Privacy Policy

Last updated: April 28, 2026

This Privacy Policy explains how GradeYield (“GradeYield,” “we,” “us”) collects, uses, and protects information when you use our website and services (the “Service”). We’ve tried to keep it short and plainspoken. If anything is unclear, email us at support@gradeyield.com.

1. Information we collect

We collect only what we need to run the Service:

  • Account data. Email address, optional full name, hashed authentication credentials managed by our auth provider (Supabase).
  • Your card data. Anything you type into the calculator, save to SlabReserve, track in Profit Tracker, or include in Batch Analyzer — card names, prices, grading fees, notes, and the results we compute from those inputs.
  • Billing data. If you subscribe to Pro, our payment processor (Stripe) collects your payment method, billing name, and billing address. GradeYield never sees or stores your full card number or CVV — we only store Stripe customer and subscription identifiers.
  • Usage data. Basic technical data your browser sends (IP address, user agent, referrer), plus anonymised usage counts (e.g. how many calculations you run in a month, used to enforce free-tier limits).
  • Communications. Emails you send us, and your responses to optional product emails.

2. How we use it

  • To run the calculator, SlabReserve, Profit Tracker, Batch Analyzer, and Compare tools.
  • To create and secure your account and enforce free/Pro plan limits.
  • To process subscriptions and payments through Stripe.
  • To send transactional email (receipts, account notifications, password resets).
  • To send optional product emails if you opt in — you can unsubscribe anytime.
  • To diagnose bugs, prevent abuse, and improve the product.
  • To comply with law or enforce our Terms.

We do not sell your personal information, and we do not share your calculator inputs, saved cards, tracked profit, or billing details with third parties for their own marketing.

3. Who we share data with (our subprocessors)

We use a small set of vendors to run the Service. Each processes data on our behalf under their own security and privacy terms, and only for the purposes described below:

  • Supabase, Inc. — authentication, Postgres database hosting, and row-level security. Stores your account record, saved cards, tracked cards, and usage counters. Supabase also delivers the transactional auth emails the Service relies on (such as signup confirmation, magic-link, and password-reset emails) unless we have configured a custom SMTP provider, in which case that provider would be listed here. Privacy: supabase.com/privacy.
  • Stripe, Inc. — subscription billing and payment processing. Stripe collects your payment method, billing address, and any tax-related information needed to process the charge. We never see or store your full payment card number or CVV. Privacy: stripe.com/privacy.
  • Vercel Inc. — application hosting, edge delivery, and request logs (typically retained for a short window for debugging and abuse prevention). Vercel may receive standard request metadata such as IP address, user agent, and the URL you are visiting. Privacy: vercel.com/legal/privacy-policy.
  • eBay, Inc. — when you use Comp Lookup, Value History, or tracked-card thumbnails, we send a short search query derived from your card details to the eBay Browse API to retrieve public listing data. We do not send your email address, account identifier, or other directly-identifying account data. Privacy: eBay user privacy notice.

This list reflects the subprocessors actually in use at the time of the “Last updated” date above. We do not currently use a separate transactional email vendor, third-party analytics, or third-party error-monitoring service; if that changes, we will update this list before the new vendor begins processing personal information on our behalf.

We may also disclose information when required by law, to respond to valid legal process, to protect our or our users’ rights, or as part of a merger, acquisition, financing, or sale of all or substantially all of our assets (we’ll give you notice in that case).

4. Payments and billing

All payments are handled by Stripe. We do not see or store your full card number, CVV, or bank details. What we store on our end is the minimum needed to link your account to your subscription: Stripe customer and subscription IDs, your plan tier, subscription status, and (optionally) your billing email.

Stripe’s own privacy policy governs the payment data they process. You can review it at stripe.com/privacy.

