Collector's Chest Privacy Policy
Effective Date: [DATE]
This Privacy Policy describes how [LEGAL BUSINESS NAME] ("Company," "we," "us," or "our") collects, uses, discloses, and protects your personal information when you use the Collector's Chest platform at collectors-chest.com and our mobile application (collectively, the "Service"). By using the Service, you consent to the data practices described in this policy.
1. Information We Collect
1.1 Information You Provide Directly
- Account Information: Email address, first name, last name, and username (required for registration). Your email and name are never displayed publicly. Your username is displayed publicly.
- Optional Location: City, state/province, and country. You control the granularity of location sharing (full, state/country, country only, or hidden). Location is only collected if you affirmatively opt in.
- Age Attestation: When you first access marketplace features, you are asked to confirm that you are at least 18 years old. We store only a timestamp recording when you made this confirmation. We do not collect your date of birth, government-issued identification, or any other age-related personal data.
- Collection Data: Information about your comic book collection, including titles, issue numbers, grades, prices, cover images, and notes.
- Marketplace Data: Listings, bids, offers, counter-offers, trade proposals, feedback, and ratings.
- Community Contributions: If you submit content through the Creator Credits program (such as cover images to the Community Cover Database), we store your submission including the image URL, the associated comic title and issue number, your internal user ID, submission status, and a timestamp. Your contribution count and badge tier (Contributor, Verified Contributor, or Top Contributor) are also stored and are publicly visible on your profile.
- Communications: Messages sent to other users through the Platform's messaging system.
- Payment Information: Payment details are collected and processed directly by Stripe. We do not store credit card numbers, bank account numbers, or other sensitive financial data on our servers. We receive only a Stripe Customer ID and transaction status information.
1.2 Information Collected Automatically
- Usage Data: Pages viewed, features used, scan counts and timestamps, comic titles scanned, click events, and session data. Collected via PostHog analytics.
- Session Recordings: PostHog records a sample of user sessions (approximately 10% of sessions, and 100% of sessions where errors occur) to help us identify and fix bugs. These recordings capture on-screen interactions but do not capture keystrokes in password fields.
- Error Data: JavaScript errors, API failures, and performance metrics are captured by Sentry for debugging purposes. Error session replays are sampled at 10%.
- Authentication Cookies: Our authentication provider (Clerk) sets session cookies necessary for maintaining your logged-in state.
- Analytics Identifiers: PostHog uses first-party cookies and localStorage for analytics purposes. PostHog respects the Do Not Track (DNT) browser setting; if you enable DNT, PostHog analytics will not track your activity.
1.3 Information We Do NOT Collect
- Phone numbers
- Date of birth or government-issued identification
- Full mailing or shipping addresses (shipping is coordinated directly between users)
- Precise geolocation or GPS data
- Biometric data
2. How We Use Your Information
We use the information we collect for the following purposes:
- Service Operation: To create and manage your account, sync your collection, process transactions, facilitate trades, manage Creator Credits and community contributions, and deliver core platform features.
- AI Features: To process comic book images through our AI identification system. Only the compressed image is sent to our AI provider (Anthropic); no personal data accompanies the image.
- Content Moderation: To review user-generated content (messages, listings, feedback, community cover submissions) for compliance with our policies using automated AI moderation and manual review.
- Communications: To send transactional emails including offer notifications, listing alerts, message notifications, feedback reminders, and new listing alerts to followers. Emails are sent from notifications@collectors-chest.com via Resend.
- Improvement: To analyze usage patterns, diagnose technical issues, and improve the Service.
- Security: To detect and prevent fraud, abuse, and unauthorized access.
- Legal Compliance: To comply with applicable laws, regulations, and legal processes.
3. Publicly Visible Information
Certain information associated with your account is visible to other users of the Platform:
- Your username.
- Your location, if you have opted to share it (at the granularity level you selected).
- Your public collection (if you have made it public).
- Your marketplace listings, feedback ratings, and comments.
- Your Creator Credits badge tier (Contributor, Verified Contributor, or Top Contributor) and total approved contribution count.
Your email address, first name, last name, and the identity of specific Community Cover Database submissions you have made are never publicly displayed. Contribution tracking for Creator Credits is internal; other users see only your badge and count, not which specific covers you submitted.
