Privacy Policy

01Who we are

"Assay" (we, us, our) operates the website at assayapp.net and the supporting API at api.assayapp.net, through which we sell a $14.99 USD PDF valuation report. An iOS app is in development. Assay is run by Benjamin Rosenberg, a sole trader registered in the United Kingdom. This policy explains what data we collect across those surfaces and what your rights are.

Data Controller: Benjamin Rosenberg, sole trader, United Kingdom. Contact: [email protected] (currently routed via [email protected]).

If you have any privacy questions, write to [email protected] and we'll get back to you within five working days.

02What we collect, at a glance

Every entry below is linked to your account (we can tie it back to your user record) and not used to track you across other apps or websites (we don't share it with data brokers or ad networks).

Data type	Why we have it	Purpose
Email addressFrom checkout, signup, or Sign in with Apple	Delivering your report, authenticating your account, sending receipts and product updates you've opted into.	Service functionality
NameOptional. From checkout or Sign in with Apple	Personalising your report and receipts.	Service functionality
User IDAn internal pseudonymous identifier (`clientId`)	Linking your reports and entitlements to your account on our servers.	Service functionality
Item detailsWhat you submitted to be valued — title, year, grade, identifiers, photos if any	Generating the valuation and the PDF report.	Service functionality
Payment metadataFrom Stripe: last 4 digits, card brand, country, charge ID	Reconciling orders, handling refunds, fraud prevention. We never receive your full card number, expiry or CVC.	Service functionality, Compliance
Product interactionsPage views, valuations requested, report downloads	Diagnosing problems, prioritising features, measuring whether changes help.	Service functionality, Analytics
Crash and performance dataFrom the iOS app when it ships: Apple MetricKit reports	Detecting and fixing crashes, hangs and slow screens.	Service functionality, Analytics

What we don't collectWe don't collect health data, location, contacts, browsing history, search history outside Assay, or any "sensitive" categories. We never see your full card number — Stripe processes that. We don't run third-party advertising SDKs or analytics SDKs that share your data with ad networks.

03How we use it

Provide the service. Take your payment, generate your valuation, deliver the PDF report, run your account, send transactional email.
Keep the service working. Detect bugs, crashes, slow screens and abuse. Diagnose support tickets you raise.
Communicate with you. Send transactional emails (receipt, report delivery, re-delivery if requested). Marketing email is opt-in only and you can unsubscribe at any time.
Comply with the law. Meet our tax, accounting and fraud-prevention obligations, and respond to lawful requests from regulators or courts.

04Where data is held

Your account and order data live on our servers in Ashburn, Virginia (United States), hosted by Hetzner Online GmbH. Backups are encrypted and held in the same region. Card payments are processed by Stripe Payments UK, Ltd under Stripe's own privacy policy — we receive only a charge confirmation and limited payment metadata, never your full card details.

If you access Assay from inside the European Economic Area or the United Kingdom, your data is transferred to and processed in the United States. We rely on the European Commission's Standard Contractual Clauses (and the UK addendum where applicable) as the legal basis for that transfer, alongside the technical safeguards described in section 09.

05Who we share it with

The shortlist:

Stripe Payments UK, Ltd — our payment processor. Stripe takes your card data directly via Stripe Checkout; we never see it. Stripe's privacy practices govern that part. Stripe forwards us the metadata we need to reconcile orders (charge ID, last 4 digits, card brand, country) and to handle refunds.
Market-data providers we query on your behalf. When we generate a valuation, we may send the item details (not your identity) to one or more of: PriceCharting, PCGS, WatchCharts, eBay, Discogs, and equivalent category-specific data sources. The request is keyed to the item, not your account.
Email delivery via Resend for transactional messages (receipts, report delivery, support replies).
Apple — only if you sign in with Apple to access your account. Apple's privacy practices govern that part. When the iOS app ships, Apple will also process push notifications and crash diagnostics for it.
Law enforcement when we are legally required to comply with a valid request.

We don't sell your data. We don't share it with advertising networks. We don't run ad-tracking SDKs.

06How long we keep it

Account data — for as long as your account exists, plus six years of tax-relevant records (UK statutory retention).
Order and report history — six years from the date of the order, to meet HMRC retention requirements.
Payment metadata — six years (as part of the order record).
Crash and analytics data — twelve months, then aggregated or deleted.
Marketing email subscriptions — until you unsubscribe.

07Your rights

Under UK GDPR and equivalent regimes elsewhere, you have the right to:

Ask for a copy of the data we hold about you.
Correct anything that's wrong.
Delete your account and the personal data we hold for it, subject to legal retention obligations.
Object to processing for marketing purposes (already opt-in).
Withdraw consent for anything based on consent, at any time.
Lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) or your local data protection authority.

To exercise any of these, email [email protected] from the address on your account. We'll respond within one month.

08Children

Assay is rated 4+ by Apple on the basis that the in-app content is suitable for all ages, but the service is intended for users aged 13 or over, and users under 18 should only sign up with the consent of a parent or guardian. We do not knowingly collect data from children under 13. If you believe a child has signed up, contact [email protected] and we will delete the account.

09Security

We use bank-grade encryption in transit (TLS 1.2 or 1.3 with a Cloudflare Origin Certificate to our US infrastructure) and at rest for backups. Passwords are hashed (never stored in plaintext) and account tokens live in the platform keychain on your device. Access to production systems is limited to the developer with strict audit logging.

No system is perfectly secure. If you spot a vulnerability, please report it responsibly to [email protected] — we'll acknowledge within two working days.

10Cookies and similar technologies

The Assay website uses two strictly-necessary first-party cookies — no consent banner is required for either:

assay-locale — remembers the language you've selected so we don't re-detect it on every page load. Contains only the locale code (for example en-GB) and does not identify you.
avs — an anonymous preview-session identifier so you can run a free valuation preview before you check out, and so that preview can be claimed into your account when you buy. Pseudonymous; expires automatically.

Stripe Checkout sets its own cookies on the checkout page under checkout.stripe.com, governed by Stripe's privacy policy. We don't use third-party tracking cookies or analytics cookies on our own pages.

11Changes to this policy

If we make material changes, we'll post the update here with a new effective date and (where the change is significant) notify active users by email or in-app message at least 14 days in advance. Continuing to use Assay after that date means you accept the updated policy.

Contact

For anything privacy-related — access requests, deletion, questions, complaints:

[email protected]

Postal mail can be addressed to: Assay c/o Benjamin Rosenberg, United Kingdom. We will provide a postal address on request.