Privacy Policy
Version 1.0 · Last updated July 2026
Grade Haus holds financial portfolio data, so we treat privacy seriously. This policy explains what we collect, why we collect it, how we store it, and your rights.
What we collect
- Account data: name, email, password hash (never the plain password), Google sign-in token if used.
- Portfolio data: card names, purchase prices and dates, grades, quantities, notes.
- Behavioral data: login timestamps and features used, for product improvement only.
- Payment data: handled entirely by Stripe. We never store card numbers — only your Stripe customer ID and subscription status.
- Uploaded files: spreadsheet imports are processed and then discarded.
How we use it
To provide the service (tracking, alerts), to send transactional emails (alerts, receipts, password resets), and to improve the product using aggregated, anonymized data only. We do not sell your data, share your portfolio with third parties, or use it for advertising.
Third-party services
- Stripe — payment processing.
- Railway — hosting and database.
- Resend — transactional email delivery.
- pokemontcg.io / market sources — public card and price data (no user data sent).
- Anthropic — AI features (Elite tier only); conversation content is sent to generate responses.
Your rights
You can export all your data at any time, edit or delete any entry, and delete your account and all associated data (processed within 30 days). Exports are in standard Excel and JSON formats. California (CCPA) and EU/UK (GDPR) residents' export and deletion rights are satisfied by these tools; contact privacy@gradehaus.com for any request.
Security
Data is encrypted in transit (HTTPS) and at rest. Passwords are stored as bcrypt hashes — our staff cannot see your password. In the event of a data breach, affected users will be notified within 72 hours.
Retention
Active-account data is kept while your account is active. After deletion, personal data is removed within 30 days. Billing records are retained as required for tax/legal compliance; server logs are kept for 90 days.
Contact: privacy@gradehaus.com. This document is a plain-language starting point and will be reviewed by counsel before general availability.