Privacy Policy
Table of Contents
- Who We Are
- What Data We Collect
- How We Use Your Data
- Legal Bases for Processing
- Third-Party Subprocessors
- eBay Data Sources
- When We Share Data
- Data Retention
- Data Security
- Children's Privacy
- Cookies
- Your Rights — California (CCPA/CPRA)
- Additional State Rights
- International Users / GDPR Note
- Breach Notification
- Changes to This Policy
- Contact and DSAR Requests
1. Who We Are
Picker Radar (pickerradar.com) is operated by Qualuxe Goods LLC, located at 7533 S Center View Ct, Ste R, West Jordan, UT 84084, Highland, Utah, United States. For privacy-related questions, contact us at support@pickerradar.com.
2. What Data We Collect
2.1 Account Information
- Name and email address (collected at signup via Clerk authentication)
- Profile photo (if provided via Google OAuth)
- Authentication tokens and session data managed by Clerk
2.2 Photos and Scan Data
- Photos and video frames you upload during scans, stored in Vercel Blob storage
- Identified item attributes (brand, category, condition estimate) returned by AI inference
- eBay comparable sold-listing data retrieved for each scan
- Pick / Leave decisions you record
- Per-store tracking data: store name, location, visit history
- Cost-basis amounts you enter when logging a purchase
2.3 Billing Data
- Subscription tier and billing status (stored in our database)
- Payment processing is handled by Stripe; we receive only billing confirmation, subscription status, and last-4 card digits. Full card data never touches our servers.
2.4 Usage and Technical Data
- Log data: IP addresses, browser type, referring pages, pages visited, timestamps
- Scan count and quota usage per account
- Error logs (which may contain request context but not photo content)
2.5 Optional Location Data
- If you use the store-detection feature, we request your device GPS coordinates to identify nearby stores via the Google Places API. Location is used only during the active session and is not stored persistently on our servers beyond the store association you confirm.
3. How We Use Your Data
| Purpose | Data Used |
|---|---|
| Deliver item identification and eBay comp results | Uploaded photos, transmitted to Google Gemini API |
| Provide Pick/Leave recommendations and profit estimates | AI inference output + eBay comp data |
| Store scan history and per-store stats | Scan records, store associations, pick decisions |
| Manage subscriptions and enforce scan quotas | Subscription tier, scan count |
| Process payments | Billing metadata via Stripe |
| Send transactional emails (e.g., OTP, billing receipts) | Email address, via Clerk |
| Respond to support requests | Account info, scan logs as relevant |
| Monitor service health and debug errors | Log data, error context |
| Comply with legal obligations | As required by applicable law |
We do not sell your personal data. We do not use your data for advertising or share it with advertising networks.
4. Legal Bases for Processing
- Contract performance: Processing account data, scan images, and billing data is necessary to deliver the Service you signed up for.
- Legitimate interests: Security monitoring, error logging, and service analytics are necessary for us to operate a reliable product and detect abuse.
- Legal obligation: We may retain billing records as required by financial regulations.
- Consent: Location access is only used with your in-session consent at the time of the request.
5. Third-Party Subprocessors
| Vendor | Purpose | Data Involved | Privacy / Security Reference |
|---|---|---|---|
| Vercel, Inc. | Frontend hosting, API routes, Blob storage for uploaded images | All data transmitted to the app; uploaded photos stored in Vercel Blob | vercel.com/legal/privacy-policy |
| Railway Corp. | Background worker hosting; PostgreSQL database | All application database records (accounts, scan history, subscriptions) | railway.com/legal/privacy |
| Clerk, Inc. | User authentication, session management, transactional email (OTP) | Email address, name, auth tokens | clerk.com/legal/privacy |
| Stripe, Inc. | Payment processing and subscription billing | Payment card data (processed directly by Stripe; we receive only billing metadata) | stripe.com/privacy |
| Google LLC (Gemini API / GCP) | AI vision inference — item identification from uploaded photos | Photos you upload during scans are transmitted to the Gemini API for processing | cloud.google.com/terms/data-processing-terms |
| Google LLC (Places API) | Store location lookup when you use the store-detection feature | GPS coordinates (optional, session-only) | policies.google.com/privacy |
| ScrapingBee SAS | Retrieval of eBay sold-comp data via proxied web requests | No personal data; requests contain only item search queries | scrapingbee.com/privacy-policy |
| Google LLC (BigQuery / GCP Billing) | Internal billing cost analytics (GCP billing export). Not user-facing data. | Aggregate API usage cost data only — no personal user data exported | cloud.google.com/terms/data-processing-terms |
We may update this subprocessor list as the Service evolves. Material additions will be reflected in an updated Privacy Policy with notice per Section 15.
5a. eBay Data Sources
eBay Data: Picker Radar uses eBay's Marketplace Insights API (and where the API isn't yet provisioned, eBay's public sold-listing search) to display recently-sold item prices that help users make informed reselling decisions. We fetch sold-listing summaries — title, price, item thumbnail, and a link to the source listing — on demand for each user query and display them in the user's active scan session. We do not store eBay data beyond what the user reviewed in that scan, do not redistribute it, do not aggregate it into a separate dataset, and do not use it to train models. All sold-listing displays link back to the source eBay item page as the primary call to action.
