Privacy Policy

Last updated: July 2026

This policy describes what CollectibleIQ actually collects and stores, in plain language. If something here is unclear or looks wrong, email us and we will fix it.

1. What we collect

Account information. Email address, and anything you choose to add to your profile: display name, first and last name, username, phone number, and avatar. Sign-in is handled by Supabase Auth, using either Google sign-in or email and password.

Collection and inventory data. The items you track (cards and other collectibles), their details, photos you upload, purchase and sale transactions, valuations, tags, watchlists, listings, and CSV files you import. This includes financial data you enter, like what you paid and what you sold for.

eBay data. If you connect an eBay account, we store data from eBay on your behalf. Section 2 covers this in detail.

Payment information. Billing is handled by Stripe. We store your Stripe customer and subscription IDs so we know what plan you are on. We never see or store your card number.

Usage and diagnostics. If you accept the analytics banner, we collect product analytics through PostHog: which features you use, page views, and your account profile (email, display name, plan, item count). PostHog may also record a small sample of sessions for debugging, with all input fields masked. We also use Sentry for error reporting; error reports are scrubbed of emails, tokens, and keys before they are sent. If you decline the banner, analytics and session recording stay off.

Email delivery records. When we send you an email (welcome, digest, import complete), we log the address, subject, template, and delivery status so we can debug delivery problems and honor opt-outs.

2. The eBay integration

Connecting your eBay account is optional. If you connect, here is exactly what happens:

  • OAuth tokens. We store the access and refresh tokens eBay issues for your account, encrypted at rest with AES-256-GCM, along with your eBay user ID and the exact scopes you granted. We use these tokens only to make eBay API calls on your behalf.
  • Scopes. We request sell.inventory (create and manage your listings), sell.fulfillment (read your sold orders), sell.account (read your business policies), and sell.finances (read payouts and final fees so your P&L is accurate).
  • Order data.We sync your sold orders, including sale amounts, fees, payouts, refunds, tracking numbers, and the buyer's ship-to name and address. Buyer information is used only to show you your orders and help you fulfill them. We do not contact buyers, market to them, or sell their information to anyone.
  • Listing and policy data. Your listings, listing defaults, and the names of your eBay business policies.
  • Disconnecting. You can disconnect eBay at any time from Settings, which removes your tokens. Synced order and sale records remain in your account because they are part of your financial history; deleting your account removes them.
  • eBay account deletion notices.We subscribe to eBay's marketplace account deletion notifications. When eBay tells us a user has closed their eBay account, we record the notice and remove the matching eBay connection data (eBay user ID, tokens, connection metadata) from any linked CollectibleIQ profile.

We also read public eBay listing data (through eBay's Browse API) to power market prices and comps. That is public marketplace data, not data about you.

3. How we use your information

  • Provide the service: track your collection and inventory, list to eBay, sync sales
  • Calculate cost basis, P&L, and generate reports
  • Send transactional emails (welcome, import complete, trial reminders)
  • Send optional weekly digest emails (you can opt out in Settings)
  • Process payments and manage subscriptions
  • Understand what features get used so we can improve the product
  • Respond to support requests

We do not sell your personal data, and we do not sell or share the buyer data that comes through your eBay orders.

4. Photos and AI processing

When you use auto-crop or photo identification, the photo you upload is processed by third-party AI services: Anthropic (image understanding) and Replicate (image segmentation models). Only the image is sent, not your account information.

Card photos are stored in a public storage bucket, which means anyone with a photo's direct URL can view it. Do not upload photos you consider private. Import files (CSVs) are stored in a private bucket.

5. Third-party services

We use the following services to operate CollectibleIQ:

  • Supabase — authentication, database, and file storage
  • Vercel — application hosting and CDN
  • Stripe — payment processing and subscription management, subject to Stripe's privacy policy
  • Resend — transactional email delivery
  • Sentry — error tracking and diagnostics
  • PostHog — product analytics (only after you accept the analytics banner)
  • eBay APIs — listing, order sync, and market data when you connect an eBay account
  • Anthropic and Replicate — AI image processing when you use photo features

6. Cookies and analytics consent

We use essential cookies to keep you signed in. Analytics (PostHog) and session recording (PostHog and Sentry replay) only run if you accept the consent banner, and you can decline it with no loss of functionality. We do not use advertising cookies.

7. Data storage and security

Your data lives in Supabase's PostgreSQL database with row-level security, so your records are only readable by your account. Data is encrypted in transit (TLS) and at rest by our infrastructure providers. eBay OAuth tokens get an additional layer of application-level encryption (AES-256-GCM) before they are stored.

8. Data retention

We keep your data for as long as your account exists. We do not currently run time-based purges of older records; your transaction history is your financial record and we keep it until you delete it or your account. Email delivery logs and eBay deletion notices are kept for operational and compliance records. Analytics data at PostHog and error data at Sentry are retained under those vendors' standard retention policies.

9. Deleting your data

You can delete your account from Settings. Deletion runs immediately: we cancel any active Stripe subscription, delete your database records (profile, items, transactions, eBay orders, imports, and the rest), and delete your login. This is permanent and cannot be undone.

One honest caveat: photos and import files you uploaded to storage are not yet purged automatically as part of account deletion. If you want them removed, email us after deleting your account and we will remove them.

10. Your rights

  • Access your data at any time through the app
  • Export your data via CSV exports in reports
  • Delete your account and associated data from Settings
  • Opt out of non-essential emails from Settings, and decline analytics via the consent banner

For California residents (CCPA) and EU residents (GDPR): we honor requests to access, correct, or delete personal information. Contact us at the email below.

11. Children's privacy

CollectibleIQ is not intended for use by individuals under the age of 13. We do not knowingly collect data from children.

12. Changes to this policy

We may update this policy from time to time. We will notify you of material changes via email or in-app notification. The “Last updated” date at the top indicates the most recent revision.

13. Contact

For privacy questions or data requests, contact us at hello@collectibleiq.com.