Privacy
Last updated: May 9, 2026
What we collect
When you request a buyback quote we collect:
- Your name, email, and phone number.
- Your shipping or pickup ZIP (and full street address if you choose to ship the device).
- The device’s IMEI or serial number.
- The condition you reported (functional / screen / body grades).
- Your selected payout method and the account details for it (PayPal email, Cash App $cashtag, Venmo @handle, Zelle / Apple Pay identifier, or ACH bank + routing + account if you chose ACH).
We do not collect device photos or geolocation.
How we use it
- Quote & payment: to compute your offer and pay you out via your selected method. Stolen-device-database verification is on the v2 roadmap; today, the buyback operator may decline a quote on receipt if the device fails their own checks.
- Shipping: if you ship the device, your address generates one prepaid carrier label per order.
- Communication: confirmation emails, status updates, payment notification.
How we store it
- IMEIs and payout details are encrypted at rest using PostgreSQL pgcrypto. These values are decrypted only on demand by the buyback operator, and every decryption is recorded in our audit log with the operator’s identity and timestamp.
- Application logs automatically redact 14–16 digit numeric strings to prevent IMEI leakage.
- We do not sell or share your data with third parties beyond the carriers and processors required to fulfill your buyback (EasyPost for shipping labels, Stripe for buyback operator billing, Resend for email).
Retention & auto-purge
IMEIs and payout details are automatically purged 12 months after quote creation. After that point they are wiped from our database (replaced with NULL) and a purge timestamp is stored on the lead record.
Other lead fields (your name, email, the offered price, status history) may be retained longer for tax, accounting, and dispute-resolution purposes, but are never used for marketing or shared.
Your rights
You can request, at any time:
- A copy of the data we hold about you.
- Correction of inaccurate data.
- Deletion of your data (“right to be forgotten”) — subject to the retention requirements above for completed buybacks.
- The name of the buyback operator who received your submission.
To exercise any of these, email [email protected] from the address you used to submit the quote, or contact the buyback operator directly.
Region-specific rights
The rights above apply to everyone. Some regions add specific rights or contact requirements on top — below is the jurisdiction-specific detail. If you live somewhere not named here and have rights under a regulation we haven’t listed, email [email protected] and we’ll honor them.
European Union, EEA, and United Kingdom (GDPR / UK GDPR)
Full GDPR rights apply to your data: access, rectification, erasure (subject to retention requirements above), restriction of processing, portability, and objection. Lawful bases, sub-processor list, international-transfer safeguards (SCCs + UK addendum), and breach notification commitments are documented in our GDPR notice and Data Processing Agreement. You may also lodge a complaint with your local supervisory authority (ICO in the UK; your national DPA in the EU).
California residents (CCPA / CPRA)
You have the right to know what personal information we collect and how it’s used (covered above), the right to delete it (subject to retention requirements), the right to correct inaccurate information, the right to limit use of sensitive information, and the right to non-discrimination for exercising these rights.
We do not sell your personal information and we do not share it for cross-context behavioral advertising. We have not done so in the preceding 12 months and we have no plans to do so. Because of that, we do not display a “Do Not Sell or Share My Personal Information” link — there is nothing to opt out of. If that ever changes, we will provide the opt-out mechanism CCPA requires before any such sale or sharing begins.
Other US states (Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, etc.)
Substantively similar rights to California: access, correction, deletion, portability, and the right to opt out of targeted advertising or profiling. We don’t do targeted advertising or profiling. We respect Universal Opt-Out Mechanisms including the Global Privacy Control (GPC) browser signal — if your browser sends GPC, we treat it as an opt-out signal for any future tracking, even though we run no tracking today. Email [email protected] to exercise rights or for questions about your specific state law.
Canadian residents (PIPEDA + provincial laws)
You have the right to access your personal information, request corrections, withdraw consent (subject to legal and contractual obligations), and challenge our handling of your data. Canadian residents in Quebec have additional rights under Law 25, including data portability. Direct requests to [email protected]. You may also contact the Office of the Privacy Commissioner of Canada.
Australian residents (Privacy Act 1988 / Australian Privacy Principles)
You have the right to access and correct your personal information and to complain about our handling of it. Email [email protected] for either. Unresolved complaints can be escalated to the Office of the Australian Information Commissioner (OAIC).
South African residents (POPIA)
You have the right of access, correction, deletion, objection, and to lodge a complaint. Direct requests to [email protected]. You may also contact the Information Regulator (South Africa). Note: WerOrg currently relies on the founder’s direct oversight rather than a designated Information Officer; for POPIA-grade requests we will route you to a named officer on first contact.
Brazil (LGPD), India (DPDPA), and other jurisdictions
We honor data-subject rights granted by your local law on a best-effort basis. If your jurisdiction grants rights we haven’t named here, email [email protected] with a description of the right you’re exercising and we will respond within 30 days.
Browser signals we honor
We do not run analytics or advertising tracking on this site. If we ever do, we will:
- Global Privacy Control (GPC): treat the Sec-GPC: 1 request header as a binding opt-out for any tracking and cross-context advertising.
- Do Not Track (DNT): treat as a non-binding signal that we still respect for analytics.
- Cookie consent: show a granular EU/UK consent banner with separate Accept/Reject controls of equal weight, never auto-accept.
Buyback operators
WerOrg powers branded buyback websites for independent mobile-phone resellers. The operator who owns the website you submitted on is the data controller for your submission; WerOrg is the data processor. If you’re unsure who that is, check the URL of the page you submitted from — the subdomain or custom domain identifies the operator.
Questions? [email protected]. For general questions about WerOrg, see the homepage.
