Privacy Policy

1. Introduction

Gearlist ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal information.

By using Gearlist, you consent to the data practices described in this policy.

2. Information We Collect

Account Information

• Email address (required for authentication)
• Name (optional, for MegaSupport supporters list)
• Account creation date and last login timestamp

Gear Inventory Data

• Item details (name, brand, model, type, serial number)
• Purchase information (date, price, currency)
• Photos and receipt images you upload
• Custom notes and descriptions
• Theft information if marked stolen (date, location, details)

Usage Data

• IP address (for rate limiting and security)
• Browser type and operating system
• Pages visited and features used
• Access times and session duration

3. How We Use Your Information

We use your personal information to:

• Provide and maintain the Gearlist service
• Authenticate your account and maintain security
• Store and display your gear inventory
• Process stolen gear reports and facilitate tip notifications
• Process subscription payments via LemonSqueezy
• Send important service notifications and security alerts
• Prevent fraud and abuse
• Improve our service and develop new features

4. Data Storage and Security

Database: Your data is stored in Supabase's secure PostgreSQL database hosted in the EU (Frankfurt region).

File Storage: Photos and receipts are stored using Tigris Storage with encryption in transit and at rest.

Security Measures:

• HTTPS encryption for all data transmission
• Secure authentication via Supabase Auth (magic links)
• Rate limiting to prevent abuse
• Regular security updates and monitoring
• Database backups and disaster recovery procedures

5. Public Information

Important: The following information becomes publicly visible when you mark an item as stolen:

• Item name, brand, model, type
• Serial number (searchable by exact match)
• Photos you uploaded
• Theft location (city) and date
• Theft details/notes

Your email and personal contact information are never displayed publicly. Only the item details are visible.

MegaSupport Supporters: If you opt in, your name and optional message will be displayed on our public Supporters page.

6. Third-Party Services

Supabase (Authentication & Database)

• Purpose: User authentication and data storage
• Data shared: Email address, account data
• Location: EU (Frankfurt)
• Privacy Policy: supabase.com/privacy

LemonSqueezy (Payment Processing)

LemonSqueezy acts as our merchant of record for subscription payments.

• Data shared: Email, name (if provided)
• Payment card details are handled directly by LemonSqueezy (we never see them)
• US Data Storage: Your name, ZIP code, and billing address are stored in the United States by LemonSqueezy
• We have completed a Transfer Impact Assessment (TIA) under GDPR Article 46 to ensure adequate safeguards for EU users
• LemonSqueezy uses Standard Contractual Clauses (SCCs) and additional security measures
• Privacy Policy: lemonsqueezy.com/privacy

Fly.io (Hosting)

• Purpose: Application hosting and delivery
• Location: EU regions for GDPR compliance
• Privacy Policy: fly.io/legal/privacy-policy

7. Anonymous Tips

When you submit an anonymous tip about stolen gear:

• Your message is stored in our database
• Your IP address is collected for spam prevention only (never shared with gear owners)
• Optional: spotted location and date (if you provide them)
• Optional: contact information (if you choose to include it)

What gear owners see: Your message, spotted location/date, and contact info (if provided). They do NOT see your IP address.

Rate Limiting: We limit tip submissions to 3 per hour per IP address to prevent spam.

8. Data Retention

We retain your personal information for as long as your account is active or as needed to provide services.

• Active accounts: Data retained indefinitely while account exists
• Deleted accounts: All personal data and gear inventory permanently deleted within 30 days
• Subscription data: We keep minimal subscription status information while your account exists. Payment records are handled by LemonSqueezy (our Merchant of Record) and may be retained by them as required for accounting, tax, fraud prevention, and legal compliance.
• Anonymous tips: Deleted when related gear item is deleted

9. Cookies and Tracking

We use essential cookies for:

• Session management (keeping you logged in)
• CSRF protection (security)
• Theme preferences (dark/light mode)

These cookies are necessary for the service to function. We do not use analytics or advertising cookies at this time.

10. Your Rights (GDPR)

If you are in the European Union, you have the following rights under GDPR:

To exercise any of these rights, contact us at privacy@gearlist.cloud. We will respond within 30 days.

11. Children's Privacy

Gearlist is not intended for use by individuals under 16 years of age. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal data, please contact us immediately.

12. Changes to Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email, and you will be required to accept the new policy before continuing to use the service.

Minor updates will be posted with an updated "Effective Date" at the top of this page.

13. Contact Information

For privacy-related questions, concerns, or to exercise your rights:

Email: privacy@gearlist.cloud