Privacy Policy
Last updated:
- §1.3 — sharpened the SerpAPI / Google Lens / eBay / Google Shopping description: photo bytes are EXIF-stripped server-side (best effort, with active rewriting for JPEGs) before transmission and are sent solely to perform the visual lookup.
- §1.4 — added a forward-looking mobile-app section covering camera and photo-library permissions, push notifications, and the Apple refund-verification activity-log disclosure.
- §4.1 — added an affirmative tenant-private photo handling statement (tenant-prefixed object-storage paths, no cross-tenant visibility, no model training).
- §7a — added an explicit user-visible account and data deletion path with the 30-day grace window, restore option, and a description of what gets purged when the workspace is hard-deleted.
- §9 — strengthened the children clause and added an explicit 18+ minimum-age statement for account holders and staff users.
This Privacy Policy explains how Vintique ("Vintique", "we", "us", "our") collects, uses, shares, and protects information when you visit our marketing website, sign up for the Vintique point-of-sale and antique-mall management service, or otherwise interact with us (together, the "Service"). It applies to information about (a) prospective and current customers and their personnel ("Customers"); (b) booth owners and consignors invited into a Customer's workspace; and (c) end shoppers whose transactions are recorded in the Service.
For most data inside a Customer's Workspace, Vintique acts as a processor on behalf of the Customer, who is the controller. This Policy describes our own practices; Customers should publish their own privacy notice covering how they use the Service.
1. Information we collect
1.1 Information you give us
- Account & billing. Mall name, contact name, email address, password (stored only as a one-way bcrypt hash), phone number, mailing address, plan selection, and the last four digits and brand of the card on file. Full card numbers are collected and stored by Stripe; Vintique never sees them.
- Workspace data you enter. Booth owner and consignor profiles (name, email, phone, tax ID, commission rates), inventory and item photos, transactions, gift card numbers and balances, sales-tax settings, settlement reports, internal notes, and any other content you upload or type into the Service ("Customer Data").
- Image uploads. The Service handles two distinct categories of uploaded photo, with different purposes and retention windows:
- Lookup photos — a photo you submit through the in-app or Extension Price Lookup feature, for the sole purpose of returning a suggested price range and comparable listings. Lookup photos are ephemeral: they are written only to a short-lived, tenant-scoped "lookups" area of object storage just long enough to complete the visual search, and then removed by an automated cleanup job on a tight grace window (shortly after the search completes and at the latest at the next scheduled cleanup pass — see Retention below). The photo bytes themselves are not stored in our database (a small metadata row tracking the ephemeral object and a deletion-audit row may exist; see §7). Only the resulting comparable-listing data (titles, prices, source URLs) and a non-reversible hash of the query are cached so the same search can be reused across the mall (see Retention below).
- Saved item photos — a photo you choose to attach to an item in your Workspace (for tagging, pricing, online listings, or vendor records). Saved photos are stored in object storage under your tenant-prefixed path and are retained for the life of the item record (see Retention below).
No biometric processing / no facial recognition. Vintique does not run facial recognition, faceprint, fingerprint, voiceprint, or any other biometric identifier extraction on uploaded photos, and we do not instruct any sub-processor to do so. Do not upload photos containing identifiable people, minors, government identification, or other content that would trigger biometric-privacy laws (for example, the Illinois Biometric Information Privacy Act). See our Terms of Service for the full content restriction.
Deletion of uploaded photos. You can delete a saved item photo (and the item it is attached to) at any time from inside your Workspace; deletes are propagated to object storage in the ordinary course (typically within minutes, and at the latest at the next scheduled cleanup pass). Lookup photos are not retained, so there is nothing to request deletion of after a lookup completes. To request deletion of any other content attributable to you, contact us as described in §8 below.
- Communications. Messages you send to support, feedback, survey responses, and any attachments.
1.2 Information we collect automatically
- Usage & device data. IP address, browser type and version, operating system, referring URL, pages viewed, features used, and timestamps. We use this to operate, secure, and improve the Service.
- Cookies & similar technologies. A session cookie keeps you signed in (httpOnly, SameSite=Strict, Secure in production, 24-hour expiry for the customer Workspace and 12 hours for staff). A separate CSRF cookie protects state-changing requests. We do not use third-party advertising or cross-site tracking cookies.
- Logs. Server, audit, and security logs that record events such as logins, failed-login attempts, password resets, impersonation events, billing webhook deliveries, and errors.
1.3 Information from third parties
- Stripe. Subscription status, payment outcomes, last4/brand of card on file, and customer/subscription identifiers.
