PoofHaul Privacy Policy
Last updated: 2026-05-01
Version: v1.2
This Privacy Policy describes how Poof Haul LLC ("Poof Haul," "we," "us") collects, uses, shares, and protects personal information when you use the PoofHaul platform at poofhaul.com or its mobile experiences (the "Platform"). It is incorporated into our Terms of Service. We are committed to handling your information in compliance with the Virginia Consumer Data Protection Act ("VCDPA") and other applicable laws.
1. Who we are
Poof Haul LLC is a Virginia limited liability company located in Newport News, Virginia. We operate a junk-removal marketplace connecting Hampton Roads residents with independent local haulers. We are the controller of personal information collected through the Platform.
2. Information we collect
From everyone using the Platform
- Account information: name, email address, phone number, and a hashed password (if you set one). We do not store passwords in plaintext.
- Device and usage data: IP address, browser user-agent, device type, operating system, language, referring URL, pages visited, links clicked, and timestamps of activity. This data is used for security, abuse prevention, debugging, and basic analytics.
- Cookies: we use functional, authentication, and (server-side) security cookies. We do not use third-party advertising or behavioral-tracking cookies.
From Customers (people who post jobs)
- Job posting data: title, description, address (street, city, state, zip), photos, when-by date, and any access notes you add.
- Payment data: payment-method tokens generated by Stripe. We do not see, collect, or store your card number, CVC, or expiration date. Stripe handles all payment-card data under its own privacy policy (stripe.com/privacy).
From Haulers (people who provide services)
- Application data: business name (or sole-proprietor name), phone, vehicle description, capacity, service-area zip codes, hauling-experience years.
- Verification documents: general-liability insurance certificate (uploaded as a PDF or image), photo of you or your business logo for your hauler profile.
- Stripe Connect data: Stripe Connect account ID, charges-enabled and payouts-enabled flags, business name on file with Stripe, payout schedule. The full underlying Connect data (SSN, bank account, KYC info) is held by Stripe, not by us.
- IC Agreement acceptance: the version of the agreement you accepted, the timestamp, the IP address you accepted from, and the user-agent string of your browser/device.
From everyone who messages us
- The contents of any message you send through the Platform's contact form or by email to a Poof Haul address.
3. How we use the information
We use personal information for the following purposes:
- Service operation: providing the Platform, matching Customers and Haulers, holding payment in escrow, and disbursing payouts.
- Payment processing: working with Stripe to charge cards, process payouts, and handle refunds and disputes.
- Notifications: transactional emails about your jobs, bids, payments, and refunds; SMS for time-sensitive job notifications (when SMS is enabled); deliverability via Resend.
- Fraud prevention and security: detecting suspicious activity, throttling abuse, securing accounts, enforcing the Terms.
- Customer support: responding to your questions and complaints.
- Legal compliance: responding to lawful requests from courts and government agencies; meeting tax-reporting obligations (1099-NEC for Haulers, IRS reporting under any applicable thresholds).
- Internal analytics: understanding how the Platform is used in aggregate to improve the product. We do not use personal information to build a profile about you for advertising purposes.
- Communication you opt into: marketing emails, but only if you have explicitly opted in. All marketing emails contain a one-click unsubscribe.
4. Who we share information with
We share personal information only as needed to operate the Platform or comply with the law:
- Stripe (payment processing and Connect payouts).
- Resend (transactional and opt-in marketing email).
- Twilio (SMS notifications, when SMS sending is enabled).
- Supabase (data hosting and authentication infrastructure).
- Vercel (web application hosting, edge networking, and Speed Insights for page-performance measurement).
- Cloudflare (DNS and traffic management; we also use Cloudflare's Turnstile widget on form pages such as job posting and hauler application to distinguish humans from bots without traditional CAPTCHAs. Turnstile processes IP address and limited browser-fingerprint signals to score interactions; Cloudflare's privacy practices apply at https://www.cloudflare.com/privacypolicy/).
