PRIVACY POLICY
1. Introduction
This Privacy Policy explains how Grailz, Inc. (“Grailz,” “we,” “us,” or “our”) collects, uses, shares, stores, and otherwise processes personal information when you access or use the Grailz website, application, marketplace, pack-opening features, vaulting and redemption services, community tools, customer-support channels, and other related products and services (collectively, the “Services”).
This Privacy Policy should be read together with the Grailz Terms of Service and any additional policy or notice presented at the time you interact with a particular feature. By using the Services, you acknowledge the practices described in this Privacy Policy to the extent permitted by law.
If Grailz launches features that materially expand processing—such as blockchain wallet integration, creator broadcasting, or teen-specific community flows—Grailz should supplement this Privacy Policy before launch.
2. Scope
This Privacy Policy applies to personal information we collect from or about users, prospective users, business contacts, vendors, and others who interact with the Services. It also applies to information we collect in connection with customer support, account administration, marketplace activity, promotions, community interactions, identity verification, fraud review, shipping and redemption requests, and our business operations.
This Privacy Policy does not apply to personal information processed by third parties that operate independently from Grailz, including payment processors, shipping carriers, social-media platforms, authentication and grading companies, analytics providers, ad networks, or other third parties whose own notices govern their data practices. Where we direct you to a third-party service or you choose to interact with one, that third party’s privacy notice will apply to the extent it controls the relevant processing.
3. Categories of Personal Information We Collect
Information you provide directly
We may collect identifiers and account information you provide directly, such as your name, username, display name, email address, phone number, mailing address, shipping address, password or authentication credentials, age or date-of-birth data where permitted, social-media handles, support-ticket submissions, survey responses, and communications with us.
Transaction and marketplace information
We may collect information about purchases, pack openings, listings, offers, redemptions, shipping requests, returns, refunds, chargebacks, account balances, payouts, reward activity, claimed prizes, and related transaction history. We may also collect details about the specific items associated with your activity, such as item identifiers, metadata, card information, market metrics, redemption status, or shipping status.
Community, content, and social-sharing information
If the Services allow you to create a profile, upload or submit content, share openings, post comments, message others, join waitlists, or participate in rankings or community features, we may collect the content and metadata associated with those actions, including photos, video, text, timestamps, likes, follows, messages, and related interaction data.
Identity verification, compliance, and fraud-review information
Where permitted or required, we may collect government-issued ID information, date of birth, proof-of-address documents, taxpayer information, sanctions-screening results, device signals, payment-risk signals, source-of-funds information, fraud-review notes, dispute information, and similar data to verify eligibility, protect against abuse, satisfy legal obligations, or enable high-risk features.
Automatically collected information
When you access the Services, we and our vendors may automatically collect internet and device information such as IP address, device identifiers, browser type, operating system, referring URLs, pages viewed, links clicked, session timing, approximate location inferred from IP, log data, cookies, SDK data, crash diagnostics, and event-level interaction data.
Information from third parties
We may receive information from payment processors, identity-verification providers, sanctions-screening services, analytics providers, advertising partners, shipping and logistics partners, grading or authentication partners, marketing partners, fraud vendors, social platforms, public databases, and other users or business partners. We may also receive information when another user invites you to the Services or when you interact with our content on a third-party platform.
Data about other people
If you use invite, referral, gifting, shipping, or collaborative account features and provide us with information about another person, you must have permission to do so and to allow us to use that information for the relevant purpose. We may use contact details for referred or gift recipients to deliver invitations, notices, shipments, or related support communications.
4. How We Use Personal Information
We may use personal information for one or more of the following purposes:
- To provide, maintain, personalize, and improve the Services.
- To create and administer accounts and authenticate users.
- To process purchases, pack openings, listings, marketplace transactions, payouts, rewards, shipping, redemption, and related customer-service functions.
- To provide transparency features such as transaction records, provenance information, item histories, market metrics, and user-facing activity logs.
- To operate community features, rankings, sharing tools, profiles, and other user-experience features.
- To verify identity, age, eligibility, and compliance status and to detect, investigate, prevent, and respond to fraud, abuse, security incidents, chargebacks, sanctions issues, legal claims, and violations of our policies.
