Launch Pricing live — $0 listing fee, 50% off buyer premium
The vintage watch marketplace

Privacy Policy

Grey Market — grymrkt.co · Effective Date: April 20, 2026

1. Introduction

Grey Market (“we,” “us,” or “our”) operates the website grymrkt.co and related services (the “Platform”). This Privacy Policy explains how we collect, use, disclose, retain, and protect your personal information when you use the Platform.

By using the Platform, you consent to the practices described in this Privacy Policy. If you do not agree, please do not use the Platform.

2. Information We Collect

2.1 Information You Provide

  • Account information. When you create an account, we collect your name, email address, and password. If you register through Google, we receive your name, email address, and profile picture from Google.
  • Profile information. You may optionally provide a profile photo and biographical text. Profile photos are stored securely and displayed publicly alongside your username. Your bio is visible to other members. Contact information (email, phone, social media handles, URLs) is not permitted in bios and may be automatically rejected or removed.
  • Identity verification (KYC). To participate in auctions (buying or selling), we collect government-issued identification (such as a passport or driver’s license), your legal name, date of birth, and credit card information, and we verify this information through third-party identity and payment verification providers.
  • Biometric identifiers. Our KYC and payments provider, Stripe, Inc. (Stripe Identity), performs face-match and facial-liveness analysis during identity verification, comparing a live selfie image to the photograph on your government-issued ID to confirm that the person presenting the ID is its rightful holder. This process generates a biometric identifier derived from your facial geometry (a “face template”). The face template is generated and stored in Stripe’s infrastructure; Grey Market does not receive or store the raw biometric template. Grey Market receives only the pass/fail result and associated risk signals. Face templates are used solely for the limited purpose of confirming your identity. Biometric identifiers are handled in accordance with our Biometric Information Privacy Notice, described in Section 9.2, and Stripe’s own privacy practices for Stripe Identity. We do not sell, lease, trade, or otherwise profit from biometric identifiers, and we do not use them for advertising.
  • Waitlist information. When you join our waitlist, we collect your email address, name, and optionally, information about watches you are interested in buying or selling.
  • Listing information. If you submit a watch for sale, we collect photographs, descriptions, serial numbers, service history, and other details about the watch.
  • Shipping information. To ship watches between Sellers, our designated third-party Verifier, and Buyers, we collect and use shipping addresses, contact phone numbers, and related logistics information.
  • Communications. We collect information you provide when you contact us, participate in community discussion threads, post comments, or respond to surveys.
  • Payment information. When you participate in transactions, we collect payment and billing information necessary to process escrow payments. Payment processing is handled by third-party processors; we do not store full credit card numbers on our servers.

2.2 Information Collected Automatically

  • Usage data. We collect information about how you interact with the Platform, including pages visited, features used, search queries, and auction activity.
  • Device and browser information. We collect your IP address, browser type, operating system, device identifiers, and screen resolution.
  • Cookies and tracking technologies. We use cookies, pixels, and similar technologies to operate the Platform, remember your preferences, and analyze usage. See Section 7 for more detail.
  • Location data. We may infer your general location from your IP address. We do not collect precise geolocation data.

2.3 Information from Third Parties

  • Authentication providers. If you sign in through Google, we receive basic profile information as described above.
  • Identity verification services. We may receive verification results from third-party identity and fraud prevention services, including validation status and risk signals.
  • Analytics and advertising partners. We receive aggregated data from analytics providers and advertising platforms to measure campaign performance and improve the Platform.

3. How We Use Your Information

We use the information we collect to:

  • Operate the Platform. Create and manage your account, facilitate auctions, process escrow transactions, coordinate shipments, and provide customer support.
  • Verify identity. Confirm your identity and payment credentials to maintain a trusted marketplace and prevent fraud. We also generate and store hashed or tokenized identity identifiers (derived from your government ID, legal name, and date of birth) for the fraud-prevention and account-enforcement purposes described in Section 5.
  • Curate listings. Review, draft, and present watch listings accurately and compellingly.
  • Provide the Identify service. Analyze uploaded watch photographs to generate identification and condition reports.
  • Communicate with you. Send transactional emails (auction updates, payment confirmations, shipping notifications), respond to inquiries, and provide waitlist updates.
  • Improve the Platform. Analyze usage patterns, troubleshoot issues, and develop new features.
  • Marketing. With your consent where required, send promotional communications about Grey Market. You can opt out at any time.
  • Enforce our Terms. Detect and prevent fraud, abuse, and violations of our Terms of Service, including identifying and acting on attempts to circumvent account suspensions or bans.
  • Legal compliance. Comply with applicable laws, regulations, and legal processes.

