Privacy Policy
Effective date: May 26, 2026
Last updated: May 26, 2026
This Privacy Policy describes how Wyser Baron LLC ("Wyser Baron", "we", "us") collects, uses, and protects information when you use Coin Rectify (the "Service").
1. Summary
- We collect: an anonymous browser identifier and IP-address hash during the free trial; once you sign up, also your email address, billing information (via Stripe), photo file metadata (size, format, dimensions), and usage timestamps.
- Photo handling depends on the feature you use:
  - Photo Cleanup (free / Photo Pro / Photo Business): your uploaded photos are processed in memory and discarded when your browser session ends. We do not retain the source photos or the cleaned crops.
  - AI eBay Listings (AI Pro / AI Business): cleaned crops are uploaded to our image-hosting bucket (Cloudflare R2) so the eBay listing CSV can reference them, then automatically deleted after 30 days (eBay copies the image into its own system when you import the CSV, so our copy is only needed briefly for that handoff). We do not retain your source photos — the image bytes are stripped from our AI request logs before they are saved. See Section 5 for retention details.
- Why: to operate the free trial, authenticate you, bill you, enforce quota limits, host listing images, run AI listing generation, and improve the Service.
- Sub-processors: Stripe (billing), Resend (email), Railway (hosting), Cloudflare (CDN/DNS, R2 image hosting), Anthropic (AI listing generation — only invoked on AI tiers).
- You can: access, export, correct, or delete your data at any time by emailing [email protected].
2. Information We Collect
2.1 Information you provide
- Email address — for sign-in (passwordless magic links) and transactional billing emails.
- Marketing-email preference — boolean flag indicating whether you opted in to product update emails. Default off.
- Billing information — collected and processed by Stripe; we never see or store your card number. We retain only Stripe's customer ID and subscription metadata (plan tier, billing period dates).
2.2 Information generated by your use
- Photo metadata — file size, format, and pixel dimensions of uploads.
- Photo Cleanup pixel data — pixel content of photos uploaded for cleaning is held in memory for the duration of the request and discarded.
- AI eBay Listings pixel data — if you use an AI tier, the cleaned crops your AI listings reference are uploaded to our image-hosting bucket (Cloudflare R2). The cleaned crops are publicly fetchable by URL (this is required so eBay can pull them in when you upload the bulk-draft CSV). They are automatically deleted 30 days after upload by a bucket lifecycle policy — long enough for eBay to fetch them at import (after which eBay serves its own copy), short enough that we are not retaining your photos.
- AI request logs (AI tiers only) — when an AI call is made, we store the text of the request payload (the prompt and metadata), the model response, token counts, and cost — in our `ai_call_log` table. The coin image bytes are stripped out before the row is saved, so your photo is not retained here. These logs let us debug failed generations, replay prompts when we improve the model, and audit unexpected spend. They are accessible only to Wyser Baron engineers.
- Usage events — timestamp and count of successfully processed photos and AI-generated listings, used to enforce quota limits.
- Anonymous trial identifier — when you visit without signing in, we set a first-party cookie called `coinrect_anon_id` containing a random UUID. We use it to track how many of your 15 free trial photos have been used. It expires after 1 year. No third-party tracking cookies.
- Session cookie — once you sign in, we set a first-party cookie called `coinrect_session` containing a random session token. We use it to keep you signed in. It expires after 14 days.
- IP address hash — for anonymous trial visitors, we compute a SHA-256 hash of your IP address (using the `cf-connecting-ip` or `x-forwarded-for` header set by Cloudflare / Railway). The hash is stored alongside the trial identifier for fraud-pattern detection only. We never store the raw IP in our application database, and we never rate-limit or block users by IP.
2.3 Information automatically collected
- Raw IP address & request metadata — logged transiently by our hosting provider (Railway) and CDN (Cloudflare) for security and abuse prevention. Retention typically 7–30 days, controlled by those vendors.
3. How We Use Information
- Authentication & account management — sending sign-in links, identifying you across sessions.
- Billing & subscription management — processing payments via Stripe, calculating usage against quota.
- Service delivery — running the cropping pipeline against your uploads.
