Privacy Policy

Last Updated: December 31, 2024

Effective Date: December 31, 2024

1. Introduction

BrickPicker ("Company," "we," "us," or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website, mobile applications, and services (collectively, the "Service").

This Privacy Policy applies to all users of BrickPicker, including visitors, registered users, and premium subscribers. Please read this policy carefully. By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.

If you are a resident of the European Economic Area (EEA), United Kingdom (UK), or Switzerland, please see Section 11 for additional information about your rights under the General Data Protection Regulation (GDPR).

If you are a California resident, please see Section 12 for additional information about your rights under the California Consumer Privacy Act (CCPA).

2. Information We Collect

We collect information in several ways when you interact with our Service.

2.1 Information You Provide

Account Information: When you create an account (through our integrated forum system), we collect:

Username and display name
Email address
Password (stored securely using industry-standard hashing)
Profile information (avatar, bio, preferences)
Timezone settings

Portfolio Data: When you use Brickfolio, we collect:

LEGO sets you add to your portfolio
Purchase prices and dates you enter
Quantity and condition information
Notes and custom data you provide

Watchlist Data: When you use BrickWatcher, we collect:

Sets you add to your watchlist
Price targets and alert thresholds you configure
Notification preferences (email, SMS, in-app)
Mobile phone number (only if you enable SMS alerts; verified via one-time code)
Saved ZIP code (only if you enable in-stock-nearby alerts)

Prediction Data: When you participate in BrickPulse, we collect:

Predictions you make
Confidence levels and stakes
Prediction history and outcomes

Communications: When you contact us, we collect:

Email correspondence
Support tickets and feedback
Survey responses

2.2 Information Collected Automatically

Usage Data: We automatically collect information about your use of the Service:

Pages and features you access
Actions you take (clicks, searches, filters)
Time spent on pages
Referring websites and exit pages
Error logs and crash reports

Device Information: We collect information about your device:

Device type (desktop, mobile, tablet)
Operating system and version
Browser type and version
Screen resolution
Language preferences

Location Information: We may collect approximate location data:

Country and region (from IP address)
Timezone (from browser or user settings)

We do NOT collect precise GPS location data.

Cookies and Tracking Technologies: We use cookies, pixels, and similar technologies to collect information. See our Cookie Policy for detailed information.

2.3 Information from Third Parties

Forum Integration: Account information synced from the BrickPicker forum, including:

User profile data
Membership level and status
Forum activity metrics

Analytics Providers: Aggregated analytics data from third-party services that help us understand how users interact with our Service.

Payment Processors: If you make purchases, we receive limited transaction information (but NOT full payment card details) from payment processors.

3. How We Use Your Information

We use collected information for the following purposes:

3.1 Providing the Service

Create and manage your account
Authenticate your identity and secure your account
Provide access to Service features
Store and display your portfolio, watchlist, and predictions
Process and deliver notifications and alerts
Display personalized content and recommendations

3.2 Improving the Service

Analyze usage patterns to improve features
Identify and fix bugs and technical issues
Develop new features and services
Conduct research and statistical analysis
Test changes before wider release

3.3 Communication

Send transactional emails (password resets, account confirmations)
Send transactional SMS messages (watchlist alerts you have configured, account verification codes) only if you have opted in
Deliver price alerts and notifications you've requested
Provide customer support and respond to inquiries
Send service announcements and updates
Send marketing communications (with your consent)

3.4 Safety and Security

Detect and prevent fraud, abuse, and security threats
Enforce our Terms of Service
Protect the rights and safety of our users
Comply with legal obligations

3.5 Legal Compliance

Respond to legal requests and court orders
Comply with applicable laws and regulations
Establish, exercise, or defend legal claims

3.6 SMS and Mobile Messaging

If you opt in to SMS alerts, we collect and process your mobile phone number to deliver the watchlist alerts you have specifically configured and to send account verification codes. We do not share or sell your mobile phone number with third parties for marketing purposes, and we do not share mobile opt-in data or consent with any third party, including affiliates. SMS data — including phone numbers, message frequency, and delivery status — is used solely to operate the BrickPicker SMS alerting program. You may opt out at any time by replying STOP to any message or by disabling SMS in your Notification Settings. See our Terms of Service for full SMS program details.

