Privacy Policy of Shack

Version 2.0 – 13 February 2026

About us

This Privacy Policy ("Privacy Policy") explains how we process and protect your personal data when you use our application ("Platform"), or our services provided via the Platform (together, the "Services").

These Services are operated by Shack AG, Untere Roostmatt 8, 6300 Zug ("Shack", "we", "our", or "us"). Shack is the controller for the data processing described below.

Unless otherwise defined in this Privacy Policy, the definitions used in this Privacy Policy have the same meaning as in the Swiss Federal Act on Data Protection (FADP) or the EU General Data Protection Regulation (GDPR). If you are in the US, additional disclosures in Section 13 apply.

1. Personal data we collect

We may collect or receive personal information for a number of purposes connected with our business operations when you use our Services, namely:

  • Usage and analytics information (e.g., identifiers, numbers of clicks, tracking data)
  • Contact details (e.g., name, address, phone number, birth date)
  • Geolocation (e.g., approximate location, such as country/city derived from IP address, and, if you opt in, precise location)
  • Login details (e.g., e-mail address, username, session, profile picture)
  • Payment details (e.g., billing information, credit card details (incl. Apple Pay))
  • Blockchain wallet data (e.g. user public address)
  • Request details (e.g., details and content of your inquiries)
  • Platform visitor details (e.g., IP address, logfiles, terminal ID)
  • Auction details (items, images, number and names of bidders)

There is no obligation to provide your personal data. However, please note that our Services cannot be provided if you do not provide the required data strictly necessary for performing the contract between you and us.

2. How we collect personal data

We collect information about our users when they use our Services, including when they take certain actions within them.

Directly

  • Via our Platform and electronic communication
  • When you use our Services
  • When you provide services to us
  • When you correspond with us by electronic means using our Services
  • When you browse, complete a form or make an inquiry while using our Services

Indirectly

Through public sources

  • From public registers (such as commercial registers), news articles and internet searches
  • When our business customers engage us to perform professional services which involve them sharing personal data they control with us as part of that engagement
  • From external Service Providers (see section 5)

3. Legal Basis and purposes

Our legal basis for collecting and using the personal data described in this Privacy Policy depends on the personal data we collect and the specific purposes for which we collect it.

Contract:

To perform our contractual obligations or take steps linked to a contract with you. In particular:

  • To provide you with customer support
  • To set up and manage your account, as well as to verify your credentials when logging in
  • To recruit you
  • To provide our Services

Consent:

We may rely on your freely given consent at the time you provided your personal data. In particular:

  • To analyse, improve, personalise and monitor the usage of our Services and communication
  • To place non-essential cookies and other tools on your browser
  • To provide users with news, special offers, and general information about goods and services which we offer by means of in-app push notifications
  • To share your contact details with the User selling an item, in case of a concluded Auction

Legitimate interests:

We rely on legitimate interests based on our assessment that the processing is fair and reasonable and does not override your interests or fundamental rights and freedoms. In particular:

  • To place essential cookies and other tools on your browser that are technically necessary for our Services
  • To develop new services
  • To maintain and improve our Services, as well as to detect, prevent, and address security threats

Necessity for compliance with legal obligations:

To meet regulatory and public interest obligations. In particular:

  • To notify you about changes to our Services and our Privacy Policy
  • To comply with applicable regulations and legislation.
  • For the legal enforcement of claims and rights.
  • To apply age-gating and parental-consent requirements, where applicable.

4. Data retention

We retain personal data for so long as it is needed for the purposes for which it was collected and in line with legal and regulatory requirements or contractual arrangements. After this period, we delete or fully anonymize your personal data.

5. Data recipients

We engage third-party companies ("Service Providers") to facilitate the operation of our Services, assist in analysing the usage of the Services, or perform necessary services, such as payment and the provision of IT services. These third parties have access to your personal data only to the extent necessary to perform these tasks.

