Market values powered by PriceCharting · Data & attributions · Contact

CollectVault

Privacy Policy

This policy explains what CollectVault(the “Service”), operated by CollectVault LLC, collects about you, why, and your choices. We aim to collect only what we need to run the Service.

Last updated: July 2, 2026.

1. Information we collect

Account info— your email, name, username, optional avatar, and the authentication provider you used (Clerk). We don't see your password. Collection data — every comic and card you add: title, issue, variant, grade, cost basis, purchase source, location, notes, photos you upload, tags, sale records, and wishlist items. Profile data — display name, bio, favorite genres / publishers, and (when you opt in) follow relationships. Billing info — your plan, subscription status, renewal date, and a Stripe customer ID. Card numbers and payment details are collected and stored by Stripe, not by us. Marketplace data (forward-looking — the marketplace is not enabled at launch) — if and when we turn on the marketplace, listings, offers, accepted-sale comps, and the buyer/seller pairings on completed transactions will be collected. A supplemental disclosure will be published in this policy before that feature ships. Scan training data— when you take a scan photo, we store the photo + the AI's output + your confirmation / correction as a labeled example to improve future scans. These examples are scoped per-user in our private training dataset and retained indefinitely while your account is active. You can request deletion of your scan feedback at any time by emailing support@collectvault.net (note: this does not retroactively remove anonymized aggregates already incorporated into model evaluations). Usage & device data — basic logs, IP address, user agent, page paths, and timing information needed to operate and secure the Service. We use Sentry to capture application error reports for diagnosis: these may include your user ID, the URL you were on, request metadata, and a recent breadcrumb trail of your in-app actions to help us reproduce the bug — they explicitly exclude passwords, payment details, and form inputs. With your cookie consent we also use Vercel Analytics + Speed Insights for aggregated, anonymous traffic measurement. Communications — any messages you send us via email or in-app forms.

2. How we use it

To provide and improve the Service — store and display your collection, compute valuations and analytics, run alerts and hunts, process subscriptions, send transactional and (with your permission) notification emails, provide support, prevent abuse, and improve the AI scanner over time using the labeled scan dataset. We use error reports to fix bugs. We use analytics to understand what features are used so we can prioritize the roadmap. We do not sell your personal information.

3. Who we share it with

Service providers that process data on our behalf, only as needed to run the Service:
  • Clerk — authentication, account management
  • Stripe — payments + customer portal
  • Vercel — hosting, edge compute, Vercel Blob storage, Vercel Analytics + Speed Insights (analytics gated on cookie consent)
  • Railway — managed Postgres database
  • Sentry — production error monitoring (see Section 1 for what error reports include)
  • Resend — transactional + notification email
  • Anthropic — AI photo scan + grade estimation (we send photos you choose to scan)
  • PriceCharting — catalog metadata + comp data (no user data sent)
  • Pokémon Trading Card Game API (pokemontcg.io) — card images + metadata (no user data sent)
  • eBay — live market data for Deal Hunt + arbitrage
We do not share your personal information with third parties for their own marketing purposes. We may disclose information if required by law (subpoena, court order, lawful government request), to investigate fraud or abuse, or to protect rights and safety. If CollectVaultis involved in a merger, acquisition, or sale of assets, personal data may transfer; we'll notify you in advance via email and in-app.

4. Where data lives

Primary storage: Railway (Postgres) and Vercel Blob (photos), both currently in US data centers. We use Vercel's edge network for static content; that content (no personal data) may be cached globally. Stripe, Clerk, and other processors host data per their own policies.

5. Your rights & choices

You can view and edit your data in the Service at any time. You can:
  • Export your collection as CSV (Settings → Collection) or as a complete JSON dump of every record we hold about you (Settings → Your data → Download all my data, available to every user including free tier — required by GDPR)
  • Make your profile / want list public or private from Settings (default is private)
  • Mute notification categories from /notifications → Preferences
  • Withdraw cookie consent for analytics from the cookie banner (clear site data in your browser or revisit /privacy will re-prompt)
  • Delete your account from Settings → Danger zone (type your username to confirm). Deletion is permanent and cascades; cancel any active Stripe subscription via the customer portal first.
GDPR / UK GDPR / CCPA & CPRA: if you live in the EU, UK, California, or another jurisdiction with applicable rights, you have the right to access, correct, delete, port, or restrict processing of your personal data, and to object to processing. The self-serve tools above cover most of these; for anything else, email support@collectvault.net and we'll respond within 30 days. We don't sell or “share” personal information as defined under the CCPA.

6. Children

The Service is not directed to children under 13 (or the age of digital consent in your country). We don't knowingly collect data from children under that age. If you believe a child has provided us with personal information, email us and we'll delete it.

7. Retention & security

We keep your data while your account is active. After you delete your account, we remove or anonymize your personal data, except records we need to retain (e.g. payment/tax records — Stripe retains its own copies per its terms; aggregated, anonymized scan-training data that contains no identifying information). Backups are rolled forward and overwritten within 30 days. We use reasonable technical and organizational measures — encryption in transit (TLS), access controls, monitoring, regular dependency updates — to protect your data, but no system is perfectly secure.

8. International transfers

Our primary data processors — Vercel, Stripe, Clerk, Railway, Anthropic, Resend, and Sentry — operate primarily in the United States and may transfer data there to provide the Service. Where required, transfers rely on Standard Contractual Clauses or equivalent safeguards. EU/UK residents: you may request a copy of the applicable safeguards by emailing support@collectvault.net.

9. Changes to this policy

We may update this policy; material changes will be communicated in the Service or by email at least 30 days before they take effect. The current version always lives at this URL with a “last updated” date at the top.

10. Contact

Privacy questions or requests: support@collectvault.net.

Last updated 2026-07-02