The short version
We collect what we need to run the product — your email when you sign up, the coin photos you scan, and basic web logs. We don't sell or rent your data. You can export or delete everything we hold about you from your account page.
What we collect
Account info — email address you use to sign up, and a stable internal user ID (UUID). If you sign in with Apple and choose to hide your email, we receive Apple's private relay address only.
Coin scans — the obverse / reverse photos you upload, the image-embedding vector we derive from them for catalog matching, and the candidate matches we return. Scans are associated with your user ID.
Collections and wishlist — the catalog entries you save, the optional grade / acquisition price / notes you attach, and the coins on your wishlist.
Billing info — if you subscribe to a paid tier, Stripe holds your card details on their PCI DSS Level 1 infrastructure. We see only your Stripe customer ID, subscription status, and tier. We never store full card numbers, CVVs, or bank details.
Web logs — IP address, user-agent, requested URL, HTTP status, and timestamp. Retained for 30 days for abuse / security investigation, then deleted.
Retention
| Data type | How long we keep it |
|---|---|
| Account, collections, wishlist | Until you delete your account |
| Scan images (S3) | 365 days, then auto-deleted |
| Scan metadata + embeddings | Until you delete your account or the underlying scan |
| Billing records (Stripe + ours) | 7 years (tax / accounting requirement) |
| Web logs | 30 days |
| Deleted-account backup tail | 30 days (S3 versioning), then permanently gone |
Sub-processors
We use a small set of well-known providers to run the service. Each is contractually bound to handle your data only on our instructions.
- Amazon Web Services (US-East-2, Ohio) — hosts every part of the product: Aurora Postgres, ECS Fargate, S3 (scan images), Cognito (auth), Bedrock (vision models), and CloudFront / ALB (edge).
- Stripe — payment processing and subscription management. They hold card details under PCI-DSS Level 1; we hold only a customer ID and tier flag.
- Cloudflare — DNS and authoritative records for numismatist.ai. They see request metadata only (IP, host header).
- GitHub — source code hosting for the maintainers. Does not touch user data in production.
Your rights
From your account page you can:
- Access — see every collection, wishlist item, and scan record we hold for you.
- Export — download your collections + wishlist as CSV.
- Delete — hit Delete Account and everything goes: account row, collections (cascade), wishlist (cascade), scan images, scan metadata. The backup tail in S3 versioning lingers up to 30 days, then it's gone.
If account-level controls don't cover what you need, email will@numismatist.ai and we'll respond within seven days.
Cookies and tracking
We use first-party cookies for sign-in sessions and CSRF protection. We don't set third-party tracking cookies, we don't run pixel trackers, and we don't share IDs with ad networks. If we later add product analytics, we'll do it with first-party-only tooling and update this section before turning it on.
Children
The service is not directed at children under 13 and we do not knowingly collect data from them. If you believe a child has created an account, email will@numismatist.ai and we'll delete it.
Security incidents
If we discover a breach affecting your data, we'll email you within 72 hours of confirming the scope. Stripe handles their own notifications for card data; we'll relay any breach they disclose to us.
Changes
We'll update the date at the top whenever this changes. For material changes — new sub-processors, new data categories, shortened retention windows — we email anyone with an active account at least 14 days before the change takes effect.
Contact
Privacy questions, data requests, or security reports: will@numismatist.ai.