5.1 Categories of Service Providers

Type(s) of Service Providers who might access your personal data:

  • Professional advisers that we use, such as accountants and lawyers
  • Third parties that are engaged in the course of your matter, such as counsels, banks and other payment providers, KYC/AML service providers, and postal or courier providers
  • Third parties who provide IT and software services
  • Third parties who help us with client insights and marketing

5.2 Sign in with Apple

Sign in with Apple is provided by Apple Distribution International Limited, or Apple Inc. depending on the location this Application is accessed from. Sign in with Apple is a registration and authentication service connected to the Apple network.

For more information you may visit https://www.apple.com/legal/privacy/en-ww/.

6. Data transfers

We and/or our Service Providers may transfer your personal data to and process it in the following countries:

  • EU and EEA
  • USA

We may use Service Providers partly located in so-called third countries (outside the European Union or the European Economic Area or Switzerland) or process personal data there, i.e., countries whose level of data protection does not correspond to that of the EU or Switzerland.

We safeguard your personal data per our contractual obligations and applicable data protection legislation when transferring data abroad.

Such safeguards may include:

  • The transfer to countries that have been deemed to provide an adequate level of protection according to the Federal Council, as well as to countries where there is an adequacy decision by the European Commission in place
  • Applying standard data protection model clauses, binding corporate rules or other standard contractual obligations that provide appropriate data protection

If a third-country transfer takes place and there is no adequacy decision or appropriate safeguards, there is a risk that authorities in the third country (e.g. intelligence services) can gain access to the transferred data and that the enforceability of your rights as a data subject cannot be guaranteed.

7. Data disclosure

We may disclose your personal data in the good faith belief that such action is necessary:

  • To comply with a legal obligation (i.e., if required by law or in response to valid requests by public authorities, such as a court or government agency)
  • To protect the security of our Services and defend our rights or property
  • To prevent or investigate possible wrongdoing in connection with us

8. Data on the blockchain

When using our Platform or using any applicable blockchain in relationship with our Platform, you should be aware that any transactions will be publicly and irrevocably archived on the applicable blockchain once you sign them and send them to the network. These transactions typically include information about how many tokens have been bought, sold, transferred or otherwise interacted with, a timestamp, and the involved addresses. They do not include data such as your name or e-mail address. Nonetheless, once someone knows that a particular address belongs to you, they can connect all the transactions involving that address to you.

9. Data Security

We take reasonable technical and organisational security measures that we deem appropriate to protect your stored data against manipulation, loss, or unauthorised third-party access. Our security measures are continually adapted to technological developments.

We also take internal data privacy very seriously. Our employees and the service providers that we engage are required to maintain secrecy and comply with applicable data protection legislation. In addition, they are granted access to personal data only insofar as this is necessary for them to carry out their respective tasks or mandate.

The security of your personal data is important to us, but remember that no method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security. We recommend using antivirus software, a firewall, and other similar software to safeguard your system.

10. Your rights

You have the below data protection rights. To exercise these rights, you may contact the above address or send an e-mail to: crew@shack.xyz. Please note that we may ask you to verify your identity before responding to such requests.

  • Right of access: You have a right to request a copy of your personal data, which we will provide to you in an electronic form.
  • Right to amendment: You have the right to ask us to correct our records if you believe they contain incorrect or incomplete information about you.
  • Right to withdraw consent: If you have provided your consent to the processing of your personal data, you have the right to withdraw your consent at any time with effect for the future. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose(s) to which you initially consented unless there is another legal basis for processing.
  • Right to erasure: You have the right to request that we delete your personal data when it is no longer necessary for the purposes for which it was collected or when it was unlawfully processed.
  • Right to restriction of processing: You have the right to request the restriction of our processing of your personal data where you believe it to be inaccurate, our processing is unlawful, or where we no longer need to process it for the initial purpose, but where we are not able to delete it due to a legal obligation or because you do not want us to delete it.
  • Right to portability: You have the right to request that we transmit your personal data to another data controller in a standard format such as Excel, if this is data which you have provided to us and if we are processing it on the legal basis of your consent or to perform our contractual obligations.
  • Right to object to processing: Where the legal basis for our processing of your personal data is our legitimate interest, you have the right to object to such processing on grounds relating to your particular situation. We will abide by your request unless we have a compelling legal basis for the processing which overrides your interests or if we need to continue to process the personal data for the exercise or defence of a legal claim.
  • Right to lodge a complaint with a supervisory authority: You have the right of appeal to a data protection supervisory authority if you believe that the processing of your personal data violates data protection law. The competent data protection authority in Switzerland is the Federal Data Protection and Information Commissioner (www.edoeb.admin.ch/edoeb/en/home.html). In the EU and EEA, you can exercise this right, for example, before a supervisory authority in the Member State of your residence, your place of work or the place of the alleged infringement. You can find a list of the relevant authorities here: https://edpb.europa.eu/about-edpb/board/members_en.

