Privacy Policy
Last updated: January 28, 2026
1. Introduction
BotCollector ("we," "us," or "our") is a collectibles tracking platform operated as a sole proprietorship based in Georgia, USA. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our website and services (collectively, the "Service").
We are committed to protecting your privacy and handling your data with transparency. Although we are a US-based service, we comply with the General Data Protection Regulation (GDPR) for all users as a matter of best practice.
By using our Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with our practices, please do not use our Service.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address - Required for account creation, authentication, and communication
- Username - Your public identifier on the platform
- Password - Stored only in hashed form; we never see your actual password
- Display name - Optional personalization for your profile
- Profile picture - Optional avatar image
2.2 Collection Data
When you use our Service to track your collection, we store:
- Figure ownership status (collected, wishlist, owned previously)
- Custom collections you create
- Notes and personal observations about figures
- Package condition checklists
- Reviews and ratings you submit
2.3 User-Generated Content
If you upload images or create content:
- Figure images - Photos you upload of your figures, stored privately by default
- Public images - If you opt in, images you choose to share with the community
- Reviews - Text reviews visible to other users
- Forum posts - Community discussions (when available)
2.4 Technical Information
We automatically collect certain technical data:
- IP address - For security, rate limiting, and fraud prevention
- Browser and device information - For service optimization
- Usage data - Pages visited, features used (aggregated and anonymized)
2.5 Payment Information
For paid subscriptions, payment processing is handled entirely by Stripe. We never store, process, or have access to your credit card numbers. We only receive confirmation of successful payments and basic billing information (billing address, last four digits of card for reference).
2.6 Newsletter Subscription
If you subscribe to our newsletter, we collect:
- Email address
- Subscription preferences (frequency)
- Consent metadata (timestamp, IP address, and consent text for GDPR compliance)
3. How We Use Your Information
We use the information we collect to:
3.1 Provide Our Service
- Create and manage your account
- Enable collection tracking and management
- Process and store your uploaded images
- Display your reviews and public content
- Process subscription payments
3.2 Communicate With You
- Send account-related notifications (password resets, security alerts)
- Deliver newsletters you've subscribed to
- Respond to support inquiries
- Notify you of significant changes to our Service or policies
3.3 Improve Our Service
- Analyze usage patterns to improve features (with your consent)
- Debug issues and fix bugs
- Develop new features based on user needs
3.4 Ensure Security
- Detect and prevent fraud and abuse
- Enforce our Terms of Service
- Protect the rights and safety of our users
3.5 Display Advertising
For users on our free tier, we display advertisements through Google AdSense. With your consent, these ads may be personalized based on your interests. You can opt out of personalized advertising through our cookie preferences.
3.6 AI Figure Identification
When you use our AI figure identification feature, your uploaded image is sent to Google Cloud Vision for analysis. The image is processed in real time and is not stored or retained by Google after processing.
4. Legal Basis for Processing (GDPR)
Under the GDPR, we must have a legal basis for processing your personal data. We rely on the following:
4.1 Contract Performance
Processing necessary to provide our Service to you under our Terms of Service:
- Account creation and management
- Collection tracking functionality
- Subscription billing
- Image storage and display
4.2 Consent
Processing based on your explicit consent, which you may withdraw at any time:
- Newsletter communications
- Analytics cookies (Google Analytics)
- Advertising cookies (Google AdSense)
- Sharing your images publicly for use on figure pages
4.3 Legitimate Interest
Processing necessary for our legitimate business interests, balanced against your rights:
- Security logging and fraud prevention
- Service improvement through aggregated, anonymized analytics
- Protecting our legal rights and those of our users
4.4 Legal Obligation
Processing required to comply with applicable laws:
- Maintaining billing records for tax purposes
- Responding to valid legal requests
5. Information Sharing
We do not sell your personal information. We share data only in the following circumstances:
5.1 Service Providers
We use trusted third-party services to operate our platform. Each has a Data Processing Agreement in place:
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase | Database, authentication, storage | Account and collection data |
| Vercel | Website hosting | Request logs, IP addresses |
| Stripe | Payment processing | Billing information |
| Resend | Email delivery | Email address, email content |
| Google Analytics | Usage analytics | Anonymized usage data |
| Google AdSense | Advertising (free tier) | Cookie-based preferences |
| Google Cloud Vision | AI figure identification | Uploaded image (not retained) |
| Cloudflare | Security, bot protection | Request metadata |
5.2 Legal Requirements
We may disclose your information if required to:
- Comply with applicable laws, regulations, or legal processes
- Respond to valid government requests
- Protect the rights, property, or safety of BotCollector or our users
5.3 Business Transfers
If BotCollector is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and your choices regarding your data.
