1. Overview
Backyard Dreaming LLC ("Grail Den," "we," "us," or "our") operates the website grailden.com and its associated services. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our platform.
By accessing or using Grail Den, you agree to the collection and use of information in accordance with this policy. If you do not agree with the terms of this policy, please do not access or use our services.
2. Information We Collect
Information You Provide
- Account information: Email address, display name, and password (stored as a bcrypt hash; we never store your password in plain text).
- Collection data: Items you add to your collection, including descriptions, photographs, acquisition details, condition grades, and notes.
- Search history: Saved searches, search queries, and marketplace preferences.
- Authentication submissions: Images submitted through our Deep Verify authentication feature, along with any item details you provide for assessment.
- Payment information: Payments are processed through Stripe. We store only your Stripe customer ID and subscription status. We do not store credit card numbers, CVVs, or full bank account details on our servers.
- Communications: Support requests, feedback, and any messages you send to us.
Automatically Collected Information
- Device information: Browser type and version, operating system, and screen resolution.
- Usage data: Pages visited, features used, session duration, and interaction patterns.
- IP address: Used for security monitoring, fraud prevention, and determining approximate geographic location.
- Cookies: Session management cookies and authentication tokens (see Section 7 for details).
- No third-party tracking: We do not currently use Google Analytics or any third-party tracking or advertising scripts.
Information from Third Parties
- eBay: If you connect your eBay account, we receive your eBay user ID and OAuth access tokens. We use these solely to search marketplace listings on your behalf. We do not access your eBay purchase history, payment methods, or personal eBay account details.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Provide our services: Power marketplace search, collection management, market research, and authentication features.
- Process authentication assessments: Analyze submitted images and deliver authentication reports through our Deep Verify system.
- Improve authentication accuracy: Use submitted images as training data to improve our authentication models (see Section 6 for details and opt-out options).
- Process payments: Manage subscriptions, billing, and payment-related communications through Stripe.
- Service communications: Send account-related notifications, security alerts, and service updates.
- Prevent fraud and enforce our terms: Detect and prevent unauthorized access, abuse, and violations of our Terms of Service.
- Aggregated analytics: Generate anonymized, aggregated usage statistics to understand how our platform is used and identify areas for improvement.
We do NOT:
- Sell your personal information to third parties.
- Use your data for targeted advertising or ad profiling.
- Share your collection data with other Grail Den users without your explicit consent.
- Access your eBay purchase history or payment information.
4. Authentication Data — Special Handling
Because our Deep Verify authentication feature involves sensitive item images and assessments, this data receives additional handling considerations:
- Image storage: Submitted images are stored on DigitalOcean Spaces, a secure cloud storage service.
- Processing: Images are transmitted to our authentication processing server for analysis.
- AI analysis: Our authentication engine uses Anthropic's Claude API. Images you submit are sent to Anthropic's servers for AI-powered analysis. Anthropic's handling of this data is governed by their own privacy policy, available at anthropic.com/privacy.
- Result storage: Authentication results, including confidence scores and detailed assessments, are stored on our servers and associated with your account.
- Quality assurance: Images are retained for quality assurance purposes and to improve the accuracy of future authentication assessments.
- Deletion requests: You may request deletion of your submitted authentication images at any time by contacting us through our contact form.
5. Data Storage & Security
We take the security of your data seriously and implement industry-standard safeguards:
- Infrastructure: Our services are hosted on DigitalOcean, a US-based cloud infrastructure provider with SOC 2 Type II compliance.
- Encryption at rest: Stored data is encrypted using AES-256 encryption.
- Encryption in transit: All connections to Grail Den use TLS/SSL encryption. We enforce HTTPS on all pages and API endpoints.
- Password security: Passwords are hashed using bcrypt with a unique salt per user. We never store passwords in plain text.
- API token security: All API tokens are stored securely and rotated regularly. Third-party tokens (e.g., eBay OAuth) are encrypted at rest.
- Regular backups: Databases are backed up daily. Backups are encrypted and stored in a separate location.
- Access controls: Production server access is restricted to authorized personnel only, using SSH key authentication and firewall rules.
While we implement robust security measures, no method of transmission or storage is 100% secure. If you discover a security vulnerability, please report it through our contact form immediately.
6. Training Data Usage
Important: How We Use Authentication Images
Images you submit through Deep Verify may be used to train and improve our authentication models. This section explains what that means and how you can opt out.
- Expert review: Submitted images may be reviewed by human expert authenticators who are bound by strict confidentiality agreements.
- EXIF data removal: All EXIF metadata (location data, device information, timestamps) is stripped from images before they are used in any training pipeline.
- Separated from account data: Training images are stored separately from your account information. They are not linked to your email, name, or other personal identifiers in the training dataset.
- Opt out: You may opt out of training data usage at any time by emailing our contact form. Note that opting out may limit the quality of future authentication assessments, as our models improve through accumulated reference data.
- Retroactive limitation: Opting out applies to images submitted after your opt-out request. Images already incorporated into training datasets prior to your request may not be individually removable, as they have been anonymized and separated from your account.
