This Privacy Policy describes how Crowsnest Group LLC ("Crowsnest Group," "we," "us," or "our"), a limited liability company organized under the laws of the State of Washington, collects, uses, and shares information when you use the Grailmate mobile application and related services (collectively, the "Service"). Grailmate is a product operated by Crowsnest Group LLC.
By using Grailmate, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, please do not use the Service.
1. Who We Are
The Service is operated by:
- Crowsnest Group LLC, a Washington limited liability company doing business as Grailmate
- Privacy and legal inquiries: legal@grailmate.app
- General support: support@grailmate.app
- For our mailing address, see Section 12 (Contact Us) below
2. Information We Collect
2.1 Information you provide when you create an account
Grailmate uses Sign in with Apple as its authentication method. When you sign in:
- Apple sends us a verified identity token, from which we extract your Apple user identifier (an opaque ID that Apple assigns; not your Apple ID email or password) and your email address (which may be a private "Hide My Email" relay address if you chose that option with Apple).
- We do not collect your name, profile photo, phone number, or any other Apple account information at sign-in. (A name is collected only if you voluntarily include one in an arbitration opt-out notice under Section 13.5 — see Sections 5 and 6.1.)
- Your email address is encrypted using AES-256-GCM authenticated encryption before being written to our database. The encrypted email is never returned by any API endpoint and is never written to logs.
- We retain your email address as part of your account record so that, if you exercise your right to opt out of arbitration under Section 13.5 of the Terms, we can locate and verify your account. We do not send automated email of any kind — no marketing, and no transactional, receipt, renewal, or system-notice email. Subscription receipts and renewals are sent by Apple. If you contact us (for example, an arbitration opt-out notice or a support request), a person replies to the address you wrote from. We do not use your email address for advertising or marketing purposes.
2.2 Information you create when you use the Service
When you create a price alert, we store:
- The product (style ID and metadata such as brand, model, size)
- Your target price
- The platform you want monitored (e.g., StockX, GOAT)
- The date and time the alert was created
- The status of the alert (active, met, dismissed)
If you submit feedback through the Service (for example, reporting an incorrect cross-merchant product match, or general feedback about the app), we store your feedback content, the listing identifier or product context you flagged, and the date and time of submission. We do not collect your name or contact information beyond what is already associated with your account. Feedback submissions are linked to your account record so we can address the specific issue you flagged and use the feedback as described in Section 3.6.
2.3 Push notification token
To deliver price alerts, we register a push notification token issued by our push delivery service provider. The token identifies your device for notification routing only; it is not linked to your name or email. We automatically remove invalid tokens when our push provider reports them as unregistered.
2.4 Information collected automatically
When you use the Service, we automatically collect:
- IP address and user agent, used to enforce rate limits and diagnose technical issues
- Search queries and filter selections (planned analytics, see Section 3.5), used to understand which categories of items users are looking for
- Diagnostic data (crash reports, error stack traces) via our error monitoring partner (see Section 4.2)
2.5 Information we do not collect
We do not collect:
- Precise or coarse location data
- Your contacts
- Browsing history outside the Grailmate app
- Health or fitness data
- Financial information, payment card data, or banking details
- Photos, audio, or video
3. How We Use Information
3.1 To operate the core service
- Authenticate you when you sign in
- Maintain the price alerts you have created
- Poll partner price feeds and detect when an alert's target price has been met
- Send you a push notification when an alert is met
3.2 To enforce limits and protect the service
- Apply rate limits to search and authentication endpoints to prevent abuse
- Detect and respond to fraudulent or malicious activity
3.3 To diagnose problems
- Capture error reports and crash diagnostics so we can fix bugs
- Investigate user-reported issues
3.4 To improve Grailmate
- Aggregate (non-individually-identifying) usage analytics to understand which features are most useful
- Plan future product improvements
3.5 Planned analytics (search log)
We are developing an internal analytics capability that may record:
- Search queries you submit (the text you type into the search bar)
- Filter selections you apply (such as brand, size, platform, and price range parameters)
- Result counts and result interaction summaries (which results were displayed, which you tapped)
- Your account identifier, so these signals are linked to your account — this lets us understand usage at the account level and ensures the search log is deleted when you delete your account
This analytics data will be retained for 90 days and then automatically pruned, and is deleted if you delete your account before then. It will be used solely to understand product usage patterns and to inform product improvements. It will not be shared with third parties, used for advertising or marketing, or sold. This list describes the maximum scope of analytics we may collect; in practice, the actual scope at any given time may be narrower than what is enumerated here.
