Grailmate

Privacy Policy

Last updated: May 4, 2026

This Privacy Policy describes how Crowsnest Group LLC ("Crowsnest Group," "we," "us," or "our"), a limited liability company organized under the laws of the State of Washington, collects, uses, and shares information when you use the Grailmate mobile application and related services (collectively, the "Service"). Grailmate is a product operated by Crowsnest Group LLC.

By using Grailmate, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, please do not use the Service.

1. Who We Are

The Service is operated by:

• Crowsnest Group LLC, a Washington limited liability company doing business as Grailmate
• Privacy and legal inquiries: legal@grailmate.app
• General support: support@grailmate.app
• For our mailing address, see Section 12 (Contact Us) below

2. Information We Collect

2.1 Information you provide when you create an account

Grailmate uses Sign in with Apple as its authentication method. When you sign in:

• Apple sends us a verified identity token, from which we extract your Apple user identifier (an opaque ID that Apple assigns; not your Apple ID email or password) and your email address.
• We do not collect your name, profile photo, phone number, or any other Apple account information.
• Your email address is encrypted using AES-256-GCM authenticated encryption before being written to our database. The encrypted email is never returned by any API endpoint and is never written to logs.
• We retain your email address to support transactional communications related to the Service, which may include:
  • Subscription state communications (such as receipts, renewal notices, and cancellation confirmations) for any paid subscription tier you elect
  • Critical service communications (such as security notices or material changes to this Privacy Policy)
  • Account-related communications you initiate (such as replies to support requests you send us)
  We do not use your email address for advertising or marketing purposes.

2.2 Information you create when you use the Service

When you create a price alert, we store:

• The product (style ID and metadata such as brand, model, size)
• Your target price
• The platform you want monitored (e.g., StockX, GOAT)
• The date and time the alert was created
• The status of the alert (active, met, dismissed)

2.3 Push notification token

To deliver price alerts, we register a push notification token issued by our push delivery service provider. The token identifies your device for notification routing only; it is not linked to your name or email. We automatically remove invalid tokens when our push provider reports them as unregistered.

2.4 Information collected automatically

When you use the Service, we automatically collect:

• IP address and user agent, used to enforce rate limits and diagnose technical issues
• Search queries and filter selections (planned analytics, see Section 3.5), used to understand which categories of items users are looking for
• Diagnostic data (crash reports, error stack traces) via our error monitoring partner (see Section 4.2)

2.5 Information we do not collect

We do not collect:

• Precise or coarse location data
• Your contacts
• Browsing history outside the Grailmate app
• Health or fitness data
• Financial information, payment card data, or banking details
• Photos, audio, or video

3. How We Use Information

3.1 To operate the core service

• Authenticate you when you sign in
• Maintain the price alerts you have created
• Poll partner price feeds and detect when an alert's target price has been met
• Send you a push notification when an alert is met

3.2 To enforce limits and protect the service

• Apply rate limits to search and authentication endpoints to prevent abuse
• Detect and respond to fraudulent or malicious activity

3.3 To diagnose problems

• Capture error reports and crash diagnostics so we can fix bugs
• Investigate user-reported issues

3.4 To improve Grailmate

• Aggregate (non-individually-identifying) usage analytics to understand which features are most useful
• Plan future product improvements

3.5 Planned analytics (search log)

We are developing an internal analytics capability that may record:

• Search queries you submit (the text you type into the search bar)
• Filter selections you apply (such as brand, size, platform, and price range parameters)
• Result counts and result interaction summaries (which results were displayed, which you tapped)
• An internal anonymous identifier that links these signals across a single user session and across sessions, but is not linked to your email address, your Apple user identifier, or your account record

This analytics data will be retained for 90 days and then automatically pruned. It will be used solely to understand product usage patterns and to inform product improvements. It will not be shared with third parties, used for advertising or marketing, or sold. This list describes the maximum scope of analytics we may collect; in practice, the actual scope at any given time may be narrower than what is enumerated here.

