Privacy Policy

Effective Date: April 23, 2026
Last Updated: April 23, 2026

How GrailGuard collects, uses, and protects your data.

1. About This Policy

GrailGuard LLC ("we," "us," or "our") is a hand-carry courier service for high-value collectibles, organized as a limited liability company under California law. This Privacy Policy explains what data we collect, what we do with it, and your rights. We wrote this in plain English — legal terms are in [brackets]. Effective date: April 23, 2026. Last updated: April 23, 2026.

2. What We Collect

We collect data three ways: what you give us, what we observe, and what third parties provide.

What You Give Us

  • Booking form: Your name, email, phone number, pickup address, delivery address, recipient name/email/phone, item description, declared value, and payment card details (via Stripe — we never see the full card number).
  • Account profile: Name, email, phone, referral code, saved payment method (last 4 digits only; the full card is stored by Stripe).
  • Bookings over $10K: A government-issued photo ID (driver's license, passport, or state ID) uploaded to Stripe Identity for verification per banking regulations [KYC].
  • Courier background checks: If you become a courier, date of birth, last 4 digits of Social Security number, and a government ID image (handled by Checkr, our background-check vendor).

What We Observe

  • Page views and events: Which pages you visit, how long you stay, clicks, form submissions tracked via Google Analytics 4 (opt-in; controlled by our consent banner).
  • Server logs: Your IP address, browser type and version, operating system, device model, page referrer, and any HTTP error responses.
  • Cookies: First-party only — gg_session_active (authentication), gg_cookie_consent_v1 (your choice on this banner), CSRF token, and Stripe-set cookies for fraud detection. No third-party ad cookies.
  • Error traces: If your browser encounters a JavaScript error, we capture the error message, line number, and URL (via Sentry). PII is redacted [best-effort].

What Third Parties Provide

  • Stripe: Payment verification, fraud signals, and refund status.
  • Checkr: Courier background-check results (pass/fail; we don't store criminal history details).
  • Stripe Identity: KYC verification result (pass/fail) for bookings ≥ $10K. The government-ID image is stored by Stripe per their retention policy; we delete our request record after verification.
  • Postmark: Email delivery status (bounce, open, click events).
  • Twilio: SMS delivery status and message receipt logs.

3. What We Do With It

  • Fulfill bookings: Connect you with a courier, process your payment via Stripe, and deliver your item.
  • Communicate: Send transactional emails (booking confirmation, delivery status, tracking updates) and support responses. SMS notifications for pickup/delivery.
  • Verify identity and prevent fraud: Run OFAC sanctions screening, Stripe Radar fraud checks, and government-ID verification (via Stripe Identity for bookings ≥ $10K) to comply with financial regulations [BSA, AML].
  • Track site usage: Measure page views, booking events, and conversion funnel via Google Analytics 4 (opt-in) and server-side PostHog events (always-on). We use this to understand which features work.
  • Comply with carrier insurance covenants: Maintain audit logs of booking details, photos, signatures, and delivery proof for insurance claim handling and dispute resolution.
  • Comply with BSA/high-value reporting: Bookings with declared value ≥ $10,000 are screened per the Bank Secrecy Act and reported as required by law.
  • Improve our product: Analyze site errors, feature usage, and user feedback to build a better booking experience.

4. What We DON'T Do

  • Sell your data: We do not sell your personal information to data brokers or advertisers.
  • Share with marketers: We do not license your contact details to third-party marketing lists.
  • Third-party ad cookies: We do not set or allow ad networks to set cookies that track you across the web.
  • Facial recognition: We do not use facial recognition or biometric analysis on your photos.
  • Train AI on your booking data: We do not use your booking details to train large language models or other AI systems (your data remains your own).

5. Third-Party Processors

We work with specialized vendors; each receives only the data it needs and is contractually bound to protect it.