4. Legal Bases for Processing (EEA/UK Users)

If you are located in the EEA, UK, or Switzerland, we process your personal data based on the following legal grounds:

| Purpose | Legal Basis | |---------|-------------| | Account creation and service delivery | Performance of contract | | Portfolio, watchlist, and prediction features | Performance of contract | | Essential cookies and security | Legitimate interests | | Analytics and service improvement | Legitimate interests | | Email notifications you requested | Performance of contract | | Marketing communications | Consent | | Fraud prevention and security | Legitimate interests | | Legal compliance | Legal obligation |

Legitimate Interests: Where we rely on legitimate interests, we have assessed that our interests do not override your rights and freedoms. You may object to processing based on legitimate interests at any time.

5. How We Share Your Information

We do NOT sell your personal information to third parties.

We may share your information in the following circumstances:

5.1 Service Providers

We share data with trusted third-party service providers who assist us in operating the Service:

| Provider Type | Purpose | Data Shared | |---------------|---------|-------------| | Hosting providers | Infrastructure and storage | All service data | | Analytics services | Usage analysis | Anonymized usage data | | Email services | Transactional and marketing emails | Email address, name | | Payment processors | Subscription billing | Payment information | | Error tracking | Bug monitoring and resolution | Error logs, device info | | Customer support | Support ticket management | Support conversations |

All service providers are contractually obligated to protect your data and use it only for specified purposes.

5.2 Legal Requirements

We may disclose your information when required by law:

Court orders, subpoenas, or legal process
Requests from law enforcement or regulatory authorities
To protect our rights, property, or safety
To protect the rights, property, or safety of others
To prevent fraud or illegal activity

5.3 Business Transfers

In the event of a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of any such transfer and any choices you may have.

5.4 With Your Consent

We may share your information with third parties when you explicitly consent to such sharing.

5.5 Aggregated or Anonymized Data

We may share aggregated or anonymized data that cannot reasonably be used to identify you. This includes:

Market trend statistics
General usage patterns
Aggregated prediction accuracy data

6. Data Retention

We retain your personal data only as long as necessary for the purposes described in this Privacy Policy:

| Data Type | Retention Period | |-----------|------------------| | Account information | Until account deletion + 30 days | | Portfolio and watchlist data | Until account deletion | | Prediction history | Until account deletion | | Usage logs | 12 months | | Analytics data | 26 months | | Support tickets | 3 years after resolution | | Email communications | 2 years | | Backup archives | 90 days after deletion |

After Account Deletion:

Account data is deleted within 30 days
Anonymized analytics data may be retained
Predictions are anonymized (username removed)
Backup retention follows standard schedule

Legal Obligations: We may retain data longer if required by law, for legal claims, or for legitimate business purposes.

7. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

7.1 Technical Measures

Encryption in Transit: All data transmitted between your device and our servers uses TLS 1.3 encryption
Encryption at Rest: Sensitive data is encrypted in our databases
Password Security: Passwords are hashed using bcrypt with strong salt values
Access Controls: Role-based access controls limit employee access to data
Infrastructure Security: Hosted on secure, compliant cloud infrastructure
Vulnerability Management: Regular security assessments and penetration testing

7.2 Organizational Measures

Employee security training and awareness programs
Data access limited to employees who need it for their roles
Confidentiality agreements with all employees and contractors
Incident response procedures for data breaches
Regular review and updates of security practices

7.3 Your Responsibilities

You are responsible for:

Keeping your login credentials secure
Using a strong, unique password
Logging out from shared devices
Notifying us of any suspected security breach

7.4 Breach Notification

In the event of a data breach that affects your personal data, we will:

Notify affected users without undue delay (within 72 hours where required)
Notify relevant supervisory authorities as required by law
Provide information about the breach and steps to protect yourself

8. Your Rights and Choices

You have certain rights regarding your personal data:

8.1 Access and Portability

Request a copy of your personal data
Export your portfolio and watchlist data
Receive your data in a structured, machine-readable format

8.2 Correction

Update inaccurate or incomplete personal data
Correct information through account settings
Request corrections by contacting support

8.3 Deletion

Request deletion of your account and personal data
Deletion of specific data where possible
Note that some data may be retained for legal reasons

8.4 Objection and Restriction

Object to processing based on legitimate interests
Request restriction of processing in certain circumstances
Opt out of marketing communications

8.5 Withdrawal of Consent

Withdraw consent for marketing communications
Withdraw consent for non-essential cookies
Withdrawal does not affect prior lawful processing

8.6 How to Exercise Your Rights

To exercise your rights:

Account Settings: Many actions can be completed in your account settings
Email Request: Contact [email protected]
Support: Submit a request through our support system

We will respond to requests within 30 days (or sooner as required by law). We may need to verify your identity before processing requests.