5. Cookies and local storage

We use cookies and browser local storage for:

  • Authentication — to keep you logged in (Supabase session cookies).
  • Preferences — your light/dark theme choice.
  • Anonymous calculator state — if you use the calculator without an account, your usage counters and saved calculations live only in your own browser until you create an account.
  • Anonymous usage analytics — a single first-party cookie called gy_anon stores a random UUID so we can group your calculations across visits for product improvement. It is HttpOnly, SameSite=Lax, expires after 18 months, and is never shared with third parties. We do not record your IP address, browser fingerprint, or full user-agent string alongside it — only a coarse device class (e.g. desktop_chrome, ios_safari) to help us catch device-specific bugs.
  • Calculation analytics — when you run a calculation, we record the inputs and result (card identity, prices, probabilities, recommendation, comp confidence) so we can improve recommendations and surface aggregate trends. We do not record free-text notes, email content, or anything that identifies you beyond the account ID or anonymous session UUID described above.

You can block cookies in your browser, but the Service won’t work properly without session cookies. If you delete the gy_anon cookie, you’ll be treated as a new anonymous visitor on your next calculation.

5.5 Browser-local image processing

The Centering Pre-Screen processes uploaded card images locally in your browser. We use the HTML canvas API and standard image-processing routines that run on your device to compute centering measurements. Uploaded images are not transmitted to or stored on GradeYield’s servers in normal operation. Once you close the page or navigate away, the image is discarded by your browser and is not retained by the Service.

Numeric centering measurements derived from your image (for example, left/right/top/bottom border ratios) may be saved to your account if you choose to save the result; the source image itself is not. If a future feature requires server-side image processing, we will disclose that change and ask for your consent before sending an image to our servers.

6. Security

We host data with Supabase (encryption at rest and in transit) and process payments through Stripe (PCI-DSS Level 1). Row-level security policies in our database restrict each row to its owning user.

We implement administrative, technical, and physical safeguards that we believe are reasonable, including: encryption in transit (HTTPS), encryption at rest at the database layer through Supabase, row-level security policies that restrict each row of saved data to its owning user, scoped service-role keys for server-side operations, and least-privilege access for our team. No method of transmission or storage over the internet is 100% secure, and we cannot guarantee absolute security. If we become aware of a security incident affecting your personal information, we will notify you as required by applicable law.

If you believe your account has been compromised, email us at support@gradeyield.com.

7. Data retention and your rights

We keep your account and saved data for as long as your account is active. If you cancel, we retain data needed for legal, tax, or fraud-prevention purposes (including Stripe transaction records) and otherwise delete it on request.

You can:

  • Access or export your saved cards and tracked cards directly from the app.
  • Correct your email or name in your account settings.
  • Delete your account (and with it your saved and tracked cards) by emailing support@gradeyield.com.
  • Unsubscribe from product emails via the link in any email we send.

Residents of California, the EU/EEA, the UK, and certain other jurisdictions may have additional rights (e.g. access, portability, deletion, restriction, objection). To exercise them, email us and we’ll respond within 30 days.

7.7 Business transfers

If GradeYield is involved in a merger, acquisition, financing, restructuring, sale of assets, bankruptcy, or similar transaction, your information may be transferred to the surviving or acquiring entity as part of that transaction. We will require any successor to honor commitments we have made in this Privacy Policy with respect to your personal information, or we will give you notice and a meaningful opportunity to delete your account before any change in how your information is handled.

8. International users

GradeYield is operated from the United States. If you use the Service from outside the US, your information will be transferred to and processed in the US under appropriate safeguards. By using the Service you consent to this transfer.

9. Children

GradeYield is not directed to children under 13, and we do not knowingly collect personal information from them. If you believe a child has provided us information, contact us and we’ll delete it.

10. Changes to this policy

We may update this policy as the product evolves. We’ll update the “Last updated” date at the top, and for material changes we’ll provide a more visible notice (in-app or by email).

11. Tracking signals (Do Not Track / Global Privacy Control)

Some browsers transmit “Do Not Track” or “Global Privacy Control” (GPC) signals. We do not currently engage in cross-context behavioral advertising and do not “sell” or “share” personal information as those terms are defined under California law. Where required, we honor GPC signals as a request to opt out of any future sale or sharing.

12. Contact

Questions, requests, or complaints? Email us at support@gradeyield.com.

See also our Terms of Service and Disclaimer.