Introduction
Grail Seeker IO LLC ("we," "us," or "our") operates the Grail Seeker service at https://grailseeker.io (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Service.
We are committed to protecting your privacy and handling your data in an open and transparent manner. This Privacy Policy applies to all users of our Service.
By using our Service, you agree to the collection and use of information in accordance with this Privacy Policy.
1.1 Information You Provide to Us
Account Information:
- Email address (required for account creation)
- Phone number (required for SMS notifications)
- Password (encrypted, never stored in plain text)
Search Preferences:
- Comic book titles, issue numbers, grades, and price ranges you want to track
- Notification preferences (SMS timing, quiet hours)
- Alert history and search management data
Payment Information:
- Payment information is processed by Stripe (our payment processor)
- We do NOT store credit card numbers or payment details on our servers
- Stripe receives your billing information to process subscription payments
- Privacy policy: https://stripe.com/privacy
1.2 Information Collected Automatically
Usage Data:
- Log data including IP address, browser type, operating system
- Pages visited, time spent on pages, timestamps
- Device information (mobile device type, unique device identifiers)
Analytics and Cookies:
- Essential Cookies: Session cookies for authentication (required for Service functionality)
- Analytics Cookies: Google Analytics to understand usage patterns and improve our Service (can be disabled in browser settings - see Section 8.2 below)
- Performance Monitoring: Error tracking and performance analytics to identify and fix issues
We do NOT use:
- Advertising cookies
- Cross-site tracking
- Third-party behavioral advertising
1.3 Information We Do NOT Collect
We want to be clear about what we don't collect:
- ❌ eBay user credentials or account information
- ❌ eBay seller or buyer personal data
- ❌ Browsing history outside our Service
- ❌ Social media profile data
- ❌ Precise geolocation data
- ❌ Biometric data
2. How We Use Your Information
2.1 To Provide Our Service
- Create and manage your account
- Monitor marketplaces for comics matching your search criteria
- Send SMS alerts when matching comics are found
- Deliver weekly email reports on search activity
- Process your subscription payments
2.2 To Improve Our Service
- Analyze usage patterns to improve features
- Troubleshoot technical issues
- Monitor Service performance and uptime
- Conduct internal research and development
2.3 To Communicate With You
- Send transactional emails (account confirmations, password resets)
- Send SMS notifications for matched comic listings
- Send weekly email reports (if enabled)
- Respond to customer support inquiries
- Send important Service updates (security alerts, policy changes)
We will NEVER:
- ❌ Sell your personal information to third parties
- ❌ Share your data for advertising purposes
- ❌ Use your phone number for marketing calls
- ❌ Send unsolicited promotional messages
3. How We Share Your Information
3.1 Service Providers
We share your information with trusted third-party service providers who help us operate our Service:
Supabase (Database & Authentication):
- Stores user accounts, search preferences, and alert history
- Handles user authentication and session management
- Data location: United States
- Privacy policy: https://supabase.com/privacy
Twilio (SMS Notifications):
Stripe (Payment Processing):
- Processes subscription payments and billing information
- We do NOT store credit card numbers (handled entirely by Stripe)
- Data location: United States
- Privacy policy: https://stripe.com/privacy
eBay and Other Marketplaces (Public Listing Data):
- We search public marketplace listings via their APIs
- We do NOT share your personal information with eBay or other marketplaces
- We do NOT send your name, email, phone number, or search preferences to these platforms
- Only public listing information is accessed (titles, prices, grades, images)
- When you click affiliate links in our alerts, standard web tracking applies (the marketplace may log your IP address and browser information per their privacy policy)
- eBay Privacy Policy: eBay Privacy Policy
Google Analytics (Usage Analytics):
- Tracks aggregate usage patterns to improve our Service
- We use Google Analytics in privacy-focused mode (anonymized IP addresses)
- No personally identifiable information sent to Google
- You can opt out via browser settings (see Section 8.2 below)
- Privacy policy: https://policies.google.com/privacy
3.2 Legal Requirements
We may disclose your information if required by law:
- To comply with subpoenas, court orders, or legal process
- To respond to government requests
- To enforce our Terms of Service
- To protect our rights, property, or safety
- To prevent fraud or illegal activity
4. Data Retention
4.1 How Long We Keep Your Data
User Accounts: Retained until you delete your account. When you delete your account, all associated data is permanently deleted within 30 days.