9. Cookies and Tracking Technologies

We use cookies and similar technologies for essential functionality, analytics, and personalization. For detailed information, please see our Cookie Policy.

Summary:

Essential Cookies: Required for the Service to function (authentication, security)
Analytics Cookies: Help us understand how users interact with the Service
Preference Cookies: Remember your settings and preferences

Managing Cookies: You can manage cookie preferences through:

Browser settings
Our cookie preference center (where available)
Opt-out tools provided by analytics services

10. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States.

10.1 Transfer Safeguards

When transferring data internationally, we ensure adequate protection through:

Standard Contractual Clauses (SCCs): EU-approved contractual terms with service providers
Adequacy Decisions: Transfers to countries with adequate data protection laws
Additional Safeguards: Supplementary security measures where appropriate

10.2 EU-US Data Transfers

For transfers from the EEA to the United States, we rely on:

Standard Contractual Clauses
Supplementary measures as recommended by the EDPB
Contractual obligations with US-based service providers

11. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, you have additional rights under the GDPR:

11.1 Your GDPR Rights

Right of Access (Article 15): Obtain confirmation of processing and access to your data
Right to Rectification (Article 16): Correct inaccurate personal data
Right to Erasure (Article 17): Request deletion ("right to be forgotten")
Right to Restriction (Article 18): Limit how we process your data
Right to Data Portability (Article 20): Receive your data in a portable format
Right to Object (Article 21): Object to processing based on legitimate interests
Rights Related to Automated Decision-Making (Article 22): Not to be subject to purely automated decisions with legal effects

11.2 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority if you believe we are processing your data unlawfully.

EU Supervisory Authorities:

Contact your local Data Protection Authority
For cross-border processing, contact the lead supervisory authority

11.3 Data Protection Officer

For GDPR-related inquiries, contact:

Email: [email protected]

Subject Line: "GDPR Inquiry"

12. California Privacy Rights (CCPA)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):

12.1 Right to Know

You have the right to request information about:

Categories of personal information collected
Sources of personal information
Business purposes for collection
Categories of third parties with whom we share data
Specific pieces of personal information collected about you

12.2 Right to Delete

You have the right to request deletion of personal information we collected, subject to certain exceptions.

12.3 Right to Opt-Out

You have the right to opt-out of the sale of your personal information. We do not sell personal information.

12.4 Right to Non-Discrimination

We will not discriminate against you for exercising your CCPA rights.

12.5 Authorized Agents

You may designate an authorized agent to make requests on your behalf. We may require verification of your identity and the agent's authorization.

12.6 How to Exercise Your Rights

Online: Account settings or privacy request form
Email: [email protected]
Subject Line: "CCPA Request"

We will verify your identity using information associated with your account before processing requests.

12.7 Categories of Personal Information

In the past 12 months, we have collected the following categories:

| Category | Examples | Collected | |----------|----------|-----------| | Identifiers | Name, email, username, IP address | Yes | | Commercial Information | Purchase history, portfolio data | Yes | | Internet Activity | Browsing history, interactions with Service | Yes | | Geolocation Data | Country, region (approximate) | Yes | | Inferences | Preferences, behavior predictions | Yes | | Sensitive Personal Information | N/A | No |

13. Children's Privacy

The Service is not intended for children under the age of 18. We do not knowingly collect personal information from children under 18.

If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information as quickly as possible.

If you believe we have collected information from a child under 18, please contact us at [email protected].

14. Third-Party Links

The Service may contain links to third-party websites, applications, or services. This Privacy Policy does not apply to those third parties. We are not responsible for the privacy practices of third-party sites.

We encourage you to review the privacy policies of any third-party sites you visit.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

Posting the updated policy on our website
Updating the "Last Updated" date
Sending email notification (for significant changes)
Displaying a notice on the Service

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes constitutes acceptance of the updated policy.

16. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: