Privacy Policy
Last updated: 2026-05-11. We try to collect as little as possible.
What we collect
- Account: username, email, hashed password (bcrypt — we never see your real password).
- Profile: optional bio, avatar emoji, off-platform contact handles you choose to publish (Discord / eBay / Instagram / X / Telegram / Whatnot).
- Submissions: sale data you submit (card, grade, price, source URL or cert number).
- Collection & watchlist: the card IDs, graders, grades, and optional notes you record for your own collection or watchlist.
- Activity: pages you view, items you watchlist or favorite, last-seen time.
What we don't collect
- Payment card numbers — we don't process payments. If/when Stripe-powered Premium subscriptions are enabled, Stripe handles all card data and we only see a customer ID.
- Direct messages — we do not host user-to-user messaging. Conversations between buyers and sellers happen entirely on third-party platforms (Discord, eBay, Instagram, etc.) and are subject to those platforms' privacy policies, not ours.
- Photos — we do not host user-uploaded images.
- Your real name, address, or phone number.
- Tracking cookies from advertising networks — there are none.
What we use it for
- Operating your account and preventing fraud / abuse
- Calculating market prices and showing them to other users
- Sending notifications you opted into (watchlist alerts)
- Ranking submissions for accuracy and reputation
Public information
The following information is visible to anyone who visits your profile or the
/for-sale directory: your username, tier, reputation, bio, avatar, joined
date, public collection items, favorites, items you've flagged "open to offers," and any
off-platform contact handles you've chosen to publish. You control all of this from
your settings page.
Cookies
We use a single signed-cookie session token to keep you logged in. No third-party analytics or advertising cookies.
Sharing
We don't sell your data. Aggregated price data (no usernames or PII) may be shown publicly as part of price charts. Submission history is public on your profile by default.
Your rights (UK GDPR / EU GDPR / CCPA)
You can:
- Access & portability — download a JSON copy of your data at /me/export. We aim to respond to other access requests by email within 30 days as required by UK GDPR.
- Correct inaccurate data via your profile or by emailing us
- Delete your account — removed immediately on confirmation. Submitted public sale data is retained but anonymized (detached from your username) for market integrity.
- Withdraw consent for notifications at any time
Data retention
Account data: kept while your account is active. After deletion: account record and personal data are removed immediately. Verified sale submissions are retained anonymized (with no link to your user record) for market integrity.
Security
Passwords are bcrypt-hashed. Sessions use signed, HTTP-only cookies. Database backups are encrypted at rest. If we ever suffer a breach we'll notify affected users within 72 hours, in line with UK GDPR.
To report a suspected breach: email support@lazylabs.uk with the word
BREACH in the subject. We will acknowledge within 24 hours.
Children
CheckAGrade is intended for users aged 18 and over. We do not knowingly collect data from users under 18; if we become aware that an account has been created by someone under 18 we will remove it.
Contact
support@lazylabs.uk for any privacy questions or data-access requests.