This Privacy Policy explains how Barracks Bazaar ("we", "us", "the Site") collects, uses, shares, and protects your personal data, and the rights you have over that data under the EU General Data Protection Regulation (GDPR) and applicable data-protection law. Barracks Bazaar is a members-only, peer-to-peer community marketplace for participating U.S. military installations. Because we serve a community that includes residents of the European Union, we apply GDPR-level protections to everyone.
The data controller responsible for your personal data is Barracks Bazaar. If you have any question about this policy or wish to exercise your privacy rights, contact us at:
Barracks Bazaar is a peer-to-peer marketplace. For items bought and sold on the Site, we handle no funds and process no payments. Buyers and sellers arrange and complete payment directly with each other, in person. We do not collect, store, or transmit card numbers, bank details, or any other payment-instrument data. The one exception is optional supporter contributions, which are processed by Stripe as described in Section 15 - even then, we never receive your card or bank details ourselves.
We collect only what is needed to run a members-only community marketplace:
We rely on the following GDPR lawful bases:
We do not sell your personal data, and we use no third-party advertising or analytics trackers. We rely on a small number of processors: our hosting provider Hostinger (Site and database, on servers in the European Union under a data-processing arrangement), Cloudflare (Turnstile, the privacy-friendly bot-check on our registration and login forms), Stripe for supporter payments (Section 15), Anthropic and product-catalog services for the AI listing tools (Section 16), and our email delivery service. Each receives only what its job requires. Other members of the marketplace see only the limited information needed to transact with you (for example, a seller's listings, or the name/contact details you share to arrange an in-person exchange). We may disclose data where legally required.
The Site and its data are hosted within the European Union. Some of our service providers process data in the United States — Cloudflare (bot-check), Stripe for supporter payments, and Anthropic and the product catalogs for the AI tools (see Sections 15 and 16). Stripe certifies to the EU-U.S. Data Privacy Framework; we share only the minimum each service needs. Where any transfer were to occur, we would rely on an appropriate GDPR safeguard (such as an adequacy decision or standard contractual clauses).
The Site is login-gated and uses only strictly necessary cookies: a PHP session cookie that keeps you logged in during your visit, and the core "Remember Me" cookie if you choose that option. Our bot-check on the registration and login forms (Cloudflare Turnstile) may set a temporary, strictly-necessary cookie solely to confirm you are human; it is not used for tracking, advertising, or analytics. We use no tracking, advertising, or analytics cookies. Because these cookies are essential to the service, they do not require opt-in consent; we show a short notice disclosing them.
You have the right to: access your data; rectify inaccurate data; request erasure ("right to be forgotten"); restrict or object to processing; data portability; withdraw consent at any time (without affecting prior processing); and lodge a complaint with a supervisory authority (for residents of Italy, the Garante per la protezione dei dati personali, or your local EU authority).
To exercise your rights, use the Site's built-in data-request page at Privacy Data Request, where you can submit an information (access) or removal (erasure) request, or email us at
We do not carry out automated decision-making or profiling that produces legal or similarly significant effects on you.
The Site is intended for adults. You must be 18 or older to register or use the marketplace. We do not knowingly collect data from children.
We may update this Privacy Policy from time to time. Material changes will be reflected by an updated "Last updated" date above and, where appropriate, by notice on the Site.
If a personal-data breach occurs that is likely to put your rights at risk, we will notify the competent supervisory authority within 72 hours of becoming aware of it and, where required, notify you directly without undue delay.
We do not sell or share personal information as defined by the California Consumer Privacy Act (CCPA/CPRA), and we do not use your data for cross-context behavioural advertising. US residents may exercise the rights to know, correct, and delete their personal information using the same Data Request tool or by emailing
Voluntary contributions are processed by Stripe, Inc. (stripe.com), our payment processor. Stripe collects and processes your name, email address, and full payment details directly, under its own privacy policy (stripe.com/privacy). We never receive or store your card or bank details.
What we receive and keep: the Barracks Bazaar username you enter at checkout, the email address used to pay, the amount and currency, the contribution type (one-time or subscription), Stripe's transaction and subscription reference IDs, and your resulting access status. We use this to switch your AI access on and off, to answer questions about your contribution, and for basic accounting.
Subscriptions and refunds: for recurring contributions, Stripe notifies us automatically about renewals, cancellations, and refunds so your access can follow your payments without manual handling; those notifications carry the same limited details listed above. Stripe also sends you its own payment receipts by email.
Retention and deletion: contribution records are kept while your access is active and afterwards as reasonably needed for accounting and dispute handling; we process them to carry out your contribution and for our legitimate interest in funding the Site. You can request deletion of your account data at any time through the Privacy Data Request page; contribution records that must be retained for accounting are kept in minimal form and deleted when no longer required.
International transfer: Stripe processes payments in the United States. Stripe certifies to the EU-U.S. Data Privacy Framework for transfers of European personal data.
If you use the AI listing tools, the text you type about an item is sent to our AI provider (Anthropic) to generate the draft, and any barcode or product name you look up is sent to product-catalog services (such as UPCitemdb and Google Books) - these lookups contain product identifiers only. Do not include personal information in item descriptions. Photos you attach to a listing are stored on the Site and are not analyzed by the AI. If you turn on notifications, we store the delivery address your device issues for that purpose (revocable in your browser settings at any time); messages sent through the private relay are stored so they can be delivered.