The short version

We collect what we need to run the product — your email when you sign up, the coin photos you scan, and basic web logs. We don't sell or rent your data. You can export or delete everything we hold about you from your account page.

What we collect

Account info — email address you use to sign up, and a stable internal user ID (UUID). If you sign in with Apple and choose to hide your email, we receive Apple's private relay address only.

Coin scans — the obverse / reverse photos you upload, the image-embedding vector we derive from them for catalog matching, and the candidate matches we return. Scans are associated with your user ID.

Collections and wishlist — the catalog entries you save, the optional grade / acquisition price / notes you attach, and the coins on your wishlist.

Billing info — if you subscribe to a paid tier, Stripe holds your card details on their PCI DSS Level 1 infrastructure. We see only your Stripe customer ID, subscription status, and tier. We never store full card numbers, CVVs, or bank details.

Web logs — IP address, user-agent, requested URL, HTTP status, and timestamp. Retained for 30 days for abuse / security investigation, then deleted.

Retention

Data type — How long we keep it

  • Account, collections, wishlist — Until you delete your account
  • Scan images (S3) — 365 days, then auto-deleted
  • Scan metadata + embeddings — Until you delete your account or the underlying scan
  • Billing records (Stripe + ours) — 7 years (tax / accounting requirement)
  • Web logs — 30 days
  • Deleted-account backup tail — 30 days (S3 versioning), then permanently gone

Sub-processors

We use a small set of well-known providers to run the service. Each is contractually bound to handle your data only on our instructions.

  • Amazon Web Services (US-East-2, Ohio) — hosts every part of the product: Aurora Postgres, ECS Fargate, S3 (scan images), Cognito (auth), Bedrock (vision models), and CloudFront / ALB (edge).
  • Stripe — payment processing and subscription management. They hold card details under PCI DSS Level 1; we hold only a customer ID and tier flag.
  • Cloudflare — DNS and authoritative records for numismatist.ai. They see request metadata only (IP, host header).
  • GitHub — source code hosting for the maintainers. Does not touch user data in production.

Your rights

From your account page you can:

  • Access — see every collection, wishlist item, and scan record we hold for you.
  • Export — download your collections + wishlist as CSV.
  • Delete — hit Delete Account and everything goes: account row, collections (cascade), wishlist (cascade), scan images, scan metadata. The backup tail in S3 versioning lingers up to 30 days, then it's gone.

If account-level controls don't cover what you need, email will@numismatist.ai and we'll respond within seven days.

Cookies and tracking

We use first-party cookies for sign-in sessions and CSRF protection. We don't set third-party tracking cookies, we don't run pixel trackers, and we don't share IDs with ad networks. If we later add product analytics, we'll do it with first-party-only tooling and update this section before turning it on.

Children

The service is not directed at children under 13 and we do not knowingly collect data from them. If you believe a child has created an account, email will@numismatist.ai and we'll delete it.

Security incidents

If we discover a breach affecting your data, we'll email you within 72 hours of confirming the scope. Stripe handles their own notifications for card data; we'll relay any breach they disclose to us.

Changes

We'll update the date at the top whenever this changes. For material changes — new sub-processors, new data categories, shortened retention windows — we email anyone with an active account at least 14 days before the change takes effect.

Contact

Privacy questions, data requests, or security reports: will@numismatist.ai.