11. Automated Decision-Making

We employ fully automatic decision-making processes that can have legal or similar effects on you. We use these processes for the following purposes:

The automatic decision-making used by us is necessary for the performance of a contract relationship with you, when authorised by law, or when there is a specific, informed, unambiguous and freely given consent from you. Furthermore, we inform you when we collect personal data for automated decision-making purposes, providing further information on the logic involved, as well as its significance and consequences.

We verify your username and profile picture by asking an artificial intelligence system whether your username and/or profile picture are appropriate for the use of our marketplace platform. Upon a negative decision by the artificial intelligence system, you are prompted to choose another username and/or profile picture.

You may contest the results of the automated decision and obtain human intervention on our part, when the activities are needed for the performance of a contract or when based on consent. To do so, you can contact crew@shack.xyz.

12. SDKs

We rely on third-party code commonly known as software development kits ("SDKs"), in order to incorporate certain functionalities in our Platform. We use these products in order to analyse the usage of our application, conduct trend surveys and track your interaction with our Platform, as well as other features described below.

By incorporating SDKs into our Platform, their respective providers may have access to some of your personal data, only to the extent that it is needed for the functionality to work. Furthermore, the providers of the SDKs we use are under the obligation not to disclose it to third parties, as well as to ensure its security, as per our contractual obligations and the applicable data protection legislation. Some SDKs (such as authentication, crash reporting, and payment processing) are essential for the functioning of the Platform, and we rely on our legitimate interests and on our contractual obligations with you to use them. Others help us improve features, measure usage, and personalize your experience; for those, we rely on your consent.

Below, we provide you with the list of SDKs we use, as well as a brief description of their purpose.

Firebase:

  • Analytics: To help us understand app usage patterns and improve features, on an anonymized aggregated basis.
  • Authentication: To allow secure sign-in and account creation.
  • Crashlytics: To monitor crashes and app stability, including device info at the time of a crash.
  • Firestore & Firebase Storage: To store and process user-generated content, such as auction listings and images.
  • Functions & Remote Config: To deliver dynamic features, personalized settings, and backend processes.
  • Messaging: To deliver push notifications and updates.
  • Vertex AI: To provide AI-assisted features such as automated listing suggestions and categorization.
  • Appsflyer: To measure installs, marketing effectiveness, and user attribution
  • Meta: To enable login with Facebook, optional content sharing, and associated analytics.
  • Google Sign-In: To allow sign-in via Google account.
  • GeoFire / GeoFireUtils: To enable location-based features such as nearby item discovery and Shack Map.
  • RevenueCat: To process in-app purchases and subscriptions.

13. Privacy Disclosures for US Residents

This section applies to you if you are a resident of the United States. For purposes of this Section 13, "personal data" and "personal information" have the meanings given under applicable US state privacy laws.

13.1. Additional Information for California Residents

For California residents, the following disclosures apply:

  • Categories of personal information collected. We collect the categories of personal information described in Section 1 (e.g., identifiers, device and app data, usage and analytics data).
  • Sources of personal information. We collect personal information directly from you, automatically through your use of the Services, from app store providers, and from our service providers and partners as described in Section 2.
  • Purposes of collection and use. We use personal information for the purposes described in Section 3 (including to provide and improve the Services, provide customer support, ensure security, and perform analytics).
  • Categories of third parties we disclose to. We disclose personal information to the categories of recipients described in Section 5 (including service providers, analytics and advertising partners, and infrastructure providers).
  • Sale or sharing of personal information. We do not sell personal information for money. However, as described below, we may share certain identifiers and usage data with advertising partners for cross-context behavioural advertising, which may be considered a "sale" or "sharing" under California law.

