Privacy Policy — TrueSpec BMX

TrueSpec BMX LLC ("TrueSpec," "we," "us," "our") is committed to protecting your personal information. This Privacy Policy explains what data we collect, why we collect it, how we use it, and your rights regarding that data. It applies to all users of truespecbmx.com regardless of location. If you are in the European Union or California, additional rights apply as described in Sections 9 and 10.

1.Data We Collect

1.1 Account Data

When you create an account: email address, display name (optional), password (stored as a cryptographic hash — never in plaintext), and account creation date.

1.2 Payment Data

Payment processing is handled by Stripe, Inc. TrueSpec does not receive, store, or process raw payment card numbers. We retain: transaction ID, purchase amount, purchase date, and product purchased.

1.3 Valuation Data

Bike configuration data and photos you submit for valuation. Listing URLs you submit. Valuation outputs and reports generated from your submissions.

1.4 Portfolio Data

Collection records you choose to save, including bike details and estimated values.

1.5 Usage Data

Pages visited, features used, time spent, IP address, browser type, device type, and referring URLs. Collected automatically via server logs and analytics.

1.6 Community Contributions

Factory specification corrections or additions you submit to the community database.

2.How We Use Your Data

—To operate and provide the valuation service.

—To generate, store, and deliver valuation reports.

—To process payments via Stripe.

—To send transactional emails: report delivery, account notifications, price alerts.

—To improve platform accuracy using anonymized, aggregated data.

—To detect and prevent fraud and abuse.

—Marketing communications — only with your consent. Opt out any time.

3.AI and Automated Processing

Photos and listing text you submit are processed by OpenAI's GPT-4o API for component extraction. OpenAI's API terms state that data submitted via API is not used to train their models. We do not share your photos with any party other than OpenAI for this specific purpose.

Valuation outputs are generated by our proprietary algorithm — no human manually reviews individual submissions unless you contact support.

4.Third-Party Data Processors

ProcessorPurposePrivacy Policy

SupabaseDatabase and authenticationsupabase.com/privacy

Stripe, Inc.Payment processingstripe.com/privacy

OpenAIAI component extraction from photosopenai.com/privacy

Vercel, Inc.Hosting and infrastructurevercel.com/legal/privacy-policy

ResendTransactional email deliveryresend.com/legal/privacy-policy

5.Data Retention

—Account data: retained for the life of your account plus 3 years after deletion.

—Valuation reports: retained indefinitely as part of our comparable sales history (anonymized after account deletion).

—Payment records: retained 7 years for tax and accounting compliance.

—Usage data: retained 2 years in aggregated form.

—Support communications: retained 3 years.

6.Data Security

We implement industry-standard security measures: TLS encryption in transit, AES-256 encryption at rest in Supabase, bcrypt password hashing, row-level security on all user data, and regular security reviews. In the event of a breach affecting your data, we will notify you as required by applicable law.

7.Cookies and Tracking

We use cookies for: session authentication, remembering preferences, and anonymous analytics. You can disable cookies in your browser settings, but some features may not function correctly without them.

8.Data Sharing

We do not sell your personal data. We share data only:

—With processors listed in Section 4, for the purposes stated.

—With law enforcement or government authorities when legally required.

—In connection with a merger, acquisition, or sale of TrueSpec, with notice to you.

—In anonymized, aggregated form that cannot identify you individually.

9.European Union — GDPR Rights

If you are in the EU or EEA, you have the following rights under the General Data Protection Regulation:

—Access: Request a copy of the personal data we hold about you.

—Rectification: Request correction of inaccurate data.

—Erasure: Request deletion of your data (subject to legal retention requirements).

—Portability: Receive your data in a structured, machine-readable format.

—Restriction: Request that we limit processing of your data in certain circumstances.

—Objection: Object to processing based on legitimate interests or for direct marketing.

To exercise these rights: privacy@truespecbmx.com

10.California — CCPA Rights

California residents have the right to: know what personal information is collected and how it is used; request deletion of personal information; opt out of the sale of personal information (TrueSpec does not sell personal data); and not be discriminated against for exercising these rights.

To exercise your rights: privacy@truespecbmx.com

11.Children's Privacy

The Service is not directed to children under 13. We do not knowingly collect personal data from children under 13. If you believe we have inadvertently collected data from a child, contact us at privacy@truespecbmx.com.

12.Changes to This Policy

We will notify registered users by email and post the updated policy with a new effective date at least 30 days before material changes take effect.

13.Contact

Privacy questions: privacy@truespecbmx.com

Legal: legal@truespecbmx.com