Vendor | What They Process | Where Data Goes | Privacy Policy
Stripe | Payment card details, billing address, transaction history, invoice metadata | Stripe's PCI-DSS compliant servers (US/EU) | stripe.com/privacy
Stripe Identity | Government-issued photo ID image, verification status (bookings ≥ $10K) | Stripe's verification servers (US/EU) | stripe.com/privacy
Checkr | Courier DOB, last 4 SSN, government ID image, background check result | Checkr's servers (US) | checkr.com/privacy
Postmark | Email address, transactional email body, bounce/open/click events | Postmark's servers (US) | postmark.com/privacy
Twilio | Phone number, SMS message body, delivery status | Twilio's servers (US) | twilio.com/legal/privacy
Sentry | JavaScript error traces, URL path, browser/OS type (PII redacted best-effort) | Sentry's servers (US) | sentry.io/privacy
PostHog | Page view events, booking events, user ID (anonymized per GDPR Article 32) | PostHog's servers (EU) | posthog.com/privacy
Google Analytics 4 | Anonymized page views, booking events, UTM parameters (opt-in) | Google's servers (US/EU) | policies.google.com/privacy
Cloudflare | IP address, HTTP headers, DDoS fingerprints (reverse proxy) | Cloudflare's edge network (global) | cloudflare.com/privacy
Railway | Application logs, database backups, server monitoring data | Railway's infrastructure (US) | railway.app/privacy

6. Data Retention

  • Bookings: Kept for 7 years (tax/Stripe reconciliation) or until you delete your account. After account deletion, we keep an anonymized booking record (no name/email/address) for accounting purposes.
  • Account info: Deleted within 30 days of your deletion request (some legally-required metadata retained per financial regulations).
  • KYC documents (gov ID image): Stored by Stripe per their retention schedule. We don't store the image ourselves.
  • Background-check data (Checkr): Retained by Checkr per their policy; we delete our copy after hiring decision.
  • Payment metadata: Stripe retains card tokens and transaction records for dispute/chargeback handling (typically 3 years).
  • Transactional emails (Postmark): Retained for 90 days, then deleted.
  • Analytics events (PostHog): Raw, identifiable events kept for 12 months. After 12 months, automatically aggregated to non-personal counters and retained for business analytics.
  • Error logs (Sentry): Kept for 30 days, then deleted.
  • Support chat logs: Kept for 90 days, then deleted.

7. Your Data Rights

If you're in California, Virginia, Colorado, Connecticut, Utah, or another state with a privacy law, you have specific rights. If you're in the EU, UK, or EEA, GDPR gives you additional rights.

Rights Everyone Can Exercise (US State Laws + GDPR)

  • Right to know: You can request what personal data we hold about you and how we use it.
  • Right to access: You can download a copy of your data in machine-readable format (e.g., JSON). GrailGuard customers can do this instantly without contacting support: sign in and click "Download my data" on your account page or call GET /api/customers/me/export.
  • Right to delete: You can request deletion of your personal data, subject to legal retention obligations (e.g., tax records must be kept 7 years). GrailGuard customers can initiate account deletion without support: sign in and click "Delete my account" or call DELETE /api/customers/account. We use a 30-day grace period so you can cancel before permanent anonymization.
  • Right to correct: You can ask us to fix inaccurate or incomplete data.
  • Right to opt-out of sale: We don't sell your data, but you can submit an opt-out request via our form at /do-not-sell.html or by emailing privacy@grailguard.io.

GDPR Rights (EU/UK/EEA Only)

If you are a resident of the European Union, the United Kingdom, or any other jurisdiction where the GDPR applies, you have the following rights regarding your personal data:

  • Right of Access (Article 15): You have the right to obtain confirmation of whether we process your data and to receive a copy of your personal data in a portable format. GrailGuard customers can exercise this right instantly and without a support ticket: sign in and call GET /api/customers/me/export (or use the "Download my data" button on your account page) to receive a single machine-readable JSON file containing your profile, bookings, addresses, photos, signatures, and consent records, per GDPR Article 20.
  • Right to Rectification (Article 16): You may request correction of inaccurate or incomplete personal data held by us.
  • Right to Erasure (Article 17): You may request deletion of your personal data, subject to legal retention obligations and legitimate business interests. Customers can now initiate deletion without contacting support: sign in and click "Delete my account" (or call DELETE /api/customers/account). We use a two-phase lifecycle: a 30-day soft-delete grace window during which you can still sign in and cancel, followed by hard anonymization (email, name, phone, and addresses scrubbed) after the window elapses. Financial records required by tax law remain in place per the retention windows in Section 6: roughly 3 years for payment metadata and 7 years for core account and booking records.
  • Right to Restrict Processing (Article 18): You may request limitation of how we use your data while we handle disputes or verify accuracy.
  • Right to Data Portability (Article 20): You may request your data in a structured, commonly-used, machine-readable format for transfer to another organization.
  • Right to Object (Article 21): You may object to processing based on legitimate interests or direct marketing. We will cease processing unless we have compelling reasons to continue.
  • Right Against Automated Decision-Making (Article 22): You have the right to opt-out of decisions based solely on automated processing that produces legal or similarly significant effects.
  • Right to Lodge a Complaint: You may file a complaint with your local data protection authority regarding our processing practices.