- To communicate with you about your account, transactions, updates, promotions, support requests, and legal notices.
- To conduct analytics, quality assurance, testing, debugging, product development, forecasting, research, and business planning.
- To protect the rights, safety, and property of Grailz, users, partners, service providers, and the public.
- To comply with law, regulation, court orders, subpoenas, tax obligations, recordkeeping requirements, and legitimate requests from regulators or law enforcement.
We may also create aggregated, anonymous, or de-identified information from personal information and other data we collect. We may use and disclose such information for lawful business purposes, including analytics, product improvement, research, capacity planning, measurement, and business development, provided we do not attempt to reidentify the information except as permitted by law.
5. Legal Bases for Processing (Where Required)
In jurisdictions that require a stated legal basis for processing, Grailz may rely on one or more of the following bases. We process account, transaction, marketplace, redemption, shipping, and customer-support information to perform our contract with you. We process tax, sanctions, dispute, chargeback, recordkeeping, and regulatory information to comply with legal obligations. We process fraud-prevention, security, analytics, product-improvement, communications, and platform-integrity information based on our legitimate interests, subject to applicable rights and safeguards. We process marketing, certain cookies or tracking technologies, and any optional sensitive information based on consent where consent is required.
Where we rely on consent, you may withdraw consent as provided by applicable law by using the relevant preference tool, account setting, cookie control, unsubscribe mechanism, or by contacting privacy@grailz.com. Withdrawal will not affect processing already performed or processing that is independently permitted under another legal basis.
6. How We Share Personal Information
We may share personal information with the following categories of recipients, subject to applicable law and appropriate safeguards:
- Service providers and vendors that help operate the Services, such as cloud hosts, communications vendors, analytics providers, customer-support tools, data-storage providers, security tools, and product-development vendors.
- Payment processors, payout providers, fraud vendors, chargeback handlers, and tax or accounting vendors.
- Identity-verification, sanctions-screening, fraud-prevention, and compliance vendors.
- Shipping carriers, storage providers, custodians, redemption partners, insurers, logistics vendors, graders, authenticators, and related fulfillment partners.
- Advertising, marketing, attribution, social-media, and measurement partners, subject to applicable opt-out or consent requirements.
- Business partners, licensors, event partners, creators, leagues, teams, or promotional partners where relevant to a feature or campaign.
- Other users or the public where your profile, collection, posts, listings, rankings, live activity feeds, shared content, or other activity is designed to be visible to others.
- Government authorities, courts, law enforcement, regulators, or private parties when we believe disclosure is necessary to comply with law, protect rights or safety, investigate wrongdoing, enforce agreements, or respond to legal process.
- Parties to a corporate transaction or reorganization, such as a merger, acquisition, financing, bankruptcy, or asset sale.
We do not sell personal information for money in the ordinary sense. Depending on how our advertising, measurement, attribution, or similar tools are configured, certain disclosures to partners could be treated as a “sale,” “sharing,” or “targeted advertising” under some U.S. state privacy laws. Where that characterization applies, Grailz will provide any required notice and opt-out rights as described in the U.S. State Privacy Notice below.
7. Cookies, SDKs, Analytics, and Similar Technologies
We and our vendors may use cookies, pixels, local storage, SDKs, APIs, and similar technologies to remember preferences, authenticate users, protect the Services, measure campaign performance, understand user behavior, personalize content, attribute conversions, and improve the Services. These technologies may fall into four general categories: strictly necessary technologies, functional or preference technologies, analytics or performance technologies, and advertising or attribution technologies.
Depending on where you are located and how the Services are configured, Grailz will provide any cookie banner, preference center, opt-out mechanism, or consent flow required by applicable law for non-essential technologies. Browser settings, device-level controls, Global Privacy Control where required, and any in-app controls we make available may also allow you to manage certain categories of tracking. Disabling some technologies may affect the functionality of the Services.
Do Not Track / preference signals. Some browsers or extensions transmit “Do Not Track,” Global Privacy Control (“GPC”), or similar preference signals. Grailz will respond to GPC or comparable signals where required by applicable law and where technically feasible in the context in which the signal is received.
