Black Label Vault
Privacy Policy
Effective date: May 27, 2026 · Last updated: May 27, 2026
Plain English summary: We collect the minimum needed to run your collection vault — your email, your card data, and a few technical signals to keep the site secure. Your card photos stay in your browser. We don't sell your data, run ads, or use it to train AI models. You can email us anytime to see, export, correct, or delete what we have.
This Privacy Policy describes how Black Label Vault ("we," "us," or "our") collects, uses, stores, and shares information when you use blacklabelvault.com (the "Service"). It applies alongside our Terms of Service.
This Service is intended for users in the United States. We do not target users outside the U.S. If you access the Service from outside the U.S., you do so on your own initiative and at your own risk; your data will be processed and stored in the United States.
1. Who We Are
Black Label Vault is operated by Black Label Vault, an independent platform for managing sports card collections at blacklabelvault.com. The data controller of personal information collected via the Service is Black Label Vault.
For questions about this policy or to exercise any of the rights described below, contact privacy@blacklabelvault.com.
2. Information We Collect
2.1 Information you give us directly
- Account information: your email address and a password you choose. The password is stored by our authentication provider (Supabase) as a one-way hash; we cannot see it.
- Collection data: the cards you enter into your vault, including player name, year, set, manufacturer, card number, variation, grade, grader, certification number, sport, and any notes or tags you add.
- Financial data you choose to enter: cost basis, purchase date, current value, and sold-ledger entries (sale price, sale date, fees, net proceeds, realized P&L, platform). This is optional — the Service works without it.
- Card photos: photos you upload of your cards. Photos are stored only in your browser's local storage on your device. They are never uploaded to our servers, except temporarily when you use the AI Scanner or AI Grade features (see Section 4).
- Subscription tier: Free, Pro, or Elite, plus the timestamps of tier changes.
- Wishlist and price-alert preferences: any cards you add to your wishlist and any target prices you set for alerts.
- PSA certificate numbers: when you use the PSA cert lookup, we send the cert number to PSA's public API and store the cert details, including the URLs of cert images hosted on PSA's CDN (we do not download or rehost the images).
2.2 Information collected automatically
- Authentication session cookie: a session token (set by our authentication provider as sb-lyyntnjdxabgbmntagiv-auth-token) that keeps you signed in between visits. Deleting it signs you out.
- Server logs: our hosting provider (Netlify) and our backend (Supabase) log incoming requests including IP address, User-Agent string, and timestamp, for security, abuse prevention, and debugging.
- BLV Score cache: when the Service computes a BLV Score for one of your cards, we cache the result (score, signal, confidence, contributing factors) in our database for up to 24 hours to avoid recomputing the same values.
- Scanner feedback: when you use the AI Scanner, we log what the AI predicted, what you confirmed or corrected, and how long the interaction took. This helps us measure and improve identification accuracy. Each row is tied to your user ID and is deleted when you delete your account.
- Anti-abuse signals: on the signup form, Cloudflare Turnstile passively collects technical signals from your browser (such as hardware characteristics, navigator properties, and timing measurements) to verify that the request is from a human user. These signals are processed by Cloudflare and are subject to Cloudflare's Privacy Policy. We do not see or store the raw signals; we only receive a pass/fail token.
2.3 Information we don't collect
- We don't collect your name, phone number, mailing address, date of birth, or government ID.
- We don't run third-party analytics, advertising trackers, or marketing cookies. We have no Google Analytics, no Meta Pixel, no Mixpanel, no Segment, no ad network code.
- We don't sell your personal information to anyone. We don't share it with marketing partners.
- We don't use your card data, card photos, or AI scanner feedback to train AI models — ours or anyone else's.
3. How We Use Information
We use the information described above for the following purposes:
- To provide the Service: create and maintain your account, display your collection, run the AI features you trigger, look up market values, look up PSA certificates, generate Excel exports.
- To compute the analytics you see: portfolio value, gains and losses, BLV Scores, trend reads, market signals, milestones.
- To keep the Service running and secure: server-log monitoring, rate-limit enforcement, anti-abuse challenges, error tracking, and bug investigation.
- To improve the Service: we use aggregate Scanner Feedback data to measure identification accuracy over time. We do not look at individual users' data for product decisions.
- To communicate with you: we use your email only for transactional messages (account verification, password reset, billing receipts when subscriptions launch, account-deletion confirmation, and material privacy-policy changes). We do not send marketing email today; if that ever changes, we'll ask you to opt in.
4. AI Processing
The Service uses Anthropic's Claude AI to power four features:
- Card identification (AI Scanner): a photo you capture of a card is sent to Anthropic for identification of the player, set, year, manufacturer, parallel, and card number.
