Privacy Policy

1. Introduction

CollectKeys ("we", "us", "our", or "the Service") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our collectibles tracking platform. Please read this policy carefully. By using the Service, you consent to the practices described in this Privacy Policy.

2. Information We Collect

2.1 Information from Google OAuth

When you sign in using Google, we receive the following information from your Google account:

• Google User ID - A unique identifier used to associate your data
• Email address - Used for account identification
• Display name - Shown within the Service
• Profile picture URL - Displayed in the navigation bar

We do not access your Google password, contacts, files, or any other Google account data beyond what is listed above.

2.2 Collection and Activity Data

We store data you voluntarily provide while using the Service, including:

• Comics and collectibles you add to your collection (titles, issue numbers, condition, purchase prices)
• Watchlist entries and notes
• Items listed for sale and pricing details
• Grading information (CGC, CBCS, and other grading company data)
• Event participation records
• Messages sent through the Service
• User preferences and settings

2.3 Automatically Collected Information

When you access the Service, we may automatically collect:

• Browser type and version
• Device type and operating system
• IP address
• Pages visited and features used
• Date and time of access
• Referring URL

2.4 Push Notification Data

If you opt in to push notifications, we store your browser push subscription endpoint and associated encryption keys solely for the purpose of delivering notifications.

3. Lawful Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data on the following legal bases:

• Contract performance: Processing necessary to provide the Service you requested (account creation, collection management, data storage)
• Legitimate interests: Processing necessary for our legitimate interests (Service improvement, security, fraud prevention) where such interests are not overridden by your rights
• Consent: Processing based on your explicit consent (push notifications, optional public sharing of collections)
• Legal obligation: Processing necessary to comply with legal requirements

4. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve the Service
• Authenticate your identity and manage your account
• Store and display your collection data
• Provide collection analytics and insights
• Display market deals and pricing information relevant to your interests
• Enable communication between users through the messaging feature
• Send push notifications (only if you opt in)
• Detect and prevent fraud, abuse, and security incidents
• Respond to your requests and provide support
• Comply with legal obligations

We do not use your data for automated decision-making or profiling that produces legal effects concerning you.

5. Data Storage and Security

5.1 Storage Location

Your data is stored on servers located in the United States. If you are accessing the Service from outside the United States, please be aware that your data will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country.

5.2 Storage Architecture

Your collection data is stored in a per-user database that is isolated from other users' data. Shared reference data (such as the issue database) is stored separately and is read-only for users.

5.3 Security Measures

We implement appropriate technical and organizational security measures to protect your data, including:

• Encrypted connections (HTTPS/TLS) for all data transmission
• Session-based authentication with secure, HTTP-only cookies
• Per-user database isolation
• Regular security updates and monitoring
• VAPID-based encryption for push notifications

While we strive to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

6. Data Sharing and Disclosure

We do not sell, trade, or rent your personal information to third parties.

We may share your information only in the following circumstances:

• Public collections: If you enable public sharing of your collection, watchlist, or sale listings, that data will be accessible to anyone with the link. You can disable this at any time in Settings
• User messaging: Messages you send are visible to the recipient
• Service providers: We may share data with trusted third-party service providers who assist in operating the Service (e.g., cloud hosting), subject to confidentiality obligations
• Legal requirements: We may disclose your information if required by law, regulation, subpoena, court order, or other legal process
• Protection of rights: We may disclose information to protect the rights, property, or safety of CollectKeys, our users, or the public
• Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity, who will be bound by this Privacy Policy

7. Cookies and Local Storage

The Service uses the following types of storage technologies:

7.1 Essential Cookies

These are strictly necessary for the Service to function and cannot be disabled:

• Session cookie: Maintains your authentication state and login session

7.2 Functional Storage

These enhance your experience but are not strictly required:

• Service Worker cache: Enables offline functionality and faster page loads
• Local storage: Stores user preferences and filter settings locally on your device

We do not use third-party tracking cookies, advertising cookies, or analytics cookies. You can manage cookies through your browser settings. Note that disabling essential cookies will prevent you from using the Service.

8. Third-Party Services

The Service integrates with or links to the following third-party services:

• Google OAuth: For authentication (subject to Google's Privacy Policy)
• External marketplaces: Deal links may redirect to third-party sites (eBay, etc.) which have their own privacy policies

We are not responsible for the privacy practices of third-party websites or services. We encourage you to review their privacy policies before providing any personal information.

