Privacy Policy

Last updated 2026-06-29 · v2026-06-29

Who we are

Sereal is a personal collectibles tracker for cards and comics, operated by Brian Lehnen. This policy explains what we collect, why, and the choices you have. Questions or requests: privacy@serealbox.com.

What we collect

Account data: your email address and a securely hashed password (we never store your password in plain text).

Collection data you enter: cards, comics, costs, spend and sale records, wishlist, grading and sale plans, and any photos you upload.

Operational data: error diagnostics and server logs needed to keep the service reliable.

External lookups

To power comp, deal, and certification-lookup features, card and comic details you enter may be sent as search or lookup queries to third-party services: eBay, SoldComps, PSA, and CGC. We send only what those lookups require.

Connecting your eBay account (optional)

If you choose to connect your eBay account for purchase importing, we store an encrypted (sealed) eBay OAuth refresh token plus sync metadata; the token is encrypted at rest and is never exposed to your browser.

We import your eBay purchase and order data — item titles, seller usernames, prices, shipping, totals, timestamps, listing URLs, and the raw order record — so you can review and add purchases to your collection.

You can disconnect at any time. If eBay notifies us that you deleted your eBay account, we purge the eBay connection data we hold for you.

Service providers (subprocessors)

Supabase — database, authentication, and photo storage.

Google Cloud Run — application hosting and server logs.

Amazon SES — sending the deal-digest emails you opt into.

Sentry — error monitoring, configured not to capture IP addresses or personal data by default.

Plausible Analytics — privacy-friendly, cookie-free, aggregate visitor analytics on our public marketing pages only (no cross-site tracking, no personal profiles). It is not used inside your authenticated account.

Cookies

Inside your account we use only essential cookies required for sign-in and session security. We do not use advertising or cross-site tracking cookies. Plausible on our public pages is cookie-free.

Security & retention

Passwords are hashed, eBay tokens are sealed, and access is controlled and scoped to your account. We retain your data while your account is active and remove it when your account is deleted.

Your rights

You can request access to, an export of, or deletion of your data by contacting privacy@serealbox.com. During beta these requests are handled manually. You can also delete most records directly within the app.

Optional improvement metadata

Any future use of anonymized metadata to improve the product, support AI features, or power shared/community features is separate from the operation of your account, is off by default, and will only happen if you explicitly opt in. Any such use will be described separately, and your consent obtained separately, before any such collection begins.