Privacy Policy

Gunny.ai (“we”, “our”, or “Gunny”) operates the Gunny.ai platform and the Gunny Chrome Extension. This policy explains what data we collect, how we use it, and the rights you have.

1. What we collect

• Account information: email address and name via Supabase Auth
• Subscription data: billing identifiers and subscription tier via Stripe (we do not store card numbers)
• Watchlist and Arsenal: the firearms you add to your watchlist and Arsenal (personal inventory tracker)
• Alert preferences: your score thresholds, price drop settings, and email opt-in state
• Usage data: aggregated page views and feature usage to improve the product

2. How we use it

• Deliver the service — deal scoring, alerts, and the weekly market digest
• Process payments and manage your subscription
• Send transactional and opt-in marketing emails via Resend
• Generate AI-powered analysis via Anthropic Claude (listing narratives, price predictions, market commentary)
• Process user-uploaded firearm photos via our AI provider for appraisal analysis — images are not used for AI model training and are deletable upon request

3. Third-party processors

We use industry-standard service providers to operate the platform, including Supabase (database and authentication), Stripe (payment processing), Resend (email delivery), Anthropic (AI analysis including photo appraisals), Vercel (web hosting), Railway (background jobs), PostHog (product analytics), and Sentry (error monitoring). Each provider processes only the minimum data necessary to deliver their service.

4. Data retention

We retain your account data while your subscription is active. Upon a verified account deletion request, we delete your personal data within 30 days. Aggregated, de-identified usage data may be retained for analytics.

Specific retention windows for individual data classes:

• Account profile, watchlist, Arsenal, saved searches: retained for the life of the subscription; deleted within 30 days of verified deletion request.
• AI Photo Appraisal uploads: processed for the duration of the appraisal request and deleted from our storage within 24 hours of generation. Anthropic processes the images in transit and does not retain them past the API call (per Anthropic's zero-retention commercial terms).
• Authentication and session logs: 30 days.
• Server access and error logs (Vercel, Sentry): 30 days.
• Product analytics (PostHog): 12 months for individual-level events; aggregated rollups retained indefinitely.
• Stripe billing records: retained by Stripe per their data retention policy and as required by US tax law (typically 7 years for transaction records).
• Email delivery logs (Resend): 30 days.

5. California privacy rights (CCPA / CPRA)

• The right to know what personal data we collect
• The right to delete personal data we hold about you
• The right to correct inaccurate personal data
• The right to opt out of the sale or sharing of personal data — we do not sell or share personal data with third parties for cross-context behavioral advertising
• The right to limit use of sensitive personal information — we do not process sensitive personal information beyond what is strictly necessary to operate the service
• The right to non-discrimination for exercising any of the above

We also do not sell, share, license, or otherwise commercialize aggregated or de-identified data derived from your account activity. Aggregated firearm-market analytics (e.g., genre-level price trends across our own ingested data) are used internally to power the product and may be displayed publicly on Gunny.ai — but never tied to an identifiable user.

6. European privacy rights (GDPR)

If you are in the EU/EEA/UK, you have the right to access, rectification, erasure, restriction, objection, and data portability. Our legal basis for processing is contract performance (operating your subscription) and legitimate interests (product improvement and fraud prevention).

International transfers: Our infrastructure is hosted in the United States. When we transfer personal data of EU/EEA/UK residents to processors located in the United States (Supabase, Stripe, Resend, Anthropic, Vercel, Railway, PostHog, Sentry), the transfer relies on Standard Contractual Clauses (SCCs) or each provider's Data Processing Addendum (DPA) where one is in place. We do not market or actively target Gunny.ai to EU/EEA/UK consumers; the service is United States-focused.

7. Cookies and analytics

Strictly necessary cookies: Session cookies set by Supabase Auth are required to keep you signed in. These cannot be disabled and are set automatically when you log in.

Analytics: PostHog product analytics fires by default to help us understand which features users engage with. On first visit you will see a cookie-consent banner with two options — “Accept all” (analytics continues) or “Essential only” (PostHog opts out via posthog.opt_out_capturing(); auth cookies still set because they are strictly necessary). Your choice is persisted in localStorage at gunny:cookie-consent and can be changed at any time by clearing site data and reloading.

We do not use advertising cookies, retargeting pixels, or cross-site behavioral tracking.

Marketing email opt-out: Alert and digest emails include a one-click unsubscribe link (List-Unsubscribe header per RFC 8058) and a corresponding link in the email body. Transactional emails (signup confirmation, password reset, billing receipts) are sent only when triggered by your own actions and do not have an opt-out.

7a. AI Photo Appraisal Data

When you use the AI Photo Appraisal feature:

• Your uploaded firearm images are transmitted to Anthropic Claude for analysis.
• Images are stored in our infrastructure only for the duration of the appraisal request and deleted within 24 hours of completion.
• Anthropic does not retain images past the API call (per their zero-retention commercial terms) and does not use them for model training.
• Images are not shared with any third party other than Anthropic.
• You may request immediate deletion of any uploaded image at any time via privacy@gunny.ai.

8. Firearms data disclaimer

All auction data displayed on Gunny.ai is sourced from publicly available third-party auction platforms (GunBroker, Rock Island Auction Company, Morphy Auctions, and others). We do not facilitate or broker firearm transactions. Buyers are responsible for complying with all applicable federal, state, and local laws.

9. Chrome Extension

The Gunny Chrome Extension collects no personal data. When you visit a GunBroker listing, the extension reads only the public item ID from the URL and requests public market data from Gunny.ai. The extension does not use cookies, track browsing history, or transmit any account information.

9a. Security incident notification

If we discover a personal data breach that is likely to result in risk to your rights, we will notify affected users without undue delay and in any event within 72 hours of becoming aware of the breach, where feasible. Notice will include the nature of the breach, the categories of data involved, the measures taken in response, and recommended steps for you. We will also notify the appropriate supervisory authority where required by applicable law.

10. Contact

Privacy questions, access requests, deletion requests, or notice of a suspected incident: privacy@gunny.ai

Gunny.ai is a small team and does not currently have a dedicated Data Protection Officer (DPO). Privacy inquiries are handled directly by the engineering and operations leads at the address above. We typically respond within 5 business days. If you have not received a response within 30 days, you may escalate to your local data protection supervisory authority.

11. Governing law

This policy is governed by the laws of the State of Texas, United States, without regard to conflict-of-law principles.

12. Changes

We may update this policy periodically. Material changes will be announced via email or in-product notice. Continued use of Gunny.ai constitutes acceptance of any changes.