Alert History: Retained indefinitely while your account is active. This provides a complete history of opportunities found since account creation. All alert history is deleted when you delete your account.
Server Logs: Retained for 30 days, then automatically rotated. Used for debugging and security monitoring.
Marketplace Listing Data: We do NOT store full marketplace listing content. Only alert metadata is stored (comic title, price, grade, item ID, timestamp, marketplace source).
4.2 Your Right to Delete
You can delete your account at any time through account settings. Upon deletion:
- Your account will be deactivated immediately
- All personal data will be permanently deleted within 30 days
- Some data may be retained in backups for up to 90 days (security and recovery purposes)
- Anonymized usage statistics may be retained for analytics
5. Your Privacy Rights
5.1 Rights for All Users
Regardless of location, you have the right to:
- Access: View all personal data we hold about you (available through account settings dashboard)
- Correction: Update inaccurate or incomplete personal information (edit via account settings or contact support)
- Deletion: Delete your account and all associated data at any time (self-service via account settings)
- Portability: Receive a copy of your data in machine-readable format (JSON export available upon request - email [email protected])
- Objection: Opt out of non-essential communications
5.2 GDPR Rights (European Users)
If you are located in the European Economic Area (EEA), UK, or Switzerland, you have additional rights under GDPR:
Your Specific GDPR Rights:
- Right to Access (Article 15): Obtain confirmation of whether we process your data and access to that data
- Right to Rectification (Article 16): Correct inaccurate personal data
- Right to Erasure/"Right to be Forgotten" (Article 17): Request deletion of your personal data
- Right to Restriction of Processing (Article 18): Limit how we use your data
- Right to Data Portability (Article 20): Receive your data in structured, machine-readable format
- Right to Object (Article 21): Object to processing based on legitimate interests
- Right to Withdraw Consent (Article 7): Withdraw consent for SMS/email communications at any time
- Right to Lodge a Complaint: File complaint with your local Data Protection Authority
Legal Basis for Processing:
- Contract (Article 6(1)(b)): We process data necessary to provide our Service
- Consent (Article 6(1)(a)): You provide consent for SMS notifications and email reports
- Legitimate Interests (Article 6(1)(f)): We process data for Service improvement and security
To Exercise GDPR Rights:
Email: [email protected]
Subject: "GDPR Request - [Your Right]"
We will respond within 30 days (as required by GDPR Article 12)
5.3 CCPA/CPRA Rights (California Users)
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
Your Specific CCPA/CPRA Rights:
- Right to Know: Request details about personal information we collect, use, disclose, and sell
- Right to Delete: Request deletion of your personal information (with limited exceptions)
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out: Opt out of sale/sharing of personal information (note: we do NOT sell your data)
- Right to Limit Sensitive Data Use: Limit use of sensitive personal information
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights
Categories of Personal Information We Collect (CCPA):
- Identifiers: Email, phone number, IP address
- Commercial Information: Search preferences, subscription status, purchase history
- Internet Activity: Usage logs, pages visited, browser information
- Inferences: Derived from search patterns for Service improvement only
Important: We do NOT sell personal information. We do NOT share personal information for cross-context behavioral advertising.
To Exercise CCPA/CPRA Rights:
Email: [email protected]
Subject: "CCPA Request - [Your Right]"
We will respond within 45 days (as required by CCPA)
6. Data Security
6.1 How We Protect Your Data
Technical Safeguards:
- HTTPS/TLS encryption for all data in transit
- AES-256 encryption for data at rest
- Bcrypt password hashing (via Supabase Auth)
- Row-Level Security (RLS) policies in database
- Secure OAuth 2.0 authentication for API access
Organizational Safeguards:
- Environment variables for sensitive credentials
- Regular security audits and monitoring
- Error tracking with sensitive data filtering
- Minimal data collection principle
- Employee access controls and training
6.2 Limitations
No system is 100% secure. While we strive to protect your personal information:
- We cannot guarantee absolute security
- You are responsible for keeping your password confidential
- Notify us immediately if you suspect unauthorized account access
In the event of a data breach:
- We will notify affected users within 72 hours (GDPR requirement)
- Notification will include nature of breach and remediation steps
- We will report to relevant authorities as required by law
7. Children's Privacy
Our Service is NOT intended for users under 18 years of age.