- Card valuation: the card's identifying details (year, player, set, grade, sport) are sent to Anthropic for an estimated market value. No card photos and no account information are included on the value-lookup path.
- Portfolio insights: aggregate totals from your collection (total value, sport breakdown, top cards by value) are sent to Anthropic to generate written insights. No card photos and no account identifiers are included.
- AI grading (Pro and Elite, user-initiated only): when you tap "Grade This Card," front and (optionally) back photos of that card are sent to Anthropic for a condition estimate on the PSA 1–10 scale.
For all four features, we do not send your email, account ID, name, IP address, or any other personally identifying information to Anthropic. Anthropic processes the request under its own privacy policy and usage policy, and does not use API inputs to train its models.
AI estimates are not professional grading or financial advice. Card grade estimates from the AI Scanner are guidance only — not a guarantee of what PSA, BGS, SGC, or CGC will assign if you submit the card. Market value estimates and BLV Scores describe observed market activity, not investment recommendations. Submit cards to a certified grading service for official grades, and consult a qualified professional before making financial decisions about your collection.
You control whether AI runs. AI features only run when you take an explicit action (tapping Scan, Grade This Card, Refresh Value, Generate Insights, etc.). We do not run AI on your data passively in the background.
Photos in the background of a scan. When you capture a card with the AI Scanner, the photo you submit may incidentally include items in the background of the shot. Please make sure no personal documents, faces, screens, or identifying information are visible before scanning. Anthropic receives the entire photo, not just the card portion.
5. Cookies and Local Storage
5.1 Cookies
| Cookie | Purpose | Set by |
| sb-lyyntnjdxabgbmntagiv-auth-token | Keeps you signed in. Without it you'd have to log in on every page load. | Supabase Auth |
We do not set tracking cookies, advertising cookies, or analytics cookies.
5.2 Browser local storage
The Service uses your browser's local storage for performance and personalization. Items stored on your device include:
| Key | Purpose |
| blv_added_* | Cached copy of your card collection for fast page loads. |
| blv_photos_* | Your card photos (kept locally; never uploaded except during AI features). |
| blv_profile | Cached subscription tier and profile fields. |
| blv_plan_* | Cached plan tier for paywall gating. |
| blv_theme | Your light / dark mode preference. |
| blv_photo_setting / blv_photo_consent | Photo display preferences and photo-library access consent. |
| blv_milestones | Which collection milestones you've already seen. |
| blv_last_sync | Timestamp of your last sync, to decide when to refresh. |
| blv_events_log | A small in-browser log (most recent 200 events) of feature usage such as paywall prompts and successful exports. Used to debug client behavior; not transmitted off your device. |
| blv_consent_v1 | Records that you've seen the storage-use notice. |
You can clear all of these at any time from your browser's site-settings panel. Clearing them will sign you out, remove your photo library, and reset preferences; your server-side data (account, collection in our database) is unaffected.
6. Third-Party Services (Sub-processors)
To deliver the Service, we share specific data with the third parties below. Each operates under its own privacy policy.
| Provider | Role | Data shared |
| Supabase, Inc. | Database, authentication, account hosting | Your email, account record, collection, BLV Scores, scanner feedback |
| Anthropic, PBC | AI model (Claude) for scanning, grading, value, insights | Card metadata and (Scanner / Grade only) card photos. No account identifiers. |
| eBay, Inc. | Market value lookups via the eBay Browse API | Search query strings (year, player, set, grade) — server-to-server only. No information about you is sent. |
| Professional Sports Authenticator (PSA) | Public certificate lookup | PSA cert numbers you enter — server-to-server only. |
| Cloudflare, Inc. | Turnstile anti-abuse challenge on the signup form | Browser signals collected by Turnstile during the challenge |
| Netlify, Inc. | Web hosting, serverless functions, request routing | HTTP request metadata including IP, User-Agent, request path |
| Google LLC (Google Fonts) | Typeface delivery (loaded on every page) | IP, User-Agent, and Referer header sent on each font request |
| Cloudflare (cdnjs) | JavaScript libraries (e.g., Excel export library) delivered on demand | IP, User-Agent, and Referer header sent when a library is loaded |
| jsDelivr | JavaScript libraries delivered on demand | IP, User-Agent, and Referer header sent when a library is loaded |
| Stripe, Inc. (upcoming) | Payment processing for Pro and Elite subscriptions, once launched | When subscriptions launch: payment card information is sent directly to Stripe by your browser; we never see or store it. We will receive only a Stripe customer ID and subscription status. |
If we add a new sub-processor, we'll update this list and the "Last updated" date at the top of this page. If you'd like to be notified of material privacy changes, write to privacy@blacklabelvault.com and we'll add you to the notification list.