8. Public Profiles, Community Features, and Visibility
The Services may be designed so that certain information is visible to other users or the public, such as your username, display name, profile photo, collection displays, achievements, activity history, listings, purchase or pack-opening highlights you choose to share, and other social or community interactions. Please consider carefully what information you choose to make public or submit to public-facing features.
While we may provide privacy or audience controls, we cannot prevent other users from capturing or redistributing content you choose to share publicly or semi-publicly. Public content and public activity may remain accessible in search results, archives, screenshots, cached pages, copied datasets, or third-party reposts even after you change settings or remove the original content from the Services.
9. Payments, Verification, Fraud Prevention, and Security Monitoring
To process payments, payouts, and high-risk or regulated activities, we and our vendors may use personal information to verify identity, assess fraud risk, detect account compromise, review device signals, monitor transaction patterns, investigate disputes, and satisfy legal obligations. We may combine personal information with information from third parties and public sources for these purposes.
If you fail verification, decline to provide required information, trigger fraud or sanctions concerns, or otherwise appear ineligible for a requested feature, we may deny or limit access to that feature and retain relevant information as necessary to document the decision, prevent abuse, or satisfy legal or operational obligations.
9A. Automated Decision-Making and Human Review
Grailz may use automated or partly automated tools to detect fraud, assess payment or payout risk, screen for sanctions or compliance issues, protect account security, and enforce platform rules. These tools may affect whether a transaction, payout, redemption, listing, or account feature is approved, delayed, reviewed, limited, or denied.
Where automated processing results in a decision that significantly affects you, such as account suspension, denial of a payout, or a significant feature restriction, you may have the right to request human review or provide additional information. You may contact privacy@grailz.com or support@grailz.com for that purpose.
10. Retention
We retain personal information for as long as reasonably necessary for the purposes described in this Privacy Policy, including to provide the Services, maintain transaction and marketplace records, support transparency and user account features, fulfill redemption and shipping obligations, detect and prevent fraud, comply with law, resolve disputes, enforce agreements, and protect our rights and the rights of others.
Retention periods may vary depending on the nature of the information and the purpose for which it was collected. For example, we may retain transaction history, account records, communications, verification records, support tickets, tax documentation, fraud signals, and dispute records for extended periods where needed for recordkeeping, chargeback defense, audit, sanctions, tax, consumer-protection, or other legal or operational requirements.
11. Data Security
We use administrative, technical, and physical safeguards designed to protect personal information appropriate to the nature of the information and the risks involved. These safeguards may include access controls, encryption in transit, logging, vendor oversight, training, role-based permissions, incident-response procedures, and data-minimization practices.
No security measure is perfect or impenetrable. We cannot guarantee absolute security, and transmission or storage of information is at your own risk to the extent permitted by law.
12. International Transfers
Grailz and its service providers may process personal information in the United States and other jurisdictions where we or our vendors operate. Those jurisdictions may have privacy laws that differ from the laws where you reside. Where required by law, we will implement appropriate transfer mechanisms or safeguards for cross-border transfers, such as standard contractual clauses, the UK International Data Transfer Addendum, adequacy decisions, or other lawful transfer tools.
13. Your Rights and Choices
Depending on where you reside, you may have rights to access, know, confirm, correct, delete, restrict, object to, or port certain personal information in a structured, commonly used, machine-readable format, or to opt out of certain processing such as targeted advertising, profiling, or certain forms of automated decision-making. You may also have a right to appeal a denied privacy request and, where applicable, a right to lodge a complaint with a supervisory authority.
You may exercise available rights by contacting us at privacy@grailz.com or through any self-service tools we make available. We may need to verify your identity before fulfilling a request.
You may update certain account information, communication preferences, and visibility settings through the Services. You may opt out of promotional emails by using the unsubscribe link in those emails, though we may still send transactional, legal, or service-related communications.
14. Children and Age Restrictions
The Services are not directed to children under thirteen (13), and we do not knowingly collect personal information from children under 13 in violation of applicable law. Account creation, pack purchases, marketplace features, payouts, withdrawals, redemption workflows, and other transactional features are intended for users who are at least eighteen (18), subject to local law and any feature-specific rules.
