Privacy Policy

Last updated: Invalid Date

Last updated: 24 May 2026

XChange Lebanon ("XChange", "we", "us") operates the XChange Lebanon classified marketplace at xchangelb.com and the XChange Lebanon mobile app for iOS and Android. This Privacy Policy describes what personal data we collect, why we collect it, who we share it with, and the rights you have over your data.

1. Who is responsible

XChange Lebanon is the data controller for personal data processed through the website and the mobile app. You can reach our privacy team at privacy@xchangelb.com for any question covered by this policy or to exercise any of the rights described below.

2. Data we collect

We collect only the data we need to operate the marketplace.

Account data — when you register: your name, email address, phone number, password (stored as a one-way hash by our identity provider), and the city or governorate you list from.

Listing data — when you post an ad: the listing title, description, category attributes, photos, price, and location you choose. Listings are public by design — anything you post is visible to other users and indexed by search engines.

Messaging data — when you contact a seller through the in-app messenger: the conversation contents, timestamps, and the IDs of both participants. Message bodies are stored only as long as required to operate the conversation thread and meet our moderation obligations.

Device data — when you use the mobile app: device type, operating system version, app version, push notification token (if you opt in), and crash and performance diagnostics through Sentry.

Usage data — listings you view, searches you run, and ads you save as favourites. This is aggregated for analytics and used to surface relevant listings.

Payment data — if you purchase a paid tier, boost, or featured placement, payment is processed by our payment provider. We receive a transaction reference and the masked card metadata; we never see your full card number or CVV.

3. How we use your data

We use the data described above only for the following purposes: operating your account; publishing and surfacing your listings; enabling messaging between buyers and sellers; processing payments; preventing fraud and abuse; providing customer support; sending service-related notifications and, with your opt-in, marketing communications; and meeting legal obligations.

4. Who we share data with

We do not sell your personal data.

We share data with the following categories of processors, who are contractually bound to use it only on our instructions:

  • AWS (hosting, storage, email): all user data is stored in AWS

facilities. AWS Cognito processes the authentication flow.

  • Sentry (error monitoring): crash reports and limited device

metadata. No listing content or message bodies.

  • Stripe (payments): when paid features are enabled. Stripe is the

data controller for the card transaction itself.

  • SMS and email providers: phone-number verification and

transactional email delivery.

We may disclose personal data when required by law, court order, or binding regulatory request from Lebanese authorities.

5. How long we keep your data

Account data is kept for as long as your account is active. If you delete your account, we erase the bulk of your personal data within 30 days. Some categories are kept longer:

  • Anonymised analytics: indefinitely.
  • Transaction records: 7 years (Lebanese commercial-record law).
  • Moderation history (reports, suspensions): 2 years.

The full retention schedule is published at xchangelb.com/legal/privacy and updated whenever it changes.

6. Your rights

You can:

  • Access the personal data we hold about you.
  • Correct any data that is wrong.
  • Delete your account and the personal data we hold for it.
  • Export your data in a portable format.
  • Object to specific uses such as marketing communications.
  • Withdraw consent for any processing that relies on it.

The fastest way to delete your account is to use the in-app account deletion flow (Settings → Account → Delete account). For all other rights, email privacy@xchangelb.com. We respond within 30 days.

7. Children

XChange Lebanon is not intended for users under 16. We do not knowingly collect personal data from children. If you believe a child has created an account, contact us at privacy@xchangelb.com and we will delete it.

8. Security

We use industry-standard security measures: HTTPS for all traffic, AWS Cognito for credential storage, encrypted backups, server-side input sanitisation, and rate-limiting on sensitive endpoints. No system is ever fully secure, so please use a strong unique password and enable biometric login on your device.

9. International transfers

Some processors (AWS, Sentry, Stripe) operate from data centres outside Lebanon. We rely on the standard contractual terms offered by each processor to keep your data protected when it crosses borders.

10. Changes to this policy

We may update this policy as the service evolves. The "Last updated" date at the top of this page changes whenever we publish a new version. Material changes are also announced in the app.

11. Contact

Privacy questions: privacy@xchangelb.com General support: support@xchangelb.com Postal: XChange Lebanon — Beirut, Lebanon