7. Cookies & Local Storage
What We Use
- Session cookies: Essential cookies that maintain your logged-in state and session security. These expire when you close your browser or after a set inactivity period.
- Authentication tokens: Secure tokens stored in cookies or local storage that keep you authenticated between visits.
- Preference cookies: Store your display preferences, such as default search marketplaces or view settings.
What We Do NOT Use
- Third-party advertising cookies.
- Cross-site tracking cookies or pixels.
- Social media tracking pixels (Facebook Pixel, Twitter Pixel, etc.).
- Fingerprinting or device-identification technologies for advertising purposes.
8. Third-Party Services
We use the following third-party services to operate Grail Den. Each service has its own privacy policy governing its handling of data:
- Stripe — Payment processing. Stripe receives your payment details directly; we never see or store your full card number. Stripe Privacy Policy.
- DigitalOcean — Cloud hosting and infrastructure. Our servers and data storage run on DigitalOcean. DigitalOcean Privacy Policy.
- Cloudflare — CDN, DDoS protection, and DNS. Cloudflare processes traffic metadata to protect our site. Cloudflare Privacy Policy.
- Anthropic — AI processing for authentication analysis. Images submitted through Deep Verify are processed using Anthropic's Claude API. Anthropic Privacy Policy.
- eBay (eBay Partner Network) — Marketplace data and affiliate links. We use the eBay API to search listings and may earn commissions through the eBay Partner Network. eBay Privacy Notice.
9. Marketplace Data Sharing
When you use the Grail Den Marketplace to buy or sell collectibles, additional data sharing occurs between parties to facilitate transactions. This section describes what information is shared, with whom, and how it is protected.
What Buyers and Sellers See
- Sellers see: Buyer display name and shipping address (after purchase). Sellers do not see buyer payment details, email address, or account information.
- Buyers see: Seller display name, seller ratings and transaction history (aggregate), and item listing details. Buyers do not see seller personal address, email, or financial information.
What Stripe Receives
- Buyers: Stripe processes your payment card details directly. Grail Den never sees or stores your full card number. Stripe receives your name, billing address, and card details as needed to process the transaction.
- Sellers: To receive payouts, sellers provide banking information directly to Stripe (via Stripe Connect or equivalent). Grail Den does not access or store seller bank account details.
See Stripe's Privacy Policy for full details on how Stripe handles your payment data.
What Grail Den Retains
- Transaction records: Item ID, sale price, buyer protection fee, buyer ID, seller ID, transaction date, and status. Retained for 7 years for tax and accounting compliance.
- Shipping tracking numbers: Retained for 90 days after delivery confirmation, then deleted.
- Dispute records: If a dispute is filed, all related communications and evidence are retained for 2 years after resolution.
- Seller payout records: Payout amounts and dates (not banking details) are retained for 7 years.
Grail Den does not share buyer shipping addresses or other personal information with third parties beyond the seller fulfilling the specific transaction. We do not use marketplace transaction data for advertising or sell it to data brokers.
10. Data Retention
We retain your data only as long as necessary for the purposes described in this policy:
- Account data: Retained while your account is active. Upon account closure, personal data is deleted within 30 days, except where retention is required by law.
- Collection data: Retained while your account is active. Deleted upon account closure.
- Authentication submissions: Images and reports are retained for up to 24 months. Anonymized training data derived from submissions may be retained longer (see Section 6).
- Search history: Retained for up to 12 months, then automatically purged.
- Payment records: Retained for 7 years as required for tax and accounting compliance.
- Server logs: Retained for 90 days for security monitoring and debugging, then automatically deleted.
11. Your Rights
You have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of any inaccurate or incomplete data.
- Deletion: Request deletion of your account and associated data.
- Opt out of training data: Opt out of having your authentication images used for model training.
- Data export: Request an export of your collection data in a portable format.
- Withdraw consent: Withdraw consent for any non-essential data processing.
To exercise any of these rights, contact us through our contact form. We will respond to requests within 30 days.
California Residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of that information, our business purposes for collecting it, and the categories of third parties with whom we share it.
- Right to delete: You may request deletion of your personal information, subject to certain exceptions.
- Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.
- No sale of personal information: We do not sell your personal information as defined by the CCPA. We have not sold personal information in the preceding 12 months.
To submit a CCPA request, email our contact form with the subject line "CCPA Request."
12. Children's Privacy
Grail Den is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information as quickly as possible. If you believe a child under 18 has provided us with personal information, please contact us through our contact form.
13. International Users
Grail Den is operated from the United States. If you access our services from outside the United States, your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country of residence. By using Grail Den, you consent to the transfer of your information to the United States and its processing in accordance with this Privacy Policy.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email (sent to the address associated with your account) and update the "Last Updated" date at the top of this page. We encourage you to review this page periodically to stay informed about how we protect your information.
Continued use of Grail Den after changes to this policy constitutes acceptance of the revised terms.
15. Contact
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Backyard Dreaming LLC
Santa Monica, California