3.6 Algorithmic cross-merchant product matching
Some third-party marketplaces do not provide normalized product catalog data. To compare prices on these marketplaces against canonical products in our database, we apply algorithmic cross-merchant product matching that associates third-party listings with canonical products based on non-user-generated signals.
The cross-merchant product matching algorithm does not use your personal information, your account data, or your search history. The same matches apply for all users; matches are not personalized.
If you submit feedback reporting an incorrect cross-merchant product match, we use your feedback to evaluate the match in question, to clear incorrect matches from our system, and to improve the algorithm over time. Feedback content is described in Section 2.2 and is retained as described in Section 5.
4. How We Share Information
We share information with the following categories of recipients, and only to the extent necessary to operate the Service:
4.1 Apple, Inc. (authentication)
Sign in with Apple is operated by Apple. Apple's handling of your data during the sign-in flow is governed by Apple's Privacy Policy. We receive only the verified identity token Apple chooses to share with us.
We receive server-to-server notifications from Apple about subscription state transitions (App Store Server Notifications V2). These notifications contain subscription event metadata tied to your user record and are persisted as described under "Subscription event records" below.
4.2 Operational service providers
We use service providers in the categories of error monitoring, push notification delivery, hosting, and product data services. These providers process operational data necessary to deliver the Service:
- Error monitoring: when an error occurs in the backend, our error monitoring provider receives your IP address and user agent (used to identify error patterns), the route or feature where the error occurred, stack traces and source code context, and request body content (such as a search term or alert payload), capped at 16 kilobytes. Authentication tokens, cookies, and other sensitive credentials are filtered out before transmission. Your encrypted email address, your account identifier, and any other personally identifying data beyond IP, user agent, and request context are not transmitted.
- Push notification delivery: push notifications are routed through our push provider, which forwards messages to Apple Push Notification Service (APNs). The push payload includes the notification title (such as "Nike Dunk Low Panda hit your target"), a short body describing the price, and a small data object containing the alert identifier. Push tokens identify your device, not your account.
- Hosting: our backend is hosted by a third-party platform-as-a-service provider, which operates as a data processor on our behalf and has access to API traffic and our database file as part of normal hosting operations.
- Product data: we retrieve product and price data from a third-party catalog provider. We send only the search query, sneaker style identifiers, and pagination parameters. We do not send your user identifier, push token, email address, or any other personal information to this provider.
- Secure archival storage: if you exercise your right to opt out of arbitration under Section 13.5 of the Terms, a copy of your opt-out record is stored in an immutable, append-only archive operated by a third-party cloud storage provider located in the United States, so that your opt-out remains provable for the retention period described in Section 5.
Specific vendor names and the categories of data each processes are documented in our Privacy Nutrition Label on the App Store. We will update this Privacy Policy if we change vendor categories or introduce a new category of recipient.
4.3 Affiliate network and merchants
Grailmate participates in affiliate programs through a third-party affiliate network. When you tap a "Buy Now" or "View on" link in the app, we redirect you through the affiliate network to the merchant's website. Each affiliate-linked button in the app displays the disclosure "Affiliate relationship — we may earn a commission" so that the relationship is visible at the point of decision. The redirect URL contains:
- A static publisher identifier representing Grailmate (the same value for all users)
- The destination URL for the product
We do not attach any data identifying you, your account, or your device to the affiliate link. After the redirect, your interaction with the merchant's website is governed by that merchant's privacy policy.
While the affiliate network's reporting dashboards may surface individual transaction-level data to us as the publisher (such as transaction identifiers, item SKUs, and commission amounts), we treat all such data in aggregate and do not link it back to specific Grailmate users. We currently participate in affiliate programs with merchants in the sneaker resale category and may add additional partners in adjacent collectible categories as we expand.
