Utah Arms Market
Effective: May 9, 2026
This policy explains what Utah Arms Market (“UTAM,” “we,” “us”) collects from people who use utaharmsmarket.com, why we collect it, who we share it with, how we share it, and how we keep it safe. Plain language, no dark patterns. If anything below is unclear or you want a copy of what we have on you, email [email protected].
UTAM is operated by UTAM LLC, a Utah single-member limited liability company, doing business as Utah Arms Market.
1. Information we collect
We try to collect as little as possible. The categories below are the only data we handle.
- Account data. Email address and authentication state. Passwords are stored hashed by our auth provider (Supabase) and are never visible to us in plaintext.
- Listing data. Information you choose to post — title, description, price, photos, and listing category. Listings are public by design; do not include personal contact info you wouldn’t want public.
- Messages. Conversations between buyers and sellers happen in-app. Message contents are stored so both parties can re-read the thread, and may be auto-purged after a configurable retention window once a listing closes.
- Payment data. When you pay an ad fee (e.g. featured placement), card data is collected and processed directly by Stripe. We never see or store your card number, CVC, or expiration. UTAM only receives a Stripe customer ID and the fee outcome (succeeded / failed / refunded).
- Technical data. IP address, user agent, request paths, and timestamps — collected automatically by our hosting (Vercel) and edge security (Cloudflare) for delivering the site, blocking abuse, and diagnosing errors. We do not run third-party advertising trackers, analytics SDKs, or tracking pixels.
- Error diagnostics. When something breaks, we capture stack traces via Sentry to fix it. Personal identifiers in those traces are scrubbed before they leave the server.
We do not sell personal information, and we do not share it with advertisers. UTAM's revenue comes from ad fees paid by sellers, not from monetizing user data.
2. How we use this information
We use what we collect only for the purposes that follow. Each is required to operate the site.
- Operating the marketplace. Authenticating you, displaying your listings, delivering buyer-seller messages, and generating bills of sale on request.
- Transactional communication. Sending password resets, message notifications, and important account or policy updates.
- Fraud and abuse prevention. Detecting and blocking spam, scraping, account takeover, and policy violations. Cloudflare and our own server logs are the primary tools here.
- Reliability and debugging. Reading error traces (PII-scrubbed) to fix bugs and improve performance.
- Legal compliance. Responding to lawful subpoenas, court orders, and other valid legal process.
3. Parties we share information with
UTAM does not sell personal information and does not share it with advertisers. We do share limited information with the third-party service providers below — strictly as needed for them to perform their function on our behalf.
| Service | Purpose | Data shared |
|---|---|---|
| Vercel | Hosting + image optimization | Request metadata (IP, user agent) for serving pages and images |
| Supabase | Auth, database, storage | Email + auth state + listing data |
| Stripe | Payments | Card data (Stripe-managed; never touches our DB) |
| Cloudflare | CDN + WAF + DNS | Request metadata for security/perf |
| Sentry | Error tracking | Stack traces (PII scrubbed per privacy config in sentry.{client,server}.config.ts) |
| Resend | Transactional email delivery | Email addresses + message contents for password resets and listing-message notifications |
We may also disclose information when required by law (subpoena, court order, or similar valid legal process) or when necessary to investigate fraud, abuse, or threats to user safety. If UTAM is ever acquired or merges with another company, your data would transfer under the same protections this policy provides; we will notify you in advance if that happens.
4. How information is disclosed
Disclosure happens only over secure, authenticated channels. There is no batch export, no data broker feed, and no marketing list.
- Server-to-server APIs over TLS. All data sent to the providers in section 3 travels over HTTPS using current TLS versions. Vendor API keys are stored as environment-only secrets and rotated when personnel changes warrant.
- Tokenized payments. Payment information is collected directly by Stripe in your browser using Stripe-hosted form elements; UTAM's servers never see card numbers.
- In-app to other users. Public listing fields are visible to anyone who visits the site. Messages are visible only to the listing owner and the user who sent them.
- Legal process. Disclosure to law enforcement or other parties under valid legal process is made through written response from the company, not via automated channels.
We do not place tracking cookies that share data with third parties. The cookies UTAM sets are limited to authentication, session continuity, and basic site preferences.
5. Security practices
Authentication is enforced server-side on every request, sessions are short-lived and cookie-locked, and dependencies, source code, and the running site are scanned by three independent automated tools on every change. Card data never touches our database; error traces are PII-scrubbed before leaving the server.
For the live numbers — passing test counts, scanner outputs, dependency versions, and the third-party services inventory — see utaharmsmarket.com/trust. That page is regenerated from CI on every deploy, so the figures shown there are always current.
No system is perfectly secure. If you discover a vulnerability, please report it under our responsible disclosure policy.
Your rights
You can email [email protected] at any time to:
- Request a copy of the information we have associated with your account.
- Correct inaccurate account information.
- Delete your account and associated data, subject to limited exceptions for legal record-keeping (e.g. completed payment receipts retained for tax purposes).
- Ask a question about this policy or how your data is handled.
Your California rights
If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) give you the right to know what personal information we collect, request deletion, correct inaccuracies, and opt out of any sale or sharing of your data. UTAM does not sell personal information and does not share it for cross-context behavioral advertising. To exercise any California right, email the address above; we will respond within 45 days.
Children
UTAM is not directed to children. Users must be at least 18 years old (see our Terms of Use). We do not knowingly collect personal information from anyone under 18. If you believe a minor has created an account, email the address above and we will remove the account.
Changes to this policy
We may update this policy as the platform evolves — for example, when we add or remove a third-party service. Substantive changes are reflected by updating the effective date at the top of this page. If a change materially expands what we collect or who we share it with, we will notify account holders by email.
Contact
UTAM LLC (dba Utah Arms Market)
[email protected]