Grale

Legal

Privacy Policy

Effective date:

Grale (grale.app) is operated by UV Foundry LLC, a Wyoming limited liability company (“we,” “us,” or “our”). This Privacy Policy explains what personal data we collect when you use Grale, why we collect it, and your rights over it — including rights under the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

If you have questions or want to exercise your rights, contact us at hello@grale.app.

1. Data Controller

UV Foundry LLC

Wyoming, United States

Email: hello@grale.app

UV Foundry LLC is the data controller for all personal data processed through grale.app.

2. Data We Collect

We collect only what we need to provide and improve the service.

2.1 Account Data

When you create an account we collect your email address and a hashed password (or OAuth token if you sign in via a third-party provider). Your email is used to authenticate you, send transactional messages (password resets, price alerts), and — only if you opt in — occasional product updates.

2.2 Portfolio & Watchlist Data

Cards you add to your portfolio, quantities, purchase prices, and price-alert thresholds are stored in your account. This data belongs to you; see Section 7 for export and deletion rights.

2.3 Usage & Analytics Data

We use Google Analytics 4 and Microsoft Clarity to understand how users interact with Grale. These tools may collect your IP address (anonymised), browser type, device type, pages visited, and session duration. This data is processed under a legitimate-interest basis (GDPR Art. 6 §1(f)) and helps us improve the product.

2.4 Affiliate & Click Data

When you click a link to TCGPlayer, eBay, or other marketplaces, we pass an affiliate tracking parameter so we may earn a commission on qualifying purchases. We log which card pages these clicks originate from (no personal identifier is stored alongside click logs).

2.5 Cookies & Local Storage

We use cookies for session management (Supabase auth) and analytics (Google Analytics 4, Microsoft Clarity). See our Cookie Policy for the full list.

3. How We Use Your Data

  • Provide the service: Authenticate you, display your portfolio, send price alerts.
  • Improve the service: Analyse usage patterns to fix bugs and build new features.
  • Affiliate revenue: Pass affiliate parameters when you click marketplace links.
  • Legal compliance: Respond to lawful requests and enforce our Terms of Service.

4. Third-Party Services & Sub-processors

We share data with the following sub-processors only to the extent necessary to operate the service:

ServicePurpose
SupabaseDatabase, authentication, storage
Google Analytics 4Usage analytics
Microsoft ClaritySession recording, heatmaps
TCGPlayerPrice data, affiliate commerce
eBaySold-listing data, affiliate commerce
VercelHosting & edge delivery

We do not sell your personal data to any third party.

5. Legal Bases for Processing (GDPR)

For users in the European Economic Area, our lawful bases are:

  • Contract (Art. 6 §1(b)): Processing your account data and portfolio to deliver the service you signed up for.
  • Legitimate interest (Art. 6 §1(f)): Analytics to improve the service, aggregate affiliate click tracking.
  • Legal obligation (Art. 6 §1(c)): Compliance with applicable law.

6. Data Retention

  • Account & portfolio data: Retained for as long as your account is active. Upon deletion we remove your personal data within 30 days, except where retention is required by law.
  • Analytics data: Google Analytics retains data for 14 months by default. Microsoft Clarity retains session recordings for 30 days.
  • Server logs: Access logs are retained for up to 90 days for security and debugging purposes.

7. Your Rights

Depending on where you live, you have the following rights over your personal data:

Access

Request a copy of the personal data we hold about you.

Correction

Ask us to fix inaccurate or incomplete data.

Deletion

Request erasure of your personal data ("right to be forgotten").

Portability

Receive your portfolio data in a machine-readable format (JSON or CSV).

Restriction

Ask us to pause processing while a dispute is resolved.

Objection

Object to processing based on legitimate interest.

CCPA opt-out

California residents can opt out of any sale of personal information (we do not sell data).

Withdraw consent

Where processing is based on consent, withdraw it at any time.

To exercise any of these rights, email hello@grale.app with the subject line “Privacy Request.” We will respond within 30 days (or within the timeframe required by applicable law).

EU residents also have the right to lodge a complaint with their local data protection authority.

8. International Data Transfers

Grale is operated from the United States. If you are located in the EU/EEA, your data will be transferred to and processed in the United States. Supabase and Vercel provide EU Standard Contractual Clauses (SCCs) as the transfer mechanism. Google and Microsoft participate in the EU-US Data Privacy Framework.

9. Children's Privacy

Grale is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, contact us at hello@grale.app and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes we will update the effective date at the top of this page and, where appropriate, notify registered users by email. Continued use of Grale after the effective date constitutes acceptance of the revised policy.

Questions or Privacy Requests?

Email us at any time — we aim to respond within 2 business days.

hello@grale.app