Privacy Policy
Last updated: April 22, 2026
1. Overview
itmly (“we,” “our,” or “us”) is operated by Holy Schmitt Studios LLC. This Privacy Policy explains how we collect, use, and protect your information when you use itmly.app (the “Service”).
2. Information We Collect
Account information: When you sign up via Google OAuth through Clerk, we receive your name, email address, and profile picture. We do not receive or store your Google password.
Item data: Information you provide about your items, including names, descriptions, photos, values, categories, and any custom metadata fields. This is your content and you own it.
Images: Photos you upload are stored in a private Supabase Storage bucket. Images are only accessible to you through authenticated API requests.
Usage data: We collect basic usage analytics to improve the Service, including page views, feature usage, and error logs. We do not use third-party advertising trackers.
Session recordings: We record anonymized session replays on the marketing pages so we can understand how first-time visitors navigate the landing pages and where the product positioning is working or failing. Recordings on authenticated pages are masked by default: form inputs, item names, photos, receipts, values, and any element tagged as sensitive are not captured. Session recordings are processed by PostHog (see Third-Party Services below).
3. How We Use Your Information
We use your information to:
- Provide and operate the Service
- Power smart features such as auto-fill, photo recognition, and URL extraction
- Store and serve your item data and images
- Send transactional emails related to your account
- Improve the Service and fix bugs
4. Intelligent Processing
When you use smart features (auto-fill, URL extraction, photo recognition), your input is sent to a third-party processing provider for analysis. This may include item names, descriptions, URLs, and images you choose to analyze. The provider's data retention and usage policies apply to this processing. We do not use your data to train machine learning models.
5. Third-Party Services
We use the following third-party services:
- Clerk — Authentication and user management
- Supabase — Database and file storage (hosted on AWS)
- Anthropic — Intelligent data processing
- Stripe — Payment processing and subscription billing
- eBay Browse API — Market value lookups
- Serper — Product image search
- Vercel — Application hosting and anonymous page-view analytics
- PostHog — Product analytics (pageviews, CTA clicks, signup and activation funnel, session replay). Session replay is masked on authenticated pages so your item data, photos, and receipts are not captured.
When you click an outbound “buy” link on a publicly shared item page, you are redirected to a third-party marketplace (such as eBay, Amazon, Discogs, StockX, or similar). Those marketplaces are not operated by us and their own privacy policies apply once you leave itmly.
Each service has its own privacy policy and data handling practices.
6. Public Sharing and Shared-Page Analytics
If you enable sharing on a collection, that collection and its items become publicly accessible via a unique URL. Publicly visible fields include: item names, images, categories, conditions, current values, brand and model, descriptions, and any custom metadata fields. Fields excluded from public view include: purchase prices, purchase dates, notes, locations, merchants, warranty details, and lend/borrow information.
Shared pages are indexable by search engines by default. You can revoke a share link at any time from the collection's Share dialog, which immediately removes public access.
For shared collections, we collect basic analytics so you can see how your shares perform: view count, outbound link click count, and the domain of the referring site (e.g., “reddit.com”). We never store full referrer URLs. Visitor IP addresses are SHA-256 hashed before storage and are not associated with any user account.
7. Cookies and Local Storage
We use cookies and browser local storage for the following purposes:
- Authentication — cookies set by Clerk to keep you signed in
- Preferences — local storage to remember your selected currency, view mode, theme, and similar settings
- Analytics dedup — short-lived cookies (24 hours) on publicly shared pages to avoid double-counting views from the same visitor
- Product analytics — PostHog stores an anonymous distinct_id in local storage to correlate pageviews and funnel events, and sets a session cookie when session replay is active. These identifiers are not shared with advertisers and are reset when you sign out.
We do not set third-party advertising cookies or cross-site tracking cookies.
8. Data Storage & Security
Your data is stored in a PostgreSQL database hosted by Supabase with row-level security enabled. Images are stored in private storage buckets and served through authenticated API endpoints. All data is transmitted over HTTPS.
9. Data Retention & Deletion
We retain your data for as long as your account is active. Deleted items are soft-deleted (moved to trash) and can be permanently deleted by you at any time. If you delete your account, all associated data is permanently removed within 30 days.
10. Your Rights
You have the right to:
- Access all data associated with your account
- Export your data at any time
- Delete your data and account
- Opt out of non-essential communications
11. Children
The Service is not intended for children under 13. We do not knowingly collect personal information from children under 13.
12. Changes
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the “Last updated” date.
13. Contact
Questions about this policy? Contact us at help@itmly.app.