Privacy Notice
Effective date: June 12, 2026
Who is responsible for your data
Unsaved Changes, LLC., operating PREGRAiDED, is the data controller for personal data described in this notice. Contact us at support@pregraided.app.
What personal data we collect
- Account data: email address, hashed password (or Google account identifier if you sign in with Google), account creation date, and last sign-in time.
- Scan content: the card photos you upload and the AI outputs we generate from them (grade, sub-scores, authenticity verdict, price estimate).
- API usage: a hashed copy of any API keys you create, the label you gave them, and per-day request counts.
- Billing data: collected directly by Stripe, our payment processor (see below). We receive only what we need to link a payment to your account: a Stripe customer or payment ID, the items purchased, and the result (succeeded, failed, refunded).
- Technical data: standard server logs (IP address, user agent, request paths, timestamps) used for security, debugging, and abuse prevention.
Why we use it and the legal basis
- To provide the service (process scans, return results, show your history) — performance of our contract with you.
- To process payments (route checkouts through Stripe, link transactions to your account, handle refunds) — performance of our contract.
- To keep the service safe (rate limiting, abuse prevention, fraud detection) — our legitimate interest in operating a secure service.
- To improve grading quality (analyse aggregate performance, train models on uploaded card photos) — our legitimate interest in improving the product. You can delete your images at any time from your account page.
- To comply with law (tax records, responding to lawful requests) — legal obligation.
Who we share it with
- Stripe (Stripe Payments Europe, Ltd. and its affiliates) — our payment processor. Stripe processes your payment, calculates and collects sales tax / VAT / GST through Stripe Tax, handles invoicing, fraud prevention, refunds, and chargebacks. See stripe.com/privacy.
- Supabase — hosts our database, authentication, and file storage. Card images and account data are stored on Supabase infrastructure.
- Lovable / Cloudflare — hosts and delivers the website and serverless backend.
- AI model providers reached through the Lovable AI Gateway, which we use to run the vision model that grades your cards. They receive the card image and a grading prompt; they do not receive your account email or identity.
- Google — only if you choose to sign in with Google.
International transfers
The providers above may process data outside your country, including in the United States and the European Union. Where required by law, transfers are protected by Standard Contractual Clauses or equivalent safeguards offered by those providers.
How long we keep it
We keep account data for as long as your account exists. Scan images and AI outputs are kept until you delete them or delete your account. Server logs are kept for up to 90 days. Stripe keeps billing records as long as required by tax law (typically 7–10 years).
Your rights
Depending on where you live, you have the right to access, correct, export, restrict, or delete your personal data, and to object to certain processing. You can:
- Delete your account and all associated data from the account page.
- Request a copy or correction of your data by emailing support@pregraided.app.
- Lodge a complaint with your local data-protection authority if you believe we have mishandled your data.
Cookies
We use only the cookies and local storage needed to keep you signed in and to operate the checkout. We do not use advertising or cross-site tracking cookies.
Children
The service is not directed to children under 13 (or under 16 in the EEA/UK). We do not knowingly collect data from children. If you believe a child has created an account, contact us and we will delete it.
Changes to this notice
We will post a new version of this notice here when it changes. The updated effective date appears at the top.