to certain other third parties or publicly with their consent or direction. For example, with an individual's consent or direction we may post their testimonial on our Site or service-related publications.

PUBLIC CONTENT

Some of the information and activity associated with your user account profile is always public. This includes your username, bio, country of residence, profile picture, average shipping time as a seller, and listing activity as a seller. If you do not want third parties to see this information, we suggest changing your username, profile picture, or bio. Some of the information and activity associated with your user profile is public by default but may be made private by you through your Account Settings (e.g., listing and brand "favorites" lists, follows of other users' account profiles or your account profile followers). However, parts of your follow activity may remain public if those you follow or that follow you maintain their account settings as public (e.g., you may still be visible as a follower on the account profile of someone you follow that has a public list of followers). Other content (e.g., your purchase history, including price of the purchased items) is private by default but you may choose to make it public and may then change your mind at any time through your Account Settings. Your "saved" listings are always private. In order to publicize your "saved" listings, add them to your "favorites" list and ensure your "favorites" list is public. When content is public, it can be seen by anyone on or across our Services. Grailed, you and other users on the Services may send public content (such as your profile photo, listings, or information you share) to anyone on or off the Services. For example, users may share it in a public forum, or it may appear in search results on the internet. You can control which parts of your user account profile and activity are made public within your Account Settings.

THIRD-PARTY DATA COLLECTION AND ONLINE ADVERTISING

We may participate in interest-based advertising and use third-party advertising companies to serve you targeted advertisements based on your browsing history. We permit third-party online advertising networks, social media companies and other third-party services, to collect information about your use of our online services over time so that they may play or display ads on other websites or services you may use, and on other devices you may use. Typically, though not always, the information used for interest-based advertising is collected through tracking technologies, such as cookies, web beacons, embedded scripts, location-identifying technologies, and similar technologies, which recognize the device you are using and collect information, including clickstream information, browser type, time and date you visited the Site, AdID, precise geolocation and other information. We may share a common account identifier (such as a hashed email address or user ID) with our third-party advertising partners to help identify you across devices. We and our third-party partners use this information to make the advertisements you see online more relevant to your interests, as well as to provide advertising-related services such as reporting, attribution, analytics and market research to us. We may also use services provided by third parties (such as social media platforms) to serve targeted ads to you and others on such platforms. We may do this by providing a hashed version of your email address or other information to the platform provider.

For more information about these practices and your choices regarding cookies, please see our Cookie Policy.

Data Retention and Deletion

Grailed retains user data for as long as necessary for the purposes described above, and in accordance with our legitimate business interests and applicable law. However, if necessary, we may retain personal data for longer periods of time, until set retention periods and deadlines expire, for instance where we are required to do so in accordance with legal, tax and accounting requirements set by a legislature, regulator or other government authority. The period for which we retain user data is determined by the type of data, the category of user to whom the data relates, and the purposes for which we collected the data.

To determine the appropriate duration of the retention of personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of personal data and if we can attain our objectives by other means. The length for which we retain user data may further be determined by legal and regulatory requirements, purposes of safety, security, and fraud prevention, or by issues relating to the user's account such as an unresolved claim or dispute.

For example:

  • We retain user data that is collected in order to provide our Services, such as the user profile information and credentials, for the lifetime of the user's account.
  • We retain certain categories of data of all users for a period unrelated to the lifetime of the user's account to avoid fraudulent use of the Services. The period for which the data is retained will be determined by the necessity of the data for purposes of safety, security, and fraud prevention, as well as legal and regulatory requirements. Examples include customer service communications on safety or trust incidents, which are retained for 12 years.
  • Pursuant to legal and regulatory requirements, for purposes of safety, security, and fraud prevention, or because of an issue relating to the user's account such as an unresolved claim or dispute, we may retain certain categories of data after the deletion of the user's account, such as user profile information and tax data. This generally means that we retain such data for 12 years after a deletion request.

