1. Who we are
minShelf is a social platform for rock and mineral collectors, operated by the founders as an independent project pending formal incorporation. For questions about this policy or to exercise your rights, contact us at privacy@minshelf.com.
2. Data we collect
- Account data: email, username, display name, optional profile details (bio, location, website, avatar).
- Specimens you post: photos, title, description, mineral/rock names, GPS coordinates (typed, picked on the map, or extracted from photo EXIF), category-specific properties, evidence flags.
- AI identification activity: a log of every AI scan you run including image bytes hash, model used, token counts, duration, the AI's parsed response, and the resulting specimen (if you save one). Used to operate the service and improve identification quality.
- Community activity: verification votes (agree / disagree / propose) you cast on other people's specimens, comments, likes, follows, group memberships, mentions, reports, and blocks.
- Edit history: changes you make to your specimens are recorded (field, old value, new value, timestamp) so the platform can show change history.
- Feedback you submit: any messages or screenshots you submit via the in-app feedback tool.
- Usage data: pages visited, anonymised performance metrics (Vercel Speed Insights), error reports (Sentry) - used to operate and improve the service.
- Dataset opt-ins: sharing a specimen with our research / training dataset is opt-in per specimen and off by default. We ask just once - at the moment one of your specimens is community-verified - or you can switch on an "auto-add my verified specimens" setting. We keep an auditable consent log recording each opt-in or withdrawal, the exact wording you agreed to, and a timestamp. You can withdraw at any time in Settings. If you never opt in, none of your specimens are ever included in any dataset.
3. How we use your data
- To provide and operate the minShelf platform.
- To show your public posts and profile to other users.
- To run AI identification on photos you submit (see section 5).
- To send notifications you have opted into (likes, comments, follows, peer verification votes).
- To improve the service through anonymised usage analytics and to investigate errors.
- To develop and improve our identification models, and to build an anonymised, community-verified dataset which in the future may be licensed. We only ever include specimens from people who have explicitly opted in (per specimen, or via the standing setting in Settings → Privacy & data sharing), and it is off by default - so if you never opt in, none of your data is used, shared, or licensed, full stop. Shared records use reduced-precision (~1 km) locality, drop direct identifiers, and photos are EXIF-stripped before release. You can withdraw at any time; future releases then exclude your data, though datasets already published cannot be recalled.
4. Sub-processors
We use the following third-party processors to operate the service. We do not sell your personal data.
- Supabase (Ireland / US) - database, authentication, file storage.
- Anthropic (US) - AI identification of photos you submit. Photos and any context text you provide are transmitted to Anthropic's API for inference. Per Anthropic's commercial terms, API inputs are not used to train their models by default.
- Stripe (Ireland / US) - subscription and payment processing for minShelf Premium. Stripe stores your payment details; we never see your full card number. Only used if you subscribe.
- Resend (US) - transactional email delivery (account and billing notices).
- Vercel (US) - hosting and anonymised real-user performance metrics (Speed Insights, Web Analytics - cookieless).
- Sentry (US) - error tracking. Stack traces and limited request context (URL, user agent) are captured when errors occur; we scrub email addresses and IDs before transmission.
- OpenStreetMap Nominatim (Germany) - reverse-geocodes find-location coordinates into human-readable region names (e.g. "Cornwall, UK"). Your lat/lng is sent rounded to ~110 m for caching.
- Law enforcement where legally required.
International data transfers to US-based processors are made under appropriate safeguards (Standard Contractual Clauses or equivalent).
5. Automated processing
We use AI vision models to suggest initial identifications for photos you submit. These suggestions are not final decisions - you can edit any field, ignore the suggestion, or override it entirely. The community can also propose corrections. No fully automated decisions affecting your legal rights are made by the platform.
6. Your rights (GDPR / UK GDPR)
If you are in the UK or EU, you have the right to: access your data, correct inaccurate data, delete your account and data, restrict or object to processing, request your data in a portable format, and withdraw consent (including your per-specimen dataset opt-ins and the standing "auto-add" setting) at any time. To exercise these rights, contact us at privacy@minshelf.com. You can also lodge a complaint with your local supervisory authority (e.g. the UK ICO, or your country's data protection authority).
7. Data retention
Your data is retained while your account is active. When you delete your account, your personal data is removed within 30 days. Some derived or anonymised data (e.g. aggregate scan counts) may be retained indefinitely. AI identify logs are retained for service improvement; we will delete or anonymise them on request.
8. Security and breach notification
We take reasonable measures to protect your data, including HTTPS in transit, encrypted storage at rest via Supabase, row-level security on every database table, and PII scrubbing on error reports. If a personal-data breach occurs that is likely to result in risk to your rights, we will notify the relevant supervisory authority within 72 hours where required by law, and notify affected users without undue delay.
9. Cookies and local storage
We use session cookies for authentication and local storage / IndexedDB on your device for in-app state (draft autosave, onboarding flag, offline cache). No third-party advertising or tracking cookies are used. Our analytics (Vercel) are cookieless.
10. Children
minShelf is not intended for children under 13. We do not knowingly collect personal data from children under 13. If you believe we have, contact us and we will delete it.
11. Changes
We may update this policy. Significant changes will be notified via in-app notification. Continued use of the service after changes constitutes acceptance.