legal · privacy

Privacy

We don't want your data. The whole product is structured to minimise it. This page tells you exactly what we collect, why, and how to make it stop.

updated · pre-launcheffective · on first MCP call or sign-upversion · 0.3

What we collect

Affiliate-click logs: anonymous click ID, retailer, product, timestamp. Hashed session ID for analytics. Never linked to personally-identifying information.
Optional account data: if you sign up for price alerts, we store your email + alerts you've created. Supabase Auth handles password storage (we never see plaintext).
API key usage: when you use the MCP server via a Bearer token, we log which tool you called + when (for rate limiting + abuse prevention). We do not log the query content.
Product-analytics events (PostHog, server-side only). Six fixed event types — search_performed, product_viewed, alert_created, alert_fired, waitlist_signed_up, mcp_tool_called — each carrying a daily-rotating hash of your user ID (if signed in) or a per-request random ID (if not), bucketed durations + result counts (never the raw numbers), and the route or tool name. We never send PostHog your search query text, product titles or IDs, email address, raw user UUID, IP address, or user-agent. Daily salt rotation means PostHog cannot link your activity across days into a long-term behavioural profile.

What we don't collect

Marketing trackers (no Google Analytics, no Facebook Pixel, no third-party ad tags).
Your actual product searches outside of our own (we don't see what you search for at the retailers we link to).
Cross-site cookies or device fingerprints.

A note on agents

If you use Gridscoot through Claude, ChatGPT, Cline, or another MCP-compatible agent, we see the tool call, not the conversation. The agent vendor (Anthropic, OpenAI, etc) sees the conversation but not what we returned to it beyond what the agent decided to surface.

Affiliate disclosure

Gridscoot earns commission on purchases made through links on this site. The commission is paid by the retailer, not by you — your purchase price is the same whether you click through us or visit the retailer directly. We never adjust our rankings to favour retailers who pay higher commissions; ranking is algorithmic and based on price, in-stock status, delivery speed, and retailer freshness signals.

Affiliate networks involved: Commission Factory, Amazon Associates AU, eBay Partner Network. Read their respective privacy policies if you care; we're a referrer, not a processor.

Data retention

Anonymous clicks: Retained 365 days (auto-pruned). When you follow an outbound link, we log the product, retailer, destination URL, and the click timestamp. We hash your IP address with a salt that rotates every UTC day — the raw IP is never stored, and the hash is truncated to 16 hex characters so cross-day correlation is infeasible. We hash the user-agent string the same way. Anonymous clicks are never linked to your account; signed-in clicks store your user id so you can see your own click history if we add that surface later.
Price history: 365 days (auto-pruned).
API call logs: 7 days (auto-pruned).
Account data: Until you delete it — email hello@gridscoot.com.au and we'll delete your account within 30 days.

Contact

Questions, privacy requests, or account deletion: email hello@gridscoot.com.au.