- PostHog (cookieless product analytics for understanding site usage; configuration described in Section 5).
- Anthropic (photo classification and dispute-triage assistance via the Claude API). No customer payment data is sent. Job photos and descriptions may be processed for content moderation, prohibited-items detection, and dispute-triage suggestions to the admin team. Outputs are reviewed by a human before any consequential action.
- Background check vendor (TBD). When background checks are enabled for haulers, we will list the vendor here (likely Checkr or an equivalent) and disclose what data is shared. Until then, no background-check vendor receives data.
- Insurance brokers we link to (Thimble, Next Insurance, Hiscox): we share only the data you choose to share with the broker by clicking through the broker's referral link. We may receive a referral confirmation that the broker bound a policy, for our own records, but no policy contents.
- Government agencies and courts, in response to lawful requests; we will notify you when permitted by law.
- Other Customers and Haulers, only the limited information needed to complete a job: a Customer's name, address, and phone are shared with the accepted Hauler; a Hauler's business name, profile photo, vehicle description, and service area are shared with the Customer when the Hauler bids.
We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We do not share mobile phone numbers, SMS opt-in data, or SMS contents with third parties or affiliates for marketing or promotional purposes at any time. Mobile information will not be shared with third parties or affiliates for marketing purposes.
5. Cookies and tracking
The Platform uses cookies sparingly:
- Authentication cookies: to keep you signed in.
- Functional cookies: to remember UI preferences and form state.
- Security cookies: for CSRF protection and session-validity checks.
We do not use third-party advertising cookies, marketing pixels, social-media re-targeting tags, or any cross-context behavioral advertising trackers.
The Platform does run two analytics tools, both configured to minimize data collection:
- PostHog (cookieless product analytics): captures pageviews and a small set of explicit product events (for example, "job posted" or "bid submitted") so we can understand how the Platform is used in aggregate. PostHog runs in cookieless mode: no cookies are dropped; a per-tab session identifier lives in browser sessionStorage and is discarded when the tab closes. Autocapture (recording every click and form interaction) is turned off. Session recordings and surveys are turned off. Person-level profiles are only built for signed-in users so we can troubleshoot their own session if they contact support; we do not use these profiles for advertising or cross-site tracking, and we do not share them with data brokers.
- Vercel Speed Insights: measures page-load timing and Core Web Vitals so we can find slow pages. It collects performance metrics and a coarse country code; it does not use cookies and does not assign a per-user identifier.
If we add any analytics, marketing, or advertising tooling beyond what is listed here, we will update this Policy with reasonable notice and provide an opt-out where required by law.
6. Retention
- Account data: kept for the lifetime of your account plus seven (7) years after deletion, to satisfy tax-reporting and dispute-resolution obligations.
- Job data and photos: kept for two (2) years after the job is completed (or after deletion, whichever comes later), then deleted on a rolling basis.
- Payment records and audit log: kept for seven (7) years after the related transaction, for tax and reconciliation purposes.
- Hauler IC Agreement acceptance records: kept for seven (7) years after the Hauler's last active period, for compliance purposes.
- Marketing email-list data: kept until you unsubscribe, then deleted within 30 days except where retention is required to honor your unsubscribe request.
- Analytics events (PostHog): event data, including pageviews, interaction metadata, and anonymous distinct identifiers, is retained on PostHog's infrastructure for up to seven (7) years per their default retention policy, after which PostHog deletes the data on a rolling basis. We do not store these analytics events anywhere else and we do not extend retention beyond PostHog's defaults. Distinct identifiers are anonymous UUIDs scoped to a browser tab; for signed-in users an authenticated identifier is associated with the session for support and debugging, and is removed when the underlying account is deleted.
You may request earlier deletion under Section 8. We will honor those requests except where retention is legally required. For PostHog-held analytics events, we will issue a deletion request to PostHog on your behalf; PostHog's processing of that request is governed by their data-processing agreement.