15. Sensitive Information
We ask that you do not provide sensitive personal information unless specifically requested by Grailz for a legitimate business or compliance need. Where we collect government ID information, taxpayer details, account numbers, or other sensitive information, we use it only for the purposes described at collection or otherwise permitted by law, such as identity verification, anti-fraud, tax reporting, sanctions screening, secure payouts, or physical-asset fulfillment.
16. Third-Party Websites and Services
The Services may link to or integrate with third-party websites, services, content, or applications. We are not responsible for the privacy, security, or data practices of those third parties. We encourage you to review the privacy notices of third parties before interacting with them or sharing your information with them.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal obligations, business operations, or the Services. If we make material changes, we will provide notice as required by law or in a manner reasonably designed to reach affected users. The “Effective Date” at the top of this Privacy Policy indicates when the current version became effective.
18. Contact Us
If you have questions about this Privacy Policy or our privacy practices, or if you want to submit a privacy request, you may contact us at privacy@grailz.com. Legal notices and regulator inquiries may be sent to legal@grailz.com, and general support requests may be sent to support@grailz.com or through the support tools made available in the Services.
Appendix A — U.S. State Privacy Notice
Residents of certain U.S. states may have additional privacy rights, including rights to know, access, confirm, correct, delete, or obtain a portable copy of personal information, and rights to opt out of targeted advertising, the sale or sharing of personal information as defined by applicable law, or certain profiling in furtherance of decisions that produce legal or similarly significant effects. Grailz does not discriminate against users for exercising privacy rights, except as permitted by law.
Where state law requires it, you may opt out of targeted advertising or the sale or sharing of personal information by using any cookie preference center or opt-out control we make available, sending a request to privacy@grailz.com, or using Global Privacy Control where we are required to recognize it.
Appendix B — Cookie and Tracking Notice
Strictly necessary technologies help us authenticate users, maintain sessions, process payments, protect the Services, prevent fraud, and deliver core functionality. Functional technologies remember settings and improve usability. Analytics technologies help us understand usage, measure performance, debug problems, and improve the Services. Advertising or attribution technologies help us measure campaign effectiveness, attribute conversions, and, where used, deliver or measure more relevant promotions.
You may be able to manage non-essential technologies through a banner, preference center, browser settings, mobile device settings, or other controls we make available. If you disable some technologies, portions of the Services may not function properly. We will obtain opt-in consent for non-essential technologies where required by law.
Appendix C — Retention Reference Schedule
Unless a longer period is required by law, dispute hold, fraud investigation, or operational necessity, Grailz generally expects to retain: account-profile records for the life of the account and for a reasonable period thereafter; transaction, payout, redemption, tax, and fulfillment records for approximately seven (7) years; identity-verification and fraud-review records for approximately five (5) to seven (7) years; customer-support records for approximately three (3) years; and marketing preference or suppression records for a reasonable period after opt-out to ensure continued compliance.
When an account is deleted, Grailz will delete or anonymize personal information where required and reasonably feasible, while retaining financial, transaction, tax, fraud, compliance, chargeback, support, provenance, ownership-chain, and physical-asset records where needed for legal, operational, dispute-resolution, abandoned-property, or platform-integrity purposes. Physical-card reclamation records may be retained during and after any applicable ninety (90) day reclaim window.
Appendix D — EEA/UK Privacy Notice
If you are located in the European Economic Area or the United Kingdom, you may have additional rights under the GDPR, UK GDPR, or similar laws, including the rights of access, rectification, erasure, restriction, portability, objection, and rights relating to automated decision-making where applicable. You may exercise those rights by contacting privacy@grailz.com.
Grailz’s primary establishment is in the United States. Where Grailz transfers personal information from the EEA, UK, or Switzerland to the United States or another jurisdiction that has not been found adequate, Grailz will use appropriate safeguards where required, such as standard contractual clauses, the UK International Data Transfer Addendum, adequacy decisions, or other lawful transfer mechanisms.
You may have the right to lodge a complaint with your local data protection authority. We encourage you to contact us first so we can try to resolve your concern, but you are not required to do so before contacting a supervisory authority.