Privacy Policy
Version 2026-04-14
1. Controller
Data controller: The Grail Scope (Spain). Contact: thecurator@thegrailscope.com.
2. What data we process and why
| Data | Purpose | Legal basis | Retention |
|---|---|---|---|
| Email, hashed password (or OTP login) | Account creation and authentication | Contract (Art. 6.1.b GDPR) | While account is active + 30 days after deletion |
| Display name / callsign, avatar, preferred currency, shipping zone | Provide the Service | Contract | While account is active |
| Collection, alerts, reactions, scanned figures, proposals | Core feature set | Contract | Until you delete the item or your account |
| Stripe customer ID, subscription status | Paid subscriptions | Contract | 6 years (accounting — Art. 30 Spanish Commercial Code) |
| IP address, user-agent, rate-limit counters, error logs | Security, abuse prevention, debugging | Legitimate interest (Art. 6.1.f) | 90 days (logs); rate-limit counters: 15 minutes |
| View-counter HMAC cookie | Paywall enforcement (free-tier anonymous views) | Legitimate interest / contract | Rolling 24h |
| Transactional emails (login code, password reset, alert notifications) | Operating the Service | Contract | Not stored beyond delivery logs |
3. We do NOT
- Sell your personal data.
- Use tracking pixels for ad retargeting.
- Share your email with third-party marketers.
4. Processors (sub-processors)
Your data is processed on our behalf by:
- Supabase (database + auth) — servers in the EU.
- Vercel (hosting + edge functions).
- Stripe (payments) — payment card data never touches our servers.
- Email provider used by Supabase Auth for transactional emails.
- OpenAI / DashScope (Qwen) — only for figure-scanner and listing-matching features; user-submitted images and listing titles are sent; we do not send account emails or identifying personal data.
Some processors may transfer data outside the EEA. Where this happens, transfers are covered by Standard Contractual Clauses or equivalent safeguards.
5. Your rights (GDPR)
You have the right to:
- Access, rectify, delete your data.
- Restrict or object to processing.
- Data portability.
- Withdraw consent at any time (where processing is based on consent).
- Lodge a complaint with your supervisory authority (in Spain: AEPD, www.aepd.es).
To exercise any right, email thecurator@thegrailscope.com from the address linked to your account, or delete your account from the profile page.
6. Security
Passwords are hashed (never stored in plain text). Premium data is protected by server-side HMAC and row-level security. Access to production data is limited to authorised personnel. Incidents affecting personal data will be notified to affected users and authorities within 72 hours where legally required.
7. Children
The Service is not directed to children under 16. If you believe a minor has created an account, contact us and we will delete it.
8. Changes
We may update this policy. Material changes will be notified by email or in-app banner at least 15 days before taking effect.