5.4 With Your Consent
If you opt in to share images publicly, those images may appear on figure detail pages to help other collectors. You will be credited as the contributor and can withdraw this consent at any time.
6. International Data Transfers
BotCollector is based in the United States. Your data may be transferred to and processed in the United States and other countries where our service providers operate.
For transfers from the European Economic Area (EEA), United Kingdom, or Switzerland, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) - Our major service providers (Google, Stripe, Vercel, Supabase) include these EU-approved contractual terms in their Data Processing Agreements
- Supplementary measures - Additional technical and organizational protections as needed
By using our Service, you acknowledge that your data may be processed in the United States with these safeguards in place.
7. Data Retention
We retain your data only as long as necessary for the purposes described:
| Data Type | Retention Period |
|---|---|
| Account data (active) | Until you delete your account |
| Account data (after deletion) | 30 days (recovery period), then permanently deleted |
| Collection data | Until account deletion |
| Uploaded images | Until you delete them or your account |
| Billing records | 7 years (tax/legal requirement) |
| Newsletter (unsubscribed) | Email kept on suppression list to prevent unwanted re-subscription |
| Security logs | 90 days |
| Analytics data | 14 months (Google Analytics default) |
| Consent records | 7 years (proof of compliance) |
8. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
8.1 Access
You can request a copy of the personal data we hold about you. Most of this is accessible directly through your account settings.
8.2 Rectification
You can update or correct inaccurate data through your profile settings, or contact us for assistance.
8.3 Erasure ("Right to be Forgotten")
You can delete your account at any time through your account settings. After a 30-day recovery period, all your data will be permanently deleted, except where we have a legal obligation to retain it.
8.4 Data Portability
You can request an export of your data in a machine-readable format (JSON). This includes your profile, collections, and other personal data.
8.5 Restriction of Processing
You can request that we limit how we use your data while we address your concerns.
8.6 Object to Processing
You can object to processing based on legitimate interests. We will stop unless we have compelling legitimate grounds.
8.7 Withdraw Consent
Where we rely on consent, you can withdraw it at any time through your privacy settings or by contacting us. This includes:
- Newsletter - Unsubscribe link in any email, or privacy settings
- Analytics/Advertising cookies - Cookie preferences in footer
- Public image sharing - Image settings in your profile
8.8 Exercising Your Rights
To exercise any of these rights, you can use the self-service options in your account settings or contact us at privacy@botcollector.app. We will respond within 30 days (or 90 days for complex requests, with notice).
We may need to verify your identity before processing requests. We will not charge a fee unless requests are manifestly unfounded or excessive.
8.9 Right to Lodge a Complaint
If you believe we have violated your privacy rights, you have the right to lodge a complaint with your local data protection authority. For EEA residents, you can find your authority at edpb.europa.eu.
10. Children's Privacy
BotCollector is intended for users who are at least 13 years old. We do not knowingly collect personal information from children under 13.
During registration, users must confirm they are at least 13 years old. If we discover we have collected data from a child under 13, we will:
- Immediately suspend the account
- Attempt to notify the parent or guardian
- Delete all associated data within 48 hours
If you believe we have inadvertently collected data from a child under 13, please contact us immediately at privacy@botcollector.app.
11. Security
We implement appropriate technical and organizational measures to protect your personal data:
- Encryption in transit - All data transmitted over HTTPS with TLS 1.3
- Encryption at rest - Database and file storage encrypted
- Password security - Passwords hashed with bcrypt; we never store plaintext
- Access controls - Row-level security ensures you can only access your own data
- Regular monitoring - Automated security monitoring and logging
- Content moderation - Uploaded images are scanned for inappropriate content
While we strive to protect your data, no method of transmission or storage is 100% secure. If you discover a security vulnerability, please report it to privacy@botcollector.app.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes:
- We will update the "Last updated" date at the top
- We will notify you via email or a prominent notice on our Service
- For significant changes affecting your rights, we may request renewed consent
We encourage you to review this policy periodically. Your continued use of the Service after changes constitutes acceptance of the updated policy.
13. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
BotCollector
Email: privacy@botcollector.app
Location: Georgia, USA
We aim to respond to all privacy inquiries within 30 days.