7. Where Your Data Is Stored
Account records, collection data, BLV Scores, and scanner feedback are stored in the United States by Supabase. Server logs (including IP addresses) are held by Netlify in the United States.
This Service is intended for U.S. users only and we do not advertise or solicit business outside the U.S. If you access the Service from outside the United States, you understand that your information will be transferred to, stored in, and processed in the United States, and you consent to that transfer.
8. How Long We Keep Data
- Account and collection data: kept for as long as your account is active. If you delete your account, we permanently remove your account record, collection rows, BLV Scores, and scanner feedback within 30 days.
- BLV Score cache: automatically expires after 24 hours. Stale entries are overwritten on the next computation.
- Server logs: retained by Netlify and Supabase per their default log-retention policies (typically 30–90 days), then purged automatically.
- Browser local storage: persists on your device until you (or your browser) clear it. Not retained by us once you sign out on that device.
- Backups: Supabase maintains routine database backups for disaster recovery. Deleted account data may persist in a backup for up to 30 days before the backup itself rolls over.
- Transactional emails: we retain a record of transactional messages we've sent you (password resets, billing receipts, deletion confirmations) for at least 12 months for security and dispute resolution.
9. Your Rights
You have the following rights regarding your information. Some are available as in-app features; for others, email us and we'll respond within 30 days.
- Access: request a copy of the personal data we hold about you. Email privacy@blacklabelvault.com.
- Export (portability): Pro and Elite subscribers can use the in-app Export to Excel feature to download a complete copy of their collection and sold ledger as a spreadsheet. Free-tier users can request an export by email.
- Correction: edit any card record directly in the app. For account-level fields, email us.
- Deletion: request account deletion by emailing privacy@blacklabelvault.com from the address on your account. We'll confirm receipt within a few business days and complete deletion within 30 days. (A self-service Delete Account button is on our roadmap; this policy will be updated when it ships.)
- Withdraw consent: for any feature that depends on stored consent (e.g., photo library access), you can withdraw it from in-app settings, which will remove the relevant data from your device.
- Object to AI processing: AI features are user-initiated only. If you don't want any of your data processed by AI, simply don't use the AI Scanner, AI Grade, Refresh Value, Insights, or Trend features. You can continue to use the rest of the Service normally.
- Complain: we'd rather hear from you directly first. Email privacy@blacklabelvault.com and we will work to resolve the concern.
10. Data Security
We take reasonable measures to protect your information:
- Encryption in transit: the entire Service is served over HTTPS with HSTS enforced. Browsers will not load the site over an unencrypted connection.
- Encryption at rest: Supabase encrypts stored data and password hashes at rest using industry-standard mechanisms.
- Row-Level Security: our database is configured so that each user's rows are only accessible to that user (and to our limited-access service accounts for support). One user cannot read another user's data.
- API key handling: third-party API credentials (Anthropic, eBay, PSA, Stripe) are stored as server-side environment variables. They are never present in any file delivered to your browser.
- Content Security Policy: the Service enforces a strict Content Security Policy that blocks unauthorized scripts and external connections.
- No payment-card storage: when subscriptions launch, payment cards will be handled entirely by Stripe. We will never see or store your card number.
No system is perfectly secure. If we ever become aware of a security incident that materially affects your data, we will notify affected users by email without undue delay.
11. Children's Privacy
The Service is not directed at children under 13, and we do not knowingly collect personal information from anyone under 13. If you believe a child under 13 has created an account, contact privacy@blacklabelvault.com and we will delete the account and any associated data.
If you are between 13 and 18, please use the Service only with the involvement of a parent or guardian.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we'll update the "Last updated" date at the top of this page. For material changes, we'll also send a notice to the email address on your account.
Continued use of the Service after a material change has been announced constitutes acceptance of the updated policy.
13. California Residents (CCPA / CPRA)
If you are a California resident, you have specific rights under the California Consumer Privacy Act and California Privacy Rights Act:
- The right to know what categories of personal information we collect and the sources, purposes, and recipients of that information (all disclosed in Sections 2, 3, and 6 above).
- The right to request deletion of personal information we hold about you, subject to limited exceptions (Section 9).
- The right to correct inaccurate personal information (Section 9).
- The right to opt out of the sale or sharing of personal information. We do not sell or share personal information for cross-context behavioral advertising, so there is nothing to opt out of today.
- The right not to be discriminated against for exercising these rights.
To exercise any of these rights, email privacy@blacklabelvault.com from the address on your account. We may ask you to verify your identity before responding.