Privacy Policy

Account data. Email, display name, handle, password hash, optional avatar, bio, and account preferences.

Collection data. Pieces you add to your Vault, photos you upload, notes, provenance, authentication submissions, and trade history on the platform.

Payment data. Billing address and purchase records. Card numbers and bank details are collected and stored by our payment processors — we do not store full card numbers on our servers.

Device and usage data. IP address, browser type, pages visited, and interactions with the service. Used for security, fraud prevention, and product improvement.

Push notifications. If you enable push, we store the browser-issued push subscription token and the preferences you set (drop alerts, trade offers, etc.). You can revoke push at any time in your settings or at the browser level.

We use your data to:

• ◆Run your Vault, Registry activity, and Marketplace transactions.
• ◆Authenticate pieces and prevent counterfeits.
• ◆Process payments, payouts, and refunds.
• ◆Send transactional emails (order confirmations, auth results, drop timing).
• ◆Send push notifications you opted into.
• ◆Detect fraud, abuse, and security threats.
• ◆Improve the platform and build new features.

We rely on a small set of vetted processors to run the platform. Each is bound by a data-processing agreement.

• ◆Supabase — Database, authentication, file storage, edge functions.
• ◆Vercel — Hosting the web application and edge delivery.
• ◆Stripe — Payment processing and payouts.
• ◆Crossmint — On-chain minting and wallet operations for authenticated pieces.
• ◆Resend / Google Workspace — Transactional and account email delivery.
• ◆Netlify — DNS management for the carrycollect.app domain.

We share what each processor needs to do its job, and nothing more.

We use a small number of first-party cookies to keep you signed in, remember your preferences, and protect against fraud. We do not run third-party advertising cookies.

We may use a privacy-respecting analytics tool to understand which pages load, where people get stuck, and what breaks. That data is aggregated and does not identify you as an individual.

Account data: while your account is open, plus a short window after closure for dispute and tax purposes.

Transaction records: at least seven years, to meet US tax and accounting rules.

Vault photos and notes: kept until you delete them or close your account. You can delete individual pieces from your Vault at any time.

Push tokens: kept until you revoke permission or we detect the token is no longer valid.

Depending on where you live, you may have the right to:

• ◆Ask for a copy of the personal data we hold about you.
• ◆Correct data that's wrong or incomplete.
• ◆Delete your data (with some exceptions for records we must keep).
• ◆Object to, or restrict, certain processing.
• ◆Port your data to another service.
• ◆Withdraw consent for anything you opted into.

To exercise any of these, email vault@carrycollect.app. We respond to verified requests within forty-five days, and may extend once for another forty-five days if the request is complex (consistent with CCPA and GDPR timelines). We may need to verify your identity before releasing or deleting data.

If you are a California resident, you have additional rights under the CCPA — including the right to know what categories of personal information we collect, whether we disclose that information, and to request deletion. We do not "sell" personal information as that term is defined by the CCPA.

If you are in the EU or UK, we process data under the GDPR / UK GDPR. Our lawful bases are: performance of a contract (running your account), legitimate interest (fraud prevention, product improvement), legal obligation (tax records), and consent (push notifications, marketing email).

You can lodge a complaint with your local supervisory authority if you believe we mishandled your data.

CarryCollect is not intended for anyone under 18. We do not knowingly collect personal information from children. If you believe a child has given us data, email us and we will remove it.

We use industry-standard practices to protect your data — encryption in transit, restricted production access, least- privilege database policies, and routine audits.

No system is perfectly secure. If we detect a breach that affects you, we will notify you promptly and cooperate with regulators as required.

We may update this Policy as the platform grows. Material changes will be announced in-platform and by email at least seven days before they take effect.

Questions, requests, or concerns: vault@carrycollect.app

CarryCollect, LLC is an Ohio limited liability company. A physical mailing address for legal notices is available upon request by writing to the address above.