Privacy Policy

1. Scope of This Policy

This Privacy Policy applies to all information collected through our website at gildsafe.com, our web application, any associated APIs, and any other services we operate that link to this policy (collectively, the “Service”). It applies to all users, including registered subscribers, administrators, and anonymous visitors who submit tips through our recovery system.

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please discontinue use of the Service.

2. Information We Collect

2.1 Account Information

When you create an account, we collect your full name, email address, and password (stored in hashed form). You may optionally provide a phone number and profile details.

2.2 Item Registry Data

When you register items, we collect details you provide, including:

• Item descriptions, brand, model, and category (watch, bag, jewelry, art, etc.)
• Serial numbers and unique identifiers
• Photographs (up to 10 per item, maximum 10 MB each)
• Purchase information such as purchase date, price, and retailer
• Supporting documents (receipts, certificates of authenticity, appraisals)
• Insurance policy details you choose to store
• Custom notes and any additional descriptive information

2.3 Payment & Billing Information

GildSafe does not directly store your credit card number, bank account details, or other sensitive financial data. All payment processing is handled by Stripe, Inc., a PCI DSS Level 1 certified payment processor. We receive and store only a limited record from Stripe: your Stripe customer ID, subscription status, billing period dates, and the last four digits of your payment method for display purposes.

2.4 Loss & Theft Reports

If you report an item as lost or stolen, we collect the details you provide about the circumstances, including date, location, police report numbers, and any descriptive narrative. This information is used solely to facilitate recovery efforts.

2.5 Tip & Recovery Data

Our anonymous tip system collects information submitted by third parties who may have information about lost or stolen items. Tips may include a tipster's self-reported name, contact information (if voluntarily provided), dealer type, and the substance of the tip. Tipsters are informed that their submissions are shared with GildSafe administrators.

2.6 Automatically Collected Information

When you use the Service, we automatically collect certain technical data:

• IP address and approximate geographic location
• Browser type, version, and operating system
• Pages visited, features used, and interaction timestamps
• Referring URL and exit pages
• Device type and screen resolution

2.7 Activity Logs

We maintain internal activity logs that record account actions such as logins, item registrations, report filings, status changes, and administrative actions. These logs are used for security auditing, fraud prevention, and service integrity.

3. How We Use Your Information

We use the information we collect for the following purposes:

• Service delivery — To create and manage your account, register and catalog your items, and provide our core protection and recovery services
• Payment processing — To process subscription payments, manage billing, and handle refunds or disputes through Stripe
• Recovery facilitation — To operate our tip and bounty system, process anonymous tips, notify you of leads, and coordinate recovery efforts
• Serial number verification — To allow subscribers to search our registry and verify whether an item has been reported lost or stolen before purchase
• Communications — To send transactional emails including account confirmations, tip alerts, recovery updates, billing receipts, and security notices
• Security & fraud prevention — To detect and prevent unauthorized access, abuse, or fraudulent activity on the platform
• Platform improvement — To analyze usage patterns, diagnose technical issues, and improve the functionality and user experience of our Service
• Legal compliance — To comply with applicable laws, regulations, legal processes, or government requests

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, our legal bases for processing your personal data include:

• Contract performance — Processing necessary to provide the Service you have subscribed to
• Legitimate interests — Processing for fraud prevention, security, service improvement, and business operations, where these interests are not overridden by your rights
• Legal obligation — Processing required to comply with applicable law
• Consent — Where we rely on consent, you may withdraw it at any time by contacting us

5. Data Sharing & Disclosure

We do not sell, rent, or trade your personal information. We share data only in the following limited circumstances:

5.1 Service Providers

We share data with trusted third-party service providers who assist in operating our platform:

• Stripe, Inc. — Payment processing. Stripe is PCI DSS Level 1 certified. Their use of your data is governed by the Stripe Privacy Policy.
• Supabase, Inc. — Database infrastructure, authentication, and file storage. Hosted on Amazon Web Services (AWS) with SOC 2 Type II compliance. Their use of your data is governed by the Supabase Privacy Policy.
• Vercel, Inc. — Web application hosting and delivery. Their use of your data is governed by the Vercel Privacy Policy.

5.2 Serial Number Verification

When a subscriber searches our registry by serial number, we may confirm whether a matching item is registered and its status (e.g., registered, lost, stolen). We never reveal the identity of the item owner, photographs, detailed descriptions, or any other personal information through the verification system. Only the item's category, brand, status, and registration date are disclosed.

5.3 Law Enforcement & Legal Requirements

We may disclose your information if required to do so by law, subpoena, court order, or other legal process, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of GildSafe, our users, or the public. We will notify you of such requests when legally permitted to do so.

5.4 Business Transfers

In the event of a merger, acquisition, bankruptcy, or sale of all or a portion of our assets, your personal data may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our Service before your data is transferred and becomes subject to a different privacy policy.

5.5 With Your Consent

We may share your information for purposes not described in this policy if we obtain your explicit consent to do so.

6. Data Storage & Security

We implement multiple layers of security to protect your data:

• Encryption in transit — All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher
• Encryption at rest — Databases and file storage are encrypted at rest using AES-256 encryption
• Row Level Security (RLS) — Database-level access policies ensure that each user can only query and access their own data
• Signed URLs — Photos and documents are served through time-limited, cryptographically signed URLs that prevent unauthorized access
• Password security — Passwords are hashed using bcrypt and are never stored in plaintext
• Administrative access controls — Administrative functions require verified admin credentials and are logged for auditing
• Infrastructure security — Our infrastructure partners (AWS, Supabase, Vercel) maintain SOC 2 Type II compliance and undergo regular third-party security audits

While we implement commercially reasonable safeguards, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security, but we are committed to promptly addressing any security incidents.

7. Data Retention

We retain your data according to the following schedule:

• Active accounts — Data is retained for the lifetime of your subscription
• Cancelled accounts — Upon cancellation, your data is retained in a deactivated state for 12 months to facilitate potential reactivation. During this period, your data remains secured but is not accessible through the Service
• Post-retention deletion — After 12 months of account inactivity following cancellation, your data may be permanently and irreversibly deleted, including item records, photos, documents, and reports
• Activity and audit logs — Retained for 24 months for security and compliance purposes
• Payment records — Billing records are retained for 7 years as required by tax and financial regulations
• Anonymous tips — Tip data is retained for the duration of an active investigation and may be retained thereafter for legal and evidentiary purposes

You may request immediate deletion of your data at any time by contacting us at info@gildsafe.com. Immediate deletion requests are honored except where retention is required by law.

8. Cookies & Tracking Technologies

8.1 Essential Cookies

We use strictly necessary cookies for authentication, session management, and security. These cookies are required for the Service to function and cannot be disabled.

8.2 Analytics

We may use anonymized analytics to understand how users interact with our Service and identify areas for improvement. Analytics data is aggregated and does not contain personally identifiable information.

8.3 What We Do Not Use

We do not use third-party advertising cookies, cross-site tracking pixels, social media tracking widgets, or any technology that tracks your browsing activity across other websites. We do not participate in ad networks or retargeting programs.

9. Your Privacy Rights

Regardless of your location, we provide all users with the following rights:

• Access — Request a copy of the personal data we hold about you
• Correction — Request correction of inaccurate or incomplete data
• Deletion — Request deletion of your personal data, subject to legal retention requirements
• Data portability — Request an export of your data in a structured, machine-readable format
• Restriction — Request that we restrict processing of your data in certain circumstances
• Objection — Object to processing of your data based on legitimate interests
• Withdraw consent — Where processing is based on consent, withdraw that consent at any time

To exercise any of these rights, contact us at info@gildsafe.com. We will respond to your request within 30 days. We may ask you to verify your identity before processing your request.

10. California Residents — CCPA / CPRA

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

• Right to know — You may request details about the categories and specific pieces of personal information we have collected about you in the past 12 months, including the sources, purposes, and third parties with whom we shared it
• Right to delete — You may request deletion of your personal information, subject to certain exceptions
• Right to correct — You may request correction of inaccurate personal information
• Right to opt out of sale or sharing — We do not sell or share your personal information for cross-context behavioral advertising. No opt-out action is required
• Right to limit use of sensitive personal information — We only use sensitive personal information as necessary to provide the Service
• Non-discrimination — We will not discriminate against you for exercising your privacy rights

To submit a verifiable consumer request, contact info@gildsafe.com. You may also designate an authorized agent to make a request on your behalf.

11. European Residents — GDPR

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following additional rights under the General Data Protection Regulation:

• All rights listed in Section 9, which are guaranteed to all users
• Right to lodge a complaint — You may file a complaint with your local data protection supervisory authority
• Right to object to automated decision-making — We do not use automated decision-making or profiling that produces legal or similarly significant effects

International Data Transfers

Your data may be transferred to and processed in the United States, where our infrastructure partners are located. When transferring data outside the EEA/UK, we rely on Standard Contractual Clauses approved by the European Commission or other appropriate safeguards to ensure an adequate level of data protection.

12. Anonymous Tip & Recovery System

Our tip-based recovery system has specific privacy considerations:

• Tips may be submitted anonymously — we do not require tipsters to identify themselves
• If a tipster voluntarily provides contact information, it is stored securely and shared only with GildSafe administrators for verification and follow-up purposes
• Item owners are never given direct access to tipster contact information
• Tip content is reviewed by GildSafe administrators before any action is taken
• Bounty-related communications are facilitated through GildSafe — we do not share direct contact details between item owners and tipsters

When a subscriber uses our serial number verification feature and a match is found for a lost or stolen item, our administrators are automatically notified. The searcher's identity is not disclosed to the item owner.

13. Data Breach Notification

In the event of a data breach that compromises your personal information, we will:

• Notify affected users via email within 72 hours of becoming aware of the breach
• Provide details about the nature of the breach, the data affected, and steps we are taking to mitigate harm
• Notify relevant data protection authorities as required by applicable law (including GDPR Article 33 and applicable US state breach notification laws)
• Offer guidance on steps you can take to protect yourself
• Document the breach internally, including its effects and remedial actions taken

14. Children's Privacy

GildSafe is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from minors. If we become aware that we have collected data from a person under 18, we will take prompt steps to delete that information. If you believe a minor has provided us with personal data, please contact us at info@gildsafe.com.

15. Third-Party Links

Our Service may contain links to third-party websites or services (e.g., Stripe's payment portal). We are not responsible for the privacy practices or content of these external sites. We encourage you to review the privacy policies of any third-party services before providing them with your information.

16. Do Not Track Signals

Our Service does not track users across third-party websites and therefore does not respond to Do Not Track (DNT) browser signals. However, because we do not engage in cross-site tracking, our practices are consistent with the intent of DNT signals.

17. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email at least 30 days before the changes take effect and post a prominent notice on our platform. The “Last updated” date at the top of this page indicates when the policy was last revised. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated policy.