Privacy Policy
Template, not legal advice. Fill the [PLACEHOLDERS] and get attorney review before publishing. Two items must match the real implementation: (a) whether captured screenshots/uploaded images are stored and for how long, and (b) whether any user data/images train AI models.
How [LEGAL ENTITY] ("Pullt," "we") collects, uses, shares, and protects your information across the Pullt website, app, and browser extension (the "Service").
1. Information We Collect
- You provide: account (name, email, hashed password), collection data (cards, sets, conditions, notes, valuations), uploaded images (card photos), communications.
- Payment: processed by Stripe; we receive limited info (subscription status, last4, brand, country). We don't store full card numbers.
- Extension (screenshot capture): when you actively trigger it, the extension captures only the screen region you select, transmits it securely to our servers and/or our AI vision provider to identify the card + return an estimate. It captures only on your action; it does not continuously record your screen. [CONFIRM: whether captures are stored, for how long, and whether used to improve models — must match code + Chrome disclosures.]
- Automatic (analytics): IP, browser/extension version, device/OS, features used, timestamps, diagnostics. Cookies (see §6).
- From third parties: card/price data (providers) + ID results (AI vision) — about cards, combined with your queries.
2. How We Use It
Operate the Service; store/display your collection + images; process screenshots to ID cards + estimate; billing/renewals for Pro (Stripe); support; analytics to maintain/secure/improve; fraud prevention; service + (opt-out) marketing communications; legal compliance. [CONFIRM model-training disclosure.]
3. How We Share It
We do not sell your personal information. We share with: processors (Stripe payments; hosting [Vercel + Supabase/Cloudflare R2]; AI vision provider; price-data providers — we send card queries, not your identity, where feasible; analytics/error-monitoring); legal/safety; business transfers; with your consent.
4. Storage & International Transfers
Stored/processed in [the United States]. EU/UK transfers rely on Standard Contractual Clauses.
5. Retention
As long as your account is active or as needed for the Service/legal/disputes. On deletion we delete/anonymize within [30–90] days, except records we must keep (billing/tax). [CONFIRM screenshot/image retention.]
6. Cookies
Used to keep you signed in, remember preferences, secure the Service, and measure usage. Control via browser; EU/UK/CA users get a consent/opt-out mechanism for non-essential cookies.
7. Your Rights
Access, correct, delete, port, restrict, object — via settings or [PRIVACY EMAIL]. No discrimination for exercising rights.
- 7.1 California (CCPA/CPRA): know/access, delete, correct, opt out of sale/share (we don't sell), limit sensitive PI. Categories collected: identifiers, commercial info, internet/usage activity, visual info (card images), inferences.
- 7.2 Europe/UK (GDPR): legal bases = contract, legitimate interests, consent, legal obligation; rights incl. access/rectification/erasure/restriction/portability/object/withdraw consent; right to complain to your DPA.
8. Security
TLS in transit, access controls, hashed passwords. No system is perfectly secure. Breaches notified as legally required.
9. Children
Not directed to children under 13 (16 in some regions); we don't knowingly collect their data.
10. Third-Party Links/Marketplaces
The Service may interact with third-party sites (Whatnot, eBay). This Policy doesn't cover them; review theirs. Pullt is independent and unaffiliated.
11. Changes
Updates posted with a new date; material changes get extra notice.
12. Contact
[LEGAL ENTITY] · [PRIVACY EMAIL] · [MAILING ADDRESS]