Privacy Policy
Effective Date: April 29, 2026
Last updated: April 26, 2026
1. Information We Collect
We collect information you provide directly and information generated by your use of the Service:
- Account data: email address, display name, and password hash (stored via NextAuth.js — we never store plaintext passwords).
- Collection & watchlist data: card titles, images, acquisition prices, AI scores, and P&L entries you create within the platform.
- eBay account data: OAuth access token, refresh token (encrypted at rest), and watchlist items synced from eBay when you connect your account.
- Usage data: scan history, search queries, feature interactions, and session timestamps — used for quota enforcement and service improvement.
- Payment data: billing plan and subscription status are stored by us. Credit card details are processed exclusively by Stripe and are never stored on AgentGRaiL servers.
- Technical data: IP address, browser type, device identifiers, and server logs — retained for up to 30 days for security and debugging.
2. How We Use Your Information
We use your information to:
- Provide and improve the AgentGRaiL Service, including AI card analysis, deal detection, P&L tracking, and personalized recommendations.
- Enforce scan quotas and plan limits associated with your subscription.
- Send transactional emails (account verification, billing receipts, price alerts, weekly digests) based on your notification preferences.
- Detect and prevent fraud, abuse, and security incidents.
- Improve our AI models using aggregated, anonymized scan data.
- Comply with legal obligations.
We do not sell your personal data to third parties. We do not use your data for targeted advertising.
3. Data Storage & Security
Your data is stored in a PostgreSQL database hosted on Railway (US region). Card images submitted for AI analysis are stored in Cloudflare R2 (US region) under the temp/classify/ prefix and are not retained permanently after processing. eBay OAuth tokens are encrypted at rest using AES-256. We use TLS 1.2+ for all data in transit. Despite these safeguards, no system is perfectly secure — we encourage you to use a strong, unique password for your account.
4. Data Retention
We retain your personal data for as long as your account is active. When you delete your account:
- Soft delete: your account is immediately deactivated and all personal identifiers (name, email, eBay tokens) are removed within 30 days.
- Anonymized retention: aggregate scan statistics and AI training labels (stripped of personal identifiers) may be retained indefinitely to improve the Service.
- Legal hold: certain records may be retained longer if required by law or ongoing disputes.
5. Third-Party Services
We integrate with the following third-party providers, each of which has its own privacy policy:
- eBay — marketplace data and watchlist sync (developer.ebay.com)
- Stripe — payment processing (stripe.com/privacy)
- Resend — transactional email delivery (resend.com/privacy)
- Vercel — web hosting and edge functions (vercel.com/legal/privacy-policy)
- Railway — database hosting (railway.app/privacy)
- Nyckel — AI card image classification (nyckel.com/privacy) — images are submitted for inference and are not stored by Nyckel beyond their processing window.
- CardSight — sports card catalog and pricing data (used for market comps).
6. Cookies
We use cookies and similar technologies. Here is what is currently in use:
- Authentication cookies (essential): NextAuth.js sets a session cookie (next-auth.session-token) required to keep you logged in. These cookies are strictly necessary for the Service to function and cannot be disabled.
- No tracking or advertising cookies are set at this time. If we add product analytics (e.g., PostHog) in the future, we will update this policy and provide a consent mechanism where required by law.
7. Your Rights
Depending on where you are located, you may have the following rights regarding your personal data:
- Right of access (GDPR Art. 15): request a copy of the personal data we hold about you.
- Right to rectification (GDPR Art. 16): request correction of inaccurate data from the Account settings page.
- Right to erasure / Right to be forgotten (GDPR Art. 17): request deletion of your account and all associated personal data. You can initiate this directly from Account > Settings > Delete Account. We will complete the deletion within 30 days and confirm by email.
- Right to data portability (GDPR Art. 20): export your collection, watchlist, and scan history from Account > Settings > Export Data.
- Right to object / opt out: you may opt out of non-essential communications (digest emails, price alerts) at any time from Account > Notifications.
- California residents (CCPA): you have the right to know what personal information is collected and to opt out of any sale of personal information. We do not sell personal information.
To exercise any of these rights, contact us at privacy@agentgrail.ai. We will respond within 30 days.
8. Children’s Privacy
AgentGRaiL is not directed to children under the age of 18. We do not knowingly collect personal information from minors. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.
9. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date above. For material changes, we will notify you via email at least 7 days before the change takes effect.
10. Contact
For privacy questions, data requests, or concerns, contact us at privacy@agentgrail.ai.