4. How We Share Information

We share information with the following categories of recipients, and only to the extent necessary to operate the Service:

4.1 Apple, Inc. (authentication)

Sign in with Apple is operated by Apple. Apple's handling of your data during the sign-in flow is governed by Apple's Privacy Policy. We receive only the verified identity token Apple chooses to share with us.

4.2 Operational service providers

We use service providers in the categories of error monitoring, push notification delivery, hosting, and product data services. These providers process operational data necessary to deliver the Service:

• Error monitoring: when an error occurs in the backend, our error monitoring provider receives your IP address and user agent (used to identify error patterns), the route or feature where the error occurred, stack traces and source code context, and request body content (such as a search term or alert payload), capped at 16 kilobytes. Authentication tokens, cookies, and other sensitive credentials are filtered out before transmission. Your encrypted email address, your account identifier, and any other personally identifying data beyond IP, user agent, and request context are not transmitted.
• Push notification delivery: push notifications are routed through our push provider, which forwards messages to Apple Push Notification Service (APNs). The push payload includes the notification title (such as "Nike Dunk Low Panda hit your target"), a short body describing the price, and a small data object containing the alert identifier. Push tokens identify your device, not your account.
• Hosting: our backend is hosted by a third-party platform-as-a-service provider, which operates as a data processor on our behalf and has access to API traffic and our database file as part of normal hosting operations.
• Product data: we retrieve product and price data from a third-party catalog provider. We send only the search query, sneaker style identifiers, and pagination parameters. We do not send your user identifier, push token, email address, or any other personal information to this provider.

Specific vendor names and the categories of data each processes are documented in our Privacy Nutrition Label on the App Store. We will update this Privacy Policy if we change vendor categories or introduce a new category of recipient.

4.3 Affiliate network and merchants

Grailmate participates in affiliate programs through a third-party affiliate network. When you tap a "Buy Now" or "View on" link in the app, we redirect you through the affiliate network to the merchant's website. Each affiliate-linked button in the app displays the disclosure "Affiliate relationship — we may earn a commission" so that the relationship is visible at the point of decision. The redirect URL contains:

• A static publisher identifier representing Grailmate (the same value for all users)
• The destination URL for the product

We do not attach any data identifying you, your account, or your device to the affiliate link. After the redirect, your interaction with the merchant's website is governed by that merchant's privacy policy.

While the affiliate network's reporting dashboards may surface individual transaction-level data to us as the publisher (such as transaction identifiers, item SKUs, and commission amounts), we treat all such data in aggregate and do not link it back to specific Grailmate users. We currently participate in affiliate programs with merchants in the sneaker resale category and may add additional partners in adjacent collectible categories as we expand.

4.4 Cloudflare (web infrastructure)

The grailmate.app website is hosted on Cloudflare Pages, which logs standard web visit data (IP address, user agent, requested URL) for security and performance purposes. This applies to visitors to grailmate.app, including this Privacy Policy page. Cloudflare's privacy practices are described at cloudflare.com/privacypolicy.

4.5 We do not sell your information

We do not sell your personal information to data brokers, advertisers, or any third party. We do not share your information for cross-context behavioral advertising. We have no plans to begin doing so.

4.6 Legal disclosures

We may disclose information if required to do so by law, valid legal process (such as a subpoena or court order), or to protect the rights, property, or safety of Crowsnest Group LLC, our users, or the public. We will challenge legal requests we believe to be overbroad or improper to the extent permitted.

4.7 Business transfers

If Crowsnest Group LLC is involved in a merger, acquisition, or sale of all or a portion of its assets, your information may be transferred as part of that transaction. We will notify you in advance and provide you with the opportunity to delete your account before any transfer takes effect.

5. Data Retention

6. Your Rights and Choices

6.1 Account deletion

You may delete your Grailmate account at any time from the Settings screen within the app. When you delete your account, we immediately and permanently:

• Remove your encrypted email address
• Remove your Apple Sign In identifier
• Remove all price alerts you created
• Remove all push notification tokens associated with your account
• Submit a token revocation request to Apple to invalidate your Sign in with Apple authorization, ensuring that signing in with Apple again will require fresh consent

Backup copies of our database (described in Section 5) may retain residual data for up to 90 days after deletion, after which the data is no longer present in any system we operate. We use backups solely for disaster recovery and do not selectively restore deleted user data.