4.4 Cloudflare (web infrastructure)
The grailmate.app website is hosted on Cloudflare Pages, which logs standard web visit data (IP address, user agent, requested URL) for security and performance purposes. This applies to visitors to grailmate.app, including this Privacy Policy page. Cloudflare's privacy practices are described at cloudflare.com/privacypolicy.
4.5 We do not sell your information
We do not sell your personal information to data brokers, advertisers, or any third party. We do not share your information for cross-context behavioral advertising. We have no plans to begin doing so.
4.6 Legal disclosures
We may disclose information if required to do so by law, valid legal process (such as a subpoena or court order), or to protect the rights, property, or safety of Crowsnest Group LLC, our users, or the public. We will challenge legal requests we believe to be overbroad or improper to the extent permitted.
4.7 Business transfers
If Crowsnest Group LLC is involved in a merger, acquisition, or sale of all or a portion of its assets, your information may be transferred as part of that transaction. We will notify you in advance and provide you with the opportunity to delete your account before any transfer takes effect.
5. Data Retention
| Data | Retention period |
|---|---|
| Account record (Apple user identifier, encrypted email, age confirmation, Terms of Service acceptance record) | Life of your account; deleted when you delete your account |
| Price alerts you create | Life of your account; deleted with your account |
| Push notification tokens | Until invalidated by your device or deleted with your account |
| Subscription history | Life of your account; deleted with your account |
| Rate-limit counters | 7 days, automatically pruned |
| Price history (volatility data) | 30 days, automatically pruned |
| Search log (planned analytics; linked to your account) | 90 days, automatically pruned; deleted with your account if sooner |
| Server runtime logs (HTTP request metadata and stdout/stderr emitted by our backend services) | 30 days, automatically pruned by our hosting platform's standard retention policy (docs.railway.com/observability/logs#log-retention) |
| Aggregate usage statistics with no user linkage | Indefinite |
| Cross-merchant product matching decisions and review queue records (listing identifiers, canonical product associations, decision metadata) | Retained while the cross-merchant product matching feature operates, for algorithm quality review and improvement. These records describe listings and products, not users. |
| User feedback submissions (incorrect cross-merchant product match reports and general feedback) | Life of your account; deleted with your account. |
| Backups | Database backups are taken on a tiered schedule: daily backups kept up to 6 days, weekly backups kept up to 1 month, monthly backups kept up to 3 months. The longest retention window is approximately 90 days for the most recent monthly backup. |
| Arbitration opt-out records (only if you exercised the Section 13.5 opt-out): the date of your opt-out and an encrypted copy of the name and email address in your opt-out notice | 10 years from your opt-out, including in an immutable offsite archive; retained even after you delete your account (see Section 6.1), because it is necessary to establish and defend the parties' respective rights regarding dispute resolution |
5.1 Subscription event records
When you subscribe, renew, cancel, refund, expire, or reactivate a GrailWatch+ subscription, we log the event (event type, timestamp, prior/new tier) in an application-level subscription history table. We retain these records for the lifetime of your account to enable accurate subscription state reporting and fraud prevention. When you delete your account, your subscription event records are purged together with your account record per Section 6.1.
6. Your Rights and Choices
6.1 Account deletion
You may delete your Grailmate account at any time from the Settings screen within the app. When you delete your account, we immediately and permanently take the following actions (subject to the one exception noted below):
- Remove your encrypted email address
- Remove your Apple Sign In identifier
- Remove all price alerts you created
- Remove all push notification tokens associated with your account
- Remove any search-analytics records linked to your account (see Section 3.5)
- Submit a token revocation request to Apple to invalidate your Sign in with Apple authorization, ensuring that signing in with Apple again will require fresh consent
Exception — arbitration opt-out records. If you exercised your right to opt out of arbitration under Section 13.5 of the Terms, we retain a record of that opt-out even after you delete your account. That record includes the date of your opt-out and an encrypted copy of the name and email address you provided in your opt-out notice. We keep it because your opt-out is permanent and must remain provable for as long as a related dispute could arise, and because retaining it is necessary to establish and defend the parties’ respective rights. It is retained for the period stated in Section 5, including in an immutable offsite archive, and is the only category of data that survives account deletion.
