Privacy Policy
Last updated: June 22, 2026
This Privacy Policy explains how GrailNest (“we,” “us”) collects, uses, and shares personal data when you use the GrailNest website and services (the “Service”). For users in the European Economic Area (EEA) and the United Kingdom, GrailNest is the “data controller” of your personal data.
1. Data We Collect
| Category | Examples |
|---|---|
| Account data | Email address, username, password (hashed), email-verification status. |
| Profile data | Display name, bio, avatar image, location/region, collector categories, privacy preferences. |
| Collection data | Items you catalog (title, brand, franchise, condition, purchase price, notes), uploaded photos, grails, hunts, trade interests. |
| Usage & device data | Pages viewed, actions taken, approximate location from IP, browser and device type, log data. |
| Cookies | Session and authentication cookies, and analytics cookies (see “Cookies” below). |
| Payment data | If you subscribe, billing details are processed by our payment processor; we do not store full card numbers. |
You control how much collection data is public via your shelf and profile privacy settings (public, followers-only, or private).
2. How We Use Data
- To create and operate your account and Digital Shelf;
- To provide core features: collection tracking, grails, hunts, drop and store alerts, trades, and gamification;
- To send transactional and alert emails (e.g., grail matches, drop notifications, account notices);
- To process subscriptions and payments;
- To secure the Service, prevent fraud and abuse, and enforce our Terms;
- To analyze and improve the Service; and
- To comply with legal obligations.
3. Legal Bases (EEA/UK)
We rely on: performance of a contract (to provide the Service you request); legitimate interests (to secure, analyze, and improve the Service); consent (for non-essential cookies and certain marketing, which you may withdraw at any time); and legal obligation (to meet our legal duties).
4. How We Share Data
We do not sell your personal data. We share it only:
- Publicly, at your direction — content you mark public (e.g., your shelf, featured items, display name) is visible to others.
- With service providers (sub-processors) who process data on our behalf under contract — see the Data Processing Addendum for the current list (hosting, image storage, email delivery, payments, analytics).
- For legal reasons — to comply with law, enforce our Terms, or protect rights, safety, and security.
- In a business transfer — as part of a merger, acquisition, or sale of assets, subject to this Policy.
Note: product, price, and availability information shown in discovery is aggregated from public store catalogs and third-party marketplaces (such as the eBay Browse API) and is not your personal data.
5. Cookies & Analytics
We use strictly necessary cookies for authentication and security, and—subject to your consent where required—analytics tools (such as Plausible or PostHog) to understand usage. You can control cookies through your browser settings; disabling essential cookies may break parts of the Service.
6. Data Retention
We keep your data for as long as your account is active and as needed to provide the Service. When you delete your account, we delete or anonymize your personal data within a reasonable period, except where we must retain certain records to comply with legal, tax, accounting, or security obligations, or to resolve disputes.
7. Your Rights
Depending on your location, you may have the right to access, correct, delete, port, or restrict processing of your personal data, to object to certain processing, and to withdraw consent. EEA/UK users may lodge a complaint with their supervisory authority. California residents have rights under the CCPA/CPRA, including the right to know, delete, correct, and opt out of “sharing” for cross-context behavioral advertising (we do not sell personal data). To exercise any right, contact privacy@grailnest.com; we may need to verify your identity.
8. International Transfers
We may process and store data in the United States and other countries. Where we transfer EEA/UK personal data internationally, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses.
9. Security
We use technical and organizational measures—including encryption in transit, hashed passwords, access controls, and least-privilege practices—to protect your data. No system is perfectly secure, and we cannot guarantee absolute security.
10. Children
The Service is not directed to children under 16, and we do not knowingly collect their data. If you believe a child has provided us personal data, contact us and we will delete it.
11. Changes
We may update this Policy. We will notify you of material changes in-product or by email. The “Last updated” date above reflects the latest version.
12. Contact
For privacy questions or requests, contact our privacy team at privacy@grailnest.com.
Data controller: GrailNest, [LEGAL ENTITY NAME], [REGISTERED ADDRESS].