Privacy Policy
Effective date: April 29, 2026 · Last updated: April 29, 2026
This policy describes how PriceScout ("we", "us") collects, uses, and shares information when you use our websites, scanner apps, and related services. Plain English first — statutory headings follow where helpful.
What we collect
- Account credentials. Email address and a password hash (bcrypt, cost factor 10). We do not store passwords in plain text.
- Tenant metadata. Store or organization display name, brand color choices, subscription status, and identifiers we need to tie your workspace to billing.
- Scan records. Structured results from a scan — for example identified title or category hints, comp (comparable resale) price signals, verdict, scan time, device identifier, and related operational fields. Raw camera images are not kept as a long-term archive by default — see the next section.
- Device install records. A device or install fingerprint and last-seen timestamps so we can enforce fair per-tenant device limits and troubleshoot reliability.
What we do not collect
- We do not retain raw scan photos indefinitely as a catalog of donor imagery. Photos may be sent to a vision model provider solely to produce identification outputs; retention beyond short-lived processing queues requires an explicit future product control if we ever ship one.
- We do not collect GPS location — camera permission may be requested for scanning; there is no continuous location tracking product surface today.
- We do not pull contacts, SMS, call logs, or browsing history from phones or desktops running our apps.
- We do not sell personal information "for money" in the common California sense — see Your rights below for opt-out language anyway.
Third parties & data flows
Depending on features you enable and keys configured by your tenant administrator, information may flow to subprocessors including:
- Vision model providers (for example Anthropic or OpenRouter-backed models) receive ephemeral image + compact text prompts needed for identification — only what is required for that single inference.
- Stripe handles payment instruments — when Checkout is enabled we typically store the Stripe customer ID and subscription status from Stripe webhooks, not full card numbers.
- Comparable-sales APIs such as Keepa or eBay Browse receive query strings derived from identification — no intentional inclusion of donor names or unrelated personal identifiers.
- Transactional email vendors when outbound mail is activated — operational notices only unless you opt into marketing toggles later.
Cookies & similar technologies
We use strictly necessary cookies where applicable — for example signed session cookies for authenticated browser sessions (ps_session-style naming may evolve). Stripe Checkout may place its own fraud-prevention cookies during checkout — governed by Stripe's policies when those flows are enabled.
Your rights (GDPR & CCPA-style)
Depending on jurisdiction you may request access, correction, deletion, portability, or restriction — including opting out of sale/share where applicable. Authenticated self-service portals ship over time; until then email hello@pricescout.pro with the subject line "Privacy request" and enough context to locate your tenant. We respond within statutory timelines that apply.
Retention
Structured scan metadata defaults to roughly twelve months rolling retention for operational analytics unless a longer retention product control exists for your workspace. Backups follow a standard rolling window — ask for deletion timelines if you require a tighter window for compliance.
Security
We use TLS in transit for web properties, bcrypt for password hashes, the principle of least privilege for operational access, and vendor reviews aligned to common SaaS practices. No security program is perfect — if we learn of a breach that likely affects personal data we will notify affected tenants as required by law.
Children
PriceScout is not directed at children under 13 — nonprofit resale crews should administer accounts for adults responsible for pricing floor decisions. If you believe we processed a child's personal information inadvertently, email hello@pricescout.pro.
International transfers
Infrastructure may span regions — where GDPR applies we rely on appropriate safeguards for transfers outside the EEA/UK such as Standard Contractual Clauses combined with vendor diligence.
Changes
We update this policy when practices materially change — revised versions ship here with the effective date above; continued use after updates constitutes acceptance unless prohibited by law.
Contact
Privacy questions or regulator-grade correspondence: hello@pricescout.pro.