Backup copies of our database (described in Section 5) may retain residual data for up to 90 days after deletion, after which the data is no longer present in any system we operate. We use backups solely for disaster recovery and do not selectively restore deleted user data.
Account deletion is irreversible. There is no recovery process.
6.2 Push notification controls
You can disable push notifications for Grailmate at any time through your iPhone's Settings app (Settings → Notifications → Grailmate). Disabling notifications does not delete your account or alerts; it simply stops delivery of new push messages.
6.3 Access and correction
The information we hold about you is limited and is largely visible within the Grailmate app itself (your alerts, your account state). If you believe we hold information about you that is inaccurate, contact legal@grailmate.app.
6.4 California residents (CCPA / CPRA)
California residents have the right to:
- Know what personal information we collect, use, and share about you
- Request deletion of personal information we hold about you
- Opt out of the sale or sharing of personal information (we do not sell or share)
- Limit the use of sensitive personal information (we do not use sensitive personal information for purposes beyond providing the Service)
- Be free from retaliation for exercising any of these rights
To exercise these rights, contact legal@grailmate.app or write to us at the mailing address above. We will respond within 45 days, with one additional 45-day extension if reasonably necessary, in which case we will provide notice within the initial 45-day period.
6.5 Other US state residents
Residents of US states with comprehensive privacy laws have rights similar to those described for California residents above, subject to applicable thresholds and exceptions defined by each state's law. To exercise rights provided under your state's law, contact legal@grailmate.app. We will respond within the timeframe required by applicable law.
6.6 Washington's My Health My Data Act
Grailmate does not collect consumer health data as defined by Washington's My Health My Data Act. If our practices change in a way that would bring us within scope of that law, we will update this Privacy Policy to describe the additional protections we apply.
6.7 Do Not Track
The grailmate.app website does not respond to "Do Not Track" browser signals. The Grailmate app is a native application and does not use third-party tracking cookies for advertising.
7. Children's Privacy
Grailmate is not directed to or intended for use by anyone under 18. Our Terms of Service require users to be at least 18 years of age, and we ask users to confirm their age at first launch before access to the Service is granted. We do not knowingly collect personal information from anyone under 18. If you are a parent or guardian and you become aware that someone under 18 has created a Grailmate account, please contact legal@grailmate.app and we will delete the account and any associated information promptly.
8. Security
We take reasonable and appropriate measures to protect your information, including:
- AES-256-GCM authenticated encryption for email addresses at rest
- TLS for all network traffic between the Grailmate app and our servers
- Sign in with Apple as the sole authentication method (we do not store passwords)
- JSON Web Tokens stored in iOS Keychain on your device
- Layered rate limiting on authentication and search endpoints
- Filtering of authentication tokens and cookies before transmission to error-monitoring infrastructure
- Strict CORS deny-by-default for browser-originating requests
No security measure is perfect. If we become aware of a data breach affecting your information, we will notify you in accordance with applicable law.
9. Geographic Scope
Grailmate is currently offered only to users in the United States. We do not target or knowingly accept users from the European Economic Area, the United Kingdom, or other jurisdictions outside the United States. If we expand availability to additional regions, we will update this Privacy Policy to describe any additional protections those jurisdictions require, including (where applicable) GDPR-required disclosures and rights.
10. Third-Party Links
The Service may contain links to third-party websites and services (such as StockX, GOAT, and other merchants reachable through "Buy Now" links). We are not responsible for the privacy practices or content of those third parties. We encourage you to read their privacy policies before providing them with any information.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we do, we will:
- Update the "Last updated" date at the top of this page
- For material changes, provide notice via the App Store update notes, in-app messaging, or other appropriate means at least 30 days before the change takes effect
Continued use of the Service after a change becomes effective constitutes your acceptance of the revised Privacy Policy.
12. Contact Us
If you have questions about this Privacy Policy or our privacy practices, contact us at:
Crowsnest Group LLC d/b/a Grailmate
1100 Bellevue Way NE, Ste 8A PMB 310
Bellevue, WA 98004-4280
United States
legal@grailmate.app