- We do NOT knowingly collect information from children under 13
- If we discover we have collected data from a child under 13, we will delete it immediately
- Parents/guardians: Contact [email protected] if you believe your child provided information
8. Cookies and Tracking Technologies
8.1 Cookies We Use
Essential Cookies (Required):
- Authentication session cookies
- Security tokens for CSRF protection
- Cannot be disabled (required for Service functionality)
Analytics Cookies (Optional):
- Google Analytics: Usage patterns and feature adoption tracking
- Performance monitoring: Error detection and Service reliability
- Can be disabled in browser settings (see Section 8.2 below)
We do NOT use:
- ❌ Advertising cookies
- ❌ Social media tracking pixels
- ❌ Third-party behavioral tracking
- ❌ Cross-site tracking cookies
8.2 How to Disable Analytics and Performance Monitoring Cookies
You can disable optional analytics cookies through your browser settings:
Google Chrome:
- Click the three-dot menu (⋮) → Settings
- Navigate to Privacy and security → Cookies and other site data
- Select "Block third-party cookies" or "Block all cookies"
- Note: Blocking all cookies will disable authentication
Mozilla Firefox:
- Click the menu button (☰) → Settings
- Select Privacy & Security
- Under Enhanced Tracking Protection, choose "Strict"
- Or click "Manage Exceptions" to block specific sites
Safari (macOS):
- Safari → Preferences → Privacy
- Check "Prevent cross-site tracking"
- Or select "Block all cookies" (will disable authentication)
Microsoft Edge:
- Click the three-dot menu (⋯) → Settings
- Navigate to Privacy, search, and services
- Under Tracking prevention, select "Strict"
- Or toggle "Block third-party cookies"
Google Analytics Opt-Out:
Install the Google Analytics Opt-out Browser Add-on to prevent your data from being used by Google Analytics across all websites.
9. International Users
Data Processing Location: Our servers are located in the United States. Your data may be transferred to and processed in the United States.
If you are outside the United States:
- Data protection laws may differ from your country
- By using our Service, you consent to transfer of data to the United States
- We implement appropriate safeguards (SCCs) for international transfers
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time.
When we make changes:
- "Last Updated" date at the top will be revised
- Significant changes will be notified via email and/or prominent Service notice
- Continued use of Service after changes constitutes acceptance
Your Options: If you disagree with changes, you may delete your account. We will honor the previous policy for data collected under it.
Questions about this Privacy Policy?
Privacy Inquiries:
Email: [email protected]
Subject: "Privacy Inquiry"
Data Protection Officer (GDPR):
Email: [email protected]
Subject: "GDPR Request - [Your Right]"
California Privacy Rights (CCPA/CPRA):
Email: [email protected]
Subject: "CCPA Request - [Your Right]"
Business Address:
Grail Seeker IO LLC
United States
Response Time:
- General inquiries: Within 2 business days
- GDPR requests: Within 30 days
- CCPA requests: Within 45 days
Summary (Plain Language)
What we collect: Email, phone number, comic search preferences
Why we collect it: To send you SMS alerts when your grail comics are found on one of our marketplaces
Who we share with: Supabase (database), Twilio (SMS), Stripe (payments), Google Analytics (usage stats)
Who we DON'T share with: We do NOT share your personal information with eBay or other marketplaces
Your rights: View, edit, export, or delete your data anytime
We do NOT: Sell your data, track you across websites, or spam you
Questions? Email [email protected]
Version History
| Version | Date | Changes |
| --- | --- | --- |
| 1.1 | November 14, 2025 | Updated to include Stripe payments, Google Analytics disclosure, detailed GDPR/CCPA rights enumeration, cookie management instructions, marketplace data sharing clarification |
| 1.0 | November 13, 2025 | Initial privacy policy published |
By using Grail Seeker, you acknowledge that you have read and understood this Privacy Policy.