4. Third-Party Service Providers
We share information with the following categories of third-party service providers, solely as necessary to operate the Service:
| Provider | Purpose | Data Shared |
|---|---|---|
| Clerk | Authentication & account management | Email, name, username, session data |
| Stripe | Payment processing, subscriptions | Payment method details, transaction data (handled directly by Stripe) |
| Supabase | Database & file storage | All platform data (profiles, collections, marketplace, messages, contributions) |
| Anthropic (Claude) | AI comic identification, content moderation | Comic book images only (no personal data) |
| Upstash Redis | Caching & rate limiting | Cached pricing, AI results, rate limit counters |
| Resend | Transactional email delivery | Email addresses, notification content |
| PostHog | Analytics & session recording | Usage data, anonymized session recordings |
| Sentry | Error tracking & monitoring | Error logs, performance metrics, sampled session replays |
| eBay API | Market pricing data | Comic book search queries (no user data) |
| Open Library | Book cover images & metadata | Comic title and issue queries only (no user data) |
| Netlify | Web hosting & content delivery | IP addresses, request metadata (standard web hosting logs) |
We do not sell, rent, or trade your personal information to third parties for their marketing purposes. We do not use advertising trackers, marketing pixels, or third-party advertising cookies.
5. Data Retention
We retain your personal information for as long as your account is active or as needed to provide you the Service. Specific retention periods include:
- AI Analysis Cache: Results cached for 30 days by image hash.
- Pricing Data Cache: eBay pricing cached for 24 hours. Barcode lookups cached for 6 months. Certification lookups cached for 1 year.
- Community Cover Images: Approved cover images submitted to the Community Cover Database may be retained indefinitely as they are licensed to the Company, even after the submitting user's account is deleted. The association between the image and the submitter's identity is removed upon account deletion.
- Account Deletion: When you delete your account, all of your personal data is permanently removed from our database (Supabase), including your profile, collection, listings, messages, trades, feedback, follows, Creator Credits history, and Community Cover Database submission records. Stripe retains transaction records in accordance with its own data retention policy and applicable legal requirements.
6. Data Security
We implement reasonable technical and organizational measures to protect your personal information, including: database-level Row-Level Security (RLS) policies in Supabase to ensure users can only access their own data; rate limiting on all API endpoints via Upstash Redis; encryption in transit (HTTPS/TLS) for all data transmission; PCI-compliant payment processing through Stripe (card data never touches our servers); and authentication and session management through Clerk. While we strive to protect your information, no method of transmission over the Internet or electronic storage is 100% secure, and we cannot guarantee absolute security.
7. Your Rights and Choices
7.1 All Users
- Access and review the personal information in your account settings at any time.
- Update or correct your profile information.
- Adjust your location privacy settings (full, state/country, country only, or hidden).
- Delete your account and all associated data at any time through the account deletion process.
- Enable the Do Not Track (DNT) setting in your browser to opt out of PostHog analytics tracking.
7.2 California Residents (CCPA)
If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA): the right to know what personal information we collect, use, and disclose; the right to request deletion of your personal information; the right to opt out of the sale of personal information (we do not sell personal information); and the right to non-discrimination for exercising your CCPA rights. To exercise these rights, contact us at [SUPPORT EMAIL].
7.3 European Economic Area, UK, and Swiss Residents (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR), including: the right to access, rectify, or erase your personal data; the right to restrict or object to processing; the right to data portability; and the right to withdraw consent at any time. Our legal bases for processing your data are: performance of a contract (to provide the Service), legitimate interests (analytics, security, service improvement), and consent (optional location sharing, marketing communications if any). To exercise these rights, contact us at [SUPPORT EMAIL].
7.4 Do Not Track
Our analytics provider (PostHog) respects the Do Not Track (DNT) browser setting. When DNT is enabled, PostHog will not track your activity on the Platform. We do not use any other tracking technologies that respond to DNT signals.
8. Children's Privacy
The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from anyone under 18. If we become aware that we have collected personal information from a person under 18, we will take steps to delete that information promptly. If you believe a minor has provided us with personal information, please contact us at [SUPPORT EMAIL].
9. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence, including the United States, where our servers and service providers are located. These countries may have data protection laws that differ from those in your jurisdiction. By using the Service, you consent to such transfers. Where required by applicable law, we take steps to ensure adequate protection for your data during international transfers.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Platform with a revised effective date and, where appropriate, by sending you an email notification. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised policy.
11. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact us at:
[LEGAL BUSINESS NAME]
[ADDRESS]
[SUPPORT EMAIL]
Website: collectors-chest.com