ReturnToMe

1. What we collect

Subscribers (item owners): name, email address, phone number, shipping address, payment method (stored by Stripe — we store only a Stripe customer ID), and item descriptions assigned to labels.

Finders: name, email address, phone number, shipping address, and the message submitted with a return request. Finders do not create accounts. Before submitting this information, finders are shown this Privacy Policy and a notice describing how their information will be used.

Automatically collected: When you visit our site or use the service, we automatically collect your IP address, browser type, and device information through standard server logs, used for security, fraud prevention, and diagnosing technical issues.

California Notice — Categories of Personal Information Disclosed to Service Providers and Third Parties

Under the California Consumer Privacy Act (CCPA), as amended, we are required to disclose how personal information is shared. Some of our vendors — including our payment processors (Stripe, PayPal) — may use information collected in connection with your transaction for their own purposes, such as fraud detection, risk management, analytics, and the training of machine learning or AI models, in addition to providing services to us. This use is governed by each vendor's own privacy policy:

Depending on the scope of these vendors' independent use, this may constitute a “sale” or “share” of personal information under the CCPA. We are reviewing our vendor agreements to confirm and will update this section and provide a “Do Not Sell or Share My Personal Information” mechanism if required.

We do not use your personal information for our own advertising purposes, and we do not sell personal information for monetary consideration.

2. How we use your data

To operate the return flow — notifying owners, generating shipping labels, disbursing rewards, and facilitating direct owner-arranged handoffs where the owner has opted in.
To process subscription payments via Stripe.
To send transactional emails (return notifications, shipping labels, reward confirmations).
To respond to support and sales enquiries.

We do not use your data for advertising and do not sell personal information for monetary consideration. See Section 1 for CCPA disclosure regarding vendor data use.

3. Privacy between owners and finders

By default, owner personal information — name, email, phone, and address — is not shared with finders. Finders see only the item description and reward amount set by the owner. The owner's shipping address is used only server-side to generate the return label; it does not appear in any finder-facing response.

Local pickup (owner opt-in): Owners may enable a local pickup option on individual labels, allowing them to arrange a direct handoff with a finder instead of using our shipping flow. If an owner enables this option and explicitly chooses to arrange a direct return, their email address is shared with the finder via a one-time notification. The owner is notified at the same time that their email has been disclosed. This disclosure occurs only at the owner's explicit direction and only for the specific find event they are responding to.

4. Data sharing

We share data only with the third-party services necessary to operate ReturnToMe:

Stripe — payment processing and subscription management.
EasyPost — pre-paid return shipping label generation.
PayPal — finder reward disbursement (where PayPal or Venmo is selected).
AWS SES — transactional email delivery.
AWS S3 — label photo storage.

We do not share data with any other third parties.

5. Data retention

Subscriber account data is retained for the life of the account and for 90 days after deletion. Find event records (including finder details) are retained for 2 years for dispute resolution purposes, then deleted. You may request earlier deletion by contacting support.

6. Security

Passwords are hashed with BCrypt and never stored in plain text. All data is transmitted over HTTPS. Access to production systems is restricted to authorised personnel. We use AWS RDS with encrypted storage and automated backups.

7. Your rights

All users. You may request a copy of your data, correction of inaccurate data, or deletion of your account and associated data by emailing support@return-to-me.com. To protect your data, we will verify your identity before fulfilling deletion or access requests — typically by confirming your registered email address or shipping address on file. We will respond within 30 days.

California residents. If you are a California resident, you have additional rights under the CCPA, including the right to:

Know what personal information we have collected, used, disclosed, or sold/shared about you
Delete personal information we have collected from you
Correct inaccurate personal information
Opt out of the sale or sharing of personal information (see Section 1)
Non-discrimination for exercising any of these rights

To exercise these rights, email support@return-to-me.com. We will verify your request before responding. You may designate an authorized agent to make a request on your behalf, subject to verification.

Finders. If you submitted information as a finder (rather than a subscriber), the same rights above apply to you. Because finders do not hold an account, requests will be verified using the email address or phone number you provided at the time of your return submission.

8. Cookies

We use a single session token stored in an HttpOnly cookie to keep you logged in. We do not use tracking cookies or third-party analytics.

9. Changes to this policy

We will notify subscribers by email at least 14 days before material changes to this policy take effect.

10. Contact

Privacy questions or requests: support@return-to-me.com.