Privacy Policy

We collect three categories of information:

(a) Information you provide. Email address (for account creation and one-time-code sign-in), billing details (handled by Stripe — we never see your card number), card photos you upload, card metadata (name, set, notes you add), and submission outcomes you log to fuel our public accuracy stats.

(b) Information collected automatically. Standard web telemetry (IP address, browser type, device, pages visited, referrer), session cookies for authentication, and aggregated usage events (e.g., grade started/completed) with token-count metrics for cost monitoring. We do not currently use third-party marketing or ad-targeting cookies.

(c) Information from connected services. If you sign in with Google OAuth, we receive your email address and Google account ID. We do not receive your password.

We use this information to:

• Provide and operate the Service (run AI grading, save your portfolio, send sign-in codes).
• Process payments and prevent fraud (via Stripe).
• Compute your usage against tier limits.
• Improve model accuracy in aggregate. Card images and predicted grades may be used to evaluate model quality at the de-identified, statistical level. We do not use individual user data to train third-party AI models.
• Send transactional email (sign-in codes, billing receipts, submission tracker reminders). Marketing email is opt-in only.
• Comply with legal obligations and respond to lawful requests.

We rely on a small set of trusted infrastructure providers to run the Service. Each is contractually bound to protect your data:

• Vercel Inc. (USA) — application hosting, edge network, deployment.
• Supabase Inc. (USA, EU regions) — authentication and Postgres database (user records, grades, portfolio, submission history).
• Anthropic PBC(USA) — large language model inference for grading and report Q&A. Per Anthropic's zero-data-retention enterprise terms, prompts and outputs are not used to train their models.
• Stripe Inc. (USA) — payment processing. Stripe sees billing details; we do not.
• eBay Inc. (USA) — when sold-comps are queried; queries include card name and set, not personal data.

We do not sell or rent your personal information to advertisers or data brokers.

Free tier: Uploaded card photos are processed to return a grade and are not stored on our servers. Your local browser history of past grades is stored in your browser only (usinglocalStorage) and never leaves your device.

Paid tiers: Card photos and grade reports are stored against your account so the portfolio, share-link, and outcome-tracking features work. You may delete any record from your portfolio at any time; deletion is permanent within 30 days.

Public share links: When you click "Share" on a report, the report becomes publicly accessible at a URL containing a random identifier. Anyone with the URL can view it. You may revoke a share link from your portfolio.

We use cookies for authentication (set by Supabase) and optionally for analytics (if you opt in). See our Cookie Policy for the full list and how to opt out.

Depending on your jurisdiction (GDPR/UK GDPR, CCPA, and similar frameworks), you may have rights to:

• Access the personal data we hold about you.
• Correct inaccurate data.
• Delete your data ("right to be forgotten").
• Export your data in a portable format (CSV/JSON).
• Object to certain processing.
• Withdraw consent for optional processing at any time.

You can delete your account and all associated data from your portfolio settings, or by emailing hi@slabscope.com. Account deletion is processed within 30 days. You can request a data export through the same channel; we aim to respond within 30 days.

Account data and portfolio records are retained while your account is active. After deletion, records are removed from primary storage within 30 days; backups are purged within 90 days. Anonymized aggregate statistics (e.g., model accuracy by grader) may be retained indefinitely for the public /accuracy page; these contain no personal identifiers.

Data is encrypted in transit (TLS 1.2+) and at rest (provided by Supabase and Vercel). Authentication uses one-time codes and OAuth; we do not store passwords. Database access is restricted to a small number of operational staff and is logged.

No system is perfectly secure. If we become aware of a breach affecting your data, we will notify you within 72 hours of confirmation, in accordance with applicable law.

The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with such information, contact hi@slabscope.com and we will delete it.

Slabscope is operated from the United Kingdom. Several of our sub-processors are located in the United States or other regions outside the UK/EEA. Where personal data is transferred outside the UK, we rely on lawful transfer mechanisms recognised under the UK GDPR — typically the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, or transfers to providers covered by an adequacy decision (such as the UK Extension to the EU–US Data Privacy Framework).

You can request a copy of the safeguards we rely on by emailing hi@slabscope.com.

If you are based in the UK or EEA, your personal data is processed in accordance with the UK GDPR and (where applicable) the EU GDPR. Slabscope is the data controller for your account information.

The legal bases on which we process your data are:

• Performance of a contract — to provide the Service you signed up for.
• Legitimate interests — to operate the Service securely, prevent fraud and abuse, and improve model accuracy in aggregate.
• Consent — for optional marketing communications, non-essential cookies, and any feature you explicitly opt in to.
• Legal obligation — where required to comply with UK or EU law.

If you believe your data has been mishandled, you may complain to the Information Commissioner's Office (ICO) at ico.org.uk. We'd appreciate the chance to address your concerns first — email us at hi@slabscope.com.

We may update this policy. Material changes will be communicated by email (to account holders) or via a notice on the site at least 14 days before taking effect. Continued use of the Service after the effective date constitutes acceptance.

Privacy questions, deletion requests, or data subject access requests: hi@slabscope.com.