Privacy policy
This policy describes what data Haypublic collects, why, and how it's used. We aim for the minimum collection necessary to operate a safe, free classifieds platform.
1. Who we are
Haypublic ("we", "us", "the platform") is a community-run classifieds website at haypublic.com. The base service is free; an optional Pro subscription plus per-listing add-ons are paid via the IDram Armenian payment gateway. Operated by Haypublic, based in Yerevan, Armenia. Contact: turn.on.everywhere@gmail.com.
2. What we collect — at a glance
| Data | When collected | Why |
|---|---|---|
| Listing content (title, description, category) | When you post | To display your listing publicly |
| Contact name | When you post | So buyers know whom to contact (publicly visible) |
| Phone number | When you post | So buyers can reach you (publicly visible) + per-phone rate limits |
| Email (optional) | If you provide it | So buyers can email you (publicly visible if provided) |
| Language preference | When you toggle | To remember your EN/HY choice across visits |
| IP address | Every request | Per-IP rate limits, fraud detection, audit logs (admin-only — never publicly visible) |
| Approximate timestamps | When you post / your listing is approved | To order listings by recency |
| Server access logs | Every request | Operations, abuse detection — auto-rotated within 30 days |
3. Public data — what's visible to anyone
- Listing title, description, category, sub-category
- Contact name (the name you typed when posting)
- Phone number
- Email address (only if you typed one)
- The language tag of the listing
- The "posted X minutes/hours/days ago" timestamp
Tip: If you don't want a piece of contact info to be public, don't put it in the listing. Email is optional — leave it blank if you'd rather only be reached by phone.
4. Private data — what's only visible to admin moderators
- Your IP address at the time of submission
- Listings you submitted that were rejected
- Internal abuse-flag scores (rate-limit hits, banned-word matches, repeat-offender flags)
This data is used solely to keep the platform safe (block fraud, enforce rate limits, identify repeat policy violators). It is never sold, shared with advertisers, or used for any commercial purpose.
4b. Account data we collect (accounts required to post or view contacts)
Posting a listing, scheduling an event, or viewing another user's contact details (phone number, email) requires a free Haypublic account. When you register we collect:
- Full name — what you typed (your real name, a nickname, a business name — your choice). Public, shown on listings + your profile.
- @username — 3–20 lowercase letters/digits/underscore, unique, public. Appears on every listing/event you post and on your profile page at
/u.html?u=<username>. - Email — used for the verification code at signup and password reset. Private.
- Password — stored as a bcrypt hash (cost 12). We never see your plaintext password. Private.
- Biometric / passkey credentials (optional). If you enroll TouchID, Face ID, Android fingerprint, or Windows Hello on a device, we store only the public key the device generates plus a sign counter and the date you enrolled. Your fingerprint, face scan, or PIN never leaves your device — they live in the device's secure enclave and we never see them. You can remove an enrolled credential at any time from your dashboard.
4c. City of the listing (public)
Every listing must specify a city in Armenia (Yerevan or one of 30+ regional cities). The city is shown publicly on the listings grid and on the listing's detail page. We do not collect or display GPS coordinates, street addresses, or any precise location — only the city you chose.
4d. Why contact info is gated behind sign-in
Phone numbers and email addresses are visible only on a listing's detail page and only to signed-in users. The public listings grid shows just the title, description, photos, category, and city. This protects sellers from scraping bots and reduces SMS / email spam. The phone number itself is still publicly visible on the detail page once you sign in — that's how a buyer reaches the seller.
4e. Subscription and billing data
If you upgrade to Pro, or buy a listing add-on (Boost, Urgent, Refresh, Feature event), we record:
- Your plan (free / pro), the start date, and the end date.
- Each transaction: amount in Armenian Dram (֏), the IDram transaction ID we receive in the callback, the channel (idram / admin / referral), the bill number, and the timestamp.
- Each add-on purchase: which listing or event it was applied to, the add-on type, the duration, the amount paid.
- Your referral code (auto-generated 8-char alphanumeric) and, if you signed up via someone else's link, the user-id of the referrer.
We never store your card number, IDram wallet identifier, CVC, or banking credentials. IDram processes the payment on its own page and sends us back only an opaque transaction ID with a SHA-1 signature we verify. If you exercise your "request a copy" right (Section 8) we email you the full list of your transactions in JSON.
4f. Listing engagement metrics
For analytics — and so Pro users can see how their own listings perform — we count:
- Views: incremented when a signed-in user (other than the listing's owner) opens the detail page.
- Saves: number of users who tapped the heart on the card.
- Contact clicks: number of times the "Call" button was pressed on the detail page.
These counters store no identifying information about who viewed/saved/clicked — only the totals on the listing document. Aggregated counts may appear in the admin "Top viewed" panel.
4g. Reviews and ratings
When you post a star rating (1–5) and an optional comment on someone else's listing, we store: your rating, the comment text, your @username (so other buyers can see who reviewed), the listing ID and seller ID, the time you posted it. Reviews are public and tied to your username — they appear on the listing's detail page and contribute to the seller's rolling average rating shown on their profile. You can edit or delete your own review at any time from the listing's review form. We don't allow reviewing your own listings.
4h. Admin audit log
For accountability, every staff action (approve listing, ban user, grant Pro, etc.) is recorded with: the staff member's user-id and @username, their role at the time, the action name, the target (listing/event/user id), any metadata such as a ban reason, and the timestamp. The audit log is internal; it is never shown to the affected user but is disclosed on request under your data-access right (Section 8) for entries that concern you.