4. How We Share Your Information

We do not sell your personal information. We share information only in the following circumstances:

  • With other users. Your public profile information, listing details, and auction activity are visible to other Platform users. Your full name, email address, shipping address, and identity documents are not shared with other users.
  • With the third-party Verifier. When a transaction is completed, we share the information necessary for the Verifier to receive, inspect, and forward the watch. For Sellers, this typically includes legal name and return address. For Buyers, this typically includes legal name and delivery address. We do not share payment information with the Verifier. The Verifier is engaged as a “service provider” within the meaning of the California Consumer Privacy Act (Cal. Civ. Code § 1798.140(ag)): the Verifier processes personal information only on our behalf and only for the specific authentication, inspection, and forwarding purposes set out in our written agreement with it, and is contractually prohibited from (i) selling or sharing the personal information, (ii) retaining, using, or disclosing the personal information outside of the direct business relationship with Grey Market, or (iii) combining the personal information with personal information received from another source. The Verifier is an independent contractor and not our agent (except to the limited extent necessary to carry out inspection and custody of the watch).
  • With service providers. We share information with third-party vendors who help us operate the Platform, including hosting providers (Vercel), database services (Supabase), payment processors, identity and biometric verification services, shipping and courier partners, and email providers. These vendors are contractually obligated to use your information only to perform services on our behalf and, where applicable, are engaged as CCPA service providers under Cal. Civ. Code § 1798.140(ag).
  • With analytics and advertising partners. We share usage data with analytics services (Google Analytics via Google Tag Manager) and advertising platforms (Meta/Facebook) to measure ad performance and understand how users find and use the Platform. This data is typically aggregated or pseudonymized.
  • For legal reasons. We may disclose information if required by law, legal process, or government request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others, including to investigate or prevent fraud or abuse of the Platform.
  • In a business transfer. If Grey Market is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.

5. Data Retention

We retain your personal information for as long as your account is active or as needed to provide services, comply with legal obligations, resolve disputes, and enforce our agreements.

If you delete your account, we will remove your personal information within a reasonable timeframe, except:

  • Transaction records. We retain transaction history (including invoices, payout records, and tax-related records) as required by law and for auditing purposes.
  • Fraud prevention and ban enforcement. Because Grey Market operates a high-trust marketplace for high-value goods, we retain a minimal identity-match record after account deletion for the purpose of detecting and preventing circumvention of account suspensions and bans. This record consists of hashed or tokenized identifiers derived from KYC information (such as a one-way hash of your government ID number, legal name, and date of birth). It is not used for marketing and is not shared with advertisers. Retention under this paragraph is time-limited: seven (7) years after the later of (i) account closure or (ii) last account activity, except where longer retention is required by applicable law or by an active fraud investigation. We rely on the CCPA’s exception permitting retention to detect security incidents and prosecute those responsible (Cal. Civ. Code § 1798.105(d)(2)). After the retention period, the identity-match record is deleted or further de-identified such that it can no longer be associated with you.
  • Biometric identifiers. Face templates generated during KYC are retained only as long as necessary to confirm your identity at the time of verification, and in any event are permanently deleted within one (1) year after the initial verification or when the account is closed, whichever occurs first, consistent with the requirements of applicable biometric information privacy laws. Biometric identifiers are not used for the fraud-prevention retention described above; only non-biometric hashed identifiers are retained post-deletion.
  • Legal hold. We may retain information subject to legal hold, litigation, or regulatory inquiry for as long as necessary.

Uploaded watch photographs submitted through the Identify service may be retained in anonymized form to improve the service and to train our own watch-identification and authentication-assistance models, as described in Section 12 of our Terms of Service.

6. Data Security

We implement reasonable technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include encryption in transit (TLS/SSL), secure authentication, and access controls.

However, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security of your information.

7. Cookies and Tracking Technologies

We use the following categories of cookies and tracking technologies:

  • Essential cookies. Required for the Platform to function, including authentication and session management. These cannot be disabled.
  • Analytics cookies. We use Google Tag Manager and associated analytics tools to understand how visitors use the Platform. These cookies collect aggregated, anonymized usage data.
  • Advertising cookies. We use Meta Pixel to measure the effectiveness of our advertising campaigns on Facebook and Instagram and to deliver relevant ads. These cookies may track your activity across websites.

You can manage cookie preferences through your browser settings. Disabling certain cookies may affect Platform functionality.

8. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights regarding your personal information:

  • Access. Request a copy of the personal information we hold about you.
  • Correction. Request correction of inaccurate or incomplete information.
  • Deletion. Request deletion of your personal information, subject to legal retention requirements and the limited fraud-prevention retention described in Section 5.
  • Portability. Request a copy of your data in a portable format.
  • Opt out of marketing. Unsubscribe from promotional emails using the link in any marketing email or by contacting us.
  • Opt out of targeted advertising. You may opt out of interest-based advertising through your browser or device settings, or by using industry tools such as the Digital Advertising Alliance’s opt-out page.

To exercise any of these rights, contact us at the email address listed in Section 12. We will respond within 30 days or as required by applicable law.

9. State-Specific Privacy Rights

9.1 California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act and California Privacy Rights Act (collectively, “CCPA”) provide you with additional rights, including the right to know what personal information we collect, the right to delete it, the right to correct inaccurate personal information, the right to limit use of sensitive personal information (such as government identifiers and biometric identifiers), and the right to opt out of the sale or sharing of personal information. We do not sell or share your personal information as those terms are defined under the CCPA. Our fraud-prevention retention described in Section 5 is maintained under the CCPA’s exception permitting businesses to detect security incidents, protect against fraudulent activity, and prosecute those responsible for such activity (Cal. Civ. Code § 1798.105(d)(2)).

California “Shine the Light” disclosure. California Civil Code § 1798.83 permits California residents to request, once per year, a list of the categories of personal information we have disclosed to third parties for those third parties’ own direct marketing purposes during the preceding calendar year, together with the names and addresses of those third parties. We do not share personal information with third parties for those third parties’ own direct marketing purposes. To submit a Shine the Light request or any other California privacy request, contact us using the information in Section 12.

9.2 Biometric Information Privacy Notice (Illinois BIPA, Texas CUBI, Washington)

This Section is provided to comply with the Illinois Biometric Information Privacy Act (740 ILCS 14), the Texas Capture or Use of Biometric Identifier Act (Tex. Bus. & Com. Code § 503.001), and comparable biometric privacy laws in other states, including Washington.

  • What is collected. As described in Section 2.1, during identity verification Stripe Identity captures a live selfie image and the image on your government-issued ID, then generates a face template (a mathematical representation of facial geometry) used to confirm that you are the person depicted on your ID.
  • Who controls the data. Stripe, Inc. acts as Grey Market’s processor for the purpose of running identity verification. The face template is generated and stored on Stripe’s systems. Grey Market does not receive or retain the raw face template.
  • Purpose and use. The face template is used solely to confirm your identity at the time of KYC. It is not used to tag you in photographs, to profile you for advertising, to track you across websites, or for any purpose unrelated to identity verification.
  • Disclosure. Face templates are not disclosed, sold, leased, traded, or otherwise transferred to any third party by Grey Market or by Stripe (when acting on Grey Market’s behalf) except: (i) to Stripe and its sub-processors acting as processors; (ii) as required by a valid warrant or subpoena; or (iii) as necessary to complete a financial transaction specifically requested or authorized by you. We will not disclose face templates to any other party without your written consent.
  • Retention and destruction. Face templates are retained only as long as necessary to confirm your identity at the time of verification, consistent with Stripe’s own retention and destruction schedule for Stripe Identity, and in any event are permanently destroyed within the earlier of: (a) one (1) year after the date of initial collection; or (b) account closure.
  • Written release (Illinois residents). Illinois residents complete Stripe Identity’s hosted verification flow, which presents a BIPA-compliant written release at the time of collection; biometric processing does not proceed without your affirmative consent through that flow. For a copy of the applicable Stripe Identity biometric notice and release, see Stripe’s Privacy Center at stripe.com/privacy-center/legal or contact us using the information in Section 12.

If you have questions about our biometric practices or wish to revoke a prior consent, contact us using the information in Section 12. Requests to revoke consent will result in deletion of any face template held by Stripe on our behalf and will terminate your ability to continue using features that require KYC verification.

9.3 Other State Privacy Rights

Residents of other states with comprehensive consumer privacy laws (including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Tennessee, and others) may have rights to access, correct, delete, or port their personal information, and to opt out of targeted advertising. To exercise any of these rights, contact us using the information in Section 12. We will verify your identity and respond within the timeframes required by applicable law.

10. Children’s Privacy

The Platform is not directed to individuals under the age of 18. We do not knowingly collect personal information from minors. If we learn that we have collected information from a child under 18, we will promptly delete it. If you believe a minor has provided us with personal information, please contact us.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by posting a notice on the Platform or by email. The “Effective Date” at the top of this page indicates when this policy was last revised.

12. Contact Us

If you have questions about this Privacy Policy or wish to exercise your privacy rights, contact us at:

Grey Market
Email: hello@grymrkt.co
Website: grymrkt.co

This Privacy Policy was last updated on April 20, 2026.

Back to Home