Privacy Policy

Effective Date: April 8, 2026

1. Introduction and Scope

This Privacy Policy (“Policy”) is issued by CollectorHome Ltd, a corporation incorporated under the laws of Canada (“CollectorHome”, “we”, “us”, or “our”), and governs the collection, use, disclosure, retention, and protection of Personal Information in connection with your access to and use of the website located at collectorhome.com and all associated features, applications, and services (collectively, the “Service”).

This Policy is intended to satisfy our obligations under the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (“PIPEDA”) and all applicable provincial privacy legislation. By accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described herein. If you do not agree, you must discontinue use of the Service immediately.

“Personal Information” means any information about an identifiable individual as defined under PIPEDA, excluding business contact information and publicly available information as enumerated in Schedule II of PIPEDA.

2. Age Eligibility

The Service is directed exclusively to individuals who are at least thirteen (13) years of age. We do not knowingly solicit, collect, or maintain Personal Information from any person under the age of thirteen (13). If we become aware that Personal Information has been collected from an individual under thirteen (13) without verifiable parental or guardian consent, we will take immediate steps to delete such information from our systems. If you believe that we may have inadvertently collected information from a minor, please notify us at [email protected] without delay.

3. Personal Information We Collect

3.1 Information You Provide to Us

We collect Personal Information that you voluntarily submit when registering for or using the Service, including but not limited to:

Account Registration Data: your email address, chosen username, and password (stored exclusively as a cryptographic hash; we do not retain your plaintext password at any time);
Collection Records: item condition, acquisition price, purchase date, seller name, geographic location of acquisition (city and country, as voluntarily provided), grading service, grade score, certificate number, storage location, item variant, personal notes, and up to three (3) photographs per item;
Wishlist and Price Alert Data: items saved to your wishlist and any target price thresholds and alert-direction preferences you configure;
Community Contributions: comments posted on item pages and likes or reactions you submit, which may be viewable by other users of the Service;
User-Submitted Catalogue Contributions: product photographs and market price data you submit for administrative review and potential inclusion in the Service’s catalogue; and
User Preferences: your selected display currency and language or locale setting.

3.2 Information Collected Automatically

When you access or interact with the Service, certain information is collected automatically, including:

Usage and Interaction Data: pages and features accessed, barcode scan events (including the Universal Product Code (“UPC”) scanned and whether a corresponding catalogue entry was identified), items added to or removed from your collection or wishlist, search queries entered, scrolling behaviour, and other in-application actions — collected via Google Analytics 4 as further described in Section 5;
Authentication Credentials: a session authentication token is stored in a browser cookie (identified as payload-token) upon successful login to maintain your authenticated session;
Device and Technical Data: browser type and version, operating system, and user-agent string, collected incidentally through standard web-server operations and push notification subscription registration; and
IP Address: your Internet Protocol (“IP”) address is processed by our hosting provider and by Cloudflare, Inc. in connection with bot-detection services described in Section 5. Additionally, upon your first login to the Service, your IP address is used on a one-time basis solely to auto-populate your default display currency; it is not retained by us beyond the duration of that request.

4. Purposes of Collection and Use

We collect and use Personal Information only for purposes that a reasonable person would consider appropriate in the circumstances and only to the extent necessary to fulfill those purposes, which include:

establishing, verifying, and maintaining your account and authenticating your identity;
delivering, operating, and improving the features and functionality of the Service;
synchronising your collection, wishlist, and price alert configurations across devices and sessions;
delivering push notifications — including price-drop alerts — to devices where you have granted notification permission, subject to your ability to withdraw such consent at any time as described in Section 7;
facilitating community features, including the display of comments and likes on publicly accessible item pages;
analysing aggregated and de-identified usage patterns — such as frequently scanned product categories and zero-result search terms — to inform product development, catalogue improvement, and feature prioritisation;
detecting, investigating, and preventing fraudulent, abusive, or unauthorised use of the Service; and
complying with applicable legal obligations and responding to lawful requests from governmental authorities.

We will not sell, rent, or trade your Personal Information to third parties for their own marketing or commercial purposes, nor will we use your Personal Information to serve targeted or behavioural advertising.

5. Disclosure to Third-Party Service Providers

In the course of providing the Service, we disclose certain information — including Personal Information — to the following categories of third-party service providers acting on our behalf or otherwise integrated into the Service. All such providers are engaged under obligations of confidentiality and are prohibited from using your information for any purpose beyond the provision of services to us.

5.1 Analytics — Google Analytics 4

We use Google Analytics 4, operated by Google LLC (“Google”), to collect pseudonymous data regarding your interactions with the Service, including event data, device type, and general geographic location derived from IP address. This data is transmitted to and processed on Google’s servers, which may be located in the United States. Google operates as an independent data processor in respect of such information. You may opt out of Google Analytics data collection by installing the Google Analytics Opt-out Browser Add-on. Google’s privacy practices are governed by the Google Privacy Policy.

5.2 Bot Detection — Cloudflare Turnstile

We employ Cloudflare Turnstile, a privacy-preserving verification service operated by Cloudflare, Inc., to protect the Service’s login interface from automated abuse. In connection with this service, your IP address and certain browser-derived signals are transmitted to and processed by Cloudflare. Such processing is governed by the Cloudflare Privacy Policy.

5.3 Product Identification APIs

When you initiate a barcode scan, the UPC code is transmitted to one or more third-party product identification services — including EAN Data, UPC Item DB, Open Food Facts, and go-upc.com — for the purpose of retrieving publicly available product information such as product name, brand, and indicative market pricing. No Personal Information is included in or derivable from these transmissions; only the UPC code (which identifies a product, not a person) is disclosed. Following a successful product lookup, we may contribute the resulting product metadata back to EAN Data solely to maintain our API service credits; such contributions consist exclusively of public product-catalogue data and do not include any information pertaining to you or your account.

