Privacy Policy — NumisLens

1. Introduction

NumisLens ("we", "us", or "our") operates a digital platform that allows users to catalog, manage, and organize coin and banknote collections. This Privacy Policy explains how we collect, use, store, and protect personal information when you use NumisLens.

By using NumisLens, you agree to the collection and use of information in accordance with this policy. If you are located in the European Economic Area (EEA), United Kingdom, or other jurisdiction with data protection laws, this policy also describes your rights and our legal obligations under those frameworks.

2. Information We Collect

Information you provide

Account information (email address)
Collection data (coin and banknote descriptions, images, condition, grades, values, attributions)
Optional uploads (invoices, receipts, or other documentation)
Feedback and support communications

Information collected automatically

IP address
Device and browser information
Pages visited and interaction events (only with your consent — see Section 9)
Authentication session tokens (strictly necessary for the service to function)

All collection data, images, values, and descriptions are user-submitted content. NumisLens does not independently verify, appraise, or authenticate this information.

3. Legal Basis for Processing

We process your personal data under the following legal bases as defined by the GDPR:

Contract: Processing your account information and collection data is necessary to provide the service you signed up for.
Consent: Analytics tracking (PostHog) is only activated when you explicitly accept analytics cookies via the consent banner. You may withdraw consent at any time.
Legitimate interest: Security logging, fraud prevention, and maintaining service integrity.

4. How We Use Information

We use collected information to:

Provide and operate the NumisLens platform
Display, organize, and export collection data
Process coin images through AI-assisted identification (see Section 6)
Support insurance-related organizational features
Improve functionality and user experience (with your consent)
Communicate with users regarding the service
Maintain security and prevent misuse

5. Data Sharing and Third-Party Processors

We do not sell personal data. We do not share your collection data with advertisers.

We use the following third-party processors to operate the service:

Supabase — database, authentication, file storage, and serverless functions.
Vercel — website hosting and content delivery.
PostHog — product analytics (US-hosted). Only activated with your explicit consent.
Anthropic — AI coin identification processing. Coin images submitted for identification are sent to Anthropic's API for analysis. Anthropic does not retain submitted images or use them for model training.

We may also disclose data to legal authorities when required by law. Collection data is never shared with insurers or third parties unless explicitly exported or shared by you.

6. AI Processing

NumisLens offers an AI-assisted coin identification feature. When you use this feature, your coin images are sent to Anthropic for analysis. The AI generates suggested attributions, ruler identifications, and other numismatic data.

This processing is initiated only by your explicit action (uploading an image for identification). AI results are suggestions only and are not used for any automated decision-making that produces legal or similarly significant effects.

7. International Data Transfers

Some of our third-party processors operate in the United States. Where personal data is transferred outside the EEA or UK, we rely on the processor's compliance with standard contractual clauses (SCCs), the EU-US Data Privacy Framework, or equivalent safeguards.

8. Data Storage and Security

We use commercially reasonable safeguards to protect user data, including encryption at rest and in transit, row-level security policies to isolate user data, and signed URLs for image access. However, no method of transmission or storage is 100% secure.

9. Cookies and Tracking

NumisLens uses two categories of cookies and local storage:

Strictly necessary: Authentication session tokens and consent preferences. Required for the service to function; do not require consent.
Analytics: PostHog product analytics. Only activated when you explicitly accept analytics via the cookie consent banner.

We do not use advertising, retargeting, or social media tracking cookies.

10. Data Retention

We retain user data while an account is active. When you delete your account, we delete your personal data, collection records, and uploaded images. Backup copies may persist for up to 30 days before being permanently removed.

11. Your Rights

Depending on your jurisdiction, you may have the right to:

Access — request a copy of the personal data we hold about you
Rectification — correct inaccurate or incomplete data
Erasure — request deletion of your personal data
Portability — receive your data in a structured, machine-readable format
Restriction — request that we limit processing of your data
Objection — object to processing based on legitimate interest
Withdraw consent — withdraw analytics consent at any time

To exercise any of these rights, contact us at dev@numis-lens.com. We will respond within 30 days.

12. Data Breach Notification

In the event of a data breach likely to result in a risk to your rights and freedoms, we will notify affected users without undue delay and, where required by law, notify the relevant supervisory authority within 72 hours.

13. Children's Privacy

NumisLens is not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will delete it promptly.

14. Changes to This Policy

We may update this Privacy Policy periodically. We will notify users of material changes by updating the "Last updated" date at the top of this page.

15. Contact

For privacy questions or to exercise your data rights, contact: dev@numis-lens.com