Privacy Policy

Last updated: April 1, 2026

1. What We Collect

We collect only the information necessary to provide the Service:

• Email address — when you create an account or purchase a subscription. Used to deliver your API key, send transactional emails, and identify your account.
• Hashed password — stored using bcrypt. We never store or transmit your plaintext password.
• API key — a unique token issued to your account for authenticating requests to the Service.
• IP address — collected automatically for rate limiting anonymous and authenticated requests. Retained for up to 30 days.
• Watch search queries — brand name, reference number, and timestamp of each valuation request. Used to improve the Service and for query logging. Retained for 90 days.
• Portfolio items — watches you add to your portfolio (brand, reference, purchase price, notes). Retained until you delete them or close your account.
• Price alerts — watch references and target prices you configure. Retained until you delete them or close your account.
• Stripe customer ID — a reference token linking your account to your Stripe subscription. We never store your card number or full payment details on our servers.

2. How We Use It

We use the information we collect to:

• Deliver and manage your API key and account
• Process payments and manage your subscription
• Enforce rate limits and prevent abuse
• Monitor service health and debug errors
• Send transactional emails (key delivery, billing receipts, price alert notifications)
• Improve valuation accuracy and service quality using aggregated, anonymised query data

We do not sell your personal data. We do not send marketing emails without your explicit consent.

3. Data Retention

• Account data (email, hashed password, API key, portfolio, alerts): retained until you delete your account.
• Query logs (search brand, reference, timestamp): retained for 90 days, then automatically purged.
• API request logs (endpoint, response code, key prefix): retained for 30 days.
• IP addresses: retained for up to 30 days.
• After account deletion: all personal data is purged within 30 days.

4. Cookies

We use a small number of cookies that are necessary for the Service to function:

• ww_session — authentication cookie set when you log in. Contains a signed JWT identifying your session. Expires at the end of your browser session (or sooner if you log out). This cookie is required to use authenticated features.
• ww_anon_id — anonymous rate-limit tracking cookie for users who are not logged in. Contains a random identifier only — no personal data. Expires after 1 year.

Analytics tools (if enabled) are only loaded after you have given cookie consent via the consent banner. You can withdraw consent at any time by clearing your cookies or adjusting your browser settings.

5. Third-Party Services

We use the following third-party services, which may receive limited data as described:

• Stripe — payment processing. Your payment details are entered directly on Stripe's servers and are governed by Stripe's Privacy Policy.
• Supabase — hosted database and authentication infrastructure. Account data, query logs, and portfolio data are stored in Supabase. Governed by Supabase's Privacy Policy.
• Resend — transactional email delivery. Your email address is shared only to deliver service emails (API key, billing receipts, alerts). Governed by Resend's Privacy Policy.
• Sentry — error monitoring. Error reports may include request metadata; we configure Sentry to exclude API keys and personal data from error payloads. Governed by Sentry's Privacy Policy.

6. Your Rights (GDPR & CCPA)

Depending on your jurisdiction, you have the following rights regarding your personal data:

• Right to access — you may request a copy of the personal data we hold about you by emailing support@pricethat.watch.
• Right to deletion — you may delete your account at any time via Account Settings → Delete Account. You may also request deletion by emailing support@pricethat.watch. Data is purged within 30 days.
• Right to data portability — you may request a machine-readable export of your personal data by emailing support@pricethat.watch.
• Right to correction — if any information we hold is inaccurate, contact us to have it corrected.
• California residents (CCPA) — we do not sell personal data to third parties. You have the right to know what personal information is collected, to request deletion, and to non-discrimination for exercising these rights.

7. Security

All data is transmitted over TLS. Passwords are hashed with bcrypt before storage. API keys are stored in the database — treat them like passwords and do not share them publicly. If you believe your key has been compromised, rotate it immediately via the Account page.

8. Contact

Questions about this policy? Email us at support@pricethat.watch.