7. Security
We implement industry-standard administrative, technical, and physical safeguards to protect personal information, including:
- TLS encryption of all traffic between your browser and our servers;
- Database access controlled by row-level security policies that scope reads and writes to authorized users;
- Authentication via Supabase Auth, with magic-link by default and optional password;
- Service-role keys for server-side admin operations are never exposed to client code;
- Audit logging of admin actions on sensitive records.
No security system is impenetrable. We cannot guarantee absolute security. If we become aware of a personal-data breach affecting you, we will notify you as required by Virginia law.
8. Your rights
You have the following rights with respect to your personal information. To exercise any of them, email privacy@poofhaul.com from the email address associated with your account, or fill out the contact form at /contact. We will verify your identity before responding to a request, typically within 45 days, and we will not charge a fee for the first request in any 12-month period.
Virginia residents (VCDPA)
- Right to access: request confirmation of whether we process your personal data and a copy of the data.
- Right to correct: request correction of inaccurate personal data.
- Right to delete: request deletion of personal data we process, subject to legal-retention exceptions in Section 6.
- Right to portability: request a copy of your personal data in a structured, machine-readable format.
- Right to opt out of sale or targeted advertising: we do not sell personal information and do not engage in targeted advertising profiling, so this right is satisfied by default.
- Right to appeal: if we decline a request, you may appeal by emailing privacy@poofhaul.com with "Appeal" in the subject. If your appeal is denied, you may contact the Virginia Attorney General's office.
California residents (CCPA / CPRA)
If you visit the Platform from California, you have rights to know, delete, correct, and opt out of "sharing" of personal information for cross-context behavioral advertising under the CCPA / CPRA. Because we do not engage in cross-context behavioral advertising or sales, the opt-out is honored by default. The "right to know" and "right to delete" operate as described above.
EU/UK residents (GDPR / UK GDPR)
If you visit the Platform from the European Union or the United Kingdom, you have rights to access, rectification, erasure, restriction, portability, and objection under the GDPR or UK GDPR. The legal bases for our processing are: contract (to provide the Platform), consent (for marketing emails), and legitimate interests (security, fraud prevention, basic analytics). We do not currently market the Platform to EU or UK residents and have no intentional EU/UK data flow; if you are an EU/UK resident, requests to exercise your rights under the GDPR / UK GDPR will be honored through the same channels described above.
9. Children
The Platform is not directed to children under 18 and we do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, contact privacy@poofhaul.com and we will delete it.
10. CAN-SPAM
Every transactional and marketing email we send includes a one-click unsubscribe link and a physical mailing address.
- Transactional emails (job notifications, payment receipts, dispute notices): you cannot fully unsubscribe from these while you have an active account, because they are necessary to operate the service. If you no longer want them, close your account.
- Marketing emails (product announcements, newsletters): unsubscribe at any time using the link in the footer of any such email. We will honor unsubscribe requests within 10 business days.
The mailing address that appears in our email footers is a private mailbox operated for Poof Haul LLC by a USPS-authorized commercial mail receiving agency: 110 Coliseum Crossing #5133, Hampton, VA 23666. Postal mail sent to that address reaches us.
11. International transfers
We host data with Supabase (US region), Vercel (US edge), and Resend (US). If you are accessing the Platform from outside the United States, your data will be transferred to the US for processing.
12. Changes to this Policy
We may update this Policy. Material changes will be announced by email to your account address at least 30 days before they take effect, with the updated Policy posted at /privacy. Less material changes (typo fixes, vendor swaps with equivalent or stronger protections) take effect on posting.
13. Contact
For all privacy questions, requests, and appeals: privacy@poofhaul.com.
For general support: hello@poofhaul.com.
Mailing address:
Poof Haul LLC
110 Coliseum Crossing #5133
Hampton, VA 23666
United States
