THE PRIVACY.
Last updated 2026-05-22. What we collect, why, who sees it, how long we keep it. We do not sell your data and we do not train third-party AI models on your content.
Account data: email, handle, display name, founding number, optional city + bio. You can edit or remove any of this anytime via /profile.
Vault data: items you add, photos you upload, story text, tags, visibility setting. You decide what's public, mutuals-only, or private.
Social data: room follows, posts, comments, salutes, saves. Salutes and follows are visible; saves are private to you.
Scan + identification data: photos + extracted feature descriptors you submit through Project Insight, plus a hash record + device fingerprint + IP hash for each scan attempt (audit log).
Coin data: edition number, metal, event tie, physical-twin shipping status. Founding coins surface publicly on your profile.
Push tokens (only if you opt in to notifications).
To run the Service. To identify items via Project Insight. To improve identification accuracy (Loop 1: user submissions; Loop 2: brand verifications; Loop 3: corrections). To prevent abuse (rate limits, anomaly detection, honeypot tripwires). To deliver physical coin twins. To communicate about your account.
We do NOT sell your personal data. We do NOT train third-party AI models on your content.
Public: items with visibility=public, your handle + display name + founding number + city if set, your public coins, your public profile bio.
Mutuals: items with visibility=mutuals.
Only you: items with visibility=private, your saves, your push tokens, your scan audit log.
HOARD staff: moderation queue contents (reports, pending submissions), audit logs, anything required to investigate a specific abuse report.
Brand Partners: items in their category they have authentication rights over; submissions tagged to their brand for verification review.
Feature descriptors extracted from photos you submit are compared against the proprietary reference database to identify items. The reference database stores descriptors, metadata, and provenance signals; it does NOT store raw photos linked back to individual users beyond what you upload to your vault or reference submissions.
Submissions enter a review queue and require trust-tier-scaled independent verifications before promoting to the reference database. Your submitter id is recorded against each accepted reference for audit + correction-event tracebacks.
Watermarking: scan API responses contain account-specific subtle variations. If watermarked data surfaces in a competitor or unauthorized export, we can trace the source.
Active account data: as long as the account is active. Archived vault items + posts: soft-deleted for 30 days, then hard-deleted. Scan audit log: 12 months (longer for entries flagged in abuse investigations).
Account deletion: request via /profile or email support@thehoard.social. We hard-delete personal data within 30 days; backups age out within 90 days.
You can view, export, correct, or delete your personal data at any time. EU/UK residents: GDPR rights including access, rectification, erasure, restriction, portability, and objection apply. California residents: CCPA rights apply. Write to privacy@thehoard.social.
We will not retaliate against rights exercises. We may verify identity before processing requests.
Encryption in transit (HTTPS) and at rest (Supabase managed). Row-level security policies gate every read. Photos in private buckets, signed URLs at render time. Per-user scoped storage folders. Column-level grants on sensitive denormalised counts (no client write access). Two-factor authentication ships in a future release; until then, use a strong unique password.
Our threat model for Project Insight is documented internally and shipped in phased protections (1-2d / 30d / 90d) per the founder's brief.
Privacy questions + rights requests: privacy@thehoard.social · Security disclosures: security@thehoard.social · General: support@thehoard.social.