Privacy Policy

1. Information We Collect

Account & subscription

• Account data: email address and password (stored hashed) when you create an account
• Subscription data: email address and billing status when you subscribe to a paid plan
• Vendor / lab account data: business name, contact email, and domain when you claim or manage a vendor or laboratory profile

Content you upload

• Certificates of Analysis & documents: files you upload to publish a COA or to scan a COA, including any information contained in those files. Files may be retained to provide the service and to improve detection. See our Terms for the license you grant over uploaded content, and our Takedown Policy to request removal.

Collected automatically

• IP address (used for rate limiting and security)
• Browser type and device information
• Pages visited and referral source

Payment information

Payment card information is collected and processed directly by Stripe. We never see, store, or have access to your full card number. See Stripe’s Privacy Policy.

2. How We Use Your Information

• Provide account access and paid subscription features
• Store, analyze, and (where applicable) publish COAs and related data
• Compute and display trust scores and price comparisons
• Send transactional emails (account, billing, alerts)
• Prevent fraud and abuse, and enforce rate limits
• Verify the identity signals of vendors and laboratories
• Improve the platform and our detection methods
• Comply with legal obligations

3. We Do Not Sell Your Data

We do not sell, rent, or trade your personal information to third parties.

4. Subprocessors & Third-Party Services

We share data with the following service providers only as needed to operate the platform:

• Vercel — hosting and edge delivery (processes web requests)
• Neon — managed database hosting (stores account and platform data)
• Cloudflare R2 — object storage and CDN (stores uploaded COA files and images)
• Stripe — payment and subscription processing (receives email, card info, amount)
• Anthropic (Claude) — automated extraction and analysis of COA documents
• Resend — email delivery (receives email addresses for transactional email)
• Twilio — phone-number lookup used to verify vendor identity signals
• Google Places — address verification used to verify vendor identity signals

We also query public domain-registration data (RDAP/WHOIS) to assess vendor identity signals.

5. Cookies

We use only essential cookies and similar storage:

• user-token — session cookie for account authentication (HTTP-only, 30-day expiry)
• admin-token — session cookie for admin authentication (HTTP-only, 7-day expiry)
• disclaimer-accepted — local storage recording that you acknowledged the site disclaimer

We do not use advertising cookies or cross-site tracking. Because we use only essential cookies, no separate consent banner is required under most cookie/ePrivacy rules.

6. Data Retention

• Account data is retained for as long as your account is active.
• Uploaded COAs may be retained to provide the service and improve detection, subject to removal requests under our Takedown Policy.
• Billing records are retained as required for legal and tax compliance.

7. Data Deletion

You may request deletion of your account and associated personal information at any time by contacting [email protected]. Certain data may be retained where required by law (e.g., billing records for tax compliance). We will notify you of any data that cannot be deleted and the reason. Deletion requests are processed within 30 days.

8. Your Rights

Depending on your location, you may have the right to:

• Access the personal information we hold about you
• Correct inaccurate information
• Request deletion of your personal information
• Export your data in a portable format
• Opt out of marketing communications

California residents have additional rights under the CCPA/CPRA. To exercise any of these rights, contact us at [email protected].

9. Security

We use reasonable security measures to protect your information, including encrypted connections (HTTPS), encryption at rest, hashed passwords (bcrypt), HTTP-only session cookies, rate limiting on authentication endpoints, and access controls. No system is perfectly secure, but we take data protection seriously.

10. Children

This Site is not intended for anyone under 18 years of age. We do not knowingly collect personal information from minors.

11. Changes

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice on the Site.

12. Contact

For privacy inquiries, contact us at [email protected].