Privacy Policy

1. Who We Are

Controller. RTwelve Technologies LLC, a Hawaii limited liability company. Postal address: see Section 11. Privacy contact: privacy@spareagrade.com.

We have not appointed an EU or UK Representative or a Data Protection Officer at this time; if and when our processing thresholds require one under GDPR Articles 27 / 37, we will name them here.

2. Information We Collect

• Account data — email address, username, hashed password, account status, role, optional bio, optional avatar.
• User Content — comics and cards you submit, photos, comments, grades, annotations, votes.
• Device and usage data — IP address, user agent, pages and features used, errors and performance data, approximate location derived from IP.
• Authentication and session data — cookies and local storage tokens used to keep you signed in.
• AI analysis derivatives — metadata extracted from your uploaded images by our AI sub-processors (title, publisher, issue number, image classifications, etc.).
• Moderation logs — content moderation decisions on your uploads (for audit and abuse-prevention).
• Communications — emails you send to our support@, privacy@, legal@, etc. addresses.

We do not currently process payment information. If we introduce paid features, payment data will be handled by a third-party payment processor and we will store only limited tokens and metadata, never full card numbers.

3. Purposes & Legal Bases

We process personal data for the following purposes (the legal basis under GDPR / UK GDPR is shown in italics; for U.S. users the same purposes apply under the relevant state privacy laws):

• Provide, secure, and operate the Service, including AI analysis of uploaded images for grading workflows. Performance of contract; legitimate interests.
• Calculate and display Community Grades, leaderboards, and accuracy metrics. Legitimate interests.
• Moderate content and prevent fraud or abuse. Legitimate interests; legal obligation where applicable.
• Communicate with you about the Service. Performance of contract; legitimate interests.
• Personalize the experience and run product analytics. Legitimate interests; consent for non-essential cookies / SDKs in jurisdictions that require it.
• Comply with legal obligations. Legal obligation.

4. Sharing

We share personal data with:

• Service providers / sub-processors that operate parts of the Service on our behalf (see the list below). These vendors are contractually bound to use your data only as needed to deliver their services.
• Legal and safety recipients, where required by law or where we believe in good faith that disclosure is necessary to protect our rights, your safety, or others' safety, or to respond to lawful requests.
• Business transfers. If we are involved in a merger, acquisition, asset sale, financing, reorganization, or bankruptcy, your information may be transferred to the successor entity. Any successor will be bound by this Privacy Policy or by a successor policy with materially equivalent protections.

We do not sell personal information for monetary consideration. We do not currently engage in cross-context behavioral advertising. If our practices change, we will update this Policy and provide opt-out mechanisms required by applicable law.

Current sub-processors

Where personal data is transferred outside your jurisdiction, we rely on appropriate safeguards, including the EU Standard Contractual Clauses and the UK International Data Transfer Addendum (or IDTA), and supplementary measures where appropriate. Where a vendor is certified under the EU–U.S. Data Privacy Framework or UK Extension, we will note that here as the framework's coverage is updated.

5. International Data Transfers

If you access the Service from outside the United States, your information will be transferred to and processed in the United States, where our sub-processors are primarily located. We rely on the safeguards described above.

6. Your Rights

EEA / UK (GDPR). You have the rights to access, rectify, erase, restrict, or object to processing of your personal data; to data portability; to withdraw consent (without affecting prior processing); and to lodge a complaint with your local supervisory authority.

United States (state privacy laws).Where applicable, you may have the rights to know / access, delete, correct, opt out of "sale" or "sharing" or targeted advertising, and to appeal a denial. We honor Global Privacy Control (GPC) signals where required.

Canada (PIPEDA), Brazil (LGPD), Australia (Privacy Act). Rights as provided under local law.

To exercise any right, email privacy@spareagrade.com from the address associated with your account, or use the account deletion control in Settings. We will respond to privacy requests within the timelines required by the applicable law (typically 30–45 days). We may need to verify your identity before fulfilling certain requests submitted outside the signed-in self-service flow.

7. Retention

We retain personal data only as long as necessary for the purposes stated in this Policy, to deliver the Service, comply with legal obligations, resolve disputes, and enforce our agreements.

When you delete your account:

• Account credentials (email, password hash, IP address, device fingerprint) are deleted within 90 days.
• Items you submitted (comics, cards):
  • Item records and uploaded images are retained so community grades, comments, annotations, and official-grade references remain meaningful, but ownership is transferred to an anonymized deleted-user account.
• Grades, comments, annotations, and votes you submitted on others' items: deleted with your account unless we must retain a limited record for security, abuse-prevention, or legal reasons.
• Moderation audit logs (warnings, suspensions, content takedowns involving your account): retained for 12 months after deletion for abuse-prevention purposes, then purged.
• De-identified and aggregated data — including accuracy statistics, grade-distribution data, model-training derivatives, leaderboard positions, and any data from which direct identifiers have been removed — may be retained indefinitely for product improvement, research, analytics, AI/ML model training, and to enable the operation, security, and continuity of the Service.

Residual copies may persist briefly in encrypted backups before being overwritten on the normal backup-retention cycle.

If you have a strong legal basis for full erasure of your contributions (e.g., GDPR Article 17), email privacy@spareagrade.com; we will assess each request individually and balance our legitimate interest in community-data integrity against your erasure right.

8. Children

The Service is not directed to children under 13 (or the higher local digital-consent age in your jurisdiction). We do not knowingly collect personal information from children below that age. If we learn that we have collected personal information from a child below the applicable age, we will delete it.

9. Cookies & Tracking

See the Cookie Policy. In jurisdictions that require opt-in consent for non-essential cookies and SDKs (EEA, UK, parts of the United States), we will obtain consent before such cookies fire, provide equal "Accept" and "Reject" options, and honor GPC where applicable. We will not deploy a banner unless and until non-essential analytics, ads, or tracking SDKs require it; the current Service uses authentication and preference cookies that are strictly necessary.

10. Security

We use administrative, technical, and physical safeguards including encryption in transit, encryption at rest for sensitive fields, role-based access control, audit logging, and Row Level Security on our database. No system is perfectly secure; if we detect a breach affecting your personal data, we will notify you and the relevant regulators where required.

To report a security vulnerability, email security@spareagrade.com. We provide safe-harbor protection for good-faith research that follows our reporting guidelines.

11. Changes; Contact

We may update this Policy by posting an updated version with a new effective date. For material changes, we will provide reasonable notice (e.g., banner or email). Continued use after the effective date constitutes acceptance.

Privacy contact:

• Email: privacy@spareagrade.com
• Postal:

  RTwelve Technologies LLC
  Attn: Privacy
  [STREET ADDRESS — TBD]
  [CITY], HI [ZIP], United States