BuyAnything
Sign In
VendorsGuidesHow It WorksAboutContact

Privacy Policy

Last updated: April 26, 2026

This is the BuyAnything Privacy Policy. It incorporates by reference the ConnectionFinder Privacy Policy (reproduced below), which governs how XCOR, LLC processes your data at the network layer, including any third-party account connections you authorize. The canonical source for that policy is connectionfinder.net/privacy. The BuyAnything-specific addendum below describes data collected and processed by BuyAnything specifically.

BuyAnything addendum

1. Information We Collect

Public surface (no account required): When you search without an account, we do not store your search queries. We log clickout events (which products you click through to buy) with anonymized data including: merchant domain, affiliate handler used, browser user-agent, and a hashed IP address. We do not associate this data with any personal identity.

Registered accounts: When you create an account, we collect your phone number (for authentication), and any information you provide in your procurement requests. Your search history and vendor interactions are stored to provide the workspace experience.

Optional inbox connections: If you connect Gmail or Outlook, we store connection status and provider-derived receipt or vendor activity signals so we can improve recommendations, purchase memory, and future automation. We do not expose your inbox contents directly to vendors. This processing is handled by ConnectionFinder and governed by the ConnectionFinder Privacy Policy reproduced below.

2. How We Use Your Information

  • • To provide search results from retail APIs and our vendor network
  • • To facilitate introductions between you and vendors (when you request a quote)
  • • To track affiliate clickouts for revenue attribution (anonymized for non-logged-in users)
  • • To improve our search ranking and recommendation algorithms
  • • To communicate with you about your account and requests

3. Affiliate Links & Third-Party Services

Some links on BuyAnything are affiliate links. When you click through to a retailer (e.g., Amazon, eBay), the retailer may collect information about your visit according to their own privacy policy. We may earn a commission on qualifying purchases at no additional cost to you. See our Affiliate Disclosure for details.

4. Data Sharing

We do not sell your personal information. We share data only in these limited circumstances: with vendors you explicitly request an introduction to, with service providers necessary to operate the platform (hosting, email delivery), with PivotNorth-owned services that collectively deliver BuyAnything (see section 5), and when required by law.

5. PivotNorth Platform Services

BuyAnything is part of the PivotNorth platform. Several of our internal services process your data to power the features you see:

  • Event Hub — Routes shopping events (searches, clicks, purchases, endorsements) between our services so your history and recommendations stay consistent across the platform.
  • Serendipity Engine — Builds a relationship and recommendation graph from events you generate and from shared vendor knowledge across PivotNorth apps. Used to power recommendations and vendor discovery.
  • ConnectionFinder — Handles any third-party account connections you authorize (such as Gmail or Outlook) and centralizes third-party data processing. Operated by XCOR, LLC and governed by the ConnectionFinder Privacy Policy, which applies in addition to this one when you connect an account.

When you create a BuyAnything account, you may also be recognized by other PivotNorth-owned services you use in the future, so that your recommendation history is consistent. This cross-service recognition is limited to PivotNorth-owned services and does not share your data with external third parties outside the sub-processors listed in section 6.

6. Sub-Processors

We use the following third-party service providers to operate BuyAnything. Each processes data on our behalf under a data processing agreement:

  • Railway — Compute and hosting infrastructure. Data at rest is encrypted.
  • PostgreSQL hosting (Railway-managed) — Primary database. Encrypted at rest.
  • Stripe — Payment processing for completed purchases. Governed by Stripe's privacy policy.
  • Clerk — Authentication and user account management. Governed by Clerk's privacy policy.
  • Anthropic (Claude API) — Language model used for query understanding, result ranking, and recommendation logic. Anthropic does not train on our API traffic and discards prompt and completion data within 30 days. Governed by Anthropic's privacy policy.
  • Search and data providers — We query external search APIs (SerpAPI, Rainforest, ScaleSerp, SearchAPI, eBay Browse, Ticketmaster, Google Custom Search, and others depending on request type) to return relevant results. These providers see only the query text, not your account identity.

The complete current list of sub-processors is maintained in our internal compliance documentation and updated when vendors are added or removed. Material changes will be communicated before they take effect.

7. Cookies

We use a secure session cookie (platform_session) for authentication. We use the Skimlinks script for universal affiliate link conversion. No tracking cookies are used for non-logged-in users beyond what is necessary for affiliate attribution.

8. Vendor Privacy

Vendor contact information (email addresses, phone numbers) is never displayed on public pages. Only business name, description, and website URL are shown publicly. Contact is facilitated through our platform, not by exposing vendor PII.

9. Your Rights

You have the right to request a copy of the personal data we hold about you, request correction of inaccurate data, request deletion of your account and associated data, and request that we stop processing your data. To exercise any of these rights, email privacy@buyanything.ai. We respond to verified requests within 30 days.

If you are in the European Economic Area, United Kingdom, or Switzerland, you have additional rights under GDPR, including the right to lodge a complaint with your local data protection authority. If you are in California, you have rights under the CCPA including the right to know what personal information we have collected and the right to request deletion.

10. Contact

For privacy questions, contact us at privacy@buyanything.ai.

ConnectionFinder Privacy Policy

Last updated: April 21, 2026. Canonical source: connectionfinder.net/privacy

Overview

ConnectionFinder provides a secure connection layer allowing users to link Google and Microsoft accounts to applications using the service. This policy describes data collection, usage, and user rights.

Who Operates ConnectionFinder

XCOR, LLC, a California limited liability company, operates ConnectionFinder. When connecting your Google or Microsoft account, you authorize XCOR, LLC to process data per this policy.

Currently, ConnectionFinder is the only product where you interact with processed Google account data. You can view signals, manage connections, and delete data at connectionfinder.net/connected.