6. When We Share Data
We do not sell, rent, or trade your personal data to third parties. We share data only:
- With subprocessors listed in Section 5, solely to deliver the Service.
- In a business transfer — if Picker Radar is acquired or merges with another entity, your data may transfer to the successor as part of that transaction. We will notify you via email before such a transfer and you will have an opportunity to delete your account.
- To comply with law — we may disclose data when required by valid legal process (court order, subpoena, or government request). Where permitted, we will notify you before complying.
- To protect rights — we may disclose data to prevent fraud, abuse, or illegal activity, or to protect the safety of our users.
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Account profile (name, email) | Until account deletion + 30-day grace period |
| Scan records and item data | Until account deletion + 30-day grace period |
| Uploaded photos (Vercel Blob) | Until account deletion + 30-day grace period |
| Pick/Leave decisions and store stats | Until account deletion + 30-day grace period |
| Billing records (subscription history) | 7 years (financial record-keeping requirement) |
| Server logs (IP, request metadata) | 90 days, then automatically purged |
| Error logs | 30 days |
After account deletion, data is permanently deleted from our systems within 30 days, except billing records retained for legal compliance. Note that subprocessors may have their own retention schedules.
8. Data Security
We apply industry-standard security practices to protect your data, including:
- HTTPS encryption in transit for all communications between your device and our servers
- Access controls limiting who within our organization can access production data
- Authentication and session management handled by Clerk, a purpose-built security vendor
- Payment data handled entirely by Stripe, a PCI-DSS compliant payment processor — full card numbers never reach our servers
No system is perfectly secure. If you believe your account has been compromised, contact us immediately at support@pickerradar.com.
9. Children's Privacy
The Service is not directed to children under 13. We do not knowingly collect personal data from children under 13. If we learn that we have collected data from a child under 13 without parental consent, we will delete it promptly. If you believe a child under 13 has provided us with personal data, contact us at support@pickerradar.com.
10. Cookies
We use cookies and similar technologies as described in our Cookie Policy. We use strictly necessary cookies for authentication (Clerk), payment flow (Stripe), and CSRF protection. We do not use advertising or tracking cookies. Clerk and Stripe set their own cookies subject to their respective privacy policies.
11. Your Rights — California Residents (CCPA / CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to Know: You may request a disclosure of the categories and specific pieces of personal data we have collected about you in the past 12 months, the sources, the purposes for collection, and the categories of third parties with whom we share it.
- Right to Delete: You may request that we delete personal data we have collected from you, subject to limited exceptions.
- Right to Correct: You may request correction of inaccurate personal data we hold about you.
- Right to Data Portability: You may request a copy of your data in a portable format.
- Right to Opt Out of Sale / Sharing: We do not sell your personal data and do not share it for cross-context behavioral advertising. You do not need to opt out of a sale because no sale occurs. We honor Global Privacy Control (GPC) signals as a "do not sell or share" request.
- Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information beyond what is necessary to provide the Service.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights.
To exercise these rights, submit a Data Subject Access Request (DSAR) to support@pickerradar.com with the subject line "CCPA Request" and your account email address. We will respond within 45 days (extendable by an additional 45 days with notice). We may need to verify your identity before processing the request.
12. Additional State Rights
Residents of the following states have rights under their respective state privacy laws. To exercise these rights, follow the DSAR process in Section 11.
- Virginia (VCDPA): Rights to access, correct, delete, obtain a portable copy, opt out of sale and targeted advertising, and appeal our decision. Contact us if a request is denied to receive an appeal process.
- Colorado (CPA): Rights to access, correct, delete, data portability, and opt out of targeted advertising and the sale of personal data. You may also appeal a denial.
- Utah (UCPA): Rights to access and delete your data, data portability, and opt out of the sale of personal data and targeted advertising.
We do not sell personal data or use it for targeted advertising under any of these statutes. Response time for DSAR requests from these states is 45 days.
13. International Users / GDPR Note
Picker Radar is operated in the United States and is primarily directed at US users. We do not actively market to users in the European Economic Area or the United Kingdom. All data processing occurs on servers located in the United States or with US-based subprocessors. If you are located outside the US and choose to use the Service, you understand that your data will be transferred to and processed in the United States, which may have different data protection rules than your country.
If we later expand to serve EU/UK users, we will update this section to address GDPR transfer mechanisms and appoint a representative as required.
14. Breach Notification
In the event of a data breach that affects your personal data, we will notify you and any required regulatory authorities in accordance with applicable law (including California Civil Code §1798.82 and other applicable state breach-notification statutes). We will notify affected users without undue delay and within any legally required time frame, describing the nature of the breach, the types of data affected, steps you can take to protect yourself, and what we are doing to address the incident.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email to your account address and by posting an updated version with a new "Last updated" date. Your continued use of the Service after the effective date of the updated policy constitutes acceptance. If you do not agree, please contact us to close your account and we will delete your data per Section 7.
16. Contact and DSAR Requests
To exercise your privacy rights, ask questions, or submit a Data Subject Access Request:
- Email: support@pickerradar.com — subject line: "Privacy Request"
- Mail: Qualuxe Goods LLC, 7533 S Center View Ct, Ste R, West Jordan, UT 84084
We will acknowledge your request within 5 business days and complete it within 45 days (extendable by 45 days with notice).