13.2. Your Rights under US State Privacy Laws

Depending on your state of residency, you may have certain rights under state consumer privacy laws (including, but not limited to, the California Consumer Privacy Act (CCPA)) related to your personal data, including:

  • Access / Right to Know and Data Portability. You may confirm whether we process your personal information and access a copy of the personal information we process. To the extent feasible and required by state law, depending on your state, data will be provided in a portable format. Depending on your state, you may have the right to receive additional information, and it will be included in the response to your access request.
  • Correction. You may request that we correct inaccuracies in your personal data that we maintain, taking into account the information's nature and processing purpose.
  • Deletion. You may request that we delete personal data about you that we maintain, subject to certain exceptions under applicable law.
  • Opt out of using personal data for targeted advertising, profiling, and sales. We do not sell personal information for money. However, when we use third-party advertising and analytics tools (e.g., Firebase Appsflyer, Meta and Google), we may disclose certain identifiers and usage data for cross-context behavioural advertising. Under some laws (including California), this may be considered a "sale" or "sharing." You may opt out at any time.
  • Right to limit use of sensitive personal information. If we process "sensitive personal information" (which may include precise geolocation, biometric identifiers, government ID numbers, and account log-in credentials) beyond what is reasonably necessary to provide the Services, you may request that we limit such use to permitted purposes.
  • Right to opt out of profiling. In some US states, you may opt out of profiling in furtherance of decisions that produce legal or similarly significant effects. We do not currently conduct profiling that produces legal or similarly significant effects.

13.3. Exercising your Rights

To exercise any of these rights, including your opt-out rights, you may contact us at the address listed in Section 14 or send an e-mail to: crew@shack.xyz. Only you, or someone legally authorised to act on your behalf, may make a request to know, delete, or correct your personal information. We will verify requests to protect your privacy. For opt-out or limitation requests, we will only ask for information needed to complete the request. Where permitted, you may use an authorised agent to submit certain requests on your behalf. We may ask the agent to provide proof of authorisation and may require you to verify your identity directly.

We endeavor to substantively respond to a verifiable request within 45 days of its receipt. If we require more time (up to another 45 days), we will inform you of the reason and extension period in writing. Our substantive response will tell you whether or not we have complied with your request. If we cannot comply with your request in whole or in part, we will explain the reason, subject to any legal or regulatory restrictions. Applicable law may allow or require us to refuse to provide you with access to some or all of the personal information that we hold about you, or we may have destroyed, deleted, or made your personal information anonymous in compliance with our record retention policies and obligations.

13.4. Appeals

If we deny your request, you may have the right to appeal our decision (where required by applicable law). You can appeal by emailing us at crew@shack.xyz with the subject "Appeal - US Privacy Request".

13.5. Global Privacy Control and universal opt-out signals

Some browsers and browser extensions support the Global Privacy Control ("GPC") that can send a signal to process your request to opt out from certain types of data processing, including data "sales" as defined under certain laws. When we detect such a signal, we will make reasonable efforts to respect your choices indicated by a GPC setting as required by applicable law. Where required by law, we will treat eligible opt-out preference signals as an opt-out of "sale" / "sharing" and targeted advertising.

13.6. Minors under 18

If we have actual knowledge that a user is under 18, we will not "sell" or "share" their personal information (as those terms are defined under applicable law) without the required opt-in consent.

13.7. No Discrimination

We will not discriminate against you for exercising your privacy rights.

14. Changes to this Privacy Policy

We may update our Privacy Policy from time to time. We therefore encourage you to review this Privacy Policy periodically for any changes.

Changes to this Privacy Policy are effective when they are posted on this page.

15. Contact us

If you have any questions about this Privacy Policy, do not hesitate to get in touch with us at:

Shack AG, Untere Roostmatt 8, 6300 Zug, crew@shack.xyz