Account deletion is irreversible. There is no recovery process.

6.2 Push notification controls

You can disable push notifications for Grailmate at any time through your iPhone's Settings app (Settings → Notifications → Grailmate). Disabling notifications does not delete your account or alerts; it simply stops delivery of new push messages.

6.3 Access and correction

The information we hold about you is limited and is largely visible within the Grailmate app itself (your alerts, your account state). If you believe we hold information about you that is inaccurate, contact legal@grailmate.app.

6.4 California residents (CCPA / CPRA)

California residents have the right to:

• Know what personal information we collect, use, and share about you
• Request deletion of personal information we hold about you
• Opt out of the sale or sharing of personal information (we do not sell or share)
• Limit the use of sensitive personal information (we do not use sensitive personal information for purposes beyond providing the Service)
• Be free from retaliation for exercising any of these rights

To exercise these rights, contact legal@grailmate.app or write to us at the mailing address above. We will respond within 45 days, with one additional 45-day extension if reasonably necessary, in which case we will provide notice within the initial 45-day period.

6.5 Other US state residents

Residents of US states with comprehensive privacy laws have rights similar to those described for California residents above, subject to applicable thresholds and exceptions defined by each state's law. To exercise rights provided under your state's law, contact legal@grailmate.app. We will respond within the timeframe required by applicable law.

6.6 Washington's My Health My Data Act

Grailmate does not collect consumer health data as defined by Washington's My Health My Data Act. If our practices change in a way that would bring us within scope of that law, we will update this Privacy Policy to describe the additional protections we apply.

7. Children's Privacy

Grailmate is not directed to or intended for use by anyone under 18. Our Terms of Service require users to be at least 18 years of age, and we ask users to confirm their age at first launch before access to the Service is granted. We do not knowingly collect personal information from anyone under 18. If you are a parent or guardian and you become aware that someone under 18 has created a Grailmate account, please contact legal@grailmate.app and we will delete the account and any associated information promptly.

8. Security

We take reasonable and appropriate measures to protect your information, including:

• AES-256-GCM authenticated encryption for email addresses at rest
• TLS for all network traffic between the Grailmate app and our servers
• Sign in with Apple as the sole authentication method (we do not store passwords)
• JSON Web Tokens stored in iOS Keychain on your device
• Layered rate limiting on authentication and search endpoints
• Filtering of authentication tokens and cookies before transmission to error-monitoring infrastructure
• Strict CORS deny-by-default for browser-originating requests

No security measure is perfect. If we become aware of a data breach affecting your information, we will notify you in accordance with applicable law.

9. Geographic Scope

Grailmate is currently offered only to users in the United States. We do not target or knowingly accept users from the European Economic Area, the United Kingdom, or other jurisdictions outside the United States. If we expand availability to additional regions, we will update this Privacy Policy to describe any additional protections those jurisdictions require, including (where applicable) GDPR-required disclosures and rights.

10. Third-Party Links

The Service may contain links to third-party websites and services (such as StockX, GOAT, and other merchants reachable through "Buy Now" links). We are not responsible for the privacy practices or content of those third parties. We encourage you to read their privacy policies before providing them with any information.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will:

• Update the "Last updated" date at the top of this page
• For material changes, provide notice via the App Store update notes, in-app messaging, email to your account address, or other appropriate means before the change takes effect

Continued use of the Service after a change becomes effective constitutes your acceptance of the revised Privacy Policy.

12. Contact Us

If you have questions about this Privacy Policy or our privacy practices, contact us at:

Crowsnest Group LLC d/b/a Grailmate
1100 Bellevue Way NE, Ste 8A PMB 310
Bellevue, WA 98004-4280
United States
legal@grailmate.app