How to Exercise Your GDPR Rights

To exercise any GDPR right, please submit a written request to privacy@grailguard.io with:

  • Your full name and email address
  • The right(s) you wish to exercise
  • Sufficient detail to identify your request
  • A copy of identification for verification purposes

We will respond to valid requests within 30 days (or 60-90 days if complex). We may request additional information to verify your identity before processing your request.

Right to Erasure / Right to be Forgotten (GDPR Article 17 & CCPA §1798.105)

To request deletion of your personal data, email privacy@grailguard.io with the subject line "Right to Erasure Request". Include your full name, the email address associated with the account, and (optionally) a booking tracking number. We will verify your identity and:

  • Acknowledge receipt within 2 business days
  • Complete the deletion within 30 days (extendable to 90 days for complex requests)
  • Confirm deletion in writing, including the categories of data removed

Certain records may be retained if required by law (e.g., tax records for 7 years, Stripe transaction records per financial regulations, or evidence relating to an open insurance claim). We will identify any such retained categories in our confirmation response. Separately, and independently of any erasure request, delivery records are automatically removed from public tracking 30 days after delivery.

8. Cookies

We use first-party cookies only — no third-party ad networks tracking you across the web.

  • gg_session_active: Stores your login token (HttpOnly, Secure, SameSite=Strict).
  • gg_cookie_consent_v1: Remembers your choice on our consent banner (365-day expiry).
  • CSRF token: Protects against cross-site request forgery on form submissions.
  • Stripe fraud detection: Stripe sets cookies for their own fraud detection (see Stripe's privacy policy).

You can manage cookies via our consent banner (shown on first visit) or your browser settings. Disabling essential cookies will break login and checkout. The Global Privacy Control (GPC) signal disables analytics cookies automatically.

9. How We Protect Your Data

  • TLS in transit: All connections to grailguard.io are encrypted with TLS 1.3.
  • AES-256 at rest: Sensitive data (booking details, addresses, driver's license images) encrypted in our PostgreSQL database on Railway.
  • Cookies: Authentication cookies are HttpOnly (no JavaScript access), Secure (HTTPS-only), and SameSite=Strict (no cross-site submission).
  • CSP/HSTS/Permissions-Policy: HTTP security headers prevent XSS, clickjacking, and camera/microphone access.
  • Stripe card handling: We never see card numbers — Stripe collects them in their PCI-DSS compliant environment.
  • Sentry error logs: PII is redacted on a best-effort basis (email, phone, token patterns stripped).
  • Breach notification: If we suffer a data breach, we'll notify affected customers within 72 hours per California law.

10. Children

GrailGuard services are for adults aged 18+. We don't intentionally collect data from anyone under 18. If you believe we have, email privacy@grailguard.io with the subject "COPPA request" and we'll delete it within 10 business days.

11. Changes to This Policy

When we make material changes, we'll notify you by email 30 days before the change takes effect. We'll re-prompt for cookie consent when required. You agree to the updated policy by continuing to use GrailGuard after the effective date.

12. Contact

Privacy questions: privacy@grailguard.io

Everything else: support@grailguard.io

Security vulnerabilities: security@grailguard.io (see /.well-known/security.txt for coordinated disclosure policy)

Website: grailguard.io

Jurisdiction: State of California, USA

Data Protection Officer (EU/UK): dpo@grailguard.io (10 business days for initial acknowledgment)

EU and UK residents can lodge a complaint with their local data protection authority: Italy (GPDP), Germany (BfDI), France (CNIL), UK (ICO), or their country's DPA.