Privacy Policy
Your gear records can reveal what you own, what it’s worth, and where it lives. We treat that like financial data: private by default, encrypted, never sold, never used for advertising, and exportable or deletable by you at any time. The rest of this page is the detail behind that sentence.
01 What we collect
Account information
Your email address and name, provided when you sign up directly or through Google sign-in. If you enable multi-factor authentication, we store what’s needed to verify it. Passwords are never stored in readable form.
What you put in your locker
Equipment records — brand, model, serial numbers, purchase dates and prices, condition, notes, and any storage locations you choose to record — plus documents you upload: receipts, insurance policies, certificates of insurance, and the reports you generate. This is the most sensitive data on the platform, and everything in sections 02 through 08 exists because of it.
Activity records
Sign-in events and significant account actions, which we show back to you on the activity page in your settings. When you share a report link, we log access to it so you can see whether and when it was used.
Technical data
We use Vercel Web Analytics for aggregate, cookieless page statistics — counts and trends, not profiles of you. We use Sentry for error monitoring; when something breaks, the error report may include technical details such as your browser type, IP address, and the actions that led to the error, so we can fix it. Neither is used to track you across other websites.
02 What we never do
We do not sell your personal information or your inventory data. We do not share it for advertising. We run no ad networks, advertising pixels, or cross-site trackers. We do not use your gear records to build marketing profiles, and we do not give employees routine access to your receipts, serial numbers, or locations.
If any of this ever changes, this policy changes first, visibly, with notice — not retroactively.
03 How we use information
To run the platform: store your records, generate your reports, deliver the sharing features you invoke, and show you your own activity. To secure it: verify sign-ins, operate MFA, detect abuse. To maintain it: diagnose errors and understand aggregate usage. To communicate: transactional email — sign-in verification, password resets, share notifications, beta program messages. During the beta, we also use account activity to administer the beta program itself, such as verifying tester checklist progress.
That is the list. There is no quiet secondary use.
04 Who processes it
Brass & Glass runs on a small set of infrastructure providers that process data on our behalf, under their own security and privacy commitments: Supabase (database, authentication, and encrypted file storage), Vercel (hosting and the aggregate analytics described above), Resend (transactional email delivery), Sentry (error monitoring), and Google (only if you choose Google sign-in). When paid subscriptions launch, Stripe will process payments — Brass & Glass will not store your card details.
Beyond these processors, we disclose personal information only if required by law, to protect the rights and safety of users or the platform, or as part of a business transition — and in that last case, this policy’s commitments travel with the data.
06 Your controls
From your account settings you can export a complete archive of your data, delete individual gear items or documents, review your account activity, manage MFA, and delete your account entirely. These are self-service — you do not need to email anyone to exercise them. Our data portability statement describes the export formats.
07 Retention and deletion
We keep your data while your account is active. When you delete an item, a document, or your account, it is removed from active systems; copies in encrypted backups expire on a rolling schedule rather than immediately. We may retain limited records where needed for security, fraud prevention, or legal obligations — sign-in logs, for example, outlive the session they describe.
08 Security
The platform is designed with encryption in transit and at rest, private document storage accessed only through signed, expiring URLs, multi-factor authentication, and privacy-first defaults. No system is perfectly secure, and we won’t pretend otherwise — but security decisions here start from the assumption that a gear inventory is theft-enablement data and must be protected accordingly. The full picture is on our security page.
09 Children
The platform is not directed to children and requires users to be at least eighteen. We do not knowingly collect personal information from anyone under eighteen; if we learn we have, we will delete it.
10 Your rights
Depending on where you live, you may have legal rights to access, correct, delete, or receive a copy of your personal information. On this platform those rights are built in as the self-service controls in section 06. If you need something the tools don’t cover, or want to exercise a right by request, email us and we will respond.
For California residents: we do not sell personal information and do not share it for cross-context behavioral advertising, so there is nothing to opt out of. We do not use or disclose sensitive personal information for purposes beyond providing the service you asked for.
11 Where data is processed
Brass & Glass is operated from the United States, and data is processed on infrastructure located in the United States. If you use the platform from elsewhere, your information will be transferred to and processed in the U.S. Users in regions with additional data protection rights can contact us about exercising them.
12 Changes to this policy
Updates will be posted on this page with a revised version number and effective date, and material changes will also be communicated through the platform or by email. The version history below stays current.
13 Contact
Privacy questions and requests: hello@brass.glass.
v0.1 — June 11, 2026 — First published version.