5.4 Hosting and Storage — Vercel

The Service is hosted on the infrastructure of Vercel Inc. (“Vercel”). Product images and photographs submitted by users are stored in Vercel Blob Storage and served via publicly accessible URLs. Vercel may process data on servers located in the United States. Vercel’s privacy practices are described in the Vercel Privacy Policy.

We may also disclose Personal Information where required to do so by applicable law, court order, or lawful governmental request, or where we reasonably believe such disclosure is necessary to protect the rights, property, or safety of CollectorHome, our users, or the public.

6. Cookies, Local Storage, and Similar Technologies

The Service uses cookies and client-side browser storage technologies as set out in the table below. We do not deploy advertising cookies or cross-site tracking technologies.

Identifier	Storage Type	Purpose	Duration
`payload-token`	HTTP Cookie	Authenticated session management	Session / rolling expiry
`ch_locale`	localStorage	User language and locale preference	Persistent
`push-banner-dismissed`	sessionStorage	Records dismissal of push notification opt-in prompt	Expires on tab close
`ios-banner-dismissed`	sessionStorage	Records dismissal of iOS PWA installation banner	Expires on tab close

You may configure your browser to refuse or delete cookies; however, doing so may impair the functionality of certain features of the Service, including authenticated access.

7. Push Notifications

Where you grant the Service permission to deliver browser push notifications, your browser generates a unique push subscription comprising an endpoint URL and cryptographic key material. This subscription is transmitted to and stored on our servers and used exclusively for the purpose of delivering price-drop alerts and other notifications that you have elected to receive. Your consent to push notifications is entirely voluntary and may be withdrawn at any time by modifying your browser or operating system notification settings, or by submitting a deletion request to [email protected], whereupon we will promptly remove your push subscription from our systems.

8. Public Profiles and Community Features

If you elect to enable a public profile within your account settings, certain information — including your username, collection items, portfolio value, and item count — will become accessible to any visitor of the Service, including unauthenticated users. You bear sole responsibility for the information you choose to make publicly accessible through this feature. You may revert your profile to private at any time through your account settings. Comments and likes you post on item pages are inherently public and viewable by all visitors to those pages regardless of your profile privacy setting.

9. Data Retention and Deletion

We retain Personal Information for the duration of your account relationship with us and for such additional period as may be required by law or necessary for legitimate operational purposes. Upon receipt of a valid account deletion request submitted to [email protected], we will delete your account and all associated Personal Information from our active systems immediately upon processing your request. Residual copies of uploaded images stored in Vercel Blob Storage and CDN cache layers may persist for a brief additional period consistent with those systems’ cache-expiry policies and over which we have no direct control.

Aggregated, anonymised, and de-identified analytics data — which by its nature cannot reasonably be used to identify any individual — may be retained indefinitely for analytical and product development purposes.

10. Your Rights Under PIPEDA

Subject to applicable legal exceptions, you have the following rights with respect to your Personal Information under PIPEDA:

Right of Access: you may request confirmation of whether we hold Personal Information about you and, if so, a copy of that information in an intelligible form;
Right to Correction: you may request that we correct or supplement any Personal Information in our possession that is demonstrably inaccurate or incomplete;
Right to Withdraw Consent: you may withdraw your consent to our collection or use of your Personal Information at any time, subject to legal or contractual restrictions and reasonable notice, with the understanding that such withdrawal may affect our ability to continue providing the Service to you;
Right to Deletion: you may request the deletion of your account and associated Personal Information as described in Section 9; and
Right to Lodge a Complaint: if you are dissatisfied with our response to any privacy concern, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada.

To exercise any of the foregoing rights, please direct your written request to [email protected]. We will acknowledge your request within a reasonable time and provide a substantive response within thirty (30) days, or such longer period as may be permitted under applicable law, of which we will notify you.

11. Security Safeguards

We implement physical, organisational, and technical safeguards appropriate to the sensitivity of the Personal Information in our custody, including: transport-layer encryption (HTTPS/TLS) for all data in transit; one-way cryptographic hashing of user passwords using bcrypt; token-based authentication with scoped access controls; and access-restricted API endpoints. Notwithstanding the foregoing, no security measure can guarantee absolute protection against all potential threats. In the event of a security incident affecting your Personal Information, we will notify you and the applicable regulatory authorities in accordance with our obligations under PIPEDA. If you identify a potential vulnerability in the Service, we request that you disclose it responsibly by contacting [email protected].

12. Cross-Border Data Transfers

CollectorHome is headquartered in Canada; however, certain of our third-party service providers — including Google LLC, Cloudflare, Inc., and Vercel Inc. — operate and process data on servers located in the United States and potentially other jurisdictions outside Canada. By accessing and using the Service, you consent to the transfer of your Personal Information to, and its storage and processing in, jurisdictions outside Canada, including jurisdictions whose data protection laws may differ from those of Canada. We take reasonable contractual and operational steps to ensure that your Personal Information receives protection consistent with applicable Canadian privacy standards regardless of where it is processed.

13. Amendments to This Policy

We reserve the right to amend this Policy at any time. All amendments will be effective upon posting of the revised Policy to the Service with an updated Effective Date. Where amendments are material, we will endeavour to provide reasonable notice through the Service or by email to the address associated with your account. Your continued use of the Service following the posting of any amendment constitutes your acceptance of the amended Policy. If you do not agree to any amendment, you must cease using the Service and may request deletion of your account pursuant to Section 9.

14. Contact Information

All questions, requests, complaints, or inquiries regarding this Policy or our privacy practices should be directed to:

Privacy Officer
CollectorHome Ltd
[email protected]