XCOR, LLC may introduce additional products using derived signals from authorized data. Before sharing signals with new products, the company will update this policy, notify existing users, and provide opt-out options. Products from other entities cannot access your data through this service.

What Data We Collect

When connecting Google or Microsoft accounts, we may access authorized data categories, potentially including:

  • • Gmail or Outlook messages and metadata
  • • Google or Outlook Contacts data
  • • Google or Outlook Calendar data
  • • Sending email on your behalf (only when you explicitly invite specific contacts from ConnectionFinder applications; never bulk or automated email)

We collect basic account information like email addresses to associate connections with user accounts.

ConnectionFinder may store access-restricted third-party identity records to improve recommendations in chosen applications. These records contain one-way cryptographic hashes of identifiers compared locally during signup.

How We Use Your Data

Data is used solely to provide and improve user-facing features in chosen apps, including:

  • • Relationship discovery
  • • Contact matching and enrichment
  • • Personalized product functionality
  • • Network-based recommendations

Third-Party Identity Enrichment

Status: Not currently active. This describes planned functionality for transparency purposes. The policy will be updated before activation.

ConnectionFinder serves as the centralized boundary for third-party data processing by XCOR, LLC. Beyond OAuth connections, the company plans to maintain an access-restricted dataset of pre-ingested identity records licensed from third-party providers. During signup to XCOR, LLC-operated applications, hashed email addresses or phone numbers may be checked against this dataset.

The lookup process:

  • • Computing one-way cryptographic hashes of provided email addresses or phone numbers
  • • Comparing hashes against the pre-loaded dataset within ConnectionFinder
  • • Passing third-party entity identifiers to the Serendipity Engine for relevant recommendations if matches occur
  • • Retaining no record if no matches occur

XCOR, LLC will not:

  • • Share raw email, phone numbers, or identifiers with third-party data providers
  • • Use this process for advertising, profiling, cold outreach, or purposes outside recommendation personalization
  • • Use Google API data (such as Gmail content) as enrichment process input
  • • Sell personal information

Opt-out: Email lance@xcor-cto.com with subject line "Opt out of enrichment" to opt out at any time. Identifiers are added to suppression lists and associated enrichment records are deleted within thirty days. Opting out does not affect application usage.

The enrichment dataset remains isolated from OAuth-connected data. Only a single probe function within ConnectionFinder can access it, with every probe audited.

Google User Data

ConnectionFinder's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including Limited Use requirements.

What ConnectionFinder never does with Google data:

  • • Selling Google user data
  • • Transferring Google user data or derived signals to advertisers, data brokers, or entities outside XCOR, LLC
  • • Using Google user data or derived signals to train, develop, or improve general-purpose artificial intelligence or machine learning models
  • • Using Google user data for advertising, ad targeting, or ad measurement
  • • Allowing humans to read Gmail content except with affirmative prior consent for specific messages, when necessary for security or abuse investigation, to comply with applicable law, or for limited internal operations where data is aggregated and anonymized
  • • Using Google user data for purposes beyond providing and improving visible user-facing features

Information derived from Google APIs: Generated or derived information from Gmail, Contacts, or Calendar data — including aggregated statistics, relationship scores, quality dimensions, and anonymized signals — is treated as Google user data and governed by the same Limited Use commitments. Aggregation or anonymization does not change handling procedures.

Per-scope use:

  • gmail.readonly — reading message bodies, headers, and attachment metadata to score relationship strength. Bodies are processed in memory, retained in encrypted form for at most thirty days for signal extraction, then deleted. Bodies are never transmitted outside ConnectionFinder.
  • gmail.metadata — reading sender, recipient, subject, and date to compute interaction frequency without accessing bodies.
  • gmail.send — sending invitation emails you explicitly initiate from ConnectionFinder-built applications. Never used for bulk, automated, marketing, or system-initiated email.
  • calendar.readonly — reading event titles, times, and attendees to identify co-attendance as relationship signals.
  • contacts.readonly — reading contact names, emails, phones, and notes to disambiguate and enrich records across services.

Data Sharing

Data is not shared with third parties except:

  • • With the specific authorized app
  • • With listed sub-processors processing data on the company's behalf
  • • When required by law or legal process
  • • To protect service security or investigate abuse

Sub-Processors

The following third-party vendors process your data:

  • Anthropic (Claude) — LLM-based analysis of email content powering relationship and signal extraction features. Email content is redacted to remove obvious identifiers before transmission. Anthropic does not train on this data and discards it within thirty days.
  • Railway — Compute and infrastructure hosting with encrypted-at-rest storage only.
  • MongoDB Atlas — Primary database with application-level AES-256-GCM encryption for sensitive content.

The complete current sub-processor list is maintained in compliance documentation. The policy will be updated before engaging additional sub-processors processing Google user data or derived data.

Data Retention and Deletion

Data is retained while your account connection remains active. Upon disconnection or deletion requests:

  • • OAuth tokens are revoked immediately at Google (and Microsoft, where applicable)
  • • Stored data is queued for erasure
  • • Erasure is completed within thirty days

Instructions for managing or deleting data are available at connectionfinder.net/connected.

Your Rights

You have the right to:

  • • Disconnect your account at any time from where you connected it
  • • Request a copy of held data
  • • Request data deletion
  • • Revoke access via your Google Account permissions

Security

All data is encrypted in transit using TLS. OAuth tokens and sensitive content are encrypted at rest using AES-256-GCM with versioned key rotation. User data access is restricted to automated systems; human access requires explicit authorization and is logged.

Contact

For privacy-related questions or data requests, contact lance@xcor-cto.com.