9. Your Privacy Rights

9.1 Rights for All Users

Regardless of your location, you have the following rights:

• Access: Request a copy of the personal data we hold about you
• Correction: Request correction of inaccurate or incomplete data
• Deletion: Request deletion of your account and all associated data
• Export: Export your collection data through the Service's built-in export features (CSV, PDF)
• Withdrawal of consent: Withdraw consent for optional processing (e.g., push notifications, public sharing) at any time

9.2 Additional Rights for EEA/UK Residents (GDPR)

If you are located in the European Economic Area or United Kingdom, you additionally have the right to:

• Restriction: Request restriction of processing of your personal data
• Portability: Receive your personal data in a structured, commonly used, machine-readable format
• Object: Object to processing based on legitimate interests
• Complaint: Lodge a complaint with your local data protection supervisory authority (e.g., the ICO in the UK, CNIL in France, or the relevant authority in your country)

9.3 Additional Rights for California Residents (CCPA/CPRA)

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collecting it, and the categories of third parties with whom we share it
• Right to delete: You may request deletion of your personal information, subject to certain exceptions
• Right to opt-out of sale: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising
• Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights
• Right to correct: You may request correction of inaccurate personal information

Categories of personal information collected: Identifiers (name, email, Google ID), internet activity (pages visited, features used), and user-generated content (collection data, messages).

To exercise your CCPA/CPRA rights, contact us at privacy@collectkeys.com. We will verify your identity before processing your request.

9.4 How to Exercise Your Rights

To exercise any of the above rights, you may:

• Email us at privacy@collectkeys.com
• Use the account deletion and data export features in the Settings page
• Contact us through the in-app messaging feature

We will respond to your request within thirty (30) days, or within the timeframe required by applicable law.

10. Data Retention

We retain your data according to the following schedule:

• Active account data: Retained for as long as your account is active
• After account deletion: Your per-user database and all associated collection data are permanently deleted within 30 days of your deletion request
• Backup copies: May persist in encrypted backups for up to 90 days after deletion, after which they are permanently purged
• Server logs: Automatically collected data (IP addresses, access logs) is retained for up to 90 days for security and troubleshooting purposes
• Legal obligations: Some data may be retained longer if required by law or to resolve disputes

11. Data Breach Notification

In the event of a data breach that affects your personal information, we will:

• Notify affected users via email within 72 hours of becoming aware of the breach
• Notify the relevant supervisory authority within 72 hours where required by law (e.g., GDPR)
• Provide details about the nature of the breach, the data affected, and the measures taken to address it
• Recommend steps you can take to protect yourself

12. International Data Transfers

Your personal data is stored and processed in the United States. If you are located outside the United States (including the EEA, UK, or Switzerland), your data will be transferred internationally. We ensure appropriate safeguards are in place for such transfers, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission where applicable
• Compliance with the UK International Data Transfer Agreement (IDTA) where applicable
• Your explicit consent to the transfer when you create an account

13. Children's Privacy

The Service is not intended for children under the age of 16 (or under 13 in jurisdictions where 13 is the applicable minimum age under laws such as COPPA). We do not knowingly collect personal information from children under these ages. If we become aware that we have collected personal data from a child under the applicable minimum age without parental consent, we will take steps to delete that information within a reasonable timeframe. If you believe a child has provided us with personal information, please contact us at privacy@collectkeys.com.

14. Do Not Track Signals

Some browsers offer a "Do Not Track" (DNT) setting. Since we do not use third-party tracking cookies or engage in cross-site tracking, the Service operates the same way regardless of your DNT setting.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. For material changes, we will provide notice through one or more of the following: updating the "Last updated" date at the top of this page, sending an email notification, or displaying a prominent notice within the Service. We encourage you to review this Privacy Policy periodically. Continued use of the Service after changes are posted constitutes acceptance of the updated policy. If you do not agree with the revised policy, you should stop using the Service and may request deletion of your account.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• Privacy inquiries: privacy@collectkeys.com
• General contact: support@collectkeys.com
• In-app: Through the messaging feature within the Service (logged-in users)

For EEA/UK residents: If you are not satisfied with our response to your privacy concern, you have the right to lodge a complaint with your local data protection supervisory authority.