Privacy Policy
Last updated: 2026-04-23
This Privacy Policy describes what Theoman’s Coin Log (the “Service”) collects, how it is used, who can see it, and your rights. The Service is operated by an individual (the “Operator”) in the Commonwealth of Virginia, USA, as a hobbyist project.
1. Who we are
Theoman’s Coin Log is a hobbyist web app for tracking US coin collections. The Operator can be contacted at coins@theoman.com.
2. What we collect
- Email address — used for authentication (via Supabase), password reset, and essential account notifications.
- Username — the name you choose to identify yourself in the app and in shareable profile URLs.
- Collection data — the catalog IDs of coins you mark as owned, along with the timestamp each was added; your Sheldon grades; your wishlist; your needs-upgrade list; and your per-coin notes.
- Social graph — friend requests, friendships, and blocks you initiate.
- Appeal text — any message you submit when appealing a ban, along with the admin’s response.
- Moderation metadata — ban status, ban reason, and the timestamp, if applicable.
- Operational logs — rate-limit counters and violation records, used to throttle abuse.
3. What we don’t collect
- No real name, mailing address, or phone number.
- No payment information — the Service is free and does not process payments.
- No analytics trackers, third-party advertising pixels, or device fingerprinting.
- No geolocation data.
- No third-party cookies. The only cookies set are the authentication session cookies issued by Supabase.
- No training of machine-learning or AI models on your data. No generative or AI features use your data as input.
4. Why we collect it
We collect the data above solely to provide the Service’s core features: storing your collection, showing it to viewers per your visibility setting, letting you add/remove friends, moderating abuse, and preventing disruptive behavior. We do not use your data for advertising, marketing, resale, profiling, or any secondary purpose.
5. Where it’s stored
All user data is stored in a PostgreSQL database hosted by Supabase, Inc. Application code runs on a hosting provider (planned: Vercel Inc.). No other third parties have access.
- Supabase — supabase.com/privacy
- Vercel — vercel.com/legal/privacy-policy
6. Who can see your data
Your profile visibility is set by you and can be changed at any time from your Profile page:
- Public — anyone with your profile URL can view your collection, including unauthenticated visitors. Open Graph previews may be generated by social platforms.
- Friends-only — only users who are confirmed friends can view your collection. Everyone else (including unauthenticated viewers) is redirected away.
- Private — only existing friends and you can view your collection. You do not appear in search results or discovery surfaces.
The Operator, acting as an administrator, can view all profiles for the purpose of moderation. Admin access is not used for any other purpose.
7. How long we keep it
We retain your data until you delete your account. Deletion is immediate and cascades to your collection, grades, friendships, and appeals.
Exception — username ban list. When you delete your account, a one-way cryptographic hash (SHA-256) of your username is retained in an internal ban list, along with a timestamp. The hash cannot be reversed to recover your username without guessing it. We retain this under our legitimate interest in preventing impersonation and silent URL takeover on shareable profile links: without it, a different person could register your old username and inherit every shared link that pointed at your collection.
You may request removal of this entry by emailing coins@theoman.com and specifying the username you used. We will honor the request. Please note: after removal, the username becomes available for any other person to register, and any URL that previously pointed at your collection will resolve to that new user's profile (if they choose Public visibility) or redirect away. This is the consequence of having the entry forgotten, and it is the correct outcome when you exercise your right to erasure for this specific piece of data.
8. Your rights
All users have the following rights, exercisable from within the app:
- Export — download your collection as CSV, JSON, Markdown, or a WordPress block from your Showcase/Profile.
- Delete — permanently erase your account and associated data from your Profile page. Immediate and cannot be undone.
- Rename — change your username, subject to a 90-day cooldown between changes.
- Change visibility — move between Public, Friends-only, and Private from your Profile page.
- Appeal a ban — banned users may submit one appeal per ban session from the suspension page.
- Ask questions — email coins@theoman.com for any other data question or request.
Residents of the EU, UK, or US states with comprehensive privacy laws (e.g. California, Colorado, Connecticut, Virginia) are welcome to email the address above to exercise any statutory rights not already surfaced in-app, including access, correction, and deletion. The Service does not sell personal information.
Verification of requests. To prevent malicious deletion claims against other users:
- Account deletion requests must come from the email address associated with your account. If you cannot access that address, use the password reset flow on the login page to regain control, then self-delete from your Profile page. We cannot process active-account deletion requests from unassociated email addresses — we have no way to verify you are the account holder, and honoring an unverified request would let a malicious person erase someone else's data.
- Ban-list removal requests (see section 7) are handled more permissively — you only need to state the username in your email. An incorrect claim at worst frees up a name for re-registration; it does not affect any active user's data.
9. Cookies
The Service sets only the authentication session cookies required to keep you signed in (via Supabase). It does not set any tracking, analytics, or advertising cookies.
10. Minors
The Service is intended for users 18 and older. If you believe an underage person has created an account, please email coins@theoman.com and we will investigate and, if confirmed, remove the account.
11. Security
Passwords are never stored by the Service — authentication is handled by Supabase, which stores passwords hashed and salted. Data is protected in transit by TLS and at rest using the database provider’s standard encryption. The Service uses Row-Level Security and application-layer authorization guards. That said, no system is absolutely secure. Use a unique password, and do not enter data into this Service that you cannot afford to lose.
12. Changes to this policy
The Operator may revise this policy from time to time. Material changes will be reflected by a new “Last updated” date at the top of this page and, where practicable, by a notice on the Service or to the email address associated with your account.
13. Contact
Questions, requests, or concerns: coins@theoman.com.
See also the Terms of Service.