Privacy Policy

Last updated: April 21, 2026 · Effective: April 21, 2026

This Privacy Policy explains how Soreva, Inc., doing business as "Off The Rack" ("Off The Rack", "we", "us") collects, uses, and shares personal information when you use the Off The Rack mobile app and offtherack.soreva.company (together, the "Service"). Off The Rack is available only to users located in the United States.

1. Who we are

2. Information we collect

a. Information you provide

• Account information — name, email, avatar, and (optional) bio, provided either directly or via the social identity provider you sign in with (Google, Apple, or Facebook).
• Shipping address — street, city, state, ZIP, and country, used to deliver items you win.
• Influencer profile data — display name, linked social account handles (Instagram, TikTok, YouTube, Twitter/X, Facebook), and any verification materials you submit.
• Listing content — item photos, titles, descriptions, categories, and shipping-tier details you upload.
• Support correspondence — the content of any messages you send us.

b. Information collected automatically

• Device and technical data — device model, OS version, app version, language, IP address, and push-notification tokens.
• Usage data — screens visited, interactions with listings, search queries, and similar telemetry used to operate and improve the app.
• Attribution data — when you open the app from a deep link, we receive the link metadata (e.g., referring influencer, referring item) via our attribution partner, Branch.

c. Information from third parties

• Identity providers — Google, Apple, and Facebook share your name, email, and a unique user identifier with us when you sign in through them. We do not receive your password.
• Payment processor — Stripe processes all card payments. We receive confirmation of the transaction (status, amount, a transaction ID) but we do not receive, store, or have access to your full card number.

3. How we use information

• Create and maintain your account and profile.
• Operate giveaways, including verifying entries, selecting winners, and processing shipping.
• Calculate and collect platform fees and shipping costs.
• Deliver push notifications and transactional email (won/lost, shipped, delivered, comments, follows).
• Detect and prevent fraud, abuse, and violations of our Terms.
• Respond to support requests.
• Improve the Service and develop new features.
• Comply with legal, tax, and regulatory obligations.

4. Legal bases

We process personal information to perform our contract with you (providing the Service), for our legitimate interests (security, fraud prevention, product improvement), to comply with legal obligations (tax records, responses to lawful requests), and with your consent where required (e.g., optional marketing communications).

5. How we share information

We do not sell your personal information. We share it only as follows:

• Service providers ("processors") acting on our instructions:
  • Amazon Web Services — hosting, storage (S3, CloudFront), email (SES), push delivery (SNS), user directory (Cognito), database (RDS).
  • Stripe — payment processing.
  • Branch — deep-link attribution.
  • Expo — over-the-air app updates and push-notification helpers.
  • Google, Apple, and Facebook — identity federation (only when you sign in with them).
• Other users — your display name, avatar, influencer profile, items, comments, reviews, and linked social handles are visible inside the app. Your email and shipping address are not shown to other users. Influencers receive only the shipping information required to fulfill an item you have won.
• Legal, safety, and enforcement — when we believe in good faith that disclosure is required by law or necessary to protect rights, property, or safety.
• Business transfers — in a merger, acquisition, or asset sale, subject to this Policy.

6. Retention

We keep personal information only as long as needed for the purposes described above or as required by law. Transaction and tax records are retained for up to seven (7) years to comply with IRS requirements. Account information is deleted within thirty (30) days of a verified deletion request, except where retention is legally required.

7. Your choices and rights

• Access, correction, deletion, export. You can edit profile data in the app, request a copy of your data, or delete your account — see Delete Account.
• Push notifications. Disable in your device settings at any time.
• Marketing email. Use the unsubscribe link in any marketing message. Transactional email (e.g., shipping confirmations) cannot be unsubscribed while your account is active.

California residents (CCPA/CPRA)

If you are a California resident, you have the right to know the categories of personal information we collect, the right to request deletion, the right to correction, and the right to opt out of "sale" or "sharing". We do not sell personal information and we do not share personal information for cross-context behavioral advertising. To exercise any of these rights, email support@soreva.company or use the deletion flow in the app.

8. Security

We use encryption in transit (HTTPS/TLS), encryption at rest (AWS S3 and RDS managed encryption), hardware-backed secure storage for authentication tokens on device (iOS Keychain / Android Keystore), and tightly scoped access controls. No system is perfectly secure, but we work to protect your information using industry-standard practices.

9. Children

Off The Rack is not directed to children under 13 and we do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, contact support@soreva.company and we will delete it.

10. International users

The Service is offered in the United States only, and all personal information is processed and stored in the United States.

11. Changes to this Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you in the app or by email before they take effect. The "Last updated" date at the top indicates the most recent revision.

12. Contact us

Questions about this Policy or your personal information? Email support@soreva.company or write to Soreva, Inc. at the postal address above.