Privacy Policy

Effective Date: July 3, 2026 (material changes published June 3, 2026 — 30-day notice per Section 11)
Last Updated: June 4, 2026

How GrailGuard collects, uses, and protects your data.

1. About This Policy

GrailGuard LLC ("we," "us," or "our") is a hand-carry courier service for high-value collectibles, organized as a limited liability company under California law. GrailGuard's customer-facing loss-coverage promise is a contractual reimbursement program funded directly from company reserves — it is not insurance, and GrailGuard does not transmit claim data to an insurance carrier or underwriter. This Privacy Policy explains what data we collect, what we do with it, and your rights. We wrote this in plain English — legal terms are in [brackets]. Effective date: July 3, 2026. Last updated: June 4, 2026.

2. What We Collect

We collect data three ways: what you give us, what we observe, and what third parties provide.

What You Give Us

  • Booking form: Your name, email, phone number, pickup address, delivery address, recipient name/email/phone, item description, declared value, and payment card details (via Stripe — we never see the full card number).
  • Account profile: Name, email, phone, age, U.S. state, what best describes you (collector, investor, or dealer), your Instagram/eBay (social or marketplace) handle, how you heard about us, the number of items over $25,000 you transported in the past 365 days, referral code, and saved payment method (last 4 digits only; the full card is stored by Stripe). The age, state, account-type, handle, referral-source, and high-value-item count are collected when you create a partner account and are used to verify eligibility (18+), understand our customer base, and improve our service.
  • Bookings over $10K: A government-issued photo ID (driver's license, passport, or state ID) uploaded to Stripe Identity for verification per banking regulations [KYC].
  • Courier background checks: If you become a courier, date of birth, last 4 digits of Social Security number, and a government ID image (handled by Checkr, our background-check vendor).
  • Evidentiary record at pickup and delivery: Multi-angle photographs of the item taken by the courier at the moment of pickup and again at delivery (multiple angles per checkpoint — typically 8 angles per single item and up to 28 angles per multi-item lot, depending on item type and capture mode). Each photo bundle is HMAC-signed so the record is tamper-evident. We retain these for the lifetime of the booking record plus seven (7) years to support coverage claims and chargebacks.
  • Recipient ID at delivery: When the courier arrives, they photograph the recipient's government-issued ID (driver's license, passport, or state ID) to verify identity before handing over the item. The recipient is asked to consent in person. If the recipient declines, the courier may refuse to complete the handoff. The image is stored alongside the booking record.
  • Recipient signature and release initials (biometric notice): The recipient signs for the delivery on the courier's phone and initials each section of the Customer Release of Liability + Waivers (five delivery-time sections covering identity, inspection, acceptance, concealed-damage rules, and arbitration; the separate booking-time release captures eight initialed acknowledgments by the Shipper). The signature image and per-section initials are stored alongside the booking record.
    Biometric retention by state:
    • Illinois (BIPA, 740 ILCS 14): signature image destroyed within 3 years of delivery or sooner if the initial purpose has been satisfied, whichever comes first.
    • Texas (CUBI, Bus. & Com. Code §503.001): signature image destroyed within 1 year after the purpose for collection expires, consistent with the “reasonable time, not later than one year” rule.
    • Washington (RCW 19.375): signature image retained only as long as reasonably necessary for the purpose of collection — typically the 1-year window unless an open claim, dispute, or legal hold extends it.
    • All other states: signature image retained for up to 7 years alongside the booking record, consistent with general commercial-records retention.
    In every jurisdiction, an irreversible cryptographic fingerprint (SHA-256) of the signature image is retained beyond the biometric scrub as one-way proof a signature was captured. The fingerprint is not a biometric identifier (it is a hash, not a biometric template) so no BIPA/CUBI/WA biometric-retention rule applies to it. Active claims, open disputes, or legal holds extend each window until resolution.
  • Delivery code verification: A six-digit code is sent to the recipient via SMS/email at booking. The recipient reads it aloud at handoff; the courier types it in. Verification timestamps are logged.
  • Courier GPS breadcrumbs: From the moment your assigned courier marks Pickup Complete until your shipment is marked Delivered, Cancelled, Returned, or 72 hours have elapsed (whichever comes first), the courier app submits a GPS coordinate to our server approximately every ten (10) minutes. Pings outside this active-delivery window are rejected at our server. The trail is visible to you in real time on the tracking page at neighborhood-level precision (~110 meters) during transit and at street-level precision only when the courier is within approximately 200 meters of the delivery address. Pings are retained for ninety (90) days from capture, after which they are automatically purged by a scheduled job (records associated with an open dispute or legal hold are retained until resolution). The courier app does NOT record GPS during the pre-pickup window, on off-duty time, or outside the active delivery window. The full courier-side terms — including the courier's rights of access, deletion, opt-out, and non-retaliation — are in the Location Monitoring Policy.
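The tamper-evident photo bundle described above (each pickup/delivery bundle HMAC-signed) and the one-way SHA-256 fingerprint that outlives the signature image can both be checked mechanically. The following is an added example written for this page, not GrailGuard's code: the manifest layout, the way the server-side key is passed in, and the sample photo bytes are all assumptions constructed here.

```python
"""Added example (not GrailGuard's code): a tamper-evident evidence bundle of
the shape the policy describes, plus the biometric scrub that keeps only a
one-way SHA-256 fingerprint of a signature image.
Assumptions: manifest layout, a single server-side HMAC key passed in by the
caller, and constructed sample bytes standing in for JPEG/PNG files."""
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    """One-way fingerprint of a blob; cannot be reversed into the image."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(booking_id: str, checkpoint: str, photos: dict) -> dict:
    """Bind each angle's content hash to the booking and checkpoint.

    `photos` maps an angle label ("front", "seal", ...) to the image bytes.
    Sorting makes the manifest independent of dictionary insertion order.
    """
    return {
        "booking_id": booking_id,
        "checkpoint": checkpoint,  # "pickup" or "delivery"
        "photos": [
            {"angle": angle, "sha256": sha256_hex(blob)}
            for angle, blob in sorted(photos.items())
        ],
    }


def canonical(manifest: dict) -> bytes:
    """Deterministic JSON so the same manifest always yields the same tag."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def seal_bundle(key: bytes, manifest: dict) -> str:
    """HMAC-SHA256 over the canonical manifest; this is the 'seal'."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_bundle(key: bytes, manifest: dict, tag: str, photos: dict) -> bool:
    """Return True only if the manifest is authentic and every photo matches.

    The constant-time compare avoids leaking how many tag bytes matched.
    """
    if not hmac.compare_digest(seal_bundle(key, manifest), tag):
        return False  # manifest edited, or signed with a different key
    recorded = {p["angle"]: p["sha256"] for p in manifest["photos"]}
    if set(recorded) != set(photos):
        return False  # an angle was added or dropped after sealing
    return all(sha256_hex(photos[a]) == recorded[a] for a in recorded)


def scrub_signature(record: dict) -> dict:
    """Biometric scrub: remove the signature image, retain only its fingerprint."""
    image = record.pop("signature_image", None)
    if image is not None and "signature_sha256" not in record:
        record["signature_sha256"] = sha256_hex(image)
    return record


# Constructed sample data (not real keys or photos).
KEY = b"example-server-side-hmac-key-replace-in-production"
PHOTOS = {
    "front": b"jpeg-bytes-front",
    "back": b"jpeg-bytes-back",
    "seal": b"jpeg-bytes-seal-strip",
}

if __name__ == "__main__":
    manifest = build_manifest("GG-EXAMPLE-1", "pickup", PHOTOS)
    tag = seal_bundle(KEY, manifest)
    print("authentic:", verify_bundle(KEY, manifest, tag, PHOTOS))
    altered = dict(PHOTOS, seal=b"replaced-seal-photo")
    print("after swapping one photo:", verify_bundle(KEY, manifest, tag, altered))
```

Verification fails if any photo is replaced, if an angle is added or removed, if the manifest's booking or checkpoint field is edited, or if a different key is used; the fingerprint left by the scrub lets a reviewer confirm a given signature file was the one captured without retaining the image itself.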

If You Are a Recipient (Not the Booking Customer)

If a GrailGuard customer arranges a delivery to you, we will process personal information about you to complete that delivery: your name, email, phone, delivery address, the photograph of your government-issued ID at the moment of handoff, your signature, your initials on the release waivers, and your delivery code. We process this data under the legitimate-interest basis (GDPR Art. 6(1)(f)) — completing the courier service the booking customer paid for — and to satisfy our coverage documentation requirements. If you are a California resident, you have the same rights under the CCPA (Cal. Civ. Code § 1798.100 et seq.) as our booking customers, including the right to know, delete, correct, and limit the use of your personal information. You have the same access, correction, deletion, and portability rights as our booking customers (see Section 7 below); contact support@grailguard.io referencing the tracking number you received.

What We Observe

  • Page views and events: Which pages you visit, how long you stay, clicks, form submissions tracked via Google Analytics 4 (opt-in; controlled by our consent banner).
  • Server logs: Your IP address, browser type and version, operating system, device model, page referrer, and any HTTP error responses.
  • Cookies: First-party only — gg_session_active (authentication), gg_cookie_consent_v1 (your choice on this banner), CSRF token, and Stripe-set cookies for fraud detection. No third-party ad cookies.
  • Error traces: If your browser encounters a JavaScript error, we capture the error message, line number, and URL (via Sentry). PII is redacted [best-effort].

What Third Parties Provide

  • Stripe: Payment verification, fraud signals, and refund status.
  • Checkr: Courier background-check results (pass/fail; we don't store criminal history details).
  • Stripe Identity: KYC verification result (pass/fail) for bookings ≥ $10K. The government-ID image is stored by Stripe per their retention policy; we delete our request record after verification.
  • Postmark: Email delivery status (bounce, open, click events).
  • Twilio: SMS delivery status and message receipt logs.

3. What We Do With It

  • Fulfill bookings: Connect you with a courier, process your payment via Stripe, and deliver your item.
  • Communicate: Send transactional emails (booking confirmation, delivery status, tracking updates) and support responses. SMS notifications for pickup/delivery.
  • Verify identity and prevent fraud: Run OFAC sanctions screening, Stripe Radar fraud checks, and government-ID verification (via Stripe Identity for bookings ≥ $10K) to comply with financial regulations [BSA, AML].
  • Track site usage: Measure page views, booking events, and conversion funnel via Google Analytics 4 (opt-in) and server-side PostHog events (always-on). We use this to understand which features work.
  • Comply with coverage documentation requirements: Maintain audit logs of booking details, photos, signatures, and delivery proof for coverage claim handling and dispute resolution.
  • Comply with BSA/high-value reporting: Bookings with declared value ≥ $10,000 are screened per the Bank Secrecy Act and reported as required by law.
  • Improve our product: Analyze site errors, feature usage, and user feedback to build a better booking experience.

4. What We DON'T Do

  • Sell your data: We do not sell your personal information to data brokers or advertisers. The one carve-out: if you expressly opt in to ad audience matching at booking, we share a hashed email and phone number with Meta/Google for advertising — see Section 5; you can withdraw at any time via /do-not-sell.html.
  • Share with marketers: We do not license your contact details to third-party marketing lists.
  • Third-party ad cookies: We do not set or allow ad networks to set cookies that track you across the web.
  • Facial recognition: We do not run facial-recognition matching against your photos, do not build face templates, and do not sell biometric data. Pickup and delivery photographs may incidentally contain identifiable faces (typically the courier's hand and the package; occasionally the recipient). When we share photos outside GrailGuard for a chargeback dispute or a coverage claim, we share only the minimum images required to defend the case, redact faces by hand or limit the share to images that do not contain faces (e.g. seal-strip close-ups, item-condition macros), and only to the specific counterparty (Stripe or our legal counsel). We do not share photos containing your or your recipient's face with any party for marketing, training, or general analytics, and we do not run any automated face-detection or face-blurring software on your photos today. If you would like us to delete specific photos earlier than our retention schedule (privacy §6), email support@grailguard.io.
  • Train AI on your booking data: We do not use your booking details to train large language models or other AI systems (your data remains your own).

Courier live location during active delivery

During the active delivery window for your booking — from the moment your assigned courier marks the shipment as picked up until it is marked delivered, cancelled, refunded, or returned — your courier's approximate geographic position is shown to the buyer and to the recipient on the GrailGuard tracking page. The courier app submits a GPS coordinate every ten (10) minutes during the active-delivery window; pings submitted outside this window are rejected server-side. Outside the active delivery window — before pickup, after delivery, and during the courier's off-shift time — we do not collect, store, or display courier location at all.

Precision shown to you: during the picked-up and in-transit phases, the position you see is rounded to approximately one hundred ten (110) meters — neighborhood level. When the courier is within approximately 200 meters of the delivery address during the final mile (Out For Delivery), the position is displayed at street-level precision (approximately 3 to 10 meters depending on GPS signal quality and hardware) to coordinate the physical handoff of your shipment. If the most recent ping is more than sixty (60) minutes old (e.g., the courier's phone has been locked or the tab is backgrounded), we show a "last seen" timestamp instead of a stale pin.
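The rules in the two paragraphs above (and the server-side rejection of pings outside the active window in Section 2) amount to a small, testable data-minimization policy. The following is an added example written for this page, not GrailGuard's tracking code: it assumes WGS-84 latitude/longitude, a simple equirectangular distance approximation, rounding to three decimal places as the "about 110 m" neighborhood grid, and that street-level display passes the device's raw fix through (its 3 to 10 m precision then comes from the GPS hardware, as the policy says).

```python
"""Added example (not GrailGuard's code): courier-location handling as the
policy describes it, written as plain functions so each rule can be checked.
Assumptions: WGS-84 lat/lon, an equirectangular distance approximation,
3-decimal rounding (~110 m) for the neighborhood grid, raw fix at street level,
and the constants quoted in the policy text."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import math

ACTIVE_STATUSES = {"picked_up", "in_transit", "out_for_delivery"}
ACTIVE_WINDOW = timedelta(hours=72)    # hard cap after Pickup Complete
STALE_AFTER = timedelta(minutes=60)    # older than this shows "last seen"
STREET_RADIUS_M = 200.0                # street-level only this close to the drop
COARSE_DECIMALS = 3                    # 0.001 deg of latitude is ~110 m
RETENTION = timedelta(days=90)         # purge window for stored pings


@dataclass
class Ping:
    lat: float
    lon: float
    at: datetime


def distance_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Equirectangular approximation; plenty accurate at a few hundred meters."""
    x = math.radians(lon2 - lon1) * math.cos(math.radians((lat1 + lat2) / 2))
    y = math.radians(lat2 - lat1)
    return 6371000.0 * math.hypot(x, y)


def accept_ping(status: str, pickup_at, now: datetime) -> bool:
    """Server-side gate: store a ping only inside the active-delivery window."""
    if status not in ACTIVE_STATUSES or pickup_at is None:
        return False  # not picked up yet, or already delivered/cancelled/returned
    return now - pickup_at <= ACTIVE_WINDOW


def display_position(ping: Ping, dest_lat: float, dest_lon: float, now: datetime) -> dict:
    """What the tracking page shows: 'last seen', street-level, or neighborhood."""
    if now - ping.at > STALE_AFTER:
        return {"kind": "last_seen", "at": ping.at.isoformat()}
    if distance_m(ping.lat, ping.lon, dest_lat, dest_lon) <= STREET_RADIUS_M:
        # Final approach: raw fix, so precision is whatever the handset gave.
        return {"kind": "street", "lat": ping.lat, "lon": ping.lon}
    return {
        "kind": "neighborhood",
        "lat": round(ping.lat, COARSE_DECIMALS),
        "lon": round(ping.lon, COARSE_DECIMALS),
    }


def purge_expired(pings, now: datetime, on_hold: bool = False) -> list:
    """Retention sweep: drop pings older than 90 days unless a hold applies."""
    if on_hold:
        return list(pings)  # open dispute / legal hold: keep everything
    return [p for p in pings if now - p.at <= RETENTION]


if __name__ == "__main__":
    now = datetime(2026, 7, 3, 12, 0, tzinfo=timezone.utc)
    dest = (37.7749, -122.4194)  # constructed delivery address
    in_transit = Ping(37.8000, -122.4194, now - timedelta(minutes=5))
    final_mile = Ping(37.7755, -122.4194, now - timedelta(minutes=5))
    print(display_position(in_transit, *dest, now))   # neighborhood grid
    print(display_position(final_mile, *dest, now))   # raw street-level fix
```

Rounding to a fixed grid rather than adding random jitter means two consecutive pings in the same block render as the same pin, so the coarse view cannot be sharpened by averaging several pings; the stale check keeps a locked phone from leaving a misleading "current" marker on the map.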

Courier consent and rights: GrailGuard's courier-side terms — including the data collected, the four permitted purposes of use, the 90-day retention window, and the courier's rights of access, deletion, opt-out, and non-retaliation — are set out in the Location Monitoring Policy. Every GrailGuard courier acknowledges this policy in writing before being assigned an active delivery, satisfying the more demanding of the applicable state notice statutes (NY Civil Rights Law §52-c, CT Gen Stat §31-48d, DE Code Title 19 §705, and the California Privacy Rights Act).

Customer use of courier location data: position data is shown to you for the purpose of tracking your active shipment. You may not retain, redistribute, or re-publish your courier's position. You may not use the position to derive the courier's home or off-shift location — only active-delivery positions are ever shown, and we delete the underlying records within 90 days of capture.

5. Third-Party Processors

We work with specialized vendors; each receives only the data it needs and is contractually bound to protect it.

Opt-in ad audience matching (CPRA “sharing”). If — and only if — you check the optional ads box at booking (“Allow GrailGuard to use my info to show relevant ads on other platforms”), we share a hashed (SHA-256) version of your email address and phone number with Meta and Google for ad audience matching. This constitutes “sharing” of personal information for cross-context behavioral advertising under the California Privacy Rights Act (CPRA). It is strictly opt-in — never the default — and you can withdraw your consent at any time via the Do Not Sell or Share My Personal Information form or by emailing privacy@grailguard.io. We share no other personal information (no name, address, item details, or booking history) with advertising platforms.

Vendor | What They Process | Where Data Goes | Privacy Policy
Stripe | Payment card details, billing address, transaction history, invoice metadata | Stripe's PCI-DSS compliant servers (US/EU) | stripe.com/privacy
Stripe Identity | Government-issued photo ID image, verification status (bookings ≥ $10K) | Stripe's verification servers (US/EU) | stripe.com/privacy
Checkr | Courier DOB, last 4 SSN, government ID image, background check result | Checkr's servers (US) | checkr.com/privacy
Postmark | Email address, transactional email body, bounce/open/click events | Postmark's servers (US) | postmark.com/privacy
Twilio | Phone number, SMS message body, delivery status | Twilio's servers (US) | twilio.com/legal/privacy
Sentry | JavaScript error traces, URL path, browser/OS type (PII redacted best-effort) | Sentry's servers (US) | sentry.io/privacy
OpenStreetMap & unpkg (Leaflet) | Map tile requests during active-delivery live tracking only. Tile servers see your IP and the map tiles you request (which approximate where on the map you are looking) but not your booking or courier identity. | OpenStreetMap Foundation tile servers (EU); unpkg CDN (US, Cloudflare) | OSMF privacy
PostHog | Page view events, booking events, user ID (anonymized per GDPR Article 32) | PostHog's servers (EU) | posthog.com/privacy
Google Analytics 4 | Anonymized page views, booking events, UTM parameters (opt-in) | Google's servers (US/EU) | policies.google.com/privacy
Cloudflare | IP address, HTTP headers, DDoS fingerprints (reverse proxy) | Cloudflare's edge network (global) | cloudflare.com/privacy
Railway | Application logs, database backups, server monitoring data | Railway's infrastructure (US) | railway.app/privacy
Duffel | Courier travel-leg booking: courier name, email, passport/ID number, flight numbers, dates, payment method. No customer or recipient PII transmitted. | Duffel's servers (EU/US) | duffel.com/privacy
Jest.Cards | PSA-tier shipment pickup coordination: tracking number, declared value, order number, card count, customer name (when pickup is at a Jest.Cards location). No payment data transmitted. | Jest.Cards' systems (US) | jest.cards/privacy
Mojobreak Sports Cards | PSA-tier shipment pickup coordination (Santa Clara, CA only): tracking number, declared value, order number, customer name. No payment data transmitted. | Mojobreak (US, Santa Clara, CA) | mojobreak.com/privacy

Data Processing Agreements. Each of the vendors above processes your Personal Data on GrailGuard's behalf under a written Data Processing Agreement (DPA) or equivalent Service Provider contract terms. Those agreements are auto-incorporated into the standard terms of service we accepted with each vendor at signup, which is what privacy law (GDPR Article 28, CCPA §1798.140) requires when a company shares Personal Data with a third-party processor. Where a vendor processes EU/UK Personal Data outside the EEA or UK, the transfer is made under the European Commission's 2021 Standard Contractual Clauses (Modules 2 or 3 as applicable) and, for UK data subjects, the UK International Data Transfer Addendum to the SCCs (IDTA). The current SCC / IDTA version on file with each vendor is available on request to support@grailguard.io. The DPAs spell out what data each vendor can process, what they can't do with it, how they handle a breach, and what happens to your data if our relationship with that vendor ends. The current published version of each vendor's DPA is publicly available at the privacy-policy link in the rightmost column of the table above. If you'd like a copy of a specific DPA — either the version GrailGuard is operating under today or the version that was in effect during a specific past period — email support@grailguard.io with the vendor name in the subject. We will respond within 5 business days with either the PDF from our records or, if the version you need predates our retention window, a direct link to the vendor's archived version.

6. Data Retention

  • Bookings: Personal-data columns (your name, email, phone, pickup and delivery addresses, recipient PII, government-ID numbers, signatures and initials, IP and user-agent metadata, free-text notes) are retained for 7 years from delivery as necessary to defend potential coverage claims and to comply with tax and financial-reconciliation obligations (Cal. Civ. Code §1798.105(d)(1) and §1798.105(d)(7); analogous exceptions under GDPR Article 17(3)(b) and 17(3)(e)). At year 7, those columns are automatically anonymized by our PII-retention sweeper, and the resulting de-identified row is retained for an additional 3 years (10 years total from delivery) solely for trend and operational analytics. After 10 years the row is permanently deleted.
  • Account info: Anonymized within 30 days of your deletion request. You have a 30-day grace window during which you can sign in and cancel the deletion; the cascade runs on the day the grace period ends, scrubbing identifying columns (name, email, phone, addresses) from your account, bookings, support messages, and claims. Some legally-required metadata is retained per financial regulations.
  • KYC documents (gov ID image): Stored by Stripe per their retention schedule. We don't store the image ourselves.
  • Background-check data (Checkr): Retained by Checkr per their policy; we delete our copy after hiring decision.
  • Payment metadata: Stripe retains card tokens and transaction records for dispute/chargeback handling (typically 3 years).
  • Transactional emails (Postmark): Retained for 90 days, then deleted.
  • Analytics events (PostHog): Raw, identifiable events kept for 12 months. After 12 months, automatically aggregated to non-personal counters and retained for business analytics.
  • Error logs (Sentry): Kept for 30 days, then deleted.
  • Server logs (IP, user-agent, referrer, HTTP error codes): Retained for 30 days, then deleted by log rotation.
  • First-party cookies: Per the expiry stated in Section 8 (session cookies cleared at sign-out; gg_cookie_consent_v1: 365 days; CSRF tokens: per-request).
  • OFAC sanctions and BSA screening logs: Retained for 5 years per 31 CFR §1010.430.
  • Support chat logs (recording disclosure): The in-page chat widget on this site records the full conversation, including the visitor's typed input and the AI/agent replies. Recordings are reviewed by GrailGuard staff to improve service, train our AI assistant, and resolve disputes. Two-party-consent jurisdictions (California — Cal. Penal Code §631/§632.7; Florida; Massachusetts; Illinois; Pennsylvania; Nevada; Washington; and similar states): the conspicuous notice rendered as the first message in the chat panel constitutes the disclosure required by these statutes, and continuing the conversation after that notice constitutes the visitor's consent to the recording. Visitors may close the chat panel or type STOP at any time to end the session. Recordings are retained for 90 days, then deleted by a scheduled job.
  • Evidentiary photo bundles (AR pickup + delivery scans): Kept for 7 years alongside the booking record so coverage claims and chargebacks can be substantiated even on items disputed years later. Each bundle is HMAC-signed at the moment of seal so authenticity is independently verifiable.
  • Recipient ID photographs: Kept for 7 years alongside the booking record, used solely to substantiate chain-of-custody for that specific delivery. Not used for any other purpose, not shared with third parties except as required by a coverage claim or law-enforcement subpoena.
  • Recipient signature + release initials: Kept up to 7 years alongside the booking record (mirrors the booking customer's release initials retention), subject to the state-tiered biometric schedule above (Illinois — destroyed within 3 years; Texas — within 1 year; Washington — only as long as reasonably necessary).
  • Courier GPS breadcrumbs: Kept for ninety (90) days from the date of capture, after which they are automatically purged by the courier-breadcrumbs-purge scheduled job (runs daily at 03:30 UTC). Records associated with an open dispute, chargeback, regulatory investigation, or legal hold are retained until resolution. The 90-day window aligns with the GrailGuard Location Monitoring Policy v1.2 §6 and is sufficient to support chain-of-custody dispute defense + per-mile reimbursement substantiation.

7. Your Data Rights

If you're in California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa (ICDPA), Delaware (DPDPA), New Jersey (NJDPA), Tennessee (TIPA), Indiana (ICDPA), New Hampshire (NHPA), Nebraska (NDPA), Maryland (MODPA), Minnesota (MCDPA), Rhode Island (RIDTPPA), Kentucky (KCDPA), or another state with a comprehensive consumer-privacy law, you have specific rights. If you're in the EU, UK, or EEA, GDPR (and UK GDPR) gives you additional rights. We honor a Global Privacy Control (GPC) browser signal as a valid opt-out of sale and sharing under California Civil Code §1798.135(b)(1)(A) and equivalent provisions in CO, CT, TX, OR, and other states whose laws recognize universal opt-out preference signals. Right to appeal: If we deny a privacy-rights request, you may appeal that denial by replying to our written response within sixty (60) days; we will provide a substantive written response on appeal within sixty (60) days of the appeal request (or longer where permitted by the applicable state statute), and we will tell you how to contact your state Attorney General if you remain dissatisfied with the outcome.

Rights Everyone Can Exercise (US State Laws + GDPR)

  • Right to know: You can request what personal data we hold about you and how we use it.
  • Right to access: You can download a copy of your data in machine-readable format (e.g., JSON). GrailGuard customers can do this instantly without contacting support: sign in and click "Download my data" on your account page or call GET /api/customers/me/export.
  • Right to delete: You can request deletion of your personal data, subject to legal retention obligations (e.g., evidentiary records for active or potential coverage claims under Cal. Civ. Code §1798.105(d)(7); tax and Stripe-reconciliation records under §1798.105(d)(1)). GrailGuard customers can initiate account deletion without support: sign in and click "Delete my account" or call DELETE /api/customers/account. We use a 30-day grace period so you can cancel before permanent anonymization. When the grace period ends, our automated cascade scrubs identifying columns from your account, bookings (customer + recipient name/email/phone, addresses), support messages, and claims; hard-deletes transactional records (already-sent SMS/email confirmations, saved addresses, stored payment metadata, notification preferences, promo redemptions, JWT revocation log); and retains evidentiary records (pickup/delivery photographs, recipient ID photo at handoff, signatures, GPS chain-of-custody, AR inspection seals, refund and payment records) for the 7-year coverage and chargeback window described in Section 6. Every deletion is recorded in our audit log so we can produce evidence of compliance on request.
  • Right to correct: You can ask us to fix inaccurate or incomplete data.
  • Right to opt-out of sale or sharing: We don't sell your data. If you opted in to ad audience matching at booking, that is “sharing” under the CPRA (see Section 5); you can opt out of it — or submit a precautionary opt-out — via our form at /do-not-sell.html or by emailing privacy@grailguard.io.
  • Right to non-discrimination (Cal. Civ. Code §1798.125): GrailGuard will never deny you service, charge you a different price, provide a different level or quality of service, or threaten any of these consequences because you exercised any of the rights listed above. If we ever offer a financial incentive program (loyalty rewards, referral bonuses, opt-in discounts) it is offered on an opt-in basis only; declining to participate has no effect on your account standing, your pricing, or your access to any GrailGuard service. The only exceptions to this guarantee are the narrow ones the statute itself permits: (a) features that genuinely cannot operate without the data you deleted (for example, your booking history will be empty after account deletion), and (b) financial incentive programs you have explicitly opted into, where the program's terms disclosed the relationship between the data you provide and the value of the incentive before you opted in. We will never use "value of data" arguments to deny core services to customers who exercise their privacy rights.

GDPR Rights (EU/UK/EEA Only)

If you are a resident of the European Union, United Kingdom, or any jurisdiction with GDPR applicability, you have the following rights regarding your personal data:

  • Right of Access (Article 15): You have the right to obtain confirmation of whether we process your data and to receive a copy of your personal data in a portable format. GrailGuard customers can exercise this right instantly and without a support ticket: sign in and call GET /api/customers/me/export (or use the “Download my data” button on your account page) to receive a single machine-readable JSON file containing your profile, bookings, addresses, photos, signatures, and consent records, per GDPR Article 20.
  • Right to Rectification (Article 16): You may request correction of inaccurate or incomplete personal data held by us.
  • Right to Erasure (Article 17): You may request deletion of your personal data, subject to legal retention obligations and legitimate business interests. Customers can now initiate deletion without contacting support: sign in and click “Delete my account” (or call DELETE /api/customers/account). We use a two-phase lifecycle: a 30-day soft-delete grace window during which you can still sign in and cancel, followed by hard anonymization (email, name, phone, and addresses scrubbed) after the window elapses. Financial records required by tax law remain in place per the retention windows below — roughly 3 years for payment metadata and 7 years for core account and booking records.
  • Right to Restrict Processing (Article 18): You may request limitation of how we use your data while we handle disputes or verify accuracy.
  • Right to Data Portability (Article 20): You may request your data in a structured, commonly-used, machine-readable format for transfer to another organization.
  • Right to Object (Article 21): You may object to processing based on legitimate interests or direct marketing. We will cease processing unless we have compelling reasons to continue.
  • Right Against Automated Decision-Making (Article 22): You have the right to opt-out of decisions based solely on automated processing that produces legal or similarly significant effects. The automated systems we use that could affect your booking are: Stripe Radar (payment fraud screening, can decline a charge before any GrailGuard human reviews it), Stripe Identity (government-ID verification for bookings ≥ $10,000; can decline KYC before human review), and KYC Stall Auto-Cancellation (if you do not complete Stripe Identity verification within 7 days of paying for a booking with declared value ≥ $10,000, the booking is automatically cancelled and refunded by rule kyc-stall-cron.cancelStalledKyc.7d; we send day-2 and day-5 reminder emails before the final cancellation, and the cancellation email itself contains the human-review contest channel — write to privacy@grailguard.io within 30 days to dispute and we will manually review the decision under our Article 22 procedure). If a booking was declined and you want human review of the decision, email support@grailguard.io with the subject "Human review of automated decision" and your booking attempt details. The support@ inbox is monitored by the GrailGuard founding team so a reviewer is always available. We will respond within 1 business day to acknowledge the request and within 5 business days to send our full written review. Our internal procedure is documented and auditable — every request is logged with timestamps so we can verify we met our commitment to you. If we uphold the original automated decision you have the right to a second human reviewer (we restart the 5-business-day clock for the second review) and the right to lodge a complaint with your local data protection authority (UK/EEA customers: ico.org.uk; California customers: oag.ca.gov).
  • Right to Lodge a Complaint: You may file a complaint with your local data protection authority regarding our processing practices.

California Automated Decision-Making Technology (CCPA-ADMT) Disclosures

If you are a California resident, you have additional rights under the California Consumer Privacy Act's Automated Decision-Making Technology regulations (CCPA-ADMT, finalized Q2 2026). For each automated system listed below, we disclose the inputs, the plain-English logic of the decision, and your rights of human review.

  • Stripe Radar (payment fraud screening). Inputs: card BIN, billing-address-vs-shipping-address mismatch, velocity of recent declined attempts on the card, device fingerprint, prior chargeback history of the card. Plain-English logic: Stripe Radar assigns a risk score from 0 to 100; charges with a risk score above Stripe's "elevated" threshold are declined automatically before any GrailGuard human reviews them. Effect: the charge fails and the booking does not complete.
  • Stripe Identity (KYC for bookings ≥ $10,000). Inputs: government-ID image, selfie, ID-vs-selfie biometric similarity, OFAC/PEP screening. Plain-English logic: Stripe Identity returns "verified" or "requires review"; "requires review" outcomes are escalated to GrailGuard for manual handling. Effect: the booking is held pending review.
  • KYC Stall Auto-Cancellation (rule kyc-stall-cron.cancelStalledKyc.7d). Inputs: time elapsed since payment for a booking with declared value ≥ $10,000, presence of a completed Stripe Identity verification record. Plain-English logic: if the Shipper has not completed Stripe Identity verification within 7 days of paying for a qualifying booking, the booking is automatically cancelled and refunded by this rule. We send day-2 and day-5 reminder emails before the day-7 cancellation, and the cancellation email itself contains the human-review contest channel. Effect: the booking is cancelled and the payment is refunded.

Human review SLA (California residents): If you want human review of an automated decision that affected your booking, email privacy@grailguard.io with the subject line "CCPA ADMT human review." We will acknowledge within 48 hours and complete the review within 5 business days. If we uphold the original decision, you have the right to a second human reviewer of equal or greater seniority (we restart the 5-business-day clock for the second review). You also have the right to lodge a complaint with the California Attorney General at oag.ca.gov regardless of the outcome.

How to Exercise Your GDPR Rights

To exercise any GDPR right, please submit a written request to privacy@grailguard.io with:

  • Your full name and email address
  • The right(s) you wish to exercise
  • Sufficient detail to identify your request
  • A copy of identification for verification purposes

We will respond to valid requests within 30 days (or 60-90 days if complex). We may request additional information to verify your identity before processing your request.

Right to Erasure / Right to be Forgotten (GDPR Article 17 & CCPA §1798.105)

To request deletion of your personal data, email privacy@grailguard.io with the subject line "Right to Erasure Request". Include your full name, the email address associated with the account, and (optionally) a booking tracking number. We will verify your identity and:

  • Acknowledge receipt within 10 business days (we typically respond within 1 business day) per CCPA §1798.130(a)(2)(B)
  • Complete the deletion within 30 days (extendable to 90 days for complex requests)
  • Confirm deletion in writing, including the categories of data removed

Certain records may be retained if required by law (e.g., tax records for 7 years, Stripe transaction records per financial regulations, or evidence relating to an open coverage claim). We will identify any such retained categories in our confirmation response. Delivery records older than 30 days past delivery are automatically removed from public tracking, independently of any erasure request.

8. Cookies

We use first-party cookies only — no third-party ad networks tracking you across the web.

  • gg_session_active: Stores your login token (HttpOnly, Secure, SameSite=Strict).
  • gg_cookie_consent_v1: Remembers your choice on our consent banner (365-day expiry).
  • CSRF token: Protects against cross-site request forgery on form submissions.
  • Stripe fraud detection: Stripe sets cookies for their own fraud detection (see Stripe's privacy policy).

You can manage cookies via our consent banner (shown on first visit) or your browser settings. Disabling essential cookies will break login and checkout. The Global Privacy Control (GPC) signal disables analytics cookies automatically.
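As an added illustration of the cookie behaviour described in this section (example code, not GrailGuard's own implementation): the session and consent cookies are emitted with the attributes listed above, and analytics cookies are allowed only when the visitor opted in and no Global Privacy Control signal is present. Only the two cookie names come from this page; the Path, Max-Age and consent-cookie SameSite settings, and the token format check, are assumptions.

```python
import re

# Cookie names are the ones this policy lists; everything else is assumed.
SESSION_COOKIE = "gg_session_active"
CONSENT_COOKIE = "gg_cookie_consent_v1"
CONSENT_MAX_AGE = 365 * 24 * 3600  # 365-day expiry, as stated in Section 8


def session_cookie_header(token: str) -> str:
    """Set-Cookie line for the login token: HttpOnly, Secure, SameSite=Strict."""
    # Refuse tokens containing characters that would need cookie escaping
    # (assumed check; avoids a token smuggling extra attributes into the header).
    if not re.fullmatch(r"[A-Za-z0-9._~-]+", token):
        raise ValueError("session token must be cookie-safe")
    return f"{SESSION_COOKIE}={token}; Path=/; HttpOnly; Secure; SameSite=Strict"


def consent_cookie_header(choice: str) -> str:
    """Set-Cookie line remembering the banner choice ('all' or 'essential')."""
    if choice not in ("all", "essential"):
        raise ValueError("unknown consent choice")
    # Not HttpOnly: the banner script may need to read it. SameSite=Lax is assumed.
    return (f"{CONSENT_COOKIE}={choice}; Path=/; Max-Age={CONSENT_MAX_AGE}; "
            "Secure; SameSite=Lax")


def analytics_allowed(headers: dict, cookies: dict) -> bool:
    """Decide whether analytics cookies may be set on this response.

    A 'Sec-GPC: 1' request header always wins: even a stored 'all' consent is
    overridden, matching the policy's statement that GPC disables analytics.
    """
    if headers.get("Sec-GPC", "").strip() == "1":
        return False
    return cookies.get(CONSENT_COOKIE) == "all"


def banner_needed(cookies: dict) -> bool:
    """The consent banner is shown on first visit, i.e. until a choice is stored."""
    return CONSENT_COOKIE not in cookies
```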

9. How We Protect Your Data

  • TLS in transit: All connections to grailguard.io are encrypted with TLS 1.3.
  • AES-256 at rest: Sensitive data (booking details, addresses, driver's license images) is encrypted in our PostgreSQL database on Railway.
  • Cookies: Authentication cookies are HttpOnly (no JavaScript access), Secure (HTTPS-only), and SameSite=Strict (no cross-site submission).
  • CSP/HSTS/Permissions-Policy: HTTP security headers prevent XSS, clickjacking, and camera/microphone access.
  • Stripe card handling: We never see card numbers — Stripe collects them in their PCI-DSS compliant environment.
  • Sentry error logs: PII is redacted on a best-effort basis (email, phone, token patterns stripped).
  • Breach notification: If we suffer a data breach, we'll notify affected customers in the most expedient time possible and without unreasonable delay, consistent with California Civil Code §1798.82 (and within 72 hours where the GDPR applies).
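To illustrate the best-effort PII redaction described for error logs (added example, not GrailGuard's code): a before-send hook that strips email, phone and token-looking values from an error event before it leaves the server, and blanks well-known secret-bearing keys outright. The regex patterns, the key list and the event shape are assumptions; real error-reporting SDKs accept a callback of this general form.

```python
import re

# Assumed patterns: tuned for readability, not completeness (hence "best-effort").
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
TOKEN_RE = re.compile(r"(?i)(bearer\s+|token=|api[_-]?key=)[A-Za-z0-9._~+/=-]{16,}")
LONG_SECRET_RE = re.compile(r"\b[A-Fa-f0-9]{32,}\b")   # hex session ids, API secrets
PHONE_RE = re.compile(
    r"(?<![A-Za-z0-9])(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?![A-Za-z0-9])")
# Keys whose whole value is dropped regardless of content (assumed list).
SENSITIVE_KEYS = {"password", "authorization", "cookie", "set-cookie", "gg_session_active"}


def redact_text(text: str) -> str:
    """Replace PII-looking substrings with placeholders.

    Order matters: long hex secrets are removed before the phone pattern runs,
    otherwise a digit run inside a hex token could be mistaken for a phone number.
    """
    text = EMAIL_RE.sub("[email]", text)
    text = TOKEN_RE.sub(r"\1[token]", text)      # keep the 'Bearer ' prefix for context
    text = LONG_SECRET_RE.sub("[token]", text)
    text = PHONE_RE.sub("[phone]", text)
    return text


def scrub(value):
    """Walk a nested event (dicts, lists, strings) and redact in place of copies."""
    if isinstance(value, str):
        return redact_text(value)
    if isinstance(value, dict):
        return {k: ("[redacted]" if str(k).lower() in SENSITIVE_KEYS else scrub(v))
                for k, v in value.items()}
    if isinstance(value, list):
        return [scrub(v) for v in value]
    return value  # numbers, booleans, None pass through unchanged


def before_send(event: dict, hint=None) -> dict:
    """Hook shape used by common error-reporting SDKs: return the event to send."""
    return scrub(event)


# Constructed sample event, not a real log record.
SAMPLE_EVENT = {
    "message": "login failed for jane.doe@example.com from +1 (415) 555-0199",
    "request": {"headers": {"Authorization": "Bearer abcdefghijklmnopqrstuvwxyz0123",
                            "User-Agent": "Mozilla/5.0"},
                "cookies": "gg_session_active=0123456789abcdef0123456789abcdef"},
    "breadcrumbs": ["GET /api ok", "called /api with Bearer abcdefghijklmnopqrstuvwxyz0123"],
}
```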

10. Children

GrailGuard services are for adults aged 18 or older. We do not knowingly collect personal information from anyone under the age of 13 (per the Children's Online Privacy Protection Act, "COPPA"), nor from anyone aged 13–17 without parent or guardian consent. For EU/EEA residents, GDPR Article 8 applies; we treat the higher of (a) the member-state digital-consent age (which member states set between 13 and 16) or (b) our 18+ Terms of Service threshold as the floor for processing — in practice this means we will not knowingly process the personal data of any user under 18 regardless of jurisdiction. We do not condition our services on the collection of information beyond what is reasonably necessary to complete a booking.

For bookings of $10,000 or more, we collect a government-issued photo ID via Stripe Identity for KYC verification. If verification indicates the customer is under 18, the booking is declined and the ID image is deleted from our request record. For bookings under $10,000 we do not affirmatively verify age, but our Terms of Service §3 requires customers to be 18+, and any user who indicates they are under 18 may not proceed.

If you are a parent or guardian and believe your child under 18 has provided us with personal information, please email privacy@grailguard.io with the subject "COPPA request" — we will delete the information from our systems within 10 business days and confirm the deletion to you in writing.

11. Changes to This Policy

For non-material updates (typographical corrections, contact-information changes, clarifications that do not reduce your rights or expand our processing), the updated Privacy Policy is effective when posted to our website. For material changes that affect your rights or expand the categories of data we collect or share (including changes to retention periods, third-party recipients, or international transfers), we will give you at least thirty (30) days' advance notice by email to the address on your account or by in-app notification before the change takes effect. We will re-prompt for cookie consent when required. Material changes will not apply retroactively to data already collected under the prior policy. Your continued use of GrailGuard after the notice period constitutes acceptance of the updated policy; if you do not agree, you may stop using the Services and request account closure before the new policy takes effect. This mirrors the material-change protections in Section 13 of our Terms of Service.

Effective date: July 3, 2026. Last updated: June 4, 2026.

12. Contact

Privacy Rights Requests (CCPA / GDPR access, deletion, correction, limit-SPI): privacy@grailguard.io. You may also submit Privacy Rights Requests using the webform at /do-not-sell.html. These two methods are GrailGuard's designated Privacy Rights Request channels under CCPA Reg §7060.

Security vulnerabilities: security@grailguard.io (see /.well-known/security.txt for coordinated disclosure policy under RFC 9116)

EU/UK data-protection inquiries: dpo@grailguard.io. GrailGuard, LLC is a U.S.-based company that engages in only occasional processing of EU/UK Personal Data and does not target the EU/UK market; we rely on the GDPR Art. 27(2)(a) exemption from the requirement to designate an EU/UK representative, and we have not designated a Data Protection Officer under GDPR Art. 37. This address routes to a privacy-trained reviewer who responds within 10 business days for initial acknowledgment.

Accessibility issues: accessibility@grailguard.io for any ADA Title III or Unruh-Act-related accessibility request or feedback.

All other inquiries: support@grailguard.io

Website: grailguard.io

Jurisdiction: State of California, USA

Operational note: each of the addresses above is monitored as a single internal queue, but the addresses are retained as the published channels of record so that machine-readable contracts (RFC 9116 security.txt, the U.S. Copyright Office Designated Agent registration, and GDPR Article 27 representative designations where applicable) remain valid.

EU/UK residents can lodge a complaint with their local data protection authority: Italy (GPDP), Germany (BfDI), France (CNIL), UK (ICO), or their country's DPA.