ClassGear

Privacy Policy

Effective date: May 1, 2026

1. Information We Collect

Information you provide directly

Email address — when you authenticate via one-time passcode (OTP), we store your email address to identify your account and send you transactional messages (authentication codes, co-editor invitations).

Display name — optionally provided when you set up your account. Used to personalize your dashboard and lists.

Supply list content — titles, item descriptions, product URLs, notes, quantities, and other content you add to your lists. Published lists are publicly accessible; unpublished lists are visible only to you and any co-editors you invite.

Co-editor invitations — when you invite someone to co-edit a list, we store the invitee's email address and an invitation token to facilitate the accept flow.

Information collected automatically

Authentication tokens — when you log in, we create a session token stored as an HTTP-only cookie in your browser. The token is hashed before storage and used to identify your session on subsequent requests.

Draft claim token — if you start building a list before logging in, we store an anonymous draft token in a cookie. This token links your draft list to your account when you later authenticate.

Log data — our hosting provider (Vercel) may collect standard web server logs including IP addresses, browser type, pages visited, and timestamps. These logs are used for security monitoring and infrastructure operation and are retained according to Vercel's data retention policies.

Analytics — we use Google Analytics 4 (GA4) to understand how visitors use the Service. GA4 collects anonymised usage data including page views, session duration, and general geographic region. GA4 uses cookies and similar tracking technologies. You can opt out using browser settings or Google's opt-out tools.

Information collected from third parties

Product metadata — when you paste a product URL, ClassGear fetches publicly available product information (title, image, price, description) from the retailer's website. We store this metadata as part of your list item.

Amazon Product Advertising API — if you paste an Amazon product URL, we may query the Amazon Product Advertising API to retrieve product data. This query is server-side and does not expose your personal information to Amazon beyond what is inherent in the API call.


2. How We Use Information

We use the information we collect to:

  • Operate the Service — create, store, display, and manage your supply lists
  • Authenticate you — verify your identity via email OTP and maintain your session
  • Send transactional email — deliver authentication codes and co-editor invitation emails via Resend (resend.com)
  • Improve the Service — analyse usage patterns to fix bugs and improve features
  • Prevent abuse — detect and prevent fraud, spam, and violations of our Terms of Service
  • Comply with legal obligations — respond to lawful requests from government authorities

We do not sell your personal information to third parties. We do not use your information for targeted advertising.


3. Affiliate Tracking

When a list viewer clicks a product link on a published ClassGear list, the link may contain an affiliate tracking tag. This tag is processed by the retailer (e.g. Amazon) to attribute the referral to ClassGear. The retailer may set its own cookies on the viewer's browser in accordance with the retailer's own privacy policy.

ClassGear does not receive information about individual purchasers from retailers. We receive aggregate commission data only.


4. Information Sharing

We share personal information only in the following circumstances:

Service providers

We share information with third-party vendors who help us operate the Service:

  • Vercel (vercel.com) — hosting and infrastructure. Vercel processes request data as part of serving the application.
  • Neon (neon.tech) — managed PostgreSQL database hosting. Your lists, items, and account data are stored on Neon infrastructure.
  • Resend (resend.com) — transactional email delivery. We share your email address with Resend solely to deliver authentication codes and invitation emails.
  • Google Analytics (analytics.google.com) — anonymised usage analytics.
  • Amazon Web Services — used to sign requests to the Amazon Product Advertising API.

Each of these providers processes data only as necessary to provide their services and is bound by their own privacy policies and data processing agreements.

Co-editors and list sharing

If you publish a list, its contents are publicly accessible to anyone with the URL. If you invite a co-editor, that person gains access to your list's content. Your email address is not displayed on public lists.

Legal requirements

We may disclose your information if required to do so by law or in response to a valid legal process (subpoena, court order, or similar). We will make reasonable efforts to notify you of such requests unless prohibited by law.

Business transfers

If ClassGear is acquired by or merged with another company, your information may be transferred as part of that transaction. We will notify you via email or a prominent notice on the Service before your information is transferred and becomes subject to a different privacy policy.


5. Data Retention

Data type | Retention period
Account (email, name) | Until account deletion request
Session tokens | 30 days from creation, or until sign-out
Authentication codes (OTP) | 10 minutes from issuance
Supply lists and items | Until you delete them or your account
Unclaimed anonymous drafts | 90 days from creation
Expired invitations | 30 days after expiry

6. Cookies

ClassGear uses cookies for the following purposes:

Cookie | Purpose | Duration
cg_session | Identifies your authenticated session | 30 days
cg_draft | Links an anonymous draft list to your session | 30 days
Google Analytics (_ga, _ga_*) | Anonymised usage analytics | Up to 2 years

You can disable cookies in your browser settings. Disabling cg_session will prevent you from staying logged in. Disabling cg_draft will prevent anonymous draft lists from being claimed after login.


7. Security

We implement reasonable technical and organisational measures to protect your personal information, including:

  • Session tokens are SHA-256 hashed before storage; raw tokens are never persisted
  • Authentication codes expire after 10 minutes and can only be used once
  • Database connections use TLS
  • All HTTP responses are served over HTTPS

No method of transmission or storage is 100% secure. We cannot guarantee absolute security of your data.


8. Children's Privacy

ClassGear is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us at support@classgear.co and we will delete it promptly.


9. Your Rights and Choices

Depending on your location, you may have the following rights regarding your personal information:

  • Access — request a copy of the personal information we hold about you
  • Correction — request that we correct inaccurate information
  • Deletion — request deletion of your account and associated personal data
  • Portability — request your list data in a portable format

To exercise any of these rights, email support@classgear.co. We will respond within 30 days.

California residents (CCPA)

California residents have additional rights under the California Consumer Privacy Act, including the right to know what personal information is collected, the right to delete personal information, and the right to opt out of the sale of personal information. ClassGear does not sell personal information.

EEA and UK residents (GDPR)

If you are located in the European Economic Area or United Kingdom, you have rights under the General Data Protection Regulation (GDPR) including rights of access, rectification, erasure, restriction, portability, and objection. Our lawful bases for processing are: contract performance (operating your account and lists), legitimate interests (security and analytics), and consent (where applicable). To exercise your rights, contact support@classgear.co.


10. Third-Party Links

Our Service contains links to third-party websites and retailers. This Privacy Policy does not apply to those sites. We encourage you to review the privacy policies of any third-party site you visit.


11. Changes to This Policy

We may update this Privacy Policy from time to time. We will indicate the effective date at the top of this page and, for material changes, notify you by email or by a prominent notice on the Service. Your continued use of the Service after changes are posted constitutes your acceptance of the revised policy.


12. Contact

If you have questions or concerns about this Privacy Policy, please contact us:

Email: support@classgear.co