Privacy Policy
AuraGrade is built by collectors who hate black boxes. This policy explains exactly what we collect, where it lives, and how long we keep it. If anything here is unclear, email support@auragrade.com and we will rewrite the section.
1. What we collect
We collect three things and only three things. (a) Your email address, used for account login and transactional notifications such as scan-completion and receipts. (b) The card images you upload for grading — front, back, and any guided-capture frames the QC gate accepts. (c) Payment information, which is collected and stored exclusively by Stripe. We never see or store your card number, CVC, or full billing address. We also store derived data: the grading scores, defect bounding boxes, and confidence bands produced from your images. None of it is linked to advertising identifiers.
2. Where it is stored
Account records and grading reports live in Supabase Postgres, hosted in the AWS us-east region. Image evidence is stored in Supabase Storage with encryption at rest (AES-256). Payment data is stored by Stripe under their PCI-DSS Level 1 attestation. All transit between your device, our servers, and our processors is TLS 1.2+.
3. How long we keep it
Card images are retained according to your account tier (detailed below), alongside the score, defect bounding boxes, and report text — your full history is always available from My Grades. You can permanently wipe any individual report from Settings → Security at any time, which removes the database row and the associated image objects. Account deletion is honored immediately when requested from Settings → Security; this hard-deletes your profile, every grading report row, and every image object you uploaded.
Two exceptions: (a) records we are legally required to retain (tax invoices: up to 7 years per applicable jurisdiction); (b) two narrow anti-fraud fingerprints kept for 365 days from account closure, then automatically purged: (i) a one-way SHA-256 hash of your normalized email address, and (ii) where you signed in via Google or another OAuth provider, the provider-issued subject identifier (an opaque ID, e.g. Google `sub`) paired with the provider name. Neither value can be reversed to your email address, and after account deletion neither is linked to any other personal data. Purpose: prevent abuse of the one-free-scan credit via repeat sign-ups. Legal basis: GDPR Art. 6(1)(f) — legitimate interest in fraud prevention; we have conducted a balancing test and consider the intrusion minimal because the data is hashed/opaque, segregated, and time-limited. You may object to this processing under GDPR Art. 21 by emailing support@auragrade.com; we will consider each request on its merits and will only continue processing where we can demonstrate compelling legitimate grounds that override your interests (typically: a documented prior abuse pattern on the account).
Free-tier accounts may be subject to automatic background pruning of image data older than 12 months once we activate the policy; we will give 30 days' notice here before the first pruning run.
Pro Monthly and Pro Yearly subscribers receive the Aura Vault perk — their original card images and grading reports are exempt from auto-pruning for the lifetime of the subscription; if the subscription lapses, the prior images become eligible for the 12-month pruning policy from the lapse date forward.
4. Who we share with
We do not sell your data or share it for cross-context behavioural advertising (CCPA/CPRA §1798.140 definitions). We use only the service-delivery sub-processors required to operate the product: Supabase (database and storage), Stripe (payments), Anthropic (Claude is used for vision-based defect identification and human-readable narrative), and Cloudflare (CDN + bot defence via Turnstile). Images sent to Anthropic travel over TLS, are retained for up to 7 days per Anthropic's standard API logging policy (Sept 2025), and are not used to train Anthropic's models per their Commercial Terms. We do not share data with advertising networks, data brokers, or analytics vendors that resell behavioural profiles.
5. Your rights
You can export every report, image URL, and profile field as JSON from Settings → Security → Export my data. You can permanently delete your account from the same screen — this is a hard delete, not a soft archive. If you prefer not to use the service at all, simply close this tab; we never collect data from non-users. EU and UK residents have additional GDPR rights including rectification and portability — email support@auragrade.com and we will respond within 30 days.
7. International data transfers
AuraGrade's servers and processors are located in the United States. If you access the service from the European Economic Area, the United Kingdom, Switzerland, or other regions with data-export restrictions, your personal data will be transferred to and processed in the US. Our processors (Supabase, Stripe, Anthropic, Cloudflare) all rely on Standard Contractual Clauses (SCCs) or equivalent safeguards approved by the European Commission for these transfers. We do not transfer data to jurisdictions without recognised adequacy or contractual safeguards.
8. Automated decisions and AI
The core AuraGrade product is an automated decision: an AI vision model identifies defects in your card images and a deterministic rubric translates those defects into a four-axis score and a PSA-equivalent prediction. This is not a legally significant decision (we do not determine credit, employment, housing, or insurance eligibility) but you have the right to request a human review of any specific report you believe is inaccurate. Email support@auragrade.com with the report ID and a brief description; we respond within 2 business days. EU/UK residents can additionally request that we restrict the automated processing of their personal data under GDPR Art. 22.
9. Children
AuraGrade is intended for adults 18 and older. We do not knowingly collect personal data from anyone under 18 and the service is not directed to minors. If you believe a minor has created an account, email support@auragrade.com and we will delete the account and any associated data. This 18+ position aligns with our Terms of Service §3 (account eligibility).
10. California (CCPA / CPRA)
California residents have rights under the CCPA / CPRA including the right to know what personal information we collect, the right to delete it, the right to correct it, and the right to opt out of "sale" or "sharing" of personal information. We do not sell personal information and we do not share it for cross-context behavioural advertising. We have no "Do Not Sell" mechanism to offer because there is nothing to opt out of. You can exercise your CCPA rights from Settings → Security (export and delete) or by emailing support@auragrade.com. We will not discriminate against you for exercising any CCPA right.
11. EU / UK supervisory authority
If you are a resident of the EU, the UK, or Switzerland and believe our handling of your personal data violates applicable law, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EU authorities is available at edpb.europa.eu/about-edpb/board/members_en; UK residents can contact the Information Commissioner's Office at ico.org.uk; Swiss residents can contact the FDPIC at edoeb.admin.ch. We encourage you to email support@auragrade.com first so we can attempt to resolve the issue directly.
12. Contact
Questions, complaints, or data requests: support@auragrade.com. We respond within two business days.