Privacy Policy

Effective date: 2026-05-14 · Last updated: 2026-05-14

Draft. This privacy policy is an initial draft. Before public launch, we recommend a privacy attorney review it for compliance with GDPR (EU users), CCPA / CPRA (California), Apple App Store and Google Play data-disclosure requirements, and other applicable regulations.

Real Product Origin ("we", "us") operates the Product Origin Checker browser extension, mobile app, and supporting backend services (collectively, the "Service"). This Privacy Policy explains what data we collect, how we use it, and your rights.

1. What we collect

1.1 Information you provide

Complaint submissions: When you use "Contest this finding", we collect the information you fill into the form — your name, email address, optional phone number, your stated affiliation or credentials, the indicators you're contesting, any proposed corrections, and your free-text reasoning.
Email-verification interactions: Whether and when you clicked the verification link we sent. We use this to confirm you own the email address you provided.

1.2 Information collected automatically

Product identifiers (ASINs): The Amazon Standard Identification Numbers of products you ask us to score. We cache scores by ASIN.
Submission metadata: For each complaint, we record the IP address it was submitted from and the User-Agent of the browser/device. This helps us detect abuse and is retained only for audit purposes.
Cloudflare Turnstile CAPTCHA token verification: Cloudflare may collect data per their privacy policy when verifying that you are a human. We receive only a pass/fail result.
Server logs: Standard request logs from our hosting provider (Render) recording request paths, timestamps, response codes. These do not include personal data beyond IP addresses and are retained for 7–30 days for operational monitoring.
Error tracking (if enabled): If we have Sentry enabled, application errors are sent to Sentry for diagnosis. Sentry data is automatically scrubbed of personal data we control.

1.3 What we DO NOT collect

We do not collect your Amazon account information, login, or order history.
We do not collect your browsing history outside of Amazon product pages.
We do not collect payment information.
We do not collect device identifiers, advertising IDs, location data, contacts, or microphone/camera data.
The browser extension does not have permission to read or write any non-Amazon pages.
The mobile app does not request permission to read your contacts, photos, location, or clipboard contents outside of the explicit "Check the link you copied?" prompt.

2. How we use what we collect

Scoring products: Product ASINs are sent to our backend, which queries the Anthropic Claude API to compute the three transparency indicators. The product ASIN, scraped page fields (title, brand, seller, etc.), and the resulting score are cached for up to 14 days to speed up repeat lookups.
Reviewing complaints: Your complaint submissions are reviewed by our team. We may contact you at the email or phone number you provided to follow up.
Service improvement: We use aggregate patterns from cached scores and complaint outcomes to refine our scoring engine.
Abuse prevention: IP addresses and User-Agents from complaint submissions are used to detect spam, bots, and coordinated abuse.

3. Third parties we share data with

Recipient	What they receive	Why
Anthropic, PBC	Scraped product metadata (title, brand, seller, reviews snippets) to score. Per Anthropic's policy, this is processed for inference and is not used to train their models without explicit opt-in.	Country-of-origin scoring requires AI inference.
Render, Inc.	Hosting our backend service and managed PostgreSQL database. All data we collect is stored here.	Hosting provider.
Resend, Inc.	Recipient email address and verification-email contents.	To deliver complaint-verification and admin-notification emails.
Cloudflare, Inc.	CAPTCHA challenge data on complaint submissions; DNS resolution; optional DDoS protection.	Bot protection.
Sentry, Inc. (if enabled)	Application error data, scrubbed of personal data.	Error monitoring.
Law enforcement	Only as required by valid legal process.	Legal compliance.

We do not sell your personal data. We do not share your personal data with advertisers.

4. Data retention

Cached product scores: retained indefinitely. Scores expire after 14 days and are re-computed on the next request, but the historical record remains in our database for audit and quality-control purposes.
Complaint submissions and personal data therein: retained until the complaint is resolved + 24 months for audit, or until you request deletion (whichever is later).
Server logs: 7–30 days.
Manually-verified score overrides: retained indefinitely. Even when "retired", the record persists for audit. The data does not contain personal information.

5. Your rights

Depending on where you live, you may have rights under applicable law (including GDPR for EU/UK residents and CCPA/CPRA for California residents):

The right to access the personal data we hold about you.
The right to have inaccurate data corrected.
The right to have your data deleted ("right to be forgotten" under GDPR).
The right to restrict or object to certain processing.
The right to data portability.
The right to lodge a complaint with a supervisory authority.

To exercise any of these rights, email us at privacy@realproductorigin.com from the email address associated with your complaint(s). We will respond within the timeframes required by applicable law.

6. Children's privacy

The Service is not directed at children under 13 (or 16 in the EU). We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us and we will delete it.

7. Security

We use industry-standard practices to protect the data we hold:

All connections to our backend are encrypted via TLS.
Our database is hosted on private networking within Render and is not directly accessible from the internet.
Administrative access to our admin module is gated by strong authentication and operated over TLS only.
Secrets (API keys, passwords) are stored as encrypted environment variables; never committed to source control.

No system is perfectly secure. If we discover a breach affecting your personal data, we will notify affected users within the timeframes required by applicable law.

8. International transfers

Our backend is operated in the United States. By using the Service, you understand that your data may be processed in the United States, which may have data-protection laws different from the laws of your country.

9. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be reflected in the "Last updated" date at the top of this page. We encourage you to review the policy periodically.

10. Contact us

Questions, requests, or complaints: privacy@realproductorigin.com.

Mailing address: (to be filled in).