If your personal information is subject to the European Union General Data Protection Regulation (GDPR) or United Kingdom GDPR, the criteria used to determine the period for which personal data about you will be retained varies depending on the legal basis under which we process the personal data:

  • Contract. Where we are processing personal data based on contract, we generally will retain your personal data for the duration of the contract plus some additional reasonable period of time that is necessary to comply with law or that represents the statute of limitations for legal claims that could arise from our contractual relationship.
  • Legitimate Interests. Where we are processing personal data based on our legitimate interests, we generally will retain such information for a reasonable period of time based on the particular interest, taking into account your fundamental interests and your rights and freedoms.
  • Consent. Where we are processing personal data based on your consent, we generally will retain your personal data until you withdraw your consent, or otherwise for the period of time necessary to fulfill the underlying agreement with you or provide you with the applicable service for which we process that personal data.
  • Legal Obligation. Where we are processing personal data based on a legal obligation, we generally will retain your personal data for the period of time necessary to fulfill the legal obligation.
  • Legal Claim. We may need to apply a "legal hold" that retains information beyond our typical retention period where we face threat of legal claim or intent to establish a claim. In that case, we will retain the information until the hold is removed, which typically means the claim or threat of claim has been resolved.

When an individual discontinues the use of our Services, we will retain their personal data for as long as necessary to comply with our legal obligations, including fraud prevention, to resolve disputes and defend claims, as well as, for any additional purpose based on the choices they have made, such as to receive marketing communications. In particular, we will retain personal data supplied when joining our Services, including complaints, claims and any other personal data supplied during the duration of an individual's contract with us until the statutory limitation periods have expired.

In all cases, in addition to the purposes and legal bases, we consider the amount, nature and sensitivity of the personal data, as well as the potential risk of harm from unauthorized use or disclosure of your personal data.

Once retention of the personal data is no longer necessary for the purposes outlined above, we will either delete or de-identify the personal data or, if this is not possible (e.g., because personal data has been stored in backup archives), then we will securely store the personal data and isolate it from further processing until deletion or deidentification is possible.

Control Over Your Information

  • Device Permissions. You may control the Services' access to your device information through the "Settings" app on your device. For instance, you can withdraw permission for the Services to access your network devices and geolocation and to integrate with your other apps.
  • Accessing Data. Users can access their data including their profile data and transaction history through theGrailed app or via the Site. Users can also request access to their data by emailing help@grailed.com, or submitting a contact form request here.
  • Email Communications Preferences. You can stop receiving promotional email communications from us by clicking on the "unsubscribe" link provided in such communications. You may not opt out of service-related communications (e.g., account verification, transactional communications, changes/updates to features or legal updates of or to the Services, and technical and security notices).
  • Push Notifications. You can stop receiving push notifications from us by changing your preferences in the iOS or Android notifications settings menu.
  • Modifying or Deleting Your Information. Users can edit the username, address, email address, and bio information associated with their account through the Settings menu in the Services. You may request to delete your account through the "Settings" menu in the Grailed app, by emailing help@grailed.com, or submitting a contact form request here. We may not be able to modify or delete your information in all circumstances.

CHILDREN'S PERSONAL INFORMATION

The Services are not directed to, and we do not intend to, or knowingly, collect or solicit personal information from children under the age of 16. If an individual is under the age of 16, they should not use the Services or otherwise provide us with any personal information either directly or by other means. If a child under the age of 16 has provided personal information to us, we encourage the child's parent or guardian to contact us to request that we remove the personal information from our systems. If we learn that any personal information we collect has been provided by a child under the age of 16, we will promptly delete that personal information.

LINKS TO THIRD-PARTY WEBSITES OR SERVICES

Our Services may include links to third-party websites, plug-ins and apps. Except where we post, link to or expressly adopt or refer to this Privacy Notice, this Privacy Notice does not apply to, and we are not responsible for, any personal information practices of third-party websites and online services or the practices of other third parties. To learn about the personal information practices of third parties, please visit their respective privacy notices.

CHANGES TO THE PRIVACY NOTICE

We may change this Privacy Notice from time to time. If we make changes, we will notify you by revising the date at the top of this policy. If we make material changes to this Privacy Notice, we will provide you with additional notice (such as by email to your registered email address, by prominent posting on our Services, or through other appropriate communication channels). We encourage you to review this Privacy Notice regularly to stay informed about our information practices and the choices available to you.

REGION-SPECIFIC DISCLOSURES

Residents of U.S. States with Relevant Data Legislation

If you are a resident of a U.S. state that has enacted applicable and enforceable data privacy legislation, you may have certain additional privacy rights. Please review the Supplemental U.S. State Privacy Notice.

European Economic Area, United Kingdom or Switzerland

If you are located in the European Economic Area (i.e., Member States of the EU together with Iceland, Norway, and Liechtenstein), United Kingdom, or Switzerland, please see the Additional Disclosures for EU Users for additional European-specific privacy disclosures.