Privacy Policy

1. Our Privacy Philosophy

CollectorOps is built to serve you, not advertisers. We adhere to a "Privacy-by-Design" philosophy. This means your private valuation data, portfolio growth analytics, and personal insurance documentation are intentionally siloed, are not indexable by public search engines, and are never shared for commercial speculation.

2. Information We Collect

• Identity & Account Data: When registering via Google or email, we securely store your email, name, and basic profile identifiers.
• Portfolio & Asset Data: We host the data you explicitly input to manage your collection. This includes item metadata, purchase cost basis, condition logs, appraisal documents, and structural notes.
• Image & Documentation Assets: We securely store image assets and receipts you upload as part of your permanent asset record for insurance readiness.
• Usage & Technical Metadata: To ensure platform stability and security, our infrastructure processes connection metadata (such as IP addresses) as required by our secure cloud service providers.
• Platform Analytics: To constantly improve the collector experience, we use tools like Google Analytics to understand traffic patterns and feature usage in aggregate (anonymized/pseudonymized).
• Push Notification Tokens: If you explicitly opt-in to receive portfolio alerts, we securely store your device-specific notification token (FCM token) in your profile to strictly deliver requested updates.

3. Data Usage & Transparency

We use your information exclusively to fulfill the services defined in our Terms of Use, including securing your digital inventory, facilitating AI-based market valuation contextualization, and generating exportable reports. We do not sell your personal information, nor do we build secondary databases from your portfolio data to market to third parties.

4. Trusted Data Processors

• Google Firebase: Acts as our secure infrastructure for database (Firestore), file storage (Storage), and identity management (Auth). All data is governed by hardened access rules.
• Google AI (Gemini): Occasionally, we utilize secure API calls to Gemini to process image feature extraction (e.g., brand recognition, automated category/year tagging). Only relevant image fragments are sent; none of your portfolio data is used to train Google's models.
• Google Analytics: Employed to provide anonymized insights into platform performance and user engagement.

5. Data Security & Storage

Your security is non-negotiable. Our production architecture leverages industry-leading infrastructure to encrypt data in transit and at rest. Access to your personal data is restricted by rigorous server-side database rules that enforce strict identity boundaries: you can only ever access data that belongs specifically to your user account.

6. Your Rights Under GDPR (General Data Protection Regulation)

If you are a resident of the European Economic Area (EEA), you enjoy comprehensive data protection protections under the GDPR. We ensure and facilitate the execution of the following rights:

• Right of Access (Article 15): You can request a clear report detailing the personal data and portfolio metadata we process on your behalf.
• Right to Rectification (Article 16): You can instantly update, edit, and correct any piece of information inside your collector dashboard.
• Right to Erasure / "Right to be Forgotten" (Article 17): You can delete individual items directly, or make a secure request to permanently purge your entire account, authentication records, and secure uploads from all services.
• Right to Restriction & Objection (Articles 18 & 21): You have the right to limit the scope of how we process your statistics or object to anonymous tracking (such as disabling GA cookies in your browser settings).
• Right to Data Portability (Article 20): You have the right to receive or export your structured portfolio lists in a readable format.
• Right to Lodge a Complaint (Article 77): Independent of our support channels, you retain the legal right to lodge a formal complaint with a European Data Protection Authority (DPA) regarding our processing activities.

7. Lawful Bases for Processing Data

Under GDPR, we process your personal and portfolio data only when we have a valid legal justification:

• Contractual Necessity: Required to establish your private portfolio account, render interactive pricing widgets, and manage your asset inventory.
• Legitimate Interests: Necessary to ensure security safeguards across our services, block malicious actions, analyze aggregated usage through Google Analytics, and maintain global system stability.
• Explicit Consent: Applied when you explicitly request AI scans, optional automated metadata fills for visual documents, or opt-in to browser-based push notifications.

8. Executing GDPR Rights Safely (Zero Email Outreach Setup)

To prevent security exposures, identity theft, unsolicited spam harvesting, and phishing risks, CollectorOps has adopted a strict Zero Public Email Outreach policy. We do not provide or monitor any public or unauthenticated email addresses for privacy or access inquiries.

Instead, all verification and processing of Data Subject Requests under GDPR are handled exclusively through our internal, authenticated support ticketing environment. This design serves as a robust defense against social engineering: because you must be logged in to file a security or privacy request, we can confidently authenticate your identity before performing sensitive procedures (such as exporting or permanently destroying a collection's record history).

To exercise any of your rights or ask questions, simply log into your CollectorOps account, select the Support navigation tab inside the client layout, and open a ticket. Our administrative staff will handle your verified inquiry securely and respond within the statutory 30-day timeframe.