- SerpAPI / Google Lens / Google Shopping / eBay. When you use the in-app or Extension Price Lookup feature (or, once available, the Mobile App), we attempt to strip embedded EXIF metadata from the photo server-side (including any GPS coordinates the camera recorded) — active rewriting is implemented for JPEGs, with the short lookup-tier retention window described below as the backstop for other formats — and then transmit the photo bytes to SerpAPI, which relays the photo on our behalf to the configured visual-search engines — Google Lens, eBay, and Google Shopping — solely to perform the visual lookup and return comparable-listing results (titles, prices, source URLs, and thumbnails). On our side, the cleaned photo bytes are written only to a short-lived, tenant-scoped "lookups" area of object storage (e.g. lookups/t<your-tenant-id>/<random-id>), held just long enough to complete the search, and then removed by an automated cleanup job on a tight grace window (shortly after the search completes and at the latest at the next scheduled cleanup pass; well before the longer retention window that applies to saved item photos — see §7 for exact figures). The resulting comparable-listing data is cached briefly so the same search can be reused across the mall (see §7). The photo bytes are not used by us or by any of these sub-processors to train a face-recognition or biometric-identification model. Do not upload photos containing customers' faces, minors, identifying documents, or other personal information of identifiable individuals. See the full sub-processors page for details on what data is shared and where to find each sub-processor's own privacy policy.
- Vintique browser extension. Our optional Chrome extension is paired to your Workspace using a one-time claim code that the extension exchanges for a bearer token stored locally on the device. When you invoke the extension, it sends us the image URL or image bytes you select, your lookup query, and standard request metadata. The extension does not collect browsing history, page contents, or anything you do not explicitly submit.
1.4 Mobile app (forward-looking)
We are preparing a Vintique mobile app for booth owners and staff ("Mobile App"). Until it ships, this section is forward-looking and applies only to those who install the Mobile App once available; we publish it in advance so the privacy posture is accurate from day one.
- Camera and photo-library permissions. The Mobile App will ask the operating system for permission to access your device's camera and photo library. We only read or capture a photo when you take an explicit action that uses it (for example, tapping "Take photo" to start a Price Lookup or attaching a photo to an item). The Mobile App does not scan, index, or upload your photo library in the background. You can revoke either permission at any time from your device's system settings; the rest of the app will continue to work with photo features disabled.
- Push notifications. If you grant permission, we will use push notifications only for account, billing, and lookup-result notifications related to your Workspace.
- Apple refund-verification logs. If you purchase a Vintique subscription through Apple's App Store or in-app purchase and later request a refund through Apple, we may share with Apple a limited record of your activity in the Mobile App — specifically: the account creation timestamp, sign-in timestamps, and a count of feature uses such as lookups performed — solely so Apple can verify whether the Service was used. We do not share Customer Data, photos, or transaction contents with Apple for this purpose.
- Device identifiers and crash logs. The Mobile App will collect a per-install device identifier and basic crash and performance telemetry (no advertising identifiers, no cross-app tracking) to operate, secure, and debug the app.
- EXIF stripping. Photos uploaded from the Mobile App go through the same best-effort server-side EXIF-stripping path described in §1.1 (active rewriting for JPEGs, with the short lookup-tier retention window as the backstop for other formats) before being forwarded to any image-search sub-processor or read for other purposes.
2. How we use information
- provide, operate, maintain, and secure the Service;
- authenticate users and protect against fraud, abuse, and unauthorized access;
- process subscriptions, billing, refunds, and dunning through Stripe;
- send transactional email (welcome, password reset, billing receipts, daily vendor digests, support replies);
- respond to your support requests and feedback;
- monitor and analyze usage to debug, improve features, and produce aggregated, de-identified statistics;
- comply with our legal, tax, accounting, and audit obligations and to enforce our Terms of Service.
We do not sell or rent personal information, and we do not use Customer Data to train machine-learning models offered to other customers or third parties.
3. Legal bases (EEA/UK)
Where the GDPR or UK GDPR applies, we rely on: contract (to provide the Service you signed up for), legitimate interests (to secure the Service, prevent fraud, improve features, and run our business), legal obligation (tax, accounting, responding to lawful requests), and consent where required (for example, for optional product update emails, which you can withdraw at any time).
4. How we share information
- Within your Workspace. Customer Data is visible to users in the same Workspace according to the role and permissions you assign (admin, cashier, booth owner). Vintique enforces tenant isolation at two layers: every database query filters on a tenant identifier in the application, and a Postgres row-level-security backstop runs each request as an unprivileged role with the tenant identifier set as a session variable, so policies on every tenant-scoped table reject access if the variable is missing or does not match. Cross-tenant access is blocked.