- Communication — transactional emails (sign-in links, billing receipts) are sent regardless of preferences. Marketing emails are sent only to users who explicitly opted in via the sign-up checkbox or sidebar toggle.
- Security & fraud prevention — detecting and responding to abuse, suspicious activity, or technical issues.
- Legal compliance — responding to lawful requests where required.
4. Sub-processors
We rely on the following third parties to provide the Service. Each is bound by their own privacy policy.
| Sub-processor | Purpose | Data shared |
|---|---|---|
| Stripe, Inc. | Payment processing & subscription management | Email, payment method (held by Stripe), billing address |
| Resend (Resend, Inc.) | Transactional email + marketing email delivery | Email, message content |
| Railway Corp. | Application hosting & managed Postgres | All application data (encrypted at rest in their infra) |
| Cloudflare, Inc. | DNS, CDN, DDoS protection, R2 image hosting for AI tier listing images | IP, request headers (in transit); cleaned coin crops (publicly accessible by URL) |
| Anthropic, PBC | AI listing generation (Claude API) — invoked only when an AI Pro or AI Business user runs an AI listing request | The cleaned crop(s) of the coin being listed, plus the model prompt. Anthropic's commercial-tier policy states inputs and outputs are not used to train their models. |
We do not sell your personal data to any third party.
5. Data Retention
- Account data (email, preferences, usage events) — retained while your account is active and for up to 30 days after account deletion request.
- Billing records — retained per Stripe's terms and applicable tax / accounting rules (typically 7 years).
- Photo Cleanup uploads — pixel data never retained. Discarded immediately after processing.
- AI Listings cleaned crops in R2 — automatically deleted 30 days after upload via a bucket lifecycle policy. This window covers the typical "CSV exported → eBay imports → eBay fetches the photos" handoff; once eBay imports the listing it serves its own copy, so our copy is no longer needed. You can request immediate deletion of specific images by emailing [email protected].
- AI request logs (`ai_call_log`) — retained approximately 90 days for debugging and replay (image bytes are stripped before storage, so these rows contain prompt text and metadata only, never your photo). A maintenance job runs on each application server start (typically several times per week) and deletes any AI-request-log rows older than 90 days.
- Server logs — typically 7–30 days, per our hosting provider.
6. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you;
- Rectify inaccurate data;
- Delete your data ("right to be forgotten");
- Export your data in a portable format;
- Restrict or object to certain processing;
- Withdraw consent for marketing emails at any time (toggle in the Account sidebar, or use the unsubscribe link in any marketing email);
- Lodge a complaint with your local data protection supervisory authority (e.g. the ICO in the UK, or your EU member state DPA).
To exercise any of these rights, email [email protected]. We will respond within 30 days.
California residents (CCPA/CPRA)
California residents have additional rights including the right to know, delete, correct, and opt out of "sale" or "sharing" of personal information. We do not sell or share personal information for cross-context behavioral advertising.
7. Children's Privacy
Coin Rectify is not directed to children under 13 (or under 16 in the EU). We do not knowingly collect data from children. If you believe a child has provided us personal information, contact us and we will delete it promptly.
8. Security
We use industry-standard practices to protect your data: HTTPS (TLS 1.3) for all connections, encrypted-at-rest databases via our hosting provider, and SHA-256-hashed session tokens and magic-link tokens at rest. Internal credentials and API keys are stored in a managed secrets vault, never committed to source control or shared client-side. No system is perfectly secure; we cannot guarantee absolute protection but we will notify affected users without undue delay if we become aware of a breach affecting their personal data.
9. International Transfers
Coin Rectify is hosted in the United States. If you access the Service from outside the US, your data will be transferred to and processed in the US. We rely on the standard contractual clauses provided by our sub-processors (Stripe, Cloudflare, etc.) for legal transfer of EEA/UK residents' data.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via the email associated with your account at least 14 days before they take effect. The "Last updated" date at the top will reflect the most recent revision.
11. Contact
Wyser Baron LLC, 1980 Sherman Ave, North Bend, OR 97459, United States
Privacy questions: [email protected]