Privacy Policy

This Privacy Policy explains what information Grailsnap ("we," "us," "our") collects, how we use it, and the choices you have. By accessing or using Grailsnap (the "Service"), you agree to this Policy. It forms part of, and is governed by, our Terms of Service. If you do not agree, do not use the Service.

In short: we collect only what we need to operate the Service, we do not sell your personal data, and we do not use it to train AI models. The detail follows, and it controls in the event of any conflict with this summary.

1. What we collect

Account information

• Your email address (required to send alerts)
• An account password (stored only as a salted hash; we never see the plain value)
• Optional: phone number for SMS alerts (Curator tier), Discord/Slack webhook URLs

Watchlist data

• The items you want to be alerted about
• Marketplaces and price ranges you're watching
• Alert delivery history

Technical and usage data

We use PostHog in privacy-conscious mode to understand which features are used and to operate, secure, and improve the Service. We do not run third-party advertising scripts and do not embed Facebook, Google Analytics, or similar advertising trackers. We may also process limited technical data (such as request metadata and error logs) necessary to keep the Service secure and functioning.

2. What we do not collect

• Payment card details: these go directly to Paddle, our payment processor and Merchant of Record.
• Your browsing history outside Grailsnap.
• Marketplace credentials. We never ask for your eBay, Heritage, or other marketplace password.

3. Why we process your data (lawful bases)

Where data-protection law requires a lawful basis, we rely on one or more of the following: performance of our contract with you (to deliver the Service and alerts); our legitimate interests (to operate, secure, analyze, improve, and protect the Service and our business, and to prevent fraud and abuse); your consent (where we ask for it, such as optional SMS or marketing); and compliance with legal obligations.

4. How we use it

• To match listings to your watchlist and deliver alerts.
• To send transactional messages (alert digests, password resets, billing receipts, service notices).
• To operate, secure, maintain, analyze, and improve the Service.
• To detect, prevent, and investigate fraud, abuse, and violations of our Terms.
• To comply with law and to establish, exercise, or defend legal claims.

5. What we never do

• We do not sell your personal data, to dealers, marketplaces, or data brokers.
• We do not share your watchlist with anyone outside those needed to operate the Service.
• We do not use your personal data to train machine-learning or AI models on collector intent or buying patterns.

We may create and use aggregated or de-identified data that cannot reasonably be used to identify you for any business purpose, including analytics and product development.

6. When we may disclose data

We may disclose information: to the sub-processors listed below, strictly to operate the Service; to comply with applicable law, regulation, legal process, or an enforceable governmental request; to enforce our Terms or protect the rights, safety, property, or security of Grailsnap, our users, or the public; to detect or prevent fraud or abuse; and in connection with a merger, acquisition, reorganization, financing, or sale of assets, in which case this Policy will continue to govern the transferred data or you will be notified of any materially different policy.

7. Sub-processors

To run Grailsnap, we rely on a small set of vendors:

• Cloudflare: hosting, CDN, edge compute, DNS
• Resend: transactional and broadcast email delivery
• PostHog: product analytics and feature flags
• Paddle: payment processing and Merchant of Record

Each sub-processor is bound by its own terms and processes data only as needed to provide its service to us. We may add or change sub-processors as the Service evolves.

Paddle acts as Merchant of Record and, for payment and billing information, as an independent data controller; its handling of that data is governed by Paddle's privacy notice, not this Policy.

8. Your rights

Depending on where you live, you may have rights to access, correct, delete, port, or restrict the processing of your personal data, and to object to certain processing, under laws such as the GDPR and CCPA/CPRA. To exercise a right, submit a request through our contact form and select the Legal or privacy question topic (include "DSAR" for a data-subject access request). We will respond to verified requests within the time required by applicable law (generally within 30 days). We may decline or charge a reasonable fee for requests that are unfounded, excessive, or repetitive, and we may retain certain information where we have a legal basis or obligation to do so. Deletion of your account is final and irreversible.

9. Data retention

We retain your account, watchlist, and alert history for as long as your account is active. After you delete your account, we remove personally identifiable information within 30 days, except where we are required or permitted to retain it longer to comply with law, resolve disputes, prevent fraud or abuse, enforce our agreements, or maintain security and backup integrity. We may retain anonymized, aggregated data indefinitely.

10. Security

We use commercially reasonable technical and organizational measures to protect your data. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security. You are responsible for keeping your credentials confidential and for all activity under your account. To the maximum extent permitted by law, we are not liable for unauthorized access, loss, or disclosure of data that occurs despite reasonable safeguards. If a breach affecting your personal data occurs, we will notify you and any regulator as, and only to the extent, required by applicable law.

11. International transfers

We and our sub-processors operate infrastructure in multiple regions, including outside the EEA and the United Kingdom. Where applicable, we rely on Standard Contractual Clauses or equivalent safeguards to protect your data when it is transferred across borders. By using the Service, you understand that your data may be processed in countries other than your own.

12. Children

The Service is intended only for users who are at least 18 years old. We do not knowingly collect personal data from anyone under 18. If we learn that we have, we will delete it.

13. Cookies

We use a small number of strictly necessary cookies for authentication and session management, and privacy-conscious analytics. We do not use third-party advertising or cross-site tracking cookies.

14. Changes to this Policy

We may update this Policy as the Service evolves. Material changes will be announced by email and posted in the Service at least 30 days before they take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.

15. Contact

Send privacy requests and questions through our contact form with the Legal or privacy question topic selected. For data-subject access requests, include "DSAR" in your message.