5. What we do NOT collect
- Government ID, SSN, passport, driver's license, or other identifying documents — we ask for none of it
- Date of birth (other than confirming you are 18+, which we trust by self-attestation)
- Your address, contact list, calendar, photos library, or microphone
- Card / banking data — IDram handles payment on its own page; we never see card numbers, CVCs, IBANs, or wallet identifiers
- Biometric data (fingerprints, face scans, PINs) — these stay inside your device's secure hardware; we only store the public key
- Advertising identifiers — we run no ads, use no ad SDKs, and have no cross-site trackers
- Tracking cookies (we use only localStorage for language preference + your sign-in token)
- Behavioral profiles, retargeting data, or anything used for advertising
- Identifying info about who viewed a listing — view counters are aggregated totals, not per-viewer logs
6. How long we keep your data
| Data | Retention |
|---|---|
| Approved listings | Until they expire (30 days free, 90 days Pro) or you delete them. Expired listings are hidden from search but kept 30 more days for restoration on request, then deleted. |
| Rejected listings | 30 days for moderation audit, then deleted |
| IP addresses tied to listings | 30 days, then anonymized (kept only as country code) |
| Server access logs | 30 days, then auto-rotated |
| Abuse-flag records | 180 days for repeat-offender detection, then deleted |
| Subscription / payment transactions | 7 years for tax + legal compliance (RA accounting law). Cannot be deleted on request before then. |
| Add-on purchases | 7 years (same reason) |
| Pending payment records | 24 hours, then auto-deleted (TTL index) |
| Listing engagement counters | For the lifetime of the listing |
| Admin audit log | 2 years for accountability + compliance, then archived offline |
| Banned account records | Indefinitely (so the same person can't re-register and repeat the abuse). The associated email + phone hash are kept on the blocklist; everything else is deletable on request. |
| Biometric / passkey credentials | Until you remove the device from your dashboard, or until the account is deleted |
| Session tokens | 60 days (auto-expire); revoked instantly on sign-out, ban, or "Sign out other devices" |
| WebAuthn challenges | 15 minutes (TTL index) |
7. Who your data is shared with
Listing content + contact info you provide: shared publicly on haypublic.com — that's the point of a classifieds platform.
Sub-processors:
- DigitalOcean (Frankfurt, EU): hosts our application server. Data at rest is encrypted on the underlying volumes.
- MongoDB Atlas: hosts our database. Data at rest is encrypted.
- IDram (Yerevan, Armenia): processes subscription and add-on payments. When you upgrade, we send IDram only your bill number, the amount, and the description of the plan. IDram receives your card / wallet directly and returns a transaction ID + signature to us. We never see your payment instrument.
- Resend (USA / EU): sends our transactional email (sign-up codes, password resets). Resend receives your email address and the email body.
- Let's Encrypt: issues our TLS certificate.
We do NOT share data with: advertisers, marketing networks, data brokers, social-media trackers, analytics SDKs, or any third party for commercial purposes. Stripe and other gateways are not currently in use.
Law enforcement: we may disclose data in response to valid legal process (subpoena, court order, or search warrant) issued by a competent authority. For severe violations involving the safety of minors (CSAE), we report to the National Center for Missing & Exploited Children (NCMEC) CyberTipline within 24 hours per 18 U.S.C. § 2258A.
8. Your rights
You can exercise these at any time by emailing turn.on.everywhere@gmail.com:
- Delete a listing. Tell us the listing URL or title + phone — we remove it within 24 hours.
- Edit a listing. Same process — tell us what to change.
- Delete all your data. Tell us the phone number you used; we wipe every listing and audit record tied to it within 30 days. EU residents have the same right under GDPR Article 17; California residents under CCPA / CPRA.
- Request a copy. We email you everything we have on you, in JSON format, within 30 days. (GDPR Article 15.)
- Object to processing. If you believe we're processing your data unlawfully, tell us — we'll halt processing pending review.
9. Age requirement — 18 and over
Haypublic is for users 18 years of age or older. We do not knowingly collect data from anyone under 18. If we discover an underage user has posted, we remove the listing and any associated data immediately.
10. Security
- All data in transit uses TLS 1.2 or higher.
- Data at rest is encrypted by our database provider (MongoDB Atlas).
- Server access is restricted to authorized administrators; admin actions are logged.
- Rate limits and a banned-words filter prevent automated abuse.
- We use industry-standard security headers (HSTS, CSP, X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin).
- We never store payment data because we don't process payments — Haypublic is free and has no transactions.
- Biometric / passkey sign-in uses the WebAuthn (FIDO2) standard. The Platform sees only the device's public key and a sign counter — never your fingerprint, face scan, PIN, or any other biometric data. That data stays inside your device's secure hardware (Apple Secure Enclave, Android StrongBox, Windows TPM, etc.).
11. International transfers
Our servers are located in Frankfurt, Germany (EU). When you post from outside the EU (e.g., from the US, Russia, or elsewhere), your listing data is transferred to and stored in the EU. EU data protection law (GDPR) applies to this storage.
12. Children's data
Haypublic is not directed at children under 13. We do not knowingly collect data from anyone under 13 in compliance with the U.S. Children's Online Privacy Protection Act (COPPA), nor from anyone under 16 without parental consent in compliance with GDPR Article 8. The platform is for users 18 and over per our community rules.
13. Changes to this policy
We may update this policy as the platform evolves. Material changes will be announced on the homepage. The "Last updated" date at the top reflects the latest revision.
14. Contact
Email: turn.on.everywhere@gmail.com
Operated by: Haypublic, Yerevan, Armenia.
See also: Community Rules · Terms of Service · Billing & refunds · Pricing