- Sub-processors. We use vetted vendors to operate the Service:
- Stripe — subscription billing and payment-method storage
- SendGrid — transactional email delivery
- Replit Object Storage — object storage for saved item photos and uploads
- SerpAPI (relays to Google Lens, Google Shopping, and eBay) — item-lookup comparable-listing results
- Replit — application hosting and managed PostgreSQL
- Vintique platform staff. A small number of authorized Vintique employees may access Customer Data when strictly necessary to operate, secure, or troubleshoot the Service, or to honor a Customer support request. All such access is logged. We may also use a short-lived "impersonation" mechanism to view a Workspace as one of its users; the impersonation is recorded in an audit log and shown to the Customer.
- Legal & safety. We may disclose information when required by law, subpoena, or court order, or when we reasonably believe disclosure is necessary to investigate fraud, protect the safety of any person, or enforce our Terms.
- Business transfers. If Vintique is involved in a merger, acquisition, or sale of assets, information may be transferred as part of that transaction. We will notify Customers in advance and any successor will be bound by terms no less protective than this Policy.
4.1 Tenant-private photos. Every photo uploaded to a Workspace — whether through the in-app uploader, the browser Extension, or (once available) the Mobile App — is treated as private to that Workspace. Saved item photos are stored in object storage under a tenant-prefixed path of the form uploads/t<your-tenant-id>/<random-id>, and every read, write, and delete is gated by that prefix: requests for a path that does not start with the caller's tenant prefix are rejected before any database lookup, so even a forged identifier cannot reach another tenant's photo. Within a Workspace, photos are visible only to users with the appropriate role (typically admins, the uploading cashier or booth-owner, and other staff with item-management permissions). We do not make uploaded photos public, syndicate them, share them across tenants, or use them to train any general-purpose machine-learning model. The only third parties that ever see photo bytes are the sub-processors listed above and the image-search sub-processors described in §1.3, and only for the narrow purposes described there.
5. International transfers
Vintique is based in the United States and our infrastructure is located in the United States. If you access the Service from outside the US, your information will be transferred to and processed in the US. Where required, we rely on standard contractual clauses or other lawful transfer mechanisms.
6. Security
We use administrative, technical, and physical safeguards designed to protect personal information, including: TLS encryption in transit; encryption at rest for the database and object storage; bcrypt password hashing; per-tenant data isolation enforced in application middleware; short-lived session cookies with SameSite=Strict and CSRF double-submit tokens; role-based access control; audit logging of privileged actions; rate-limited login endpoints; presigned, short-TTL upload URLs scoped to the uploader; and least-privilege access for our staff. No system is perfectly secure; if we learn of a breach affecting your information, we will notify you and applicable authorities as required by law.
7. Retention
We retain Customer Data for as long as your subscription is active. After cancellation or termination we retain it for 30 days to allow you to reactivate or export, after which it is deleted from our active systems. Backups are rotated and overwritten in the ordinary course (typically within 90 additional days). Some records (billing, tax, security logs) are retained longer where required by law or for legitimate business purposes.
Image-specific retention.
- Lookup photos (in-app, Extension, and — once available — Mobile App): short-lived. The image bytes (passed through the best-effort EXIF strip described in §1.1) are written only to a tenant-scoped "lookups" area of object storage (e.g. lookups/t<your-tenant-id>/<random-id>) for the duration of the visual search, and are then removed by an automated cleanup job on a tight grace window (shortly after the search completes and at the latest at the next scheduled cleanup pass). The photo bytes themselves are not stored in our database or in our application logs (a small metadata row tracking the ephemeral object and a best-effort deletion-audit row may exist). If you choose to keep a lookup photo by attaching it to an item, the photo is copied into the long-term tenant-prefixed uploads/ path and from then on follows the saved-item-photo retention rule below. We attempt to record each removal of a lookup-tier photo in an audit table so we can show the cleanup ran; audit insertion is best-effort and a logged audit failure does not block the underlying cleanup.
- Comparable-listing search cache: the textual results returned by the image-search sub-processor (titles, prices, source URLs), keyed by a non-reversible hash of the query, are cached for up to 24 hours so the same lookup can be reused across the mall without re-billing the sub-processor; older rows are deleted automatically by a scheduled job.
- Search-audit log (who ran a lookup, when, and the cost-counting metadata): kept for 30 days and then deleted automatically.
- Saved item photos: retained in object storage for the life of the item record. Deleting the item (or deleting the photo individually from the item) removes the object in the ordinary course (typically within minutes, and at the latest at the next scheduled cleanup pass).
7a. Account & data deletion path
You can delete data, and your entire Workspace, without leaving the Service:
- Per-record deletion (any time). Inside an active Workspace, admins and (where their role permits) cashiers and booth-owner users can delete individual records — saved item photos, items, draft intakes, booth-owner profiles, gift cards, holds, transactions, and so on — directly from the relevant page in the Service. Deleting a saved item photo also removes the underlying object from object storage in the ordinary course (typically within minutes, and at the latest at the next scheduled cleanup pass).
- Workspace deletion (admins). A mall-owner admin can request deletion of the entire Workspace from Settings → Danger Zone → Schedule deletion. The request requires typed-name confirmation and immediately flips the Workspace into a read-only "Scheduled for deletion" state for a 30-day grace window. During that window: (a) sign-in still works for admins so you can change your mind, request an export, or download the export ZIP; (b) all create / update / delete operations across the API are blocked with a "Workspace scheduled for deletion" notice; and (c) admins can Restore the Workspace at any time, which lifts the read-only state and cancels the scheduled deletion.
- What gets purged at the end of the grace window. When the 30-day grace window expires, an automated job hard-deletes the tenant: every tenant-scoped database row (booth-owner profiles, transactions, transaction items, gift cards, holds, items, item-search cache entries, collections, settings, users, sessions, and any audit logs the law does not require us to keep) is purged, and every object in your tenant-prefixed object-storage path (saved item photos, generated exports) is removed. A small tombstone (the original tenant id and name, the deletion timestamp, and the actor) is written to the platform audit log so we can reconstruct what happened. Backups are rotated and overwritten in the ordinary course (typically within 90 additional days). Some records (billing, tax, and security logs) may be retained longer where required by law.
- Data export before deletion. Before the grace window expires you can request an export of every tenant-scoped table (CSV files bundled into a ZIP) from the same Settings → Danger Zone screen. The export is generated asynchronously and made available as a short-lived signed download URL.
- End shoppers and booth owners. If you are an end shopper or a booth owner whose information is held inside a Customer's Workspace, please contact that Customer first; we will assist them in responding. If you are not able to reach the Customer, contact us using the details in §12 and we will help where we can without violating the Customer's controller relationship described above.
8. Your rights and choices
Depending on where you live, you may have the right to access, correct, delete, port, restrict, or object to our processing of personal information about you, and to withdraw consent. Customers can exercise most of these rights directly inside the Service (edit profile, delete records, export reports, change password, cancel subscription). For end shoppers and booth owners whose information is held in a Customer's Workspace, please contact the Customer first; we will help the Customer respond. To make a request directly to Vintique, contact us using the details below. We will respond within 30 days (or sooner where required by law). You will not be discriminated against for exercising your privacy rights.
California (CCPA/CPRA). California residents have the right to know what personal information we collect, to delete it, to correct it, to limit use of sensitive personal information, and to opt out of "sale" or "sharing". Vintique does not sell or share personal information as those terms are defined under the CCPA/CPRA.
Email preferences. You can unsubscribe from product-update emails at any time using the link at the bottom of those messages. Transactional emails (billing, security, password reset, vendor digests you have configured) are necessary to operate the Service and cannot be turned off while your subscription is active.
9. Minimum age and children
Account holders and staff users (18+). The Service is built for businesses and adult professionals. Per our Terms of Service, all account holders and every individual invited into a Workspace — admins, cashiers, and booth-owner users — must be at least 18 years of age. We do not knowingly create or maintain accounts for anyone under 18, and we do not knowingly collect personal information from anyone under 18 in connection with operating a Workspace.
Children (under 13 / under 16). The Service is not directed to and is not intended for use by children. We do not knowingly collect personal information from children under 13 (the threshold under the U.S. Children's Online Privacy Protection Act) or, in jurisdictions where a higher threshold applies, under 16 (the GDPR/UK GDPR threshold). If you believe a child has provided us personal information, please contact us using the details in §12 and we will delete it. If you are a parent or guardian and have questions about information that may have been submitted about your child by an end shopper at a participating mall, contact the mall directly first; the mall is the controller of that data and we will assist them in responding.
10. Do Not Track
Vintique does not use cross-site tracking and does not respond to browser "Do Not Track" signals, because no such tracking takes place on the Service.
11. Changes to this Policy
We may update this Policy from time to time. If we make material changes, we will notify Customers by email to the address on file or by an in-app notice at least 14 days before the change takes effect. The "Last updated" date at the top reflects the most recent version.
12. Contact
For privacy questions, requests, or complaints, reply to any email we have sent you or contact us through the Settings page in your Workspace. If you are not satisfied with our response